Security Point of Contact Each organization is required to designate at least one (1) Security Point of Contact (SPOC) who is responsible for ensuring the organization is compliant with CMS security requirements and policies. For additional security requirements and training, refer to the Security tab on the QualityNet Communications Hub. The SPOC is responsible for reporting and handling security incidents that occur within the organization. When a contract is awarded, the CMS COR will designate the first SPOC who will be established in ServiceNow. When an organization needs to add, update, replace or make any changes to the SPOC it can be done by contacting, with COR approval, the ISG Contract Onboarding Services team by email at ISGContractorOnboardingServices@cms.hhs.gov or via Slack at #help-contract-onboarding. Note that the SPOC must have a HARP account for your request to be approved. Once approved, the SPOC is stored and tracked for general tracking and maintenance.
Security Awareness and Training During the onboarding process, and before accessing any QualityNet system or application, each user must sign Rules of Behavior, complete the appropriate training, and provide evidence of training completion to their Security Point of Contact (SPOC); the SPOC will track all required training within their organization. In many cases, an annual attestation is also provided to the organization’s CMS Contracting Officer’s Representative (COR) as a deliverable. For additional information, refer to the Security Awareness & Training page on the QualityNet Communications Hub.
Resources CCSQ ServiceNow QualityQualityNet SecurityNet Security - Central source of security-related information and reference material. |