QualityNet Jira will be unavailable on Tuesday, September 03, 2024, between 8:00 PM ET and 11:00 PM ET while the team performs a system upgrade. QualityNet Confluence will also be briefly unavailable between 8:00 PM ET and 8:30 PM ET.  If you have questions or concerns, please reach out to us in Slack at #help-atlassian.

QualityNet Security

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 26 Next »



HCQIS Security Awareness Training (SAT) & Certification Administration Instructions


General Information


HHS and CMS in accordance to Federal Information Security Management Act (FISMA) of 2002 and other policies requires that all Federal CMS and Contractor users of Federal Information Systems to be exposed to security and privacy awareness training materials at least annually. This is to inform federal employees, contractors and other users of information systems that support the operations and assets of the agency, of:

  • Information Security risks associated with technologies and their activities while utilizing those technologies.
  • Responsibilities in complying with agency policies and procedures designed to reduce risks.
  • Overview of protecting Personally Identifying Information (PII) or Personal Health Information (PHI) of any individual as directed in the Privacy Act of 1974.
  • Records Management and Retention.


During onboarding and before access to any HCQIS system or application each user must complete proper training requirements on an annual basis and must provide evidence of completion to his/her respective Security Point of Contact (SPOC) who will track all required training within the organization.













  1. Only (1) memo is required for all sites under each prime contract region/area/site.
  2. The Certification Memo must be signed by the Security Point of Contact (SPOC)/ Security Officer (SO) and the organization's designated Program Lead.
  3. You may apply a naming convention that best suits your organization, Contract or deliverable. Some examples of the document format names are listed below:
    1. Naming format for BFCC: "BFCC-QIO-(Contract Name)_SAT_20xx.pdf"
    2. Naming format for QIN: "QIN-QIO-(Contract Name)_SAT_20xx.pdf"
    3. Other Organizations: "(Org/Contract Name)_SAT_20xx.pdf"
  4. You may also have multiple sites that need to be tracked separately. "Site Identification" located at the top of the Certification Memo will help (if applicable):
    1. Region/Area/Network ID; this will vary between contract type/organization.
      1. "BFCC-QIO Region 1"
      2. "QIN-QIO Area-G"
  5. Submit the completed certification memo electronically to your COR using the specified vehicle outlined in the contract (email, CDS, DARRT, etc.) as directed by the CMS COR (if applicable).







Newly on-boarded HCQIS Services users who have taken all three training modules within thelast 90 days of the organization's certification period are EXEMPT from taking SAT training for the current annual certification period. This group of users will take security awareness training as normal during the following annual certification period.
Note: Any deviations from either training module will require the user to take any missed training during the current certification period.











  1. SAT Records are not required for submission unless requested by the COR or ISSO. SAT Records must always be updated and maintained. (SAT record templates are available within HCQIS Security Resources on QNP or may be obtained by the CMS COR/ISSO.
  2. Contracts acting under multiple sites (prime/sub) may exercise the option of having multiple SAT records or a single SAT record that reflects ALL individual sites and each user respectfully.
  3. At the top of each page insert the Contract name and specify the site if applicable.
  4. For multiple sites in a single area, you may use a different table that identifies each state/region for each site.







  • No labels