QualityNet Jira will be unavailable on Tuesday, September 03, 2024, between 8:00 PM ET and 11:00 PM ET while the team performs a system upgrade. QualityNet Confluence will also be briefly unavailable between 8:00 PM ET and 8:30 PM ET.  If you have questions or concerns, please reach out to us in Slack at #help-atlassian.

QualityNet Security

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 121 Next »


Security Policy

Awareness & Training

Security Point Of Contact

Incident Response



Required Training


User Instructions

SPOC Certifications/Attestation

Record Keeping for SPOCs


Introduction

During onboarding, and before access to any HCQIS system or application, each user must sign Rules of Behavior, complete the appropriate training, and provide evidence of training completion to their Security Point of Contact (SPOC); the SPOC will track all required training within their organization. In many cases, an annual attestation is also provided to the organization’s CMS Contracting Officer’s Representative (COR) as a deliverable.  

If you have questions about policy or need more information regarding contract requirements, please contact your COR.





 Required Training(s)



Security Awareness Training (SAT)The HCQIS program utilizes the DoD Cyber Exchange, a publicly accessible training library with course offerings to allow contractors to meet the CMS SAT requirements. SAT Training is broken into two (2) separate trainings focusing on Security and Privacy. These trainings include:

  • Cyber Awareness Challenge and Identifying

  • Safeguarding Personal Identifiable Information (PII).


Records Management TrainingAdditional to Security Awareness training, the HHS Records Management Training is a mandatory requirement outlined in the HHS Policy for Records Management and the Office of Management and Budget (OMB)/National Archives and Records Administration (NARA) joint Directive M-19-21, Transition to Electronic Records.  The records management training is to provide an overview of user responsibilities for records handling, help users tell the difference between records and non-records, and assist them in learning how to manage the federal records lifecycle.  

Note: The HHS Office of Human Capital manages records management training and requirements for CMS. Therefore, updated instructions may be issued by HHS to include new training requirements, content or links. Please check with your COR for any changes to the information provided by HHS.


Back to Top








The SPOC should adhere to the following guidelines related to certification and attestation of training results:

  1. Only one memo is required for all sites under each prime contract region/area/site.
  2. The Certification Memo must be signed by the SPOC (or in the SPOC’s absence, the Security Officer (SO)) and the organization’s designated Program Lead.
  3. You may apply a naming convention that best suits your organization, Contract or deliverable, but that is easy to understand by other readers.
  4. Submit the completed certification memo electronically to you’re COR using the specified vehicle outlined in the contract as directed by the CMS COR.


Organizational SPOCs may leverage the provided template to fulfill the requirement. 

QNet Security Awareness Certification Template.docx



Back to Top









Records must be updated and maintained at all times, but they are only to be submitted to CMS if requested by the COR or the Information Systems Security Officer (ISSO). Record templates are available within the Security page on the QualityNet Communications Hub or may be obtained through your CMS COR.

Contracts operating across multiple sites (prime/sub) may exercise the option of having multiple records or a single record that reflects all individual sites and each user respectively.

At the top of each page insert the Contract name and specify the site if applicable. For multiple sites in a single area, you may use a different table that identifies each State/region for each site.


Organizational SPOCs may leverage the provided template to fulfill the requirement. 

Security Awareness Training Record template.docx



Back to Top







New users on a contract take training at the time of receiving initial access and annually thereafter. Some contracts and organizations require all users to complete training by a specific time each year. With this, there may be times where an user has transferred from another contract or has recently started and would NOT have to re-take the training again.  Therefore, if a user has started or transferred and has taken all required trainings within the last 90 days, that user may be except from taking any training again until the following calendar year or deliverable period; whichever schedule is followed.


Back to Top




  • No labels