To document the security and privacy controls that have been implemented by the research organization, CMS requires the research organization to complete an evidence-based data management plan, now known as the Data Management Plan Self-Attestation Questionnaire (DMP SAQ). The DMP SAQ asks research organizations to attest that the organization complies with CMS ARS security and privacy controls imbedded within the questionnaire. The primary function of the DPSP is to review and audit requesters' DMP SAQ submissions and provide guidance to researchers on how to implement effective, reasonable, and appropriate measures that protect CMS data. Other functions of the DPSP include training, education, and guidance.
The DPSP has prepared several supporting documents to help organizations complete the DMP SAQ including the DMP SAQ Requirements & Guidance for Security & Privacy Controls.
Additional DMP SAQ instructions documents and an FAQ can be found here and include the following:
The DPSP team is available to assist when organizations have questions that cannot be answered by the guidance materials. The DPSP team can be reached at firstname.lastname@example.org.