Updated research request forms and data security approval requirement effective 4/24/23
To document the security and privacy controls that have been implemented by the research organization, CMS requires the research organization to complete an evidence-based data management plan, now known as the Data Management Plan Self-Attestation Questionnaire (DMP SAQ). The DMP SAQ asks research organizations to attest that the organization complies with CMS ARS security and privacy controls imbedded within the questionnaire. The primary function of the DPSP is to review and audit requesters' DMP SAQ submissions and provide guidance to researchers on how to implement effective, reasonable, and appropriate measures that protect CMS data. Other functions of the DPSP include training, education, and guidance.
The DPSP has prepared several supporting documents to help organizations complete the DMP SAQ including the DMP SAQ Requirements & Guidance for Security & Privacy Controls.
Additional DMP SAQ instructions documents and an FAQ can be found here and include the following: