Data Management Plan Self-Attestation Questionnaire (DMP SAQ) for Federal Agencies

The Data Management Plan Self-Attestation Questionnaire (DMP SAQ) for Federal Agencies allows for documentation that security and privacy controls have been implemented by the federal agency to protect the requested Identifiable Data File (IDFs) in the environment in which the data will be stored.

The DMP SAQ for Federal Agencies replaces the former Data Management Plan (DMP) requirement for CMS IDF requests. Unlike the DMP, which was specific to a single study, the DMP SAQ is an organizational-level plan and all studies using the approved environment can be covered by a single DMP SAQ.

The DMP SAQ for Federal Agencies is a short form with a few administrative requests. The form is for federal agencies who will be storing data within a system that has a current Authority to Operate (ATO) from the agency’s Authorizing Official (AO). The requesting federal agency must provide the ATO as evidence as required in Section 3 of the DMP SAQ. If any identifiable CMS data will be stored in a system that does not have a federal ATO, the federal agency must complete the standard DMP SAQ.

Approved DMP SAQs are valid for one year or until the expiration of the ATO, whatever comes first, after which organizations will need to recertify and update the DMP SAQ to capture any changes. Any changes prior to the recertification date require notification within 15 days of the change.