Data Management Plan Self-Attestation Questionnaire (DMP SAQ)

The Data Management Plan Self-Attestation Questionnaire (DMP SAQ) documents security and privacy controls implemented by the research organization to protect the requested Research Identifiable Files (RIF) in the environment in which the data will be stored.

The DMP SAQ replaces the former Data Management Plan (DMP) requirement for CMS RIF requests. Unlike the DMP, which was specific to a single study, the DMP SAQ is an organizational-level plan and all studies using the approved computing environment can be covered by a single DMP SAQ.

The DMP SAQ is based on the CMS Acceptable Risk Safeguards (ARS) security and privacy controls. Research organizations attest that the organization complies with CMS ARS security and privacy controls addressed by the questionnaire. Some questions also require additional explanation and evidence.

The DMP SAQ recognizes information systems may vary between organizations and allows flexibility through compensating controls or alternative implementations. The important takeaway when implementing the controls is that the intent of the security and privacy control is met. For any control that cannot be met, organizations must provide justification for not being able to implement the control.

Approved DMP SAQs are valid for one year, after which organizations will need to recertify and update the DMP SAQ to capture any changes to their environments. Any changes to the organization’s environment prior to the recertification date require notification within 15 days of the change.