Reminder: DUA and VRDC access needs to be extended or renewed annually. Read more.
Purpose of this document
The Data Management Plan Self-Attestation Questionnaire (DMP SAQ) documents security and privacy controls implemented by the research organization to protect the requested Controlled Unclassified Information (CUI) in the environment in which the data will be stored. CUI is unclassified information that is defined as sensitive and requires safeguarding or dissemination controls in accordance with applicable laws, regulations, and government-wide policies. CMS Research Identifiable File (RIF) data and Limited Data Set (LDS) files are included under the classification of CUI.
The DMP SAQ replaces the former Data Management Plan (DMP) requirement for CMS data requests. Unlike the DMP, which was specific to a single study, the DMP SAQ is an organizational-level plan and all studies using the approved computing environment can be covered by a single DMP SAQ.
The DMP SAQ is based on the CMS Acceptable Risk Safeguards (ARS) security and privacy controls. Research organizations attest that the organization complies with CMS ARS security and privacy controls addressed by the questionnaire. Some questions also require additional explanation and evidence.
The DMP SAQ recognizes information systems may vary between organizations and allows flexibility through compensating controls or alternative implementations. The important takeaway when implementing the controls is that the intent of the security and privacy control is met. For any control that cannot be met, organizations must provide justification for not being able to implement the control.
Approved DMP SAQs are valid for one year, after which organizations will need to recertify and update the DMP SAQ to capture any changes to their environments. Any changes to the organization’s environment prior to the recertification date require notification within 15 days of the change.
All organizations requesting CMS data must have an approved DMP SAQ for the environment in which they intend to store the CMS data.
CMS’ Data Privacy Safeguard Program (DPSP) is responsible for reviewing and approving the completed DMP SAQ. More information on the DPSP can be found at https://resdac.org/articles/cmss-data-privacy-safeguard-program-dpsp and the DPSP team can be contacted at DPSP@cms.hhs.gov.
How to get started
Below you will find the DMP SAQ form and supporting documents. For information on how to get started with the DMP SAQ, see the following documents:
- The Requirements and Guidance for Security and Privacy Controls: a detailed, CMS ARS control-specific document that provides supplemental guidance on CMS ARS requirements for security and privacy controls, and cross-references the security and privacy control to the matching DMP SAQ question.
- How to Establish a DMP SAQ
- How to Prepare for a DMP SAQ
All DMP SAQ instructions documents:
Download How to Establish a DMP SAQ
Download How to Prepare for a DMP SAQ
Download The DMP SAQ Process - Start to Finish
Download How to Renew a DMP SAQ
Download Crosswalking the DMP to the DMP SAQ
Download How to Update the DMP SAQ
Download How to Identify the Data Custodian for the DMP SAQ
Download DMP SAQ Frequently Asked Questions