Data Management Self-Attestation Questionnaire

NOTICE: Updated DMP SAQ

CMS has updated the DMP SAQ to reflect the latest security standards, CMS Acceptable Risk Safeguards (ARS) 5.1.  Beginning August 11, 2026, new DMP SAQs and DMP SAQ recertifications will need to comply with these updated standards. The new DMP SAQ requirements and other guidance materials, including a description of changes from ARS 3.1 to 5.1, are available below. 

To ensure safeguards are in place for CMS Controlled Unclassified Information (CUI), CMS requires research organizations to complete an evidence-based data management plan, known as the Data Management Plan Self-Attestation Questionnaire (DMP SAQ) (DOCX).

CMS’ Data Privacy Safeguard Program (DPSP) is responsible for reviewing and approving the completed DMP SAQ. The DPSP team can be contacted at DPSP@cms.hhs.gov.  

What is a DMP SAQ?

Standard DMP SAQ: The DMP SAQ (DOCX) is based on the CMS Acceptable Risk Safeguards (ARS) and documents the security and privacy controls implemented by the research organization. The DMP SAQ is a computing environment-level plan, and all studies using the approved computing environment can be covered by a single DMP SAQ.

Approved DMP SAQs are valid for one year, after which organizations will need to recertify and update the DMP SAQ to capture any changes to their environments. Any changes to an organization’s environment prior to the recertification date require notification to CMS within 15 days of the change.  
 

DMP SAQ for Federal Agencies: The DMP SAQ for Federal Agencies (DOCX) is for federal agencies interested in leveraging a system with a current Authority to Operate (ATO) from the agency’s Authorizing Official (AO). The requesting federal agency must provide the ATO letter as evidence, as required in Section 3 of the DMP SAQ. DMP SAQs for Federal Agencies are valid for one year or until the expiration of the ATO, whichever comes first. If an ATO does not exist, federal agencies can complete the standard DMP SAQ.
 

Who Needs a DMP SAQ?

All organizations requesting physical copies of CMS RIF data for research must have an approved DMP SAQ for the environment where they intend to store CMS data.  

Beginning August 11, 2026, all organizations requesting CMS LDS Files must have an approved DMP SAQ for the environment where they intend to store CMS data. 

Researchers who exclusively utilize the Chronic Conditions Warehouse Virtual Research Data Center (CCW VRDC) do not need a DMP SAQ. 
 

How to Get Started

Standard DMP SAQ: To get started with the DMP SAQ (DOCX), refer to the following documents: 

DMP SAQ for Federal Agencies: To get started, complete the DMP SAQ for Federal Agencies and provide it to the DPSP at DPSP@cms.hhs.gov along with your ATO letter. If the system does not have an ATO, complete the standard DMP SAQ. 
 

Additional Resources

The DPSP has prepared several resources to help organizations complete the DMP SAQ:

The DPSP team is available for questions that cannot be answered by the guidance materials at DPSP@cms.hhs.gov.
 

DMP SAQ 5.1 

CMS has updated the DMP SAQ to reflect the latest security standards, CMS ARS 5.1. Organizations may begin using the DMP SAQ version 5.1 now, and it will be required starting August 11, 2026. 

Page Last Modified: 03/16/2026 06:35 PM