diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 30bdd56723..c8415d296a 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -29,8 +29,11 @@ jobs: steps: - name: set branch_name # Some integrations (Dependabot & Snyk) build very long branch names. This is a switch to make long branch names shorter. run: | - if [[ "$GITHUB_REF" =~ ^refs/heads/dependabot/.* ]] || [[ "$GITHUB_REF" =~ ^refs/remotes/origin/snyk-upgrade-* ]] || [[ "$GITHUB_REF" =~ ^refs/remotes/origin/snyk-fix-* ]]; then - echo "branch_name=`echo ${GITHUB_REF#refs/heads/} | md5sum | head -c 10 | sed 's/^/x/'`" >> $GITHUB_ENV + echo "GITHUB_REF=${GITHUB_REF}" + if [[ "$GITHUB_REF" =~ ^refs/heads/dependabot/.* ]]; then + echo "branch_name=`echo ${GITHUB_REF##*/*-} | md5sum | head -c 10 | sed 's/^/x/'`" >> $GITHUB_ENV + elif [[ "$GITHUB_REF" =~ ^refs/.*/snyk-* ]]; then + echo "branch_name=`echo ${GITHUB_REF##*/*-} | head -c 10 | sed 's/^/s/'`" >> $GITHUB_ENV else echo "branch_name=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV fi diff --git a/services/app-api/package.json b/services/app-api/package.json index 3020659f07..a3f7f671e4 100644 --- a/services/app-api/package.json +++ b/services/app-api/package.json @@ -39,7 +39,7 @@ "aws4": "^1.11.0", "cross-fetch": "^4.0.0", "jwt-decode": "^3.1.2", - "kafkajs": "^1.16.0", + "kafkajs": "^2.2.4", "prompt-sync": "^4.2.0", "uuid": "^7.0.3", "xml2js": "0.6.0" diff --git a/services/app-api/yarn.lock b/services/app-api/yarn.lock index b313494c47..3e3f9e46d6 100644 --- a/services/app-api/yarn.lock +++ b/services/app-api/yarn.lock 
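Review bot: In the dependabot arm of the `set branch_name` step, hashing `${GITHUB_REF##*/*-}` instead of the whole branch name feeds only the text after the last `-` to `md5sum`, so two Dependabot branches that bump different packages to the same version (constructed examples: `.../foo-1.2.3` and `.../bar-1.2.3`) get the same `branch_name`. If `branch_name` later names the deployed stage (not visible in this hunk), those branches would share one environment; keeping `echo ${GITHUB_REF#refs/heads/} | md5sum` as the hash input avoids the collision. The new snyk test `^refs/.*/snyk-*` is a regex, so `snyk-*` means "snyk" followed by any number of hyphens and matches any ref containing `/snyk`; `^refs/.*/snyk-(upgrade|fix)-` states the intent. That arm also writes the unhashed suffix to `$GITHUB_ENV`, so quote the expansion (`echo "${GITHUB_REF##*/*-}"`) and confirm the result can only contain characters a stage name accepts.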
@@ -2476,9 +2476,9 @@ flat@^5.0.2: integrity sha512-b6suED+5/3rTpUBdG1gupIl8MPFCAMA0QXwmljLhvCUKcUvdE4gWky9zpuGCcXHOsz4J9wPGNWq6OKpmIzz3hQ== follow-redirects@^1.14.0: - version "1.15.3" - resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.3.tgz#fe2f3ef2690afce7e82ed0b44db08165b207123a" - integrity sha512-1VzOtuEM8pC9SFU1E+8KfTjZyMztRsgEfwQl44z8A25uy13jSzTj6dyK2Df52iV0vgHCfBwLhDWevLn95w5v6Q== + version "1.15.4" + resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.4.tgz#cdc7d308bf6493126b17ea2191ea0ccf3e535adf" + integrity sha512-Cr4D/5wlrb0z9dgERpUL3LrmPKVDsETIJhaCMeDfuFYcqa5bldGV6wBsAN6X/vxlXQtFBMrXdXxdL8CbDTGniw== for-each@^0.3.3: version "0.3.3" @@ -3611,10 +3611,10 @@ jwt-decode@^3.1.2: resolved "https://registry.yarnpkg.com/jwt-decode/-/jwt-decode-3.1.2.tgz#3fb319f3675a2df0c2895c8f5e9fa4b67b04ed59" integrity sha512-UfpWE/VZn0iP50d8cz9NrZLM9lSWhcJ+0Gt/nm4by88UL+J1SiKN8/5dkjMmbEzwL2CAe+67GsegCbIKtbp75A== -kafkajs@^1.16.0: - version "1.16.0" - resolved "https://registry.yarnpkg.com/kafkajs/-/kafkajs-1.16.0.tgz#bfcc3ae2b69265ca8435b53a01ee9e8787b9fee5" - integrity sha512-+Rcfu2hyQ/jv5skqRY8xA7Ra+mmRkDAzCaLDYbkGtgsNKpzxPWiLbk8ub0dgr4EbWrN1Zb4BCXHUkD6+zYfdWg== +kafkajs@^2.2.4: + version "2.2.4" + resolved "https://registry.yarnpkg.com/kafkajs/-/kafkajs-2.2.4.tgz#59e6e16459d87fdf8b64be73970ed5aa42370a5b" + integrity sha512-j/YeapB1vfPT2iOIUn/vxdyKEuhuY2PxMBvf5JWux6iSaukAccrMtXEY/Lb7OvavDhOWME589bpLrEdnVHjfjA== keyv@^4.0.0: version "4.2.2" diff --git a/services/ui-src/.env_example b/services/ui-src/.env_example index 5d54e14cee..c5902af176 100644 --- a/services/ui-src/.env_example +++ b/services/ui-src/.env_example 
@@ -1,12 +1,15 @@ BRANCH_NAME=local LOCAL_LOGIN=true PROD_URL=placeholder +STAGE=local # AWS + API_REGION=us-east-1 API_URL=http://localhost:3030 ## COGNITO + COGNITO_IDENTITY_POOL_ID=us-east-1:61c849d8-f95c-45af-8131-15b75c525034 COGNITO_REDIRECT_SIGNIN=http://localhost:3000/ COGNITO_REDIRECT_SIGNOUT=http://localhost:3000/ @@ -17,10 +20,12 @@ COGNITO_USER_POOL_CLIENT_ID=46fh6sftchq768ab0v65cpq0cf POST_SIGNOUT_REDIRECT=http://localhost:3000/ ## S3 + S3_ATTACHMENTS_BUCKET_NAME=uploads-master-attachments-024259748323 S3_ATTACHMENTS_BUCKET_REGION=us-east-1 S3_LOCAL_ENDPOINT=http://localhost:4569 # LAUNCHDARKLY + LD_PROJECT_KEY=mdct-qmr REACT_APP_LD_SDK_CLIENT=63581ea07a993f590567cb44 #pragma allowlist secret diff --git a/services/ui-src/public/index.html b/services/ui-src/public/index.html index 65f767f81a..f5556f0f70 100644 --- a/services/ui-src/public/index.html +++ b/services/ui-src/public/index.html @@ -31,9 +31,40 @@ rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" /> + + + + +
diff --git a/services/ui-src/src/App.tsx b/services/ui-src/src/App.tsx index 2e83c12134..75bfe00e2b 100644 --- a/services/ui-src/src/App.tsx +++ b/services/ui-src/src/App.tsx @@ -2,12 +2,19 @@ import { AppRoutes } from "./Routes"; import * as QMR from "components"; import { LocalLogins, PostLogoutRedirect } from "components"; import { useUser } from "hooks/authHooks"; -import { Suspense } from "react"; +import { Suspense, useEffect } from "react"; import { MeasuresLoading } from "views"; -import { Route, Routes } from "react-router-dom"; +import { Route, Routes, useLocation } from "react-router-dom"; +import { fireTealiumPageView } from "utils/tracking/tealium"; const App = () => { const { logout, user, showLocalLogins, loginWithIDM } = useUser(); + const { pathname, key } = useLocation(); + + // fire tealium page view on route change + useEffect(() => { + fireTealiumPageView(user, window.location.href, pathname); + }, [key, pathname, user]); const authenticatedRoutes = ( <> diff --git a/services/ui-src/src/utils/tracking/tealium.js b/services/ui-src/src/utils/tracking/tealium.js new file mode 100644 index 0000000000..fdbc37759a --- /dev/null +++ b/services/ui-src/src/utils/tracking/tealium.js @@ -0,0 +1,23 @@ +export const fireTealiumPageView = (user, url, pathname) => { + // TODO: this will need to be updated for the upcoming Combined Ratio page view + const isReportPage = + pathname.endsWith("-AD") || + pathname.endsWith("-CH") || + pathname.endsWith("-HH") || + pathname.endsWith("CSQ"); + const contentType = isReportPage ? "form" : "app"; + const sectionName = isReportPage ? pathname.split("/")[1] : "main app"; + const { host: siteDomain } = url ? new URL(url) : null; + if (window.utag) { + window.utag.view({ + content_language: "en", + content_type: contentType, + page_name: sectionName + ":" + pathname, + page_path: pathname, + site_domain: siteDomain, + site_environment: process.env.NODE_ENV, + site_section: sectionName, + logged_in: !!user, + }); + } +}; 
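Review bot: The dependency array `[key, pathname, user]` on the new `useEffect` makes the page view fire whenever `user` changes identity, not only on navigation, although `fireTealiumPageView` reads nothing from it but `!!user`. If `useUser()` returns a fresh object on re-render (not visible here), the same route is reported more than once. Deriving `const isLoggedIn = Boolean(user);` above the effect and depending on `[key, pathname, isLoggedIn]` keeps it to one event per route change and login transition. The call also passes the full `window.location.href`, query string and fragment included, so it is worth confirming that only the host is ever forwarded to the tag. The `App` component continues past the end of this hunk.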
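Review bot: `const { host: siteDomain } = url ? new URL(url) : null;` throws a TypeError whenever `url` is empty, because `null` cannot be destructured, so the fallback arm crashes the calling effect instead of omitting the domain. `const siteDomain = url ? new URL(url).host : undefined;` gives the same result for a valid URL and degrades cleanly otherwise. `new URL` still throws on a malformed string, so moving the parse inside the `if (window.utag)` guard with a try/catch would contain that as well. `page_path` and `page_name` forward the raw route to a third-party tag, so confirm that route segments never carry user or record identifiers. The last suffix check, `pathname.endsWith("CSQ")`, lacks the hyphen the other three have; a one-line comment saying whether that is intended would help.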
diff --git a/services/ui-src/yarn.lock b/services/ui-src/yarn.lock index 300d77fe27..22b5bee99d 100644 --- a/services/ui-src/yarn.lock +++ b/services/ui-src/yarn.lock @@ -6579,9 +6579,9 @@ cross-spawn@^7.0.2, cross-spawn@^7.0.3: which "^2.0.1" crypto-js@^4.1.1: - version "4.1.1" - resolved "https://registry.yarnpkg.com/crypto-js/-/crypto-js-4.1.1.tgz#9e485bcf03521041bd85844786b83fb7619736cf" - integrity sha512-o2JlM7ydqd3Qk9CA0L4NL6mTzU2sdx96a+oOfPu8Mkl/PK51vSyoi8/rQ8NknZtk44vq15lmhAj9CIAGwgeWKw== + version "4.2.0" + resolved "https://registry.yarnpkg.com/crypto-js/-/crypto-js-4.2.0.tgz#4d931639ecdfd12ff80e8186dba6af2c2e856631" + integrity sha512-KALDyEYgpY+Rlob/iriUtjV6d5Eq+Y191A5g4UqLAi8CyGP9N1+FdVbkc1SxKc2r4YAYqG8JzO2KGL+AizD70Q== crypto-random-string@^2.0.0: version "2.0.0" @@ -8091,9 +8091,9 @@ focus-trap@^7.2.0: tabbable "^6.0.1" follow-redirects@^1.0.0, follow-redirects@^1.14.0: - version "1.14.8" - resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.14.8.tgz#016996fb9a11a100566398b1c6839337d7bfa8fc" - integrity sha512-1x0S9UVJHsQprFcEC/qnNzBLcIxsjAV905f/UkQxbclCsoTWlacCNOpQa/anodLl2uaEKFhfWOvM2Qg77+15zA== + version "1.15.4" + resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.4.tgz#cdc7d308bf6493126b17ea2191ea0ccf3e535adf" + integrity sha512-Cr4D/5wlrb0z9dgERpUL3LrmPKVDsETIJhaCMeDfuFYcqa5bldGV6wBsAN6X/vxlXQtFBMrXdXxdL8CbDTGniw== for-in@^1.0.2: version "1.0.2" 
@@ -10555,9 +10555,9 @@ node-fetch@3.3.1: formdata-polyfill "^4.0.10" node-fetch@^2.6.1: - version "2.6.6" - resolved "https://registry.yarnpkg.com/node-fetch/-/node-fetch-2.6.6.tgz#1751a7c01834e8e1697758732e9efb6eeadfaf89" - integrity sha512-Z8/6vRlTUChSdIgMa51jxQ4lrw/Jy5SOW10ObaA47/RElsAN2c5Pn8bTgFGWn/ibwzXTE8qwr1Yzx28vsecXEA== + version "2.6.7" + resolved "https://registry.yarnpkg.com/node-fetch/-/node-fetch-2.6.7.tgz#24de9fba827e3b4ae44dc8b20256a379160052ad" + integrity sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ== dependencies: whatwg-url "^5.0.0" diff --git a/services/ui/serverless.yml b/services/ui/serverless.yml index e65c684ea8..5831f7dcf9 100644 --- a/services/ui/serverless.yml +++ b/services/ui/serverless.yml @@ -239,6 +239,7 @@ resources: var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['x-frame-options'] = { value: 'DENY' }; + headers["content-security-policy"] = { value: "default-src 'self'; img-src 'self' data: https://www.google-analytics.com; script-src 'self' https://www.google-analytics.com https://ssl.google-analytics.com https://www.googletagmanager.com tags.tiqcdn.com tags.tiqcdn.cn tags-eu.tiqcdn.com https://*.adoberesources.net 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src https://*.amazonaws.com/ https://*.amazoncognito.com https://www.google-analytics.com https://*.launchdarkly.us https://adobe-ep.cms.gov https://adobedc.demdex.net; frame-ancestors 'none'; object-src 'none'"}; return response; } FunctionConfig: diff --git a/yarn.lock b/yarn.lock index cd7a77c1f8..b4f7504ba7 100644 --- a/yarn.lock +++ b/yarn.lock 
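Review bot: The new `content-security-policy` value puts `'unsafe-inline'` in `script-src`, which lets any injected inline script run and removes most of the XSS protection the header is meant to add; a nonce or a `'sha256-…'` hash for the inline tag loader (presumably the block added to index.html, whose body is not visible here) would keep the allowlist meaningful. `style-src 'self' 'unsafe-inline'` also omits `https://maxcdn.bootstrapcdn.com`, which index.html in this same commit still loads the Bootstrap stylesheet from, so that stylesheet would be blocked. `connect-src` has no `'self'` and does not inherit it from `default-src`, so same-origin fetches are refused unless that is intended, and `base-uri 'self'; form-action 'self'` are worth adding because neither falls back to `default-src`. Shipping the policy first as `content-security-policy-report-only` would surface such breakage before enforcement. The handler function starts above this hunk.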
@@ -5576,9 +5576,9 @@ flatted@^3.1.0: integrity sha512-WIWGi2L3DyTUvUrwRKgGi9TwxQMUEqPOPQBVi71R96jZXJdFskXEmf54BoZaS1kknGODoIGASGEzBUYdyMCBJg== follow-redirects@^1.14.0: - version "1.15.1" - resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.1.tgz#0ca6a452306c9b276e4d3127483e29575e207ad5" - integrity sha512-yLAMQs+k0b2m7cVxpS1VKJVvoz7SS9Td1zss3XRwXj+ZDH00RJgnuLx7E44wx02kQLrdM3aOOy+FpzS7+8OizA== + version "1.15.4" + resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.4.tgz#cdc7d308bf6493126b17ea2191ea0ccf3e535adf" + integrity sha512-Cr4D/5wlrb0z9dgERpUL3LrmPKVDsETIJhaCMeDfuFYcqa5bldGV6wBsAN6X/vxlXQtFBMrXdXxdL8CbDTGniw== for-each@^0.3.3: version "0.3.3"