ISPG program that provides skilled Information System Security Officers (ISSOs) to CMS components in need of professional security and privacy support
What is ISSO As A Service (ISSOaaS)?
Information System Security Officers (ISSO) serve as the front line of information security and privacy for CMS systems. Their role is critical for keeping CMS data safe throughout a system’s life cycle. But sometimes, there is not a trained CMS ISSO available within a component to perform key security tasks.
To address this need, the CMS Information Security and Privacy Group (ISPG) provides the ISSO As A Service (ISSOaas) program to deploy skilled ISSOs where they are most needed to support CMS Business Owners in maintaining information security and privacy for their system(s).
ISPG works with a contractor organization to onboard and train professional ISSOs in CMS-specific policies and frameworks so they are equipped to provide industry-certified security and compliance support, allowing Business Owners to focus on their business mission.
To get started with ISSO As A Service, you can talk to your Cyber Risk Advisor (CRA) or send an email to ISSO@cms.hhs.gov. The ISSOaaS team will work with you to assess requirements and find an ISSO that can support the needs of your system(s).
Why does CMS need ISSOaaS?
For all CMS components, the safety of information and systems should be a top priority – as we are entrusted with the personal and health data of millions of Americans. Every CMS component must take a strategic and proactive approach to security compliance and risk management. It should not be an afterthought. This means employing a suitably skilled and experienced person who is responsible for these things.
Sometimes, a CMS component assigns ISSO duties to someone who has other primary responsibilities and is not adequately trained in CMS requirements for cybersecurity. This leads to a hazardous situation for the component’s information and systems, including:
- Conflict of interest between that person’s ISSO role and their other responsibilities
- Insufficient skills, time, and knowledge for that person to properly manage ISSO tasks
- False sense of complacency in the component that security and privacy is being fully addressed by this shared role, while in fact there are gaps in compliance and appropriate risk management
Evolving and modernizing information security
Beyond ensuring security and privacy compliance, the ISSO role at CMS has grown increasingly complex and technical in response to the evolving threat landscape and the modernized approach to cybersecurity that is being implemented across the federal government. For example:
- Agile processes and rapid development cycles result in the need for continuous security and privacy monitoring / assessments
- Business Owners and senior leadership depend on ISSOs for insights about potential security risks and mitigation strategies
- Federal guidance and requirements are constantly evolving (NIST, FISMA, HIPAA, DHS, HITECH, IRS)
- CMS is modernizing risk management with programs like Ongoing Authorization (OA), Cybersecurity and Risk Assessment Program (CSRAP), and Continuous Diagnostics and Mitigation (CDM)
ISSO As A Service connects CMS components with knowledgeable professionals who can help ensure adequate information security across all CMS components and systems.
Who are the Service ISSOs?
Within the ISSOaaS program, a Service ISSO is a professional ISSO who is trained in CMS cybersecurity practices and onboarded to support specific systems or tasks for a CMS component that otherwise would not have a qualified ISSO available. CMS works with a contractor organization to engage Service ISSOs for an agreed-upon length of time.
Service ISSOs operate in direct liaison with ISPG as well as their assigned system teams and Business Owner. This ensures consistency and shared visibility into system security throughout the engagement.
What tasks can Service ISSOs do?
Service ISSOs do the same tasks and have the same skills as CMS ISSOs– although Service ISSO qualifications and duties may be adjusted to fit the specific needs of the component and system. Responsibilities may include:
- Provide overall professional ISSO support for CMS systems
- Collaborate with system stakeholders and Cyber Risk Advisors
- Evaluate security categorization
- Review compliance assurance and reporting
- Perform risk assessment
- Identify and document security and privacy controls
- Provide guidance for PII, PHI, and FTI compliance
- Perform tasks that support system assessment and authorization
- Review information security and privacy compliance within the Target Life Cycle (TLC)
- Review and analyze POA&Ms
- Perform CMS Security Control Assessment (or coordinate Cybersecurity and Risk Assessment Program)
- Coordinate Contingency Planning
- Utilize CMS Risk Management Framework (as recommended by NIST)
Why use a Service ISSO?
ISSOaaS makes it easier for CMS Business Owners to get accurate and insightful information from an experienced professional to manage their systems’ risk. The Service ISSO can deliver a set of proactive, scheduled, planned services for a defined timeframe or on a continuous basis. Engaging a Service ISSO will ensure:
- Information systems and information risks and vulnerabilities are identified, their impact to the organization are quantified, communicated, and understood by all relevant stakeholders
- Appropriate information systems control and risk mitigation are in place to ensure the confidentiality, integrity and availability of the information systems
- Proper coordination of appropriate training and communication of information security policies, controls, and best practices to all stakeholders
- Organizational compliance with policies as well as any external regulatory or legal compliance obligations
- Management is provided with advice concerning cybersecurity strategy and can serve as the organization’s contact point for auditors and agencies
- Any necessary coordination of information systems security incident response
- Cybersecurity and privacy practices for their assigned organization are in keeping with CMS policies, latest privacy legislation, security advisories, alerts, and vulnerabilities
When to use Service ISSOs
Engaging a Service ISSO could be beneficial for your component if:
- ISSO tasks need to be performed and there is no trained CMS ISSO available
- A new ISSO needs help getting started
- A surge period is causing an unmanageable amount of work for existing ISSOs
How to request a Service ISSO
If you as a Business Owner need ISSO support from the ISSOaaS program, you can work with your CRA to start the process – or you can send an email to ISSO@cms.hhs.gov.
How it works
ISSO As A Service requires coordination among multiple stakeholders. Everyone involved has a role in making sure the selected ISSO can meet the requirements for the specific component and system(s). The steps for starting an ISSOaaS engagement are described below.
A request by a Business Owner initiates the process for a Service ISSO. The Business Owner should talk to their CRA or email ISSO@cms.hhs.gov to let ISPG know that ISSOaaS support is needed.
A meeting to discuss the requirements of the engagement will be scheduled with the Business Owner, ISPG, the ISSOaaS contractor, and any other stakeholders. Topics of the meeting will include cybersecurity requirements, level of effort, cost and funding activities, and onboarding. All factors will be evaluated by ISPG and the ISSOaaS contractor.
After the meeting, ISPG will complete an ISSOaaS Request Form, which helps ISPG and the contractor during their search for a Service ISSO.
As ISPG and the contractor work to determine the best match for a Service ISSO, they will consider the context for the engagement, including factors such as:
- System complexity
- Data sensitivity
- Whether the system supports a Mission Essential Function
- Whether the system is a High Value Asset (HVA)
The ISSOaaS contractor will categorize the workforce skillset needed for the assignment using:
- NICE Framework as applicable to the CMS ISSO role
- Role duties and responsibilities as outlined in policy
- Required experience, certifications, and areas of expertise
Once a Service ISSO has been identified, onboarding and training will begin so the ISSO can be embedded in their assigned team. Onboarding requires collaboration among the Business Owner, ISPG, the ISSOaaS contractor, and the ISSO. (More details below).
Service ISSO onboarding
The established process at CMS for onboarding new Service ISSOs ensures that the ISSO completes the orientation, logistics, and training needed to start providing value to the organization quickly. We want all new ISSOs to feel welcome and have access to the resources needed to become productive and confident in their new role. The goal is for new Service ISSOs to be onboarded and trained within a time period of 60 days.
Business Owner responsibilities
The Business Owner or component representatives should prepare their organization for the arrival of the ISSO. Data Guardians, CRAs, and existing ISSOs (if applicable) should also prepare. ISPG will coordinate with the component for an initial meeting with the new ISSO. The goals of this meeting are for the new ISSO to:
- Meet the Business Owner and other key stakeholders in the component’s organization, including contract developers and contract security staff
- Understand the component’s business and cybersecurity environment
- Learn about the component’s business model and logic
Contractor responsibilities
The ISSOaaS contractor oversees the logistics of onboarding and keeps ISPG continually updated on the progress of Service ISSO onboarding and training. Much of this is managed through the ISSO Information Card, which tracks items such as:
- CMS security clearance
- Fingerprinting
- PIV card
- EUA ID
- eQIP
The full list of items is managed by the ISSOaaS contractor throughout the engagement and is also used as a checklist for off-boarding when the engagement is over. Additionally, the contractor keeps track of the Service ISSO’s progress through workforce training activities. All of this is relayed to ISPG through a weekly status report to the CMS Government Task Lead (GTL) and/or the Contracting Officer Representative (COR) for the ISSOaaS program.
ISPG responsibilities
The CMS GTL for the ISSOaaS program is within ISPG and serves as the go-to person for program communications and problem resolution as necessary. They can help remove blockers or provide support at any point in the ISSO’s onboarding process (and subsequent engagement). ISPG also coordinates with the ISSOaaS contractor for onboarding needs such as scheduling meetings or providing necessary equipment.
ISSO responsibilities
The new Service ISSO is expected to take a proactive role during onboarding – especially in keeping their leadership informed about progress through security clearances, obtaining EUA access, and other onboarding activities. The ISSO should respond quickly to inquiries or requests from CMS or others in the ISSOaaS program, and let someone know if there are problems or questions. In addition to onboarding logistics, the Service ISSO needs to complete as much CMS-specific training as possible (described below).
Service ISSO training
Service ISSOs joining CMS should receive the same training and support as CMS employee ISSOs (to the greatest extent possible). Details will depend on the workload and duration of services required. Service ISSOs should refer to the CMS Information System Security Officer (ISSO) Handbook as a go-to resource for ISSO responsibilities, activities, policy and guidance, training, and community support.
The ISSOaaS contractor collaborates with ISPG and the Business Owner to determine what formal ISSO training is most suitable for the component’s specific needs. Training activities can often happen in tandem with other onboarding activities. In general, Service ISSOs should expect to utilize the following:
Getting started as a CMS ISSO
- Review CMS ISSO role and responsibilities
- Use the ISSO Scorecard as a quick self-assessment to help you identify areas of training focus
- Watch the CMS ISSO video training series (overview of essential job functions)
- Get an overview of ISSO activities at CMS
- Bookmark the ISSO toolkit as a handy reference for key points of contact, acronyms, important reference documents, and CMS platforms you will use in your daily work
- Consider the ISSO Mentorship Program as a way to get extra support from an experienced CMS ISSO
Role Based Training (RBT)
You will coordinate with your leadership to learn what kind of Role Based Training is required for your position.
Federal policies and guidance
Get familiar with cybersecurity policies and guidance from CMS, HHS, NIST, and other authorities. You can see information about the most important federal guidance in the ISSO Toolkit.
CMS and HHS cybersecurity training
If you need specialized training for your assigned role, there are many offerings available from CMS and HHS that you can access for free. Learn about training opportunities here.
ISSO meetings and community
You will have a regular monthly check-in with ISPG, the Service ISSO team, and ISSOaaS contract leadership. Additionally, you should plan to attend the monthly CMS Cybersecurity Community Forum, an important source of current information for all CMS staff and contractors with security and privacy responsibilities.
Collaboration and relationships
It’s essential that you build relationships with your Business Owner, your Cyber Risk Advisor (CRA), and other security and developer staff. Collaboration with your portfolio team – both CMS staff and contractors – is key to a successful engagement as a Service ISSO.
Service ISSO engagement
The success of a Service ISSO engagement depends on frequent communication among all stakeholders. ISPG schedules recurring meetings to gauge satisfaction and determine if any areas need improvement. Regular meetings during the engagement include:
- Satisfaction sessions with Business Owners (as needed)
- Meetings with Service ISSO Lead(s) for check-in and support (weekly)
- Meetings with Service ISSOs for check-in and support (monthly)
- Meetings with contract leads to ensure Role Based Training (RBT) requirements are satisfied (as needed)
ISPG also ensures that Service ISSOs (along with CMS employee ISSOs) have access to supportive resources such as the CMS Cybersecurity Community Forum and the CMS Information System Security Officer (ISSO) Handbook.
Service ISSO off-boarding
At the conclusion of an engagement, ISPG coordinates with the Business Owner for transition activities where appropriate. The ISSOaaS contractor ensures that a smooth off-boarding process occurs, including recovery of government property such as computer, badge, and any other equipment. The contractor updates the ISSO Information Card constructed during onboarding, and retains the completed form.
Service ISSO qualifications
When ISPG and the ISSOaaS contractor are seeking a Service ISSO suitable for the needs of a CMS component, the following qualifications serve as a guide. (Specific skills and level of experience will be driven by the extent and duration of ISSO services required.) In general, an ISSO should have proven skills and knowledge in the following areas:
Cybersecurity federal standards and best practices
- Comprehensive and expert knowledge of FISMA/NIST/RMF methodology, professional standards, policies, directives, guidance, concepts, procedures, principles, practices, and assessment and evaluation criteria, as related to Federal information systems security controls and auditing requirements.
- Thorough knowledge of Federal legislation related to information technology, computer security, government performance measurement, fiscal management and contracting.
Information technology (IT)
Expert knowledge of information technology architecture, hardware, software, networking, communications, data collection/dissemination, and security of data practices.
Information security disciplines
Thorough knowledge of information security disciplines including threats to and vulnerabilities of computer and data communications systems, safeguards (counter measures) which can be utilized to protect sensitive/critical information resources, and methodologies for developing and implementing contingency plans for disaster recovery. Extensive knowledge of the roles of various organization units for ensuring adequate security and safety of information resources.
Information security program evaluation / testing / planning
- Knowledge of information systems security concepts and methods, multiple IT disciplines, enterprise IT architecture, and project management principles and methods sufficient to:
- Review and evaluate program’s security incident response policies
- Identify need for changes based on new security technologies or threats
- Test and implement new policies
- Institute measures to ensure awareness and compliance
- Knowledge of, and ability to conduct, security program planning at higher organizational levels in terms of applying policy direction to specific operating requirements and the development of strategies and policy implementation guidance.
- Ability to use knowledge in key decision-making and policy-developing responsibilities in difficult assignments such as planning for significantly new or far reaching security program requirements.
Risk assessment and mitigation for new or existing systems
Knowledge of information systems security principles, concepts, and methods, the infrastructure protection environment, and interrelationships to multiple IT disciplines sufficient to:
- Review proposed new systems, networks, and software designs for potential security risks
- Recommendations for mitigation or countermeasures
- Resolve integration issues related to the implementation of new systems within the existing infrastructure.
Information security leadership and communication
- Mastery of and skill in applying policy and planning concepts and practices, interrelationships of multiple IT disciplines; and project management methods sufficient to manage communities of interest involved in the development and implementation of workable approaches to IT architecture and other IT related legislative and policy initiatives.
- Mastery and skills in applying the principles of management sufficient to develop long-range plans for IT security systems that anticipate, identify, evaluate, mitigate, and minimize risks associated with IT systems vulnerabilities.
- Demonstrated ability to present clear and concise presentations (oral and written) and to communicate effectively with government, contractors, and applicable business entity representatives.