The CCIC uses data to address incidents through risk management and monitoring activities across CMS
What is the CCIC?
The CMS Cybersecurity Integration Center (CCIC) is the hub of cybersecurity strategy and response at CMS. The CCIC works with System/Business Owners, ISSOs, CRAs, and Data Guardians to manage how cyber threats are found and understood throughout our agency and works to educate users about best practices in continuous monitoring, risk management, and cybersecurity.
Do you need to report an incident? The ServiceNOW Catalog provides a space to quickly create a ticket, which will be sent to the CCIC for review.
The CCIC is owned and managed by the Information Security and Privacy Group (ISPG) and is responsible for the following activities as determined by the CMS Information Systems Security and Privacy Policy (IS2P2):
- Identifying cyber threats
- Disseminating cybersecurity advisories and guidance
- Coordinating incident response activities in response to ongoing threats
- Developing containment and mitigation approaches for cyber threats
- Defining minimum interoperable defensive technology requirements for CMS systems
- Reporting CMS information security and privacy incidents and breaches to HHS
- Performing malware analysis and advanced analytics
- Adhering to federal law, regulations, mandates, and directives for continual assessment and incident response activities
- Defining information security and privacy requirements for all phases of the system development life cycle (SDLC)
- Validating incident response processes and procedures
- Defining reporting metrics for Penetration Testing, continuous monitoring, incident and breach response, and cyber threat intelligence
The CCIC is made up of a collection of resources and teams that provide continuous monitoring, incident response, and threat intelligence services to System Teams across the enterprise and access to the following resources:
Security Operations Center (SOC)
The ISPG Security Operations Center (SOC) provides 24/7/365 continuous monitoring for FISMA systems throughout CMS. The teams within the SOC serve as a second set of eyes for security operations teams across the agency. System Teams throughout CMS can benefit from the services offered by the SOC, including:
SOC-as-a-Service
As the premier SOC at CMS, the ISPG SOC provides resources and training to System Teams across CMS. The "SOC-as-a-Service" was designed to provide SOC services and capabilities to CMS FISMA System Teams that cannot provide those capabilities themselves or that do not wish to incur the cost of providing them directly. Systems are onboarded to the ISPG SOC through a Memorandum of Understanding (MOU), which gives the system a direct response channel for incidents, breaches, and threats. With improved access to information, tools, and resources, teams can develop better response capabilities.
Access the latest tools and resources for your FISMA system -- connect with the SOC to onboard your team.
Threat Hunting Services
Threat Hunting Teams within the SOC routinely conduct different types of cyber hunts, looking for bad actors and threats. These teams proactively look for signs of compromise within CMS FISMA systems and provide reports to System Teams describing appropriate mitigations and procedures to close the gaps that expose those systems to threats.
Content Creation and Management Services
The Content Creation and Management Team provides subject-matter expertise in producing alert signatures, establishing dashboards, and developing reports over data sets. Using Splunk, SOC Content Developers create signatures, search for known threats, and generate new alerts based on new indicators of compromise.
Marketplace SOC
Outside of open enrollment, the Marketplace SOC reports twice per week on attacks against the various parts of the Marketplace. Members of this team review data to identify weaknesses in FISMA systems across CMS. They then help System Teams drive Plans of Action and Milestones (POA&Ms) to closure before open enrollment begins and provide risk management services for POA&Ms.
Insider Threat
Some threats to CMS systems and data do not come from external bad actors, but from CMS employees or contractors. Whether intentional or unintentional, these threats need to be handled strategically by the organization. The Insider Threat Team within the SOC coordinates and shares information with the Division of Strategic Information (DSI) to triage insider threats and plan for appropriate response and mitigation efforts.
Phishing Prevention Analysis
Working with the Training and Awareness Team, this SOC service triages reports of phishing activity across CMS. When users report suspected phishing (using the Cofense button on the ribbon of their Outlook email), the SOC analyzes each report and makes recommendations or takes specific action based on the findings.
ServiceNOW Security Incident Response
This service within the SOC supports Incident Response Breach Response (IRBR) activities with improved ticketing that shortens response time. It also helps System Teams improve their overall incident response capabilities and keep the content of their tabletop exercises current and accurate.
Incident Management
The Incident Management Team (IMT) is responsible for incident response at CMS. It triages tickets that reach the service desk when there is a potential compromise of the security of CMS systems or data. The IMT helps speed response and supports System Teams in handling incidents appropriately.
Penetration Testing
The CCIC is the home of ISPG's in-house Penetration Testing Team. Penetration Testing (PenTesting) identifies areas where system security has been compromised or could be compromised in the future. A test is designed to proactively identify the methods that bad actors might use to circumvent security features. It often involves launching real attacks on real systems and data, using the tools and techniques that attackers commonly employ.
The ISPG Penetration Testing Team is already familiar with the CMS FISMA systems it tests, so it is a good place to start for your Penetration Testing needs.
Forensics
The Forensics Team offers memory and disk forensics and malware analysis for CMS FISMA systems. With the data and evidence gathered, the Forensics Team can determine the source of an attack, identify the malware used, and understand the attacker's techniques. This information can be used in internal incident response efforts and shared with the Office of the Inspector General (OIG). The Forensics Team will also work with System Teams to strengthen security defenses after an attack.
Cyber Threat Intelligence
The Cyber Threat Intelligence Team was created to identify emerging cyber threats in the healthcare sector. Its analysts monitor the dark web and other sources to find bad actors and threats before they materialize and impact CMS systems.
Vulnerability Analysis
The Vulnerability Analysis Team provides compliance and vulnerability scans for FISMA systems across CMS. Using external-facing tool sets such as DB Protect and Invicti, the team initiates system scans every 72 hours to assess the overall security posture of each system. It shares the vulnerability scan data with System Teams so that teams have the information they need to make decisions about their systems.
CCIC Engineering
The CCIC Engineering Team helps build and test tools used by System Teams across the enterprise. As part of this work, it runs proofs of concept with outside vendors and tools to identify which might be a good fit for use at CMS. This team also creates, reviews, and manages network monitoring tools for all of CMS.
Connecting with the CCIC
CMS System Teams can find many of the resources, services, and tools offered by the CCIC in the ServiceNOW catalog. Teams are encouraged to review the available resources and engage with the CCIC early and often to ensure that they understand the correct procedures to follow in the event of an incident, breach, or cyber threat.
Review offerings from the CCIC in the ServiceNOW catalog (VPN required).