Public if possible: ISPG’s commitment to customers
Why is the ISPG website (CyberGeek) open to the public?
When we set out to provide one authoritative home for CMS security and privacy information, ISPG leadership decided to make this information “public if possible”. That means instead of putting things behind a CMS login barrier by default, we go through a careful process to determine whether the information can safely be made public. If so, it is published here on our website. There are many benefits to this approach:
The CMS Information Security and Privacy Library is retired: 3 things to do now
The Information Security and Privacy Group (ISPG) has a new website — known as “CyberGeek” — that is now your first stop for security and privacy information! Visit CyberGeek at security.cms.gov to learn about the policies, programs, and tools that help keep CMS information and systems safe.
CMS Guide to Federal Laws, Regulations, and Policies
There are federal laws, regulations, and policies outside of CMS that shape how security and privacy are managed inside CMS. This page contains a comprehensive list of these external requirements and shows how they relate to the security and privacy policies and guidance at CMS.
DISCLAIMER:
CMS Key Management Handbook
Background
This handbook aligns with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-57 series (Recommendation for Key Management), the CMS Information Systems Security and Privacy Policy (IS2P2), and the CMS Acceptable Risk Safeguards (ARS).
Read the CMS ISSO Journal
What is the ISSO Journal?
The ISSO Journal was established to share knowledge among CMS Information System Security Officers (ISSOs) and to promote ongoing role-based education. As the publication has evolved, it now serves the entire CMS cybersecurity community with the latest insights on security and privacy topics. It covers cybersecurity trends and developments at CMS to support ISSOs and decision makers alike.
Template management is changing at ISPG: what you need to know
The debut of CyberGeek has allowed ISPG to re-evaluate the way we publish and manage our core documents. CyberGeek is now the official ISPG website and the single source of truth for security and privacy at CMS. It provides:
The 7 Tenets of Zero Trust for ISSOs and ADOs
In NIST Special Publication 800-207, Zero Trust Architecture, NIST identified seven tenets that form the foundation of Zero Trust. The Zero Trust Workgroup at CMS has applied these tenets to CMS IT. CMS has many initiatives that support Zero Trust architecture, so engaging with them early can set your project up for a more mature Zero Trust architecture in the future and increase security now.
Zero Trust Maturity Model, Version 2: now with less trust!
In April 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released version two of its Zero Trust Maturity Model (ZTMM). This version incorporates feedback from experts and the community in response to the initial June 2021 draft. CISA has kept its conceptual view of a Zero Trust Architecture (ZTA), with five pillars (Identity, Devices, Networks, Applications and Workloads, Data) and three cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, Governance). However, it has substantially revised the functions that make up each pillar and capability and the maturity stages used to assess them.
Evaluating Threat Modeling Methodologies
Threat modeling is a key technique cybersecurity professionals use to identify, prioritize, and mitigate potential threats and vulnerabilities in their systems and applications, and it is an essential part of any organization's risk management strategy. Several threat modeling methodologies are used in the industry; three of the most common are STRIDE (a taxonomy of threat categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege), DREAD (a scheme for rating the risk of each identified threat), and PASTA (a seven-stage, risk-centric process that ties threats to business impact).
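To make the "identify, then prioritize" step concrete, here is an added example (not code from CMS, ISPG, or the CyberGeek page) that enumerates STRIDE threats per element of a small data-flow diagram and then ranks the ones an analyst has rated with DREAD. The element-to-STRIDE table is the standard STRIDE-per-element mapping from Microsoft SDL threat modeling practice; the DFD elements, the DREAD ratings, and the names used below are constructed for illustration only.

```python
"""STRIDE-per-element enumeration with DREAD prioritisation (added example).

Assumptions (not from the page): the toy data-flow diagram `DFD` and the
analyst ratings in `RATINGS` are constructed for illustration.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories apply to each kind of DFD element.
# External entities can be spoofed or repudiate; processes are exposed to all
# six; data stores to T/R/I/D; data flows to T/I/D.
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "datastore": "TRID",
    "dataflow": "TID",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # "external", "process", "datastore", "dataflow"
    crosses_boundary: bool = False  # data flow that crosses a trust boundary

@dataclass(frozen=True)
class Threat:
    element: str
    category: str                   # one STRIDE letter
    crosses_boundary: bool

    @property
    def label(self) -> str:
        flag = " [trust boundary]" if self.crosses_boundary else ""
        return f"{self.element}: {STRIDE[self.category]}{flag}"

# Constructed DFD for a hypothetical web service in front of a database.
DFD = [
    Element("Browser", "external"),
    Element("API", "process"),
    Element("PHI DB", "datastore"),
    Element("Browser->API", "dataflow", crosses_boundary=True),
]

def enumerate_threats(elements):
    """Identify: one Threat per (element, applicable STRIDE category)."""
    return [
        Threat(e.name, c, e.crosses_boundary)
        for e in elements
        for c in APPLICABLE[e.kind]
    ]

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

def dread_score(rating):
    """DREAD risk: mean of the five factors, each rated 1..10."""
    missing = set(DREAD_FACTORS) - rating.keys()
    if missing:
        raise ValueError(f"missing DREAD factors: {sorted(missing)}")
    for f in DREAD_FACTORS:
        if not 1 <= rating[f] <= 10:
            raise ValueError(f"{f} must be in 1..10, got {rating[f]}")
    return sum(rating[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)

# Constructed analyst ratings, keyed by (element, STRIDE letter).
RATINGS = {
    ("Browser->API", "I"): dict(damage=7, reproducibility=9, exploitability=8,
                                affected_users=10, discoverability=8),   # 8.4
    ("Browser", "S"):      dict(damage=6, reproducibility=8, exploitability=7,
                                affected_users=5, discoverability=9),    # 7.0
    ("API", "E"):          dict(damage=10, reproducibility=4, exploitability=5,
                                affected_users=10, discoverability=3),   # 6.4
    ("PHI DB", "I"):       dict(damage=10, reproducibility=5, exploitability=4,
                                affected_users=10, discoverability=2),   # 6.2
}

def rank(threats, ratings):
    """Prioritize: return [(score, threat)] sorted high to low.

    Threats the analyst has not yet rated get 0.0 so they sink to the bottom
    but stay on the list as open work, rather than silently disappearing.
    """
    scored = []
    for t in threats:
        r = ratings.get((t.element, t.category))
        scored.append((dread_score(r) if r else 0.0, t))
    scored.sort(key=lambda st: (-st[0], st[1].element, st[1].category))
    return scored

if __name__ == "__main__":
    for score, t in rank(enumerate_threats(DFD), RATINGS):
        print(f"{score:4.1f}  {t.label}")
```

The enumeration deliberately produces every applicable (element, category) pair, including ones nobody has rated yet; a threat model is only as complete as its unrated residue is visible. Flows that cross a trust boundary are flagged because they are usually where review time is best spent first.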