Cybersecurity and Privacy Training
A collection of cybersecurity training and resources available from CMS, other federal agencies, and trusted industry partners
CMS Awareness and Training Guide
Introduction
CMS is dedicated to protecting the confidentiality, integrity and availability of its information systems and data. The Awareness and Training program ensures all CMS employees, contractors and stakeholders understand their roles and responsibilities in recognizing and reporting threats to CMS data and information systems.
Training Scope & Compliance
This training applies to all federal employees, contractors, interns and others acting on behalf of CMS. The curriculum aligns with federal standards and policies, including:
- NIST SP 800-53 Rev 5 (https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final)
- HHS Policy for Cybersecurity Awareness and Training (https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/security-awareness-training/index.html)
- CMS Information Systems Security & Privacy Policy (IS2P2) (https://security.cms.gov/policy-guidance/cms-information-systems-security-privacy-policy-is2p2)
Role-Based Training (RBT)
Role-Based Training (RBT) is designed specifically for CMS roles with significant security and privacy responsibilities. Course content is updated annually or whenever major system or policy changes occur. Personnel assigned to these roles receive initial training upon assignment and must then complete RBT annually, and again whenever major system or policy changes occur. Training topics include:
- Best cybersecurity practices
- Incident response strategies
- Physical security measures
- Personally Identifiable Information (PII) processing and protection
Literacy Training and Awareness
CMS delivers cybersecurity awareness and literacy training through a variety of methods to educate users on recognizing and reporting threats such as phishing, social engineering, insider threats and anomalous system behavior. These methods include:
- Computer-Based Training (CBT) for users with Enterprise User Administration (EUA) accounts, with reminders for renewal and consequences for non-compliance.
- Simulated phishing campaigns to test and educate users on social engineering tactics.
- Awareness campaigns that include email advisories, informational posters, login screen messages, and security-themed events.
Awareness and Training Services and Practices at CMS
The following training is offered and delivered by the CMS Awareness and Training team to ensure the implementation of cybersecurity awareness and training aligns with applicable regulations, policies, and procedures.
Mandatory Training Requirements
CMS Information Systems Security and Privacy Awareness (ISSPA) Course
All CMS users must complete ISSPA training. It covers the basics of information security and privacy and must be completed before a user is granted access to any CMS system, and annually thereafter to maintain that access.
- Includes acknowledgment of Rules of Behavior (RoB).
- CMS enforces compliance with training requirements by tracking completion and revoking system access for users who do not comply.
(https://cms-lms.usalearning.net/)
Social Engineering Awareness
CMS actively educates personnel on the risks associated with social engineering and phishing attacks. Training addresses common social engineering tactics including:
- Phishing attempts
- Pretextual phone calls (vishing)
- Tailgating (physical security breaches)
- Deceptive communications designed to manipulate personnel into divulging confidential information.
https://cms-lms.usalearning.net/course/
Insider Threat Awareness
CMS provides training to ensure personnel understand and can recognize insider threats, emphasizing the identification of indicators such as:
- Attempts to access unauthorized information
- Unusual employee behaviors
- Unexplained wealth or debts
- Open dissatisfaction with work
- Working unusual hours
https://cms-lms.usalearning.net/course/
Recognizing Anomalous System Behavior
CMS teaches personnel how to detect and respond to anomalous system behavior including:
- Multiple failed login attempts followed by success.
- Logins from unusual geographic locations.
- Unexpected or unsolicited emails from unfamiliar senders, especially those impersonating known sponsors or contractors.
- Emails containing poor grammar, urgent threats, or requests for sensitive, non-job-related information.
- Spikes in data transfers or unauthorized configuration changes.
Training also reinforces proper incident reporting procedures to mitigate potential breaches.
(https://cms-lms.usalearning.net/)
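The first, second and fifth indicators above are the kind of thing a defender can check mechanically before a human ever looks at the alert. The following Python is an added illustration, not CMS training material or code from any CMS system: it runs three simple detections over a handful of constructed authentication and transfer log lines (the log format, the thresholds, and the per-user "usual country" baseline are all assumptions chosen for the example).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real CMS data). One event per line:
#   <ISO-8601 timestamp> <event kind> <user> <source country> <bytes transferred>
SAMPLE_LOG = """\
2024-05-01T08:00:01Z LOGIN_FAIL alice US 0
2024-05-01T08:00:05Z LOGIN_FAIL alice US 0
2024-05-01T08:00:09Z LOGIN_FAIL alice US 0
2024-05-01T08:00:12Z LOGIN_FAIL alice US 0
2024-05-01T08:00:15Z LOGIN_FAIL alice US 0
2024-05-01T08:00:20Z LOGIN_OK alice US 0
2024-05-01T09:15:00Z LOGIN_OK bob US 0
2024-05-01T09:16:00Z LOGIN_OK bob RU 0
2024-05-01T10:00:00Z TRANSFER carol US 120000
2024-05-01T10:05:00Z TRANSFER carol US 130000
2024-05-01T10:10:00Z TRANSFER carol US 9800000
"""

# Assumed tuning values; a real deployment would derive these from its own baselines.
FAIL_THRESHOLD = 5                      # failures before a success becomes suspicious
FAIL_WINDOW = timedelta(minutes=10)     # failures older than this are ignored
TRANSFER_SPIKE_FACTOR = 10              # transfer > factor * user's running average
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}  # assumed baseline


def parse_log(text):
    """Turn the whitespace-separated sample format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, user, country, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "kind": kind, "user": user, "country": country, "bytes": int(nbytes),
        })
    return events


def detect_failures_then_success(events):
    """Indicator 1: a successful login preceded by many recent failures for the same user."""
    alerts, recent_fails = [], defaultdict(list)
    for e in events:
        if e["kind"] == "LOGIN_FAIL":
            recent_fails[e["user"]].append(e["ts"])
        elif e["kind"] == "LOGIN_OK":
            in_window = [t for t in recent_fails[e["user"]] if e["ts"] - t <= FAIL_WINDOW]
            if len(in_window) >= FAIL_THRESHOLD:
                alerts.append((e["user"], len(in_window)))
            recent_fails[e["user"]].clear()   # a success resets the counter
    return alerts


def detect_unusual_location(events, usual=USUAL_COUNTRIES):
    """Indicator 2: a successful login from a country outside the user's known set."""
    return [(e["user"], e["country"]) for e in events
            if e["kind"] == "LOGIN_OK" and e["country"] not in usual.get(e["user"], set())]


def detect_transfer_spikes(events, factor=TRANSFER_SPIKE_FACTOR):
    """Indicator 5: a transfer far larger than the user's running average so far."""
    alerts, history = [], defaultdict(list)
    for e in events:
        if e["kind"] != "TRANSFER":
            continue
        past = history[e["user"]]
        if past and e["bytes"] > factor * (sum(past) / len(past)):
            alerts.append((e["user"], e["bytes"]))
        past.append(e["bytes"])
    return alerts


def run_all(text=SAMPLE_LOG):
    """Run every detection over a log and return the alerts grouped by indicator."""
    events = parse_log(text)
    return {
        "failures_then_success": detect_failures_then_success(events),
        "unusual_location": detect_unusual_location(events),
        "transfer_spike": detect_transfer_spikes(events),
    }


if __name__ == "__main__":
    for indicator, hits in run_all().items():
        print(f"{indicator}: {hits}")
```

Each detector returns the affected user with the evidence (failure count, country, byte count) rather than just a flag, because that evidence is what the reporting step described in the training needs. The thresholds are deliberately separate constants: tuning them against real baselines, not the detection logic itself, is where most of the effort goes in practice.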
Advanced Persistent Threats (APT)
APTs are highly skilled attackers who gain unauthorized access to networks and remain undetected for extended periods. Training educates CMS personnel on recognizing the sophisticated methods APTs use to infiltrate the organization, including:
- Phishing and spear phishing emails
- Social engineering techniques
- Zero-day exploits
- AI-driven attacks
Protecting Personally Identifiable Information (PII)
CMS provides training for identified personnel involved in handling Personally Identifiable Information (PII) upon their assumption of assigned roles and annually thereafter. These CMS personnel are trained to understand the types of information that may constitute PII, and the risks, considerations and obligations associated with its processing.
Training includes:
- Proper handling, storage, sharing, and disposal of PII.
- Transparency and legal obligations related to data handling.
- Compliance with federal regulations.
(https://cms-lms.usalearning.net/)
Training Records and Compliance
Effective cybersecurity training relies on meticulous record-keeping and robust compliance measures. CMS training programs maintain the following practices:
- CMS tracks all training completions through cms-lms.usalearning.net.
- RBT records for federal personnel must be retained for at least five (5) years to comply with NARA General Records Schedule (GRS).
- Training coordinators and contracting officers monitor compliance and issue reminders for overdue training.
CMS monitors training effectiveness through employee feedback surveys, audit findings and lessons learned from security incidents, and annual program evaluations and updates. CMS employees and contractors are also encouraged to provide feedback directly to the CMS Information Security and Privacy Group (ISPG) Cybersecurity Training and Awareness Team at CMSISPGTrainers@cms.hhs.gov.
Conclusion
Awareness and Training is central to CMS’s strategic cybersecurity initiative. It empowers stakeholders to actively participate in protecting CMS’s information systems, effectively manage security risks, and respond swiftly to cybersecurity incidents, enhancing overall security and privacy across CMS.
Security & Privacy Training Handbook
This handbook is your resource for cybersecurity and privacy training at CMS - including how to take the required annual ISSPA training.
Top documents and resources
Find the right cybersecurity training for your role, and learn how to do your part to keep CMS systems secure and safe
An annual CMS-wide event to promote knowledge sharing and awareness in the ever-changing digital security landscape
From April - October, a series of events is open to everyone at CMS to improve digital safety at work and beyond