Information System Security Officer (ISSO)
Overview
As an Information System Security Officer (ISSO) at CMS, you oversee the security posture of the FISMA system(s) assigned to you. Following CMS policies and frameworks for risk management, you help Business Owners and system teams comply with federal regulations for keeping information safe. For a detailed description of ISSO responsibilities, see the CMS IS2P2.
This page provides links to all documents relevant to ISSOs; however, the most important and comprehensive resource for CMS ISSOs is the ISSO Handbook.
For questions or help, contact the ISSO Support and Advocacy team: ISSO@cms.hhs.gov.
All resources in Information System Security Officer (ISSO)
General Information
- Authorization to Operate (ATO)
- Breach Response
- CMS Computer Matching Agreement (CMA)
- CMS Cybersecurity Community (C3) Forum
- CMS CyberWorks
- CMS Enterprise Data Encryption (CEDE)
- CMS Guidance for Security and Privacy Policies
- CMS Information Exchange Agreement (IEA)
- CMS Information Security Advisory Board (CISAB)
- CMS Information System Risk Assessment (ISRA)
- CMS Interconnection Security Agreement (ISA)
- CMS ISSO Journal
- CMS Risk Management Framework (RMF)
- CMS Technical Reference Architecture (TRA)
- CMS Vulnerability Disclosure Program (VDP)
- Data Sharing Agreements
- Email Encryption Requirements at CMS
- Federal Information Security Modernization Act (FISMA)
- Federal Risk and Authorization Management Program (FedRAMP)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- ISSO Appointment Letter
- Ongoing Authorization (OA)
- Password Requirements
- Plan of Action and Milestones (POA&M)
- Privacy Impact Assessment (PIA)
- Rapid Cloud Review (RCR)
- Role Based Training (RBT)
- Security and Privacy Requirements for IT Procurements
- Security Controls Assessment (SCA)
- Security Impact Analysis (SIA)
- Software Bill of Materials (SBOM)
- Supply Chain Risk Management (SCRM)
- System Audits
- Vetting and Credentialing (V&C)
- Zero Trust
Policies and Handbooks
- Access Control (AC)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- CMS Acceptable Risk Safeguards (ARS)
- CMS Breach Analysis Team (BAT) Handbook
- CMS Breach Response Handbook
- CMS Breach Response Plan
- CMS Cyber Risk Management Plan (CRMP)
- CMS Cybersecurity and Privacy Training & Awareness Handbook
- CMS Guide to Federal Laws, Regulations, and Policies
- CMS Information System Security Officer (ISSO) Handbook
- CMS Information Systems Security & Privacy Policy (IS2P2)
- CMS Key Management Handbook
- CMS Plan of Action and Milestones (POA&M) Handbook
- CMS Privacy Impact Assessment (PIA) Handbook
- CMS Privacy Program Plan
- CMS Risk Management Framework (RMF): Assess Step
- CMS Risk Management Framework (RMF): Authorize Step
- CMS Risk Management Framework (RMF): Categorize Step
- CMS Risk Management Framework (RMF): Implement Step
- CMS Risk Management Framework (RMF): Monitor Step
- CMS Risk Management Framework (RMF): Prepare Step
- CMS Risk Management Framework (RMF): Select Step
- CMS Threat Modeling Handbook
- Configuration Management (CM)
- Guidance for Responsible Use of Artificial Intelligence (AI) at CMS
- HHS Policy for Rules of Behavior for Use of Information & IT Resources
- Identification and Authentication (IA)
- Incident Response (IR)
- Information System Contingency Plan (ISCP) Exercise Handbook
- Information System Contingency Plan (ISCP) Handbook
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical & Environmental Protection (PE)
- Risk Assessment (RA)
- Risk Management Handbook Chapter 12: Security & Privacy Planning (PL)
- Risk Management Handbook Chapter 15: System & Services Acquisition
- Risk Management Handbook Chapter 2: Awareness and Training (AT)
- Risk Management Handbook Chapter 8: Incident Response (IR)
- RMH Chapter 16: System & Communications Protection
- RMH Chapter 4: Security Assessment & Authorization
- Security & Privacy Planning (PL)
- Supply Chain Risk Management (SR)
- System and Services Acquisition (SA)
Tools and Services
- Advanced Cybersecurity Concepts
- CMS Cybersecurity Integration Center (CCIC)
- CMS FISMA Continuous Tracking System (CFACTS)
- Continuous Diagnostics and Mitigation (CDM)
- Cyber Risk Reports (CRR)
- Cybersecurity and Risk Assessment Program (CSRAP)
- ISSO As A Service
- ISSO Boot Camp
- ISSO Mentorship Program
- ISSO Mentorship Program: Mentee Guide
- ISSO Mentorship Program: Mentor Guide
- Penetration Testing (PenTesting)
- SaaS Governance (SaaSG)
- Threat Modeling
Latest articles and updates
- 12/18/2025UpdatesFrom Policy
CISO Memo 25-03: ATO requirements for systems migrating to the OIT Hybrid Cloud
Learn about Authorization to Operate (ATO) requirements for CMS systems migrating to the Office of Information Technology (OIT) Hybrid Cloud environment
- 12/16/2025ArticlesFrom Policy
Incident Response at CMS
At CMS, protecting our information systems requires more than just strong defenses, it also demands a prepared, well-coordinated response when incidents occur.
- 12/12/2025ArticlesFrom Policy
Program Management: Strengthening Security and Privacy Across the Enterprise
Program Management (PM) requires strong governance, leadership, and oversight at the enterprise level.