About
Last Reviewed: 6/27/2025
CyberGeek is a library of resources for information security and privacy at CMS.
What is CyberGeek?
The CyberGeek website is a one-stop resource for everything related to the Information Security and Privacy Program at the Centers for Medicare & Medicaid Services (CMS).
“Information security and privacy” means that CMS properly protects the sensitive data entrusted to CMS by the people and organizations who participate in our healthcare programs. We make sure that all CMS systems handling this type of data have met federal security requirements and are granted official Authorization to Operate (ATO).
CMS maintains comprehensive security policies to protect sensitive data and systems. The CyberGeek website centralizes these requirements in an approachable and user-friendly format, helping staff efficiently implement strong security practices across all CMS systems.
Who is this website for?
CyberGeek is intended as a resource for CMS employees and contractors who work on information systems and applications. This includes:
- Information System Security Officers (ISSOs) who must ensure security and privacy compliance for systems entrusted to their care.
- Business and System Owners, Program Managers, and portfolio teams who are held accountable for the security of the sensitive information collected and used by their systems.
- Cyber Risk Advisors, who must remain up to date on CMS programs and standards for cyber risk management so they can support system teams with compliance activities.
- Application Development Organization (ADO) teams who design, build, and maintain the applications that power CMS services. They need guidance on the “CMS way” of meeting federal requirements for information security.
The CyberGeek website is public-facing (it doesn’t require a CMS-authenticated login) so that anyone who needs to interact with the Information Security and Privacy Program can quickly access essential resources. Learn more about our reasons for this approach.
What will I find here?
CyberGeek is a searchable library for everything related to information security at CMS, including:
- Compliance requirements and security policies specific to CMS systems
- Handbooks and guidance to help people accomplish their security tasks
- Programs that support a proactive risk management approach at CMS
- Role-based information to help all CMS stakeholders find what they need
- Links to federal policies and guidance that impact CMS information security
- Latest articles and updates on CMS security and privacy topics
- Links to security awareness resources and required cybersecurity training for everyone who works at CMS
If you can’t find something that you think should be located here, please let us know by filling out our feedback form.
Frequently asked questions
Is CyberGeek authoritative? How do I know what is “official” policy or guidance?
The CyberGeek website is the home of the CMS Information Security and Privacy Program, which carries the authority of the CMS Chief Information Security Officer (CISO). The policies and guidance on CyberGeek are the most current and trusted information available. The website is reviewed and updated on a regular basis by CMS security and privacy staff.
When it comes to policies and guidance that are managed outside of the Information Security and Privacy Program (for example, by other groups within CMS or by other federal agencies), CyberGeek will provide an overview and link, but will not host a copy of the document, in order to avoid version control issues.
Where are the version numbers? How do I know I’m looking at the current version of a document?
Because CyberGeek pages are regularly reviewed and updated by CMS security and privacy staff, the website always reflects the latest version. Look at the top of any page to see when it was last reviewed. You can also visit the CyberGeek blog and filter to posts from the Policy team for details about any policy updates.
Can I get a downloadable PDF of a policy document?
CyberGeek is modernizing security and privacy information at CMS. We avoid using PDF and Word files, and instead provide web pages that can be shared as links. This helps us align with Section 508 standards for accessibility, and ensures that everyone is using the same version of any information. This approach also improves findability by making the content structured and searchable.
Where can I see the record of changes for a document?
Whenever a page is updated on CyberGeek, the change is automatically recorded in the content management system. This internal change log meets CMS requirements for record-keeping and will be available to CMS staff if needed for historical reference and review.
For everyone else, the CyberGeek blog will have the latest updates about policies, procedures, and programs for CMS cybersecurity. These posts provide timely, authoritative information about any changes that affect your daily work. You can also sign up for CyberGeek Updates – a bi-monthly email digest of the latest changes on the site.
Contact us
The CyberGeek website is managed by the CMS Information Security and Privacy Group (ISPG) within the CMS Office of Information Technology (OIT). We depend on input from our stakeholders to improve the website and make sure it meets your needs.
If you have questions or comments about the site, you can:
- Fill out our feedback form
- Email the Security and Privacy Policy Team: CISO@cms.hhs.gov
- Join the #ispg-cybergeek channel in CMS Slack
Our goal is to help you along the way as you work on your piece of the innovative service delivery that CMS provides to the public. The CyberGeek website is a crucial part of this promise to our customers. It’s designed to support a more informed and efficient experience with CMS cybersecurity — ultimately resulting in stronger protection for CMS information and systems.