About ISPG CyberGeek

CyberGeek is the home of the CMS Information Security and Privacy Group (ISPG)

Contact: CISO Team | CISO@cms.hhs.gov
CMS Slack Channel
  • #ispg-cybergeek

What is ISPG CyberGeek?

The CyberGeek website is provided by the CMS Information Security and Privacy Group (ISPG) as a one-stop resource for everything related to information security and privacy at CMS. The site is designed to be searchable and user-friendly, making cybersecurity more approachable for CMS stakeholders, contractors, and staff. 

CyberGeek aims to:

  • Point people to the resources and information they need to accomplish their tasks
  • Provide information that is current, authoritative, and easy to understand
  • Replace and expand upon the CMS Information Security and Privacy Library
  • Keep people informed about the latest cybersecurity news and events at CMS

Give feedback

We depend on your input to make sure CyberGeek is meeting the needs of our stakeholders. Please take a moment to let us know how we’re doing.

Take the survey

About ISPG

The Information Security and Privacy Group (ISPG) is within the CMS Office of Information Technology (OIT). ISPG provides the policies, programs, and services that support system authorization and compliance, cyber risk management, and a security awareness culture at CMS. It’s our job to protect the sensitive data provided to CMS by the millions of Americans who entrust us with their personal and healthcare information.

At ISPG we serve as the gatekeepers of information security, working with many people across CMS (both federal employees and contractors) throughout a system’s lifecycle – from the moment a new system idea is submitted for consideration, all the way through to its authorization, operation, and retirement. It’s our goal to help you along the way – not to slow you down – as you work on your piece of the innovative service delivery that CMS provides to the public.

The CyberGeek website is a crucial part of this promise to our customers. It’s designed to support a more informed and efficient experience with CMS cybersecurity – ultimately resulting in stronger protection for CMS information and systems.

What will I find here?

CyberGeek aims to serve as a one-stop resource for everything related to information security and privacy at CMS. This includes:

  • Compliance requirements and security policies specific to CMS FISMA systems
  • Handbooks and procedural guidance to help people accomplish their tasks
  • Innovative programs that support a proactive risk management approach at CMS
  • Role-based information to help our various customers quickly find what they need
  • Links to related programs, tools, and services (both from ISPG and other groups)
  • Latest news, events, and updates on CMS security and privacy topics

If you can’t find something that you think should be located here, please let us know by filling out our feedback form.

Frequently asked questions

Is CyberGeek authoritative? How do I know what is “official” policy or guidance?

The CyberGeek website is meant to serve as the authoritative voice for ISPG, providing the latest policies and official guidance related to information security and privacy at CMS. The pages on CyberGeek are reviewed and updated on a regular basis by ISPG staff.

However, aside from the IS2P2 and the ARS, it’s worth noting that most of the information published by ISPG is procedural guidance as opposed to formal policy / standards. Learn about the difference here.

When it comes to policies and guidance that are not managed by ISPG, CyberGeek will provide an overview and link to the document (or tell you where you can access it) – but will not host a copy of the document, in order to avoid version control issues. Examples include:

  • Federal policies and guidance (HHS, DHS, NIST, OMB, FISMA)
  • CMS policies or guidance outside of ISPG (Office of the CIO, Infrastructure and User Services Group (IUSG), CMS component-specific documentation, etc.)

Where are the version numbers? How do I know I’m looking at the current version of a document?

Because CyberGeek pages are regularly reviewed and updated by ISPG staff, the website always reflects the latest version. For policy and guidance documents, look at the top of the page to see when it was last reviewed. 

News and updates from ISPG have a publication date at the top of the page, and should be considered as supplementary information to help you better understand cybersecurity policies and programs. 

Some formal policy documents – like the ARS – still have a version number, but most pages on the site are simply updated in real time, so version numbers are no longer necessary. Everyone has access to the latest version at all times.

Where can I see the record of changes for a document?

Whenever a page is updated on the ISPG CyberGeek website, the change is automatically recorded in the content management system. This internal change log meets CMS requirements for record-keeping and will be available to ISPG staff if needed for historic reference and review.

For everyone else, the ISPG blog will have the latest updates about policies, procedures, and programs for CMS cybersecurity. These posts provide timely, authoritative information about any changes that affect your daily work.

Does CyberGeek contain sensitive (non-public) information?

The majority of information on the ISPG CyberGeek website is open to the public. This supports our commitment to:

  • Promote government transparency (at an appropriate level)
  • Remove blockers for contractors and others who need to access cybersecurity information
  • Provide a public example of how government policies can be made approachable using human-centered design and plain language 

However, there is some information (such as detailed documentation for security tools / methods) that should be kept to the internal CMS audience. In those cases, CyberGeek gives a brief overview of the subject and provides a link that requires a CMS login to access.

Where are the superscripts / footnotes?

Information on CyberGeek is published as navigable, searchable web content – not as static PDFs – so things may look a little different than they used to. Before the modern web evolved to where it is today, authors used footnotes to reference other documents. Now, an inline link can be used to refer to another page or document. 

For example: "The CMS CIO, CISO, and SOP designed this Policy to comply with the NIST 800-53, Revision 5, Program Management (PM) control family."

As you can see, we are able to link to the information we are referencing, instead of placing it as a footnote. The new way is more intuitive for people to navigate and easier to maintain.

I have an idea / question / comment about CyberGeek. Where do I send it?

Great! We depend on input from our stakeholders to improve the website and make sure it meets your needs. You can:

  • Fill out our feedback form
  • Join #ispg-cybergeek in CMS Slack to learn about new features or make suggestions