ISSO Appointment Letter
An official document that outlines the responsibilities to be completed by the ISSO on behalf of a specific FISMA System
- #cms-isso
What is the ISSO Appointment Letter?
The Information System Security Officer (ISSO) role at CMS is responsible for both the technical and the business evaluations for securing information and FISMA systems. The role requires the skills necessary to evaluate technical solutions from an information security perspective and to determine the business risks in order to justify decisions to both the Business Owner and the technical support staff. Before an ISSO can begin their work on behalf of a FISMA system, an ISSO Appointment Letter must be signed and processed.
The ISSO Appointment Letter is a document signed by the ISSO, the System/Business Owner, and the Chief Information Security Officer (CISO) that formally authorizes the selected ISSO to perform duties on behalf of a FISMA System. The letter outlines the specific tasks that will be completed by the ISSO on behalf of the system. It also provides a place for both ISSOs and System/Business Owners to attest that the ISSO will protect information and information systems from unauthorized activity and complete their work with confidentiality and integrity.
To complete the ISSO Appointment Letter, the ISSO and System/Business Owner must download and fill out the ISSO Appointment Letter Template.
Instructions for ISSOs: Appointment Letter Template
Follow these steps to download and complete the portion of the ISSO Appointment Letter for which you are responsible. At the completion of the document, forward your completed document to your Business Owner. There are screenshots at the end of the document to reinforce the instructions.
WARNING: Please follow the instructions carefully. You will note that there is a “Submit” button at the top of your form. Do not press that button, or your appointment letter will be received without all of the necessary data, and this process will need to be repeated.
- Download the ISSO Appointment Letter Template
- After you download the template, open the file. Read the document through Page 5. Answer the questions beginning on Page 7.
- Complete all of the questions relevant to ISSOs through page 9. At the bottom of page 9, digitally sign the document.
- When you digitally sign the document, you will be asked to save the document to your computer. Save it, and append your name to the end of the file name. Example: If your name is John Smith, save your digitally signed file as ISSO_Appointment_Template_2.02 JSmith.
- Once you have saved your file, email it to your Business Owner for their approval and routing. Your actions are now complete.
- If you have questions, please contact the CISO Help Desk.
Instructions for Business Owners: Appointment Letter Template
Follow these steps to review and complete the portion of the ISSO Appointment Letter for which you are responsible. At the completion of the document, forward your completed document to ISPG for final processing.
WARNING: Please follow the instructions carefully. You will note that there is a “Submit” button at the top of your form. Do not press that button, or your ISSO appointment letter will be received without all of the necessary data, and this process will have to be repeated.
- You will receive an email from your ISSO with an attachment whose name begins with the text “ISSO_Appointment_Template_2.02”, with their name appended to the file name. Example: If your ISSO’s name is John Smith, the attachment should be named “ISSO_Appointment_Template_2.02 JSmith” or something very similar.
- Open the file and review your ISSO’s responses to the information requested. Complete the rest of the information requested.
- At the bottom of page 9, digitally sign the document.
- When you sign the document, you will be asked to save the document to your computer. Save it, but do not rename it. At this point the file will have the same name that it had when it was forwarded to you.
- Once you have saved your file, email it to the ISPG ISSO Mailbox.
- Your actions are now complete. ISPG will process the Appointment Letter and ensure that it is entered into CFACTS.
Related documents and resources
Guidance to help ISSOs in their daily work, including role descriptions, resources, points of contact, and training
CFACTS is a CMS database that tracks application security deficiencies and POA&Ms, and supports the ATO process
FISMA is federal legislation that defines a framework of guidelines and security standards to protect government information and operations