Skip to main content

ISSO Appointment Letter

Contact: ISSO Support Team | 
slack logoCMS Slack Channel: #cms-isso

Last Reviewed: 6/17/2025

An official document that outlines the responsibilities to be completed by the ISSO on behalf of a specific FISMA System

What is the ISSO Appointment Letter?

The Information System Security Officer (ISSO) role at CMS is responsible for both the technical and the business evaluations for securing information and FISMA systems. The role requires the skills necessary to evaluate technical solutions from an information security perspective and to assess business risks and provide security recommendations to both the Business Owner and technical support staff. Before an ISSO can begin their work on behalf of a FISMA system, an ISSO Appointment Letter must be signed and processed. 

The ISSO Appointment Letter is a document signed by the ISSO, the System/Business Owner, and the Chief Information Security Officer (CISO) that formally authorizes the selected ISSO to perform duties on behalf of a FISMA System. The letter outlines the specific tasks that will be completed by the ISSO on behalf of the system. It also provides a place for both ISSOs and System/Business Owners to attest that the ISSO will protect information and information systems from unauthorized activity and complete their work with confidentiality and integrity.

To complete the ISSO Appointment Letter, the ISSO and System/Business Owner must download and fill out the ISSO Appointment Letter Template. 

Instructions for ISSOs

Follow these steps to download and complete the portion of the ISSO Appointment Letter for which you are responsible.  At the completion of the document, forward your completed document to your Program Executive/Business Owner.

  1. Download the ISSO Appointment Letter Template.
  2. Complete questions on pages 3 and 4, and the top box on page 5.
  3. Digitally sign the form.
  4. Submit the signed appointment letter template to your Program Executive/Business Owner so they can fill out their part (after which they will send it back to you).
  5. Submit the letter to your Cyber Risk Advisor (CRA), who will take it to the Information Security and Privacy Group (ISPG) for processing.

Instructions for Business Owners

Follow these steps to review and complete the portion of the ISSO Appointment Letter for which you are responsible:

  1. You will receive an email from your ISSO with an attachment.
  2. Open the file and review your ISSO’s responses to the information requested. Complete the rest of the information requested on page 5.
  3. Also on page 5, digitally sign the document.
  4. When you sign the document, you will be asked to save the document to your computer. Save it, but do not rename it. At this point the file will have the same name that it had when it was forwarded to you.
  5. Once you have saved your file, email it back to your ISSO appointee.
  6. Your actions are now complete. The ISSO appointee will submit to ISPG via their CRA, and the appointment letter will be processed. 

Questions?

If you have questions or need assistance, contact the CISO helpdesk: CISO@cms.hhs.gov