ISSO Bootcamp

Contact: ISSO Support team | CMS Slack Channel: cms-isso

Last Reviewed: 6/3/2025

Live training sessions offered quarterly to equip Security and Privacy Officers at CMS with the knowledge and skills needed for their role

What is the ISSO Boot Camp?

The ISSO Boot Camp is a series of live training sessions that help new ISSOs at CMS gain the baseline knowledge and skills needed for their role of overseeing security and privacy compliance for CMS systems.  

No matter your level of security experience, the Boot Camp will equip you with the foundational knowledge you need to be effective as an Information Security and Privacy Officer (ISSO) at CMS.

Who should attend?

Initially, session space is prioritized for Security and Privacy Officers who are newer to CMS (both federal and contractor). Later sessions will be open to all interested CMS employees.

Register for ISSO Bootcamp

To express interest in attending, send an email to ISSO@cms.hhs.gov.

Training structure and dates

The ISSO Boot Camp is a live, instructor-led training offered quarterly. Sessions are held via Zoom.

Each session is held from 9am – 12pm (Eastern Standard Time) two days a week for three consecutive weeks. 

The upcoming training sessions are:

  • September 09, 11, 16, 17, 23 (2025)
  • December 02, 04, 09, 11, 16 (2025)

Within a quarter, each session builds on the prior material. Attendees should plan to attend all sessions to gain the maximum benefit from the ISSO Boot Camp. 

What will I learn?

The ISSO Boot Camp covers a broad range of topics that establish a strong foundation for being an effective Security and Privacy Officer at CMS.

1. Security Concepts and Principles: Start with the basics: system security definitions and the CIA triad (Confidentiality, Integrity, and Availability), the guiding principles for information security. This is followed by risk and risk response, security controls, and privacy concepts.

2. Introduction to Risk: Explore risks, threats, vulnerabilities, and the calculation of risk (impact and likelihood). Then learn strategies for effectively managing risk.

3. Federal Security Environment: This section covers key federal laws, such as FISMA, and the policies, regulations, and guidelines that govern information security for federal agencies.

4. CMS Security and Privacy Environment: CMS-specific security and privacy policies, including Acceptable Risk Safeguards (ARS), and the roles at CMS with significant security responsibilities.

5. Risk Management Framework (RMF) – Part 1: This section introduces the Risk Management Framework and relates it to the CMS Target Life Cycle (TLC). Learn steps 1-4 of the RMF, including the specific tasks required during each step.

6. Risk Management Framework (RMF) – Part 2: Dive deeper into step 5 of the RMF, including the role of the Cybersecurity and Risk Assessment Program (CSRAP), the ATO process, and system monitoring.

7. Incident Response at CMS: Discusses incident handling, impacts and threat vectors, and the steps for response escalation.

The ISSO Boot Camp concludes with a review and walkthrough of the ISSO toolkit, a collection of resources that every ISSO needs to perform their role effectively.

Why do we have the ISSO Boot Camp?

Security and Privacy Officers play a critical role in every CMS business unit that collects, stores, or shares stakeholder information. The ISSO is the primary cybersecurity advisor to the System Maintainer (SDM) and Business Owner (BO) in their unit – helping them comply with policies and manage risk throughout the system life cycle.

However, many ISSOs are assigned their role without having the necessary training and security background to perform their duties effectively. The Boot Camp is part of an effort at CMS to improve and standardize the ISSO experience. Instead of being “duties as assigned”, the ISSO role will be a formal position with opportunities for career progression.

Through the Boot Camp and other programs, we aim to build a capable ISSO workforce that is well prepared to safeguard information and IT systems for CMS.