ISSO As A Service

ISPG program that provides skilled Information System Security Officers (ISSOs) to CMS components in need of professional security and privacy support

Contact: ISSO Support Team | ISSO@cms.hhs.gov
CMS Slack Channels
  • #isso-as-a-service
  • #cms-isso

What is ISSO As A Service (ISSOaaS)?

Information System Security Officers (ISSO) serve as the front line of information security and privacy for CMS systems. Their role is critical for keeping CMS data safe throughout a system’s life cycle. But sometimes, there is not a trained CMS ISSO available within a component to perform key security tasks.

To address this need, the CMS Information Security and Privacy Group (ISPG) provides the ISSO As A Service (ISSOaaS) program to deploy skilled ISSOs where they are most needed, supporting CMS Business Owners in maintaining information security and privacy for their system(s).

ISPG works with a contractor organization to onboard and train professional ISSOs in CMS-specific policies and frameworks so they are equipped to provide industry-certified security and compliance support, allowing Business Owners to focus on their business mission.

Request a Service ISSO

To get started with ISSO As A Service, you can talk to your Cyber Risk Advisor (CRA) or send an email to ISSO@cms.hhs.gov. The ISSOaaS team will work with you to assess requirements and find an ISSO that can support the needs of your system(s).

Why does CMS need ISSOaaS?

For all CMS components, the safety of information and systems should be a top priority – as we are entrusted with the personal and health data of millions of Americans. Every CMS component must take a strategic and proactive approach to security compliance and risk management. It should not be an afterthought. This means employing a suitably skilled and experienced person who is responsible for these things.

Sometimes, a CMS component assigns ISSO duties to someone who has other primary responsibilities and is not adequately trained in CMS requirements for cybersecurity. This leads to a hazardous situation for the component’s information and systems, including:

  • Conflict of interest between that person’s ISSO role and their other responsibilities
  • Insufficient skills, time, and knowledge for that person to properly manage ISSO tasks
  • A false sense within the component that security and privacy are being fully addressed by this shared role, while in fact there are gaps in compliance and appropriate risk management

Evolving and modernizing information security

Beyond ensuring security and privacy compliance, the ISSO role at CMS has grown increasingly complex and technical in response to the evolving threat landscape and the modernized approach to cybersecurity that is being implemented across the federal government. For example:

ISSO As A Service connects CMS components with knowledgeable professionals who can help ensure adequate information security across all CMS components and systems.

Who are the Service ISSOs?

Within the ISSOaaS program, a Service ISSO is a professional ISSO who is trained in CMS cybersecurity practices and onboarded to support specific systems or tasks for a CMS component that otherwise would not have a qualified ISSO available. CMS works with a contractor organization to engage Service ISSOs for an agreed-upon length of time.

Service ISSOs operate in direct liaison with ISPG as well as their assigned system teams and Business Owner. This ensures consistency and shared visibility into system security throughout the engagement.

What tasks can Service ISSOs do?

Service ISSOs do the same tasks and have the same skills as CMS ISSOs – although Service ISSO qualifications and duties may be adjusted to fit the specific needs of the component and system. Responsibilities may include:

  • Provide overall professional ISSO support for CMS systems
  • Collaborate with system stakeholders and Cyber Risk Advisors
  • Evaluate security categorization 
  • Review compliance assurance and reporting
  • Perform risk assessment
  • Identify and document security and privacy controls
  • Provide guidance for PII, PHI, and FTI compliance
  • Perform tasks that support system assessment and authorization
  • Review information security and privacy compliance within the Target Life Cycle (TLC)
  • Review and analyze POA&Ms
  • Perform CMS Security Control Assessment (or coordinate Cybersecurity and Risk Assessment Program)
  • Coordinate Contingency Planning
  • Utilize CMS Risk Management Framework (as recommended by NIST)

Why use a Service ISSO?

ISSOaaS makes it easier for CMS Business Owners to get accurate and insightful information from an experienced professional to manage their systems’ risk. The Service ISSO can deliver a set of proactive, scheduled, planned services for a defined timeframe or on a continuous basis. Engaging a Service ISSO will ensure:

  • Information systems and information risks and vulnerabilities are identified, and their impact on the organization is quantified, communicated, and understood by all relevant stakeholders
  • Appropriate information systems control and risk mitigation are in place to ensure the confidentiality, integrity and availability of the information systems
  • Proper coordination of appropriate training and communication of information security policies, controls, and best practices to all stakeholders
  • Organizational compliance with policies as well as any external regulatory or legal compliance obligations
  • Management is provided with advice concerning cybersecurity strategy, and the Service ISSO can serve as the organization’s contact point for auditors and agencies
  • Any necessary coordination of information systems security incident response
  • Cybersecurity and privacy practices for their assigned organization are in keeping with CMS policies, latest privacy legislation, security advisories, alerts, and vulnerabilities

When to use Service ISSOs

Engaging a Service ISSO could be beneficial for your component if:

  • ISSO tasks need to be performed and there is no trained CMS ISSO available
  • A new ISSO needs help getting started
  • A surge period is causing an unmanageable amount of work for existing ISSOs 

How to request a Service ISSO

If you as a Business Owner need ISSO support from the ISSOaaS program, you can work with your CRA to start the process – or you can send an email to ISSO@cms.hhs.gov.

How it works

ISSO As A Service requires coordination among multiple stakeholders. Everyone involved has a role in making sure the selected ISSO can meet the requirements for the specific component and system(s). The steps for starting an ISSOaaS engagement are described below.

  1. Initial request

    A request by a Business Owner initiates the process for a Service ISSO. The Business Owner should talk to their CRA or email ISSO@cms.hhs.gov to let ISPG know that ISSOaaS support is needed.

  2. Kickoff discussion

    A meeting to discuss the requirements of the engagement will be scheduled with the Business Owner, ISPG, the ISSOaaS contractor, and any other stakeholders. Topics of the meeting will include cybersecurity requirements, level of effort, cost and funding activities, and onboarding. All factors will be evaluated by ISPG and the ISSOaaS contractor.

  3. ISSOaaS Request Form

    After the meeting, ISPG will complete an ISSOaaS Request Form, which helps ISPG and the contractor during their search for a Service ISSO.

  4. Context assessment

    As ISPG and the contractor work to determine the best match for a Service ISSO, they will consider the context for the engagement, including factors such as:

    • System complexity
    • Data sensitivity
    • Whether the system supports a Mission Essential Function
    • Whether the system is a High Value Asset (HVA)

  5. Skillset categorization

    The ISSOaaS contractor will categorize the workforce skillset needed for the assignment using:

    • NICE Framework as applicable to the CMS ISSO role
    • Role duties and responsibilities as outlined in policy
    • Required experience, certifications, and areas of expertise

  6. Service ISSO onboarding

    Once a Service ISSO has been identified, onboarding and training will begin so the ISSO can be embedded in their assigned team. Onboarding requires collaboration among the Business Owner, ISPG, the ISSOaaS contractor, and the ISSO. (More details below.)

Service ISSO onboarding

The established process at CMS for onboarding new Service ISSOs ensures that the ISSO completes the orientation, logistics, and training needed to start providing value to the organization quickly. We want all new ISSOs to feel welcome and have access to the resources needed to become productive and confident in their new role. The goal is for new Service ISSOs to be onboarded and trained within a time period of 60 days.

Business Owner responsibilities

The Business Owner or component representatives should prepare their organization for the arrival of the ISSO. Data Guardians, CRAs, and existing ISSOs (if applicable) should also prepare. ISPG will coordinate with the component for an initial meeting with the new ISSO. The goals of this meeting are for the new ISSO to:

  • Meet the Business Owner and other key stakeholders in the component’s organization, including contract developers and contract security staff
  • Understand the component’s business and cybersecurity environment
  • Learn about the component’s business model and logic

Contractor responsibilities

The ISSOaaS contractor oversees the logistics of onboarding and keeps ISPG continually updated on the progress of Service ISSO onboarding and training. Much of this is managed through the ISSO Information Card, which tracks items such as:

  • CMS security clearance
  • Fingerprinting
  • PIV card
  • EUA ID
  • eQIP

The full list of items is managed by the ISSOaaS contractor throughout the engagement and is also used as a checklist for off-boarding when the engagement is over. Additionally, the contractor keeps track of the Service ISSO’s progress through workforce training activities. All of this is relayed to ISPG through a weekly status report to the CMS Government Task Lead (GTL) and/or the Contracting Officer Representative (COR) for the ISSOaaS program.

ISPG responsibilities

The CMS GTL for the ISSOaaS program is within ISPG and serves as the go-to person for program communications and problem resolution as necessary. They can help remove blockers or provide support at any point in the ISSO’s onboarding process (and subsequent engagement). ISPG also coordinates with the ISSOaaS contractor for onboarding needs such as scheduling meetings or providing necessary equipment.

ISSO responsibilities

The new Service ISSO is expected to take a proactive role during onboarding – especially in keeping their leadership informed about progress through security clearances, obtaining EUA access, and other onboarding activities. The ISSO should respond quickly to inquiries or requests from CMS or others in the ISSOaaS program, and let someone know if there are problems or questions. In addition to onboarding logistics, the Service ISSO needs to complete as much CMS-specific training as possible (described below).

Service ISSO training

Service ISSOs joining CMS should receive the same training and support as CMS employee ISSOs (to the greatest extent possible). Details will depend on the workload and duration of services required. Service ISSOs should refer to the CMS Information System Security Officer (ISSO) Handbook as a go-to resource for ISSO responsibilities, activities, policy and guidance, training, and community support. 

The ISSOaaS contractor collaborates with ISPG and the Business Owner to determine what formal ISSO training is most suitable for the component’s specific needs. Training activities can often happen in tandem with other onboarding activities. In general, Service ISSOs should expect to utilize the following:

Getting started as a CMS ISSO

Role Based Training (RBT)

You will coordinate with your leadership to learn what kind of Role Based Training is required for your position.

Federal policies and guidance

Get familiar with cybersecurity policies and guidance from CMS, HHS, NIST, and other authorities. You can see information about the most important federal guidance in the ISSO Toolkit.

CMS and HHS cybersecurity training

If you need specialized training for your assigned role, there are many offerings available from CMS and HHS that you can access for free. Learn about training opportunities here.

ISSO meetings and community

You will have a regular monthly check-in with ISPG, the Service ISSO team, and ISSOaaS contract leadership. Additionally, you should plan to attend the monthly CMS Cybersecurity Community Forum, an important source of current information for all CMS staff and contractors with security and privacy responsibilities.

Collaboration and relationships

It’s essential that you build relationships with your Business Owner, your Cyber Risk Advisor (CRA), and other security and developer staff. Collaboration with your portfolio team – both CMS staff and contractors – is key to a successful engagement as a Service ISSO.

Service ISSO engagement

The success of a Service ISSO engagement depends on frequent communication among all stakeholders. ISPG schedules recurring meetings to gauge satisfaction and determine if any areas need improvement. Regular meetings during the engagement include:

  • Satisfaction sessions with Business Owners (as needed)
  • Meetings with Service ISSO Lead(s) for check-in and support (weekly)
  • Meetings with Service ISSOs for check-in and support (monthly)
  • Meetings with contract leads to ensure Role Based Training (RBT) requirements are satisfied (as needed)

ISPG also ensures that Service ISSOs (along with CMS employee ISSOs) have access to supportive resources such as the CMS Cybersecurity Community Forum and the CMS Information System Security Officer (ISSO) Handbook.

Service ISSO off-boarding

At the conclusion of an engagement, ISPG coordinates with the Business Owner for transition activities where appropriate. The ISSOaaS contractor ensures that a smooth off-boarding process occurs, including recovery of government property such as computers, badges, and any other equipment. The contractor updates the ISSO Information Card created during onboarding and retains the completed form.

Service ISSO qualifications

When ISPG and the ISSOaaS contractor are seeking a Service ISSO suitable for the needs of a CMS component, the following qualifications serve as a guide. (Specific skills and level of experience will be driven by the extent and duration of ISSO services required.) In general, an ISSO should have proven skills and knowledge in the following areas:

  • Comprehensive and expert knowledge of FISMA/NIST/RMF methodology, professional standards, policies, directives, guidance, concepts, procedures, principles, practices, and assessment and evaluation criteria, as related to Federal information systems security controls and auditing requirements.
  • Thorough knowledge of Federal legislation related to information technology, computer security, government performance measurement, fiscal management, and contracting.
  • Expert knowledge of information technology architecture, hardware, software, networking, communications, data collection/dissemination, and security of data practices.
  • Thorough knowledge of information security disciplines, including threats to and vulnerabilities of computer and data communications systems, safeguards (countermeasures) that can be used to protect sensitive/critical information resources, and methodologies for developing and implementing contingency plans for disaster recovery. Extensive knowledge of the roles of various organizational units in ensuring adequate security and safety of information resources.
  • Knowledge of information systems security concepts and methods, multiple IT disciplines, enterprise IT architecture, and project management principles and methods sufficient to:
    • Review and evaluate the program’s security incident response policies
    • Identify the need for changes based on new security technologies or threats
    • Test and implement new policies
    • Institute measures to ensure awareness and compliance
  • Knowledge of, and ability to conduct, security program planning at higher organizational levels in terms of applying policy direction to specific operating requirements and the development of strategies and policy implementation guidance.
  • Ability to use knowledge in key decision-making and policy-developing responsibilities in difficult assignments, such as planning for significantly new or far-reaching security program requirements.
  • Knowledge of information systems security principles, concepts, and methods, the infrastructure protection environment, and interrelationships to multiple IT disciplines sufficient to:
    • Review proposed new systems, networks, and software designs for potential security risks
    • Recommend mitigations or countermeasures
    • Resolve integration issues related to the implementation of new systems within the existing infrastructure
  • Mastery of and skill in applying policy and planning concepts and practices, interrelationships of multiple IT disciplines, and project management methods sufficient to manage communities of interest involved in the development and implementation of workable approaches to IT architecture and other IT-related legislative and policy initiatives.
  • Mastery and skill in applying the principles of management sufficient to develop long-range plans for IT security systems that anticipate, identify, evaluate, mitigate, and minimize risks associated with IT system vulnerabilities.
  • Demonstrated ability to give clear and concise presentations (oral and written) and to communicate effectively with government, contractors, and applicable business entity representatives.