Awareness and Training (AT)

Contact: ISPG Policy Team | CISO@cms.hhs.gov

Last Reviewed: 8/8/2025

This page provides guidance for following the requirements of the AT control family from the CMS ARS. Business Owners, ISSOs, and application teams should review these guidelines to ensure compliance with CMS security and privacy standards.

At the Centers for Medicare & Medicaid Services (CMS), security is a fundamental component integrated across all information systems, which requires that employees and contractors have the knowledge and resources needed to protect sensitive data. This informational guide explains how CMS addresses that need through the AT control family, a key section of the CMS Acceptable Risk Safeguards (ARS), which defines the mandatory minimum security standards. Applying the ARS in this way ensures that the agency implements AT requirements consistently and effectively across all operations.

Why It Matters 

CMS is dedicated to protecting the confidentiality, integrity, and availability of its information systems and data. The Awareness and Training program ensures that all CMS employees, contractors, and stakeholders understand their roles and responsibilities in recognizing and reporting threats to CMS data and information systems.

Awareness and Training is central to the CMS strategic cybersecurity initiative. It empowers stakeholders to actively protect CMS information systems, manage security risks effectively, and respond swiftly to cybersecurity incidents, thereby enhancing overall security and privacy across CMS.

Many resources for getting the right training for your role are found in the CMS Cybersecurity and Privacy Training & Awareness Handbook.

Key Security and Privacy Measures

The following measures describe how Awareness and Training (AT) requirements are fulfilled at CMS. The training provided by the AT program applies to all federal employees, contractors, interns, and others acting on behalf of CMS. The curriculum aligns with federal standards and policies, including the following: 

Role-Based Training (RBT) 

Role-Based Training (RBT) is designed specifically for CMS roles with significant security and privacy responsibilities. It is updated annually or during major system or policy changes. Employees are to complete RBT upon assignment, annually thereafter, and during major system or policy changes. Training topics include:  

  • Best cybersecurity practices 
  • Incident response strategies 
  • Physical security measures 
  • Personally Identifiable Information (PII) processing and protection  

Cybersecurity Awareness and Literacy

CMS delivers training to increase cybersecurity awareness and literacy. CMS staff and contractors are educated on recognizing and reporting threats such as phishing, social engineering, insider threats, and anomalous system behavior. Training methods include:

  • Computer-Based Training (CBT) for users with Enterprise User Administration (EUA) accounts, with reminders for renewal and consequences for non-compliance. This training is delivered and tracked through the CMS Learning Management System (LMS).
  • Simulated phishing campaigns to test and educate users on social engineering tactics. These campaigns are augmented by communications in various CMS channels to remind users how to report potential phishing attacks.
  • Awareness campaigns that include email advisories, informational posters, login screen messages, and security-themed events. 

CMS Training Offerings for AT

The following training is offered and delivered by the CMS Awareness and Training team to ensure the implementation of cybersecurity awareness and training aligns with applicable regulations, policies, and procedures. 

All of the following training, including the mandatory annual ISSPA training, is delivered and tracked through the CMS Learning Management System (LMS).

CMS Information Systems Security and Privacy Awareness (ISSPA) Course

All CMS users are required to complete ISSPA training. The course covers the basics of information security and privacy. It must be completed before access to any CMS system is granted, and annually thereafter in order to maintain that access.

This training includes acknowledgment of the HHS Rules of Behavior (RoB). CMS enforces ISSPA compliance by tracking completion and revoking access for noncompliant users.

Social Engineering Awareness 

CMS educates personnel on the risks associated with social engineering and phishing attacks. Training addresses common social engineering tactics, including: 

  • Phishing attempts
  • Pretextual phone calls (vishing)
  • Tailgating (physical security breaches)
  • Deceptive communications designed to manipulate personnel into divulging confidential information

Insider Threat Awareness 

CMS provides training to ensure employees can recognize (and report) insider threats. To report a suspected or confirmed security or privacy incident contact the CMS IT Service Desk directly at 410-786-2580 or 800-562-1963. 

Training emphasizes indicators such as:

  • Attempts to access unauthorized information 
  • Unusual or suspicious employee behaviors 
  • Unexplained wealth or debts 
  • Expressions of dissatisfaction with work 
  • Unusual working hours 

Recognizing Anomalous System Behavior 

CMS teaches personnel how to detect and respond to anomalous system behavior, including the following: 

  • Multiple failed login attempts followed by success
  • Logins from unusual geographic locations
  • Unexpected or unsolicited emails from unfamiliar senders, particularly those impersonating known sponsors or contractors
  • Emails containing poor grammar, urgent threats, or requests for sensitive, non-job-related information
  • Spikes in data transfers or unauthorized configuration changes

Training also reinforces proper incident reporting procedures to mitigate potential breaches.

Advanced Persistent Threats (APT) 

APTs are highly skilled attackers who gain unauthorized access to networks and remain undetected for extended periods. Training educates CMS personnel on recognizing sophisticated methods APTs use to infiltrate the organization, including: 

  • Phishing and spear-phishing emails
  • Social engineering techniques
  • Zero-day exploits
  • AI-driven attacks

Protecting Personally Identifiable Information (PII) 

CMS provides training for personnel involved in handling Personally Identifiable Information (PII) upon assignment to their roles and annually thereafter. These personnel are trained to understand the types of data that constitute PII, as well as the risks, considerations, and obligations associated with its processing.

Training includes: 

  • Proper handling, storage, sharing, and disposal of PII
  • Transparency and legal obligations related to data handling
  • Compliance with federal regulations

Training Records and Compliance

Effective cybersecurity training relies on accurate record-keeping and robust compliance measures. Record-keeping for CMS security training includes the following measures:

Training Efficacy and Metrics

CMS monitors training effectiveness through employee feedback surveys, audit findings, and lessons learned from security incidents. CMS also conducts annual program evaluations and updates training materials as necessary.

CMS employees and contractors are encouraged to provide feedback directly to the CMS Information Security and Privacy Group (ISPG) Cybersecurity Training and Awareness Team at: CMSISPGTrainers@cms.hhs.gov