Skip to main content

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

CMS Cybersecurity and Privacy Training Handbook

Find the right cybersecurity training for your role, and learn how to do your part to keep CMS systems secure and safe

Last reviewed: 5/29/2024

Contact: Training & Awareness team | CMSISPGTrainers@cms.hhs.gov

Related Resources

Introduction

At CMS, we prioritize the security of our data, systems, and your work environment. Every person here is part of our effort to keep CMS information and beneficiary data safe. Security and privacy are everyone's job. Being aware of cyber threats is an ongoing responsibility that we all share.

This handbook will be your companion for security and privacy awareness, whether you're new to CMS or have been with us for a while. It can also guide you to training opportunities that help you advance your knowledge and skills in areas specific to your role.

New hires and contractors will find information on the ISSPA security training they need to complete. Current employees will learn about renewing ISSPA training, plus other training and career development opportunities available to them. Everyone gets pointers on cybersecurity basics, events, and resources at CMS. 

Take your required training

What is ISSPA training?

Information System Security and Privacy Awareness (ISSPA) training covers the basics of information security and privacy, so everyone can do their part to keep sensitive data safe. It's hosted in the CMS learning management system (CBT/LMS).

All CMS employees and contractors must take ISSPA training each year. New employees first take it when they are hired. Current employees renew their training once every year after that.

Taking your ISSPA training satisfies three requirements:

  1. Mandatory cybersecurity training (required for all CMS contractors)
  2. Role Based Training (RBT) (required for people at CMS with security responsibilities)
  3. Signing the HHS Rules of Behavior (required for everyone working at CMS)

In other words, when you complete your ISSPA training for the year, you have also completed your required RBT (if needed) and Rules of Behavior renewal for that year. You won't need to take them elsewhere. 

When the due date for renewing your ISSPA training is near, you will get an email reminder. You must complete the training before your due date, or you will be locked out of CMS systems. If that happens, you will need to go through an extension process to complete the training and regain your access.

Instructions for completing your ISSPA training are outlined in the next section. You can also watch this video explainer to see a step-by-step tutorial.

How to access ISSPA in the CBT/LMS

There are two ways to get into the CMS learning management system (CBT/LMS), where your personalized dashboard shows what training you need to complete.

1. Use a direct URL

  • Go to cms-lms.usalearning.net (formerly cms.gov/cbt)
  • Log in using your 4-character CMS user ID and your password, or use your CMS PIV card

2. Use your IDM dashboard

  • Go to your IDM dashboard (you'll be redirected to login if you're not already logged in)
  • Select the ISPG LMS button to go to the CBT/LMS

If you have trouble logging in, you can:

  • Consult the Logging In Job Aid
  • Call the CMS LMS Helpdesk at 202-753-0845 (Mon–Fri, 8:30am–6:00pm ET)

How to get credit for ISSPA training

Make sure you complete all items below when you are in the CBT/LMS taking your ISSPA training. If you leave any of these undone, you won’t get credit for taking it.

  1. Complete your ISSPA training
  2. Sign and upload pages 19 and 22 of the Rules of Behavior
  3. Complete the brief post-course evaluation

Explore personalized training

ISSPA training is just one way to expand your cybersecurity knowledge using the CBT/LMS.

CMS offers a variety of security and privacy awareness and training, and recommends educational resources to benefit the CMS community. The CBT/LMS also tracks your personal learning journey, so you can get credit for required training and get recommendations for additional training specific to your role.

Resources and offerings include online training, videos, quick guides, podcasts, and documentation, all designed to deepen your knowledge about security related topics at CMS. 

See training offerings in the CBT/LMS (CMS login required)

Practice everyday security

Your role in keeping CMS information safe doesn’t end after you take cybersecurity training. That’s just the beginning! Practicing security awareness and avoiding security risks is an everyday task that is everyone’s job. 

The information in this handbook will help you practice “everyday security” in the workplace. But we also provide you with tips for digital safety in all areas of your life through the Cyber360 campaign, a yearlong series to help CMS employees build security awareness to protect themselves and their families. 

Learn more about Cyber360 here — and don’t forget to save the date for CMS CyberWorks. Every October, this annual cybersecurity festival includes the Cyber360 finale and much more.

Following are cybersecurity topics and tips that everyone at CMS needs to be familiar with. When you make security awareness a priority in your daily work, you help protect the sensitive information of millions of beneficiaries who entrust their personal data to CMS for healthcare services and benefits.

Protect PII and PHI

Personally Identifiable Information (PII) and Protected Health Information (PHI) are two major kinds of information that CMS has access to and that require special handling and treatment. They’re attractive targets for bad actors. Safeguarding both kinds of information is one of your major responsibilities as part of CMS. 

Personally Identifiable Information (PII) is any information that can be used to identify a specific individual. PII is sensitive, and requires special protection due to the risks associated with its misuse.

Examples of PII include full names, Social Security Numbers, addresses, bank account numbers, fingerprints, employee IDs, and email addresses. This is not a comprehensive list — many other kinds of information are considered PII!

Determining whether or not certain information counts as PII can require a case-by-case assessment of whether an individual’s identity can be revealed by piecing information together.

More guidance for identifying PII can be found in the ISSPA training.

Protected Health Information (PHI) at CMS is any individually identifiable health information that is held or transmitted by a covered entity or its business associates and that is related to the physical or mental health or condition of an individual.

Examples of PHI include prescription information, health plan beneficiary numbers, and medical records. As with PII, this is not a full list, and many other kinds of information can be PHI. 

More guidance for identifying PHI can be found in the ISSPA training.

Reporting breaches and incidents

Any time you suspect that PII or PHI has been used or shared in an unauthorized manner, report the incident to the CMS Information Technology Service Desk.

The CMS Breach Response Handbook is a comprehensive guide to breaches and incidents, with more information about each kind, how to report them, and what happens next. 

Watch out for phishing

Phishing by email or text message is one of the most popular social engineering attacks. 

Phishers typically pretend to be a person or business familiar to you. They use a sense of urgency to hijack your normal desire to be helpful. Their goal is to get you to reveal sensitive information, or to click on a file or link that could introduce malware or ransomware to the CMS network.

More guidance on phishing can be found here in the CBT/LMS (CMS login required).

Password security

When setting up login credentials for CMS accounts (such as your 4-character CMS user ID), use the most secure passwords you can. The stronger and longer your password is, the better. 

Create complex passwords using a combination of uppercase and lowercase letters, numbers, and special characters. Avoid easily guessable information and use unique passwords for each account.

Never reuse your CMS password. 

For policy guidance on setting up passwords for CMS systems, see Password Requirements.

CMS email accounts

Your CMS email is a business email address, provided to you for business use only. 

Do not use your CMS email address for shopping, entertainment, or other personal websites. Use a personal email address for personal use. 

Using your CMS email address for non-business purposes adds risk, cost, and difficulty to maintaining cybersecurity at CMS. 

Beware free public WiFi

Do not use "free" public WiFi networks in places like airports or restaurants for CMS business. 

They are often fake networks run by hackers. When you log in to one, bad actors get access to your personal data and CMS information. 

Protect your hardware and workspace

Protect CMS systems and information by securing your computer and mobile devices when you're not using them. Set your devices and screens to automatically lock after a few minutes of inactivity. Don’t leave devices unattended unless they are in a secure space, such as a closed office or your home.

Safeguard your home workspace. Be aware of windows that could provide a way for someone to glimpse CMS sensitive information. Keep your home locked when you leave. 

Rules for foreign travel

Do not take CMS computers, cell phones, and other equipment furnished by the government with you on personal foreign travel. 

It is not permitted to access CMS information systems on personal foreign travel. This includes use of a virtual desktop application. 

If you will need to access CMS systems during approved, official travel, contact the CMS International Travel Team via email: international@cms.hhs.gov.

Start this process in advance (10 or more days before you depart) so you can complete all requirements.  

Level up your security expertise

You have access to many government and industry resources beyond what CMS provides in the CBT/LMS. You can take courses, strengthen your skills, earn continuing education units, and even earn professional certifications. Cybersecurity training resources are outlined below.  

HHS training

The Department of Health and Human Services (HHS) Learning Portal provides many professional development courses, including cybersecurity certification preparatory training and continuing education unit (CEUs). To access these courses:

  • Federal government employees: Log in to the HHS Learning Portal
  • Contractors: Email the Training and Awareness Team at CMSISPGTrainers@cms.hhs.gov. Include your name, the class you want to attend, and contact information for your approving government supervisor.

CISA training

Cybersecurity and Infrastructure Security Agency (CISA) offers training for federal employees, private-sector cybersecurity professionals, critical infrastructure operators, educational partners, and the general public.

Explore CISA training opportunities

NICCS training

The National Initiative for Cybersecurity Careers and Studies (NICCS) helps people find cybersecurity education and training to advance their careers and close skill gaps across the workforce.

Explore NICCS training opportunities

FedVTE training

The Federal Virtual Training Environment (FedVTE) provides free online cybersecurity training to federal, state, local, tribal, and territorial government employees, federal contractors, and US military veterans.

CMS employees and contractors interested in FedVTE training will need to get an account to login and prior approval from their supervisor.

See FedVTE training for the full catalog of program offerings.

AWS training

Amazon Web Services (AWS) training and resources are available for you to learn more about cloud services, developer tools, machine learning, and system architecture.

Prior supervisor approval is required to complete AWS training. Free training resources are available to anyone at CMS; prior supervisor approval is required for paid AWS training.

See AWS training

Splunk training

CMS developers use Splunk to monitor and interpret security data. Splunk offers resources and training to help you get a handle on your system’s data.

Prior supervisor approval is required for Splunk’s paid training.

See Splunk training

Fortinet training

Fortinet’s training program includes self-paced and instructor-led courses, as well as practical, experiential exercises that demonstrate mastery of complex network security concepts.

Fortinet training offers a number of certification levels. 

Prior supervisor approval is required.

See Fortinet training