CMS Cybersecurity and Privacy Training Handbook
Find the right cybersecurity training for your role, and learn how to do your part to keep CMS systems secure and safe
Last reviewed: 7/15/2024
Introduction
At CMS, we prioritize the security of our data, systems, and your work environment. Every person here is part of our effort to keep CMS information and beneficiary data safe. Security and privacy are everyone's job. Being aware of cyber threats is an ongoing responsibility that we all share.
This handbook will be your companion for security and privacy awareness, whether you're new to CMS or have been with us for a while. It can also guide you to training opportunities that help you advance your knowledge and skills in areas specific to your role.
New hires and contractors will find information on the ISSPA security training they need to complete. Current employees will learn about renewing ISSPA training, plus other training and career development opportunities available to them. Everyone gets pointers on cybersecurity basics, events, and resources at CMS.
Take required ISSPA training
What is ISSPA training?
Information System Security and Privacy Awareness (ISSPA) training covers the basics of information security and privacy, so everyone can do their part to keep sensitive data safe. It's hosted in the CMS learning management system (CBT/LMS).
All CMS employees and contractors must take ISSPA training each year. New employees first take it when they are hired. Current employees renew their training once every year after that.
Taking your ISSPA training satisfies three requirements:
- Mandatory cybersecurity awareness training (required for all CMS employees and contractors)
- Role Based Training (RBT) (required for people at CMS with significant security or privacy responsibilities)
- Signing the HHS Rules of Behavior (required for everyone working at CMS)
When the due date for renewing your ISSPA training is near, you will get an email reminder. You must complete the training before your due date, or you will be locked out of CMS systems. If that happens, you will need to go through an extension process to complete the training and regain your access.
Instructions for completing your ISSPA training are outlined in the next section. You can also watch this video explainer to see a step-by-step tutorial.
How does ISSPA relate to RBT?
CMS is responsible for providing Role Based Training (RBT) to Federal staff and direct support contractors who have significant security or privacy responsibilities. The RBT provided by CMS is embedded in the annual Information Systems Security and Privacy Awareness (ISSPA) training. This training covers the security and privacy policies, procedures, and skills needed for the respective roles and satisfies both the role-based and annual requirements. (This is described above.)
Some roles may require additional RBT due to specific security and privacy responsibilities. You may find relevant training for your role in the CMS Computer Based Training/Learning Management System (CMS login required). You can also talk to your supervisor to see what RBT you need.
How to access ISSPA in the CBT/LMS
There are two ways to get into the CMS learning management system (CBT/LMS), where your personalized dashboard shows what training you need to complete.
1. Use a direct URL
- Go to cms-lms.usalearning.net (formerly cms.gov/cbt)
- Log in using your 4-character CMS user ID and your password, or use your CMS PIV card
2. Use your IDM dashboard
- Go to your IDM dashboard (you'll be redirected to login if you're not already logged in)
- Select the ISPG LMS button to go to the CBT/LMS
If you have trouble logging in, you can:
- Consult the Logging In Job Aid
- Call the CMS LMS Helpdesk at 202-753-0845 (Mon–Fri, 8:30am–6:00pm ET)
How to get credit for ISSPA training
Make sure you complete both required items below while you are in the CBT/LMS taking your ISSPA training. If you leave either of them undone, you won't get credit for taking it.
- Complete your ISSPA training
- Sign and upload page 8 of the Rules of Behavior
- Optional: complete the brief post-course evaluation
Explore personalized training
ISSPA training is just one way to expand your cybersecurity knowledge using the CBT/LMS.
CMS offers a variety of security and privacy awareness and training, and recommends educational resources to benefit the CMS community. The CBT/LMS also tracks your personal learning journey, so you can get credit for required training and get recommendations for additional training specific to your role.
Resources and offerings include online training, videos, quick guides, podcasts, and documentation, all designed to deepen your knowledge about security related topics at CMS.
See training offerings in the CBT/LMS (CMS login required)
CFACTS training (for new ISSOs / CRAs)
CFACTS is the CMS governance, risk, and compliance tool used as a repository to manage its information systems security and privacy requirements. The CFACTS platform provides a common foundation to manage policies, controls, risks, assessments, and deficiencies across all CMS systems.
The Training & Awareness Team at CMS offers several training sessions every year, designed to provide you with the knowledge you need to use CFACTS effectively.
Who should take this course?
If you're an ISSO or CRA and new to the CMS Cybersecurity program, this introductory training session was designed for you. You'll learn about roles and responsibilities, security controls, plans of action and milestones (POA&Ms) for remediating security assessment findings, and more.
We have sessions available in 2024 in August and October.
What will you learn in this course?
This course walks through the CMS FISMA Continuous Tracking System (CFACTS) mapped to the steps of the NIST Risk Management Framework (RMF). Topics covered in this session:
- Understanding roles and responsibilities
- Categorizing the system and selecting and implementing security controls
- Plan of Action and Milestones (POA&M) entries for security assessment findings
- NIST Special Publication 800-37, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy"
- NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations"
- System Security and Privacy Plan (SSPP)
- Authorization to Operate (ATO) packages required under FISMA
Course details
These are the sessions remaining in 2024. Each training consists of two sessions across two days:
- October 29 and 30
This course is NOT a hands-on session using CFACTS; it is a presentation of introductory concepts. Experienced ISSOs and CRAs who have been working in CFACTS for a while should not attend this course.
Reserve your spot
Send an email to cmsispgtrainers@cms.hhs.gov. Include:
- Subject line: CFACTS Training Registration
- Your name
- Dates of the course you want to attend
We will reply to your email to confirm your registration and give you further details. If you have questions, email the Training & Awareness Team: CMSISPGTrainers@cms.hhs.gov or find us in the CMS Slack channel: #cyber-training-support.
Practice everyday security
Your role in keeping CMS information safe doesn’t end after you take cybersecurity training. That’s just the beginning! Practicing security awareness and avoiding security risks is an everyday task that is everyone’s job.
The information in this handbook will help you practice “everyday security” in the workplace. But we also provide you with tips for digital safety in all areas of your life through the Cyber360 campaign, a yearlong series to help CMS employees build security awareness to protect themselves and their families.
Learn more about Cyber360 here — and don’t forget to save the date for CMS CyberWorks. Every October, this annual cybersecurity festival includes the Cyber360 finale and much more.
Following are cybersecurity topics and tips that everyone at CMS needs to be familiar with. When you make security awareness a priority in your daily work, you help protect the sensitive information of millions of beneficiaries who entrust their personal data to CMS for healthcare services and benefits.
Protect PII and PHI
Personally Identifiable Information (PII) and Protected Health Information (PHI) are two major kinds of information that CMS has access to and that require special handling and treatment. They’re attractive targets for bad actors. Safeguarding both kinds of information is one of your major responsibilities as part of CMS.
Personally Identifiable Information (PII) is any information that can be used to identify a specific individual. PII is sensitive, and requires special protection due to the risks associated with its misuse.
Examples of PII include full names, Social Security Numbers, addresses, bank account numbers, fingerprints, employee IDs, and email addresses. This is not a comprehensive list — many other kinds of information are considered PII!
Determining whether or not certain information counts as PII can require a case-by-case assessment of whether an individual’s identity can be revealed by piecing information together.
More guidance for identifying PII can be found in the ISSPA training.
Protected Health Information (PHI) at CMS is any individually identifiable health information that is held or transmitted by a covered entity or its business associates and that is related to the physical or mental health or condition of an individual.
Examples of PHI include prescription information, health plan beneficiary numbers, and medical records. As with PII, this is not a full list, and many other kinds of information can be PHI.
More guidance for identifying PHI can be found in the ISSPA training.
Reporting breaches and incidents
Any time you suspect that PII or PHI has been used or shared in an unauthorized manner, report the incident to the CMS Information Technology Service Desk.
- Phone: 410-786-2580 or 800-562-1963
- Email: CMS_IT_Service_Desk@cms.hhs.gov
The CMS Breach Response Handbook is a comprehensive guide to breaches and incidents, with more information about each kind, how to report them, and what happens next.
Watch out for phishing
Phishing by email or text message is one of the most common social engineering attacks.
Phishers typically pretend to be a person or business familiar to you and use a sense of urgency to hijack your normal desire to be helpful. Their goal is to get you to reveal sensitive information (such as your password) or to open a file or link that could introduce malware or ransomware to the CMS network. Check the sender's actual email address rather than just the display name, and look at where a link really points before you click it. When in doubt, don't click.
More guidance on phishing can be found here in the CBT/LMS (CMS login required).
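As an added illustration (not part of this handbook or of any CMS tool), the script below runs the indicators described above over a constructed sample message: a display name that invokes the organization while the sender domain does not belong to it, a Reply-To that routes replies elsewhere, urgency phrases, links to untrusted hosts, and link text that shows one address while the href goes to another. The trusted-domain list, the urgency phrases, and both sample emails are assumptions chosen for illustration; the `.example` domains are not real.

```python
"""Heuristic phishing-indicator check over constructed sample emails.

Added example for this handbook; not CMS code. The trusted-domain list,
urgency phrases, and sample messages are illustrative assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that manufacture the urgency phishers rely on (illustrative list).
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours",
                 "account will be locked", "verify now", "action required")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(addr_or_url):
    """Lower-case host part of an email address or URL."""
    if "://" in addr_or_url:
        return (urlparse(addr_or_url).hostname or "").lower()
    return addr_or_url.rsplit("@", 1)[-1].lower()


def _is_trusted(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)


def phishing_indicators(raw_message, trusted=("cms.hhs.gov", "usalearning.net")):
    """Return human-readable indicators found in a raw RFC 5322 message.

    An empty list means no heuristic fired; it does not prove the mail is safe.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_host = _host(from_addr)
    # 1. Display name invokes the organization, but the address is not its own.
    org_words = {t.split(".")[0] for t in trusted}
    if (any(re.search(rf"\b{re.escape(w)}\b", display_name.lower()) for w in org_words)
            and not _is_trusted(from_host, trusted)):
        findings.append(f"display name '{display_name}' but sender domain is '{from_host}'")

    # 2. Replies are silently routed to a different domain than the sender's.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _host(reply_to) != from_host:
        findings.append(f"Reply-To domain '{_host(reply_to)}' differs from From domain '{from_host}'")

    # 3. Urgency language in the subject or body (tags stripped from HTML parts).
    text = str(msg.get("Subject", "")) + " "
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text += part.get_content()
        elif ctype == "text/html":
            html = part.get_content()
            collector = _LinkCollector()
            collector.feed(html)
            links.extend(collector.links)
            text += re.sub(r"<[^>]+>", " ", html)
    hits = [t for t in URGENCY_TERMS if t in text.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 4. Links to untrusted hosts, and link text showing a host other than the href's.
    for href, shown_text in links:
        href_host = _host(href)
        if href_host and not _is_trusted(href_host, trusted):
            findings.append(f"link points to untrusted host '{href_host}'")
        shown = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", shown_text.lower())
        if shown and shown.group(1) != href_host:
            findings.append(f"link text shows '{shown.group(1)}' but goes to '{href_host}'")
    return findings


# Constructed sample messages (not real CMS mail); attacker domains use .example.
SAMPLE_PHISH = """\
From: "CMS IT Service Desk" <helpdesk@cms-hhs-support.example>
Reply-To: recovery@mail-verify.example
To: employee@cms.hhs.gov
Subject: Action required: your account will be locked
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your ISSPA training is overdue. Verify now within 24 hours or your account will be locked.</p>
<p><a href="https://login.cms-hhs-support.example/verify">https://cms-lms.usalearning.net</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "CMS IT Service Desk" <CMS_IT_Service_Desk@cms.hhs.gov>
To: employee@cms.hhs.gov
Subject: Reminder: ISSPA training due date
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your ISSPA training is due next month. Log in to the CBT/LMS to complete it.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

Run as a script, it reports five indicators for the constructed phish and none for the benign reminder. The link-text check is the one most worth internalizing: a visible URL in an email says nothing about where the link actually goes, which is why the handbook's advice to inspect the real destination before clicking matters.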
Password security
When choosing a password for a CMS account (such as the one tied to your 4-character CMS user ID), use the strongest password you can: the longer it is, the better.
Build passwords from a combination of uppercase and lowercase letters, numbers, and special characters. Avoid easily guessable information, such as names, dates, or dictionary words, and use a different password for every account.
Never reuse your CMS password anywhere else.
For policy guidance on setting up passwords for CMS systems, see Password Requirements.
CMS email accounts
Your CMS email is a business email address, provided to you for business use only.
Do not use your CMS email address for shopping, entertainment, or other personal websites. Use a personal email address for personal use.
Using your CMS email address for non-business purposes adds risk, cost, and difficulty to maintaining cybersecurity at CMS.
Beware free public WiFi
Do not use "free" public WiFi networks in places like airports or restaurants for CMS business.
Attackers can set up rogue networks that mimic legitimate ones, and traffic on any untrusted network can be intercepted. Connecting can expose your personal data and CMS information to whoever controls or is watching that network.
Protect your hardware and workspace
Protect CMS systems and information by securing your computer and mobile devices when you're not using them. Set your devices and screens to automatically lock after a few minutes of inactivity. Don’t leave devices unattended unless they are in a secure space, such as a closed office or your home.
Safeguard your home workspace. Be aware of windows that could provide a way for someone to glimpse CMS sensitive information. Keep your home locked when you leave.
Rules for foreign travel
Do not take CMS computers, cell phones, and other equipment furnished by the government with you on personal foreign travel.
You are not permitted to access CMS information systems during personal foreign travel, including through a virtual desktop application.
If you will need to access CMS systems during approved, official travel, contact the CMS International Travel Team via email: international@cms.hhs.gov.
Start this process in advance (10 or more days before you depart) so you can complete all requirements.
Level up your security expertise
You have access to many government and industry resources beyond what CMS provides in the CBT/LMS. You can take courses, strengthen your skills, earn continuing education units, and even earn professional certifications. Cybersecurity training resources are outlined below.
HHS training
The Department of Health and Human Services (HHS) Learning Portal provides many professional development courses, including cybersecurity certification preparatory training and courses that award continuing education units (CEUs). To access these courses:
- Federal government employees: Log in to the HHS Learning Portal
- Contractors: Email the Training and Awareness Team at CMSISPGTrainers@cms.hhs.gov. Include your name, the class you want to attend, and contact information for your approving government supervisor.
CISA training
Cybersecurity and Infrastructure Security Agency (CISA) offers training for federal employees, private-sector cybersecurity professionals, critical infrastructure operators, educational partners, and the general public.
Explore CISA training opportunities
NICCS training
The National Initiative for Cybersecurity Careers and Studies (NICCS) helps people find cybersecurity education and training to advance their careers and close skill gaps across the workforce.
Explore NICCS training opportunities
FedVTE training
The Federal Virtual Training Environment (FedVTE) provides free online cybersecurity training to federal, state, local, tribal, and territorial government employees, federal contractors, and US military veterans.
CMS employees and contractors interested in FedVTE training will need to create an account to log in and obtain prior approval from their supervisor.
See FedVTE training for the full catalog of program offerings.
AWS training
Amazon Web Services (AWS) training and resources are available for you to learn more about cloud services, developer tools, machine learning, and system architecture.
Free AWS training resources are available to anyone at CMS; prior supervisor approval is required for paid AWS training.
Splunk training
CMS developers use Splunk to monitor and interpret security data. Splunk offers resources and training to help you get a handle on your system’s data.
Prior supervisor approval is required for Splunk’s paid training.
Fortinet training
Fortinet’s training program includes self-paced and instructor-led courses, as well as practical, experiential exercises that demonstrate mastery of complex network security concepts.
Fortinet training offers a number of certification levels.
Prior supervisor approval is required.