Data Guardian Handbook
Information and resources to help Data Guardians in their daily work to prevent phishing attacks and keep CMS’ Beneficiary data safe
Last reviewed: 3/30/2023
CMS Beneficiary Data Protection Initiative (BDPI)
CMS created the Beneficiary Data Protection Initiative (BDPI) in July 2015 in response to public breach events. CMS’ BDPI is managed by the Information Security Privacy Group (ISPG), Division of Security and Privacy Compliance (DSPC), and provides information security and privacy training and education for all employees and contractors. Its key principles are:
- Protecting beneficiary data
- Improving CMS’s situational awareness of risks
- Increasing awareness of cyber threats to downstream users
CMS Data Guardian Program
The Data Guardian program was created as part of the BDPI to ensure a coordinated and consistent approach to safeguarding personally identifiable information (PII) and protected health information (PHI) and to promote awareness of cybersecurity throughout CMS.
The Data Guardian Program provides the following benefits:
- Awareness - Ensures awareness of the current cybersecurity landscape across agency personnel.
- Alignment - Aligns component business strategies with organizational privacy policies and regulations.
- Accountability - Each component is accountable for meeting its own privacy responsibilities.
- Adaptability - Data Guardians proactively seek to improve the privacy posture of their programs as conditions change within their respective business areas.
- Action - Agency personnel understand cyber threats and are prepared to respond to them appropriately.
Who are Data Guardians?
Data Guardians, both primary and alternate, are CMS employees who ensure that their components are prepared to safeguard CMS systems and sensitive data. They represent their components at quarterly meetings where they discuss:
- Organizational security/privacy issues
- The latest information about safeguarding
- How to support an information and privacy awareness culture at CMS
- Security and privacy policy, standards, and requirements
Data Guardian Responsibilities
The responsibilities of a CMS Data Guardian include, but are not limited to, the following:
- Increase awareness of cyber-attack methods to reduce the likelihood that security and privacy incidents will occur by creating a culture of good cyber hygiene
- Communicate best practices for protecting personal information to your component
- Serve as a liaison with other components to raise situational awareness of cyber threats, pass on lessons learned, and foster a culture of cooperation and compliance designed to protect CMS assets
- Mentor office/component staff to properly identify suspicious emails and report them
- Work to ensure that staff know where security and privacy training material is located, i.e., the BDPI and CBT websites
- Encourage staff to complete training related to data protection and phishing
- Monitor internal and external cyber incidents and news
- Advocate that the minimum amount of personal information is collected, created, used/disclosed, and maintained to carry out CMS’ authorized functions
- Attend the quarterly Data Guardian meetings
All CMS Data Guardian duties, as assigned, are intended to consume less than 5 hours per month or 3 percent of any given work week. Data Guardians should have experience with the information security and privacy vulnerabilities applicable to their component’s business operations. Data Guardians should promote education, communication, and mentorship across the enterprise, and should feel comfortable approaching and mentoring staff at all levels about cybersecurity matters.
By raising awareness across the agency, Data Guardians reduce the likelihood that CMS’ systems and sensitive data will be exposed and help CMS be prepared in the event that an incident occurs.
Phishing Awareness at CMS
Phishing is the practice of sending fraudulent emails or other messages to enterprise employees that are designed to trick them into revealing sensitive information or clicking on malicious links.
Attackers use phishing to accomplish the following goals:
- Theft of personal information from the victim
- Installation of malware on the victim’s computer
- Confirmation of the validity of the target email address
- Theft of victim’s network credentials
Phishing scams targeting both individuals and industries are increasing in number as technology continues to advance. Attackers prey on the human element: their emails are designed to trick users into revealing sensitive information or clicking on malicious links. As users have become more vigilant against phishing attempts, attackers have had to alter their methods. Phishing emails are now more sophisticated than ever, and attackers are using new methods to reach potential victims, including:
- Vishing - when attackers call government-issued phones and leave deceptive voice messages in an effort to reach potential victims
- Smishing - text message attacks sent to government-issued phones
Phishing Training at CMS
CMS has created a pilot social engineering project that uses phishing, vishing, and smishing to simulate attacks. These exercises begin with campaigns that are easy for end users to identify and become more challenging over time. Through this process, users become more adept at identifying attacks and gain confidence that they will also be able to identify the real-world phishing attempts they receive.
CMS has conducted numerous exercises with users across the enterprise. The overall results of CMS’ internal phishing exercises include:
- Improved ability of staff to identify a phishing scam
- An increase in the rate that phishing is reported
- Improved response to phishing emails by the Security Operations Team
- A reduction in the risk that phishing will result in a breach of CMS data
- Data Guardians connecting with those staff members who successfully identified and reported the phishing attempt, and educating those who did not on best practices for the future
- Development of future plans and exercises based on the results of each exercise
With the help of the Data Guardians, the number of individuals at CMS who click on phishing emails has steadily declined. As of 2023, the average share of CMS staff and contractors who correctly identified and reported CMS-generated phishing exercises has been 33%. That is approximately 3,300 of the 10,000 contractors and employees who are phished in each campaign.
Training to increase reporting
One of the key objectives of the Data Guardian program is to increase the number of phishing reports across CMS. When CMS-issued phishing emails are sent, it is important that staff know to report them, not just ignore or delete them. Reporting phishing emails allows the Security Operations Team to respond quickly and strip that email from the email client, server, and network, further reducing the risk of human error exposing CMS to a breach. When communicating with components, it’s important that Data Guardians encourage their colleagues to report any suspicious emails. Remember: when in doubt, phish it out!
Adding the Report Phish icon to MS Outlook
Windows users
For VDI and Federal staff PC users, the easiest way to report a suspected phishing email is to use the “Report Phish” button in your MS Outlook ribbon. You may not initially see this icon, so it is important to check whether you have it. Here’s how to check:
Your Outlook ribbons may be collapsed. If they are, click the arrow button to expand them. The arrow button is located in the bottom right of your Outlook ribbon. If you click this and still do not see the “Report Phish” icon, please complete the following steps on your PC:
- In MS Outlook, click the “File” tab at the top left
- Click “Options” on the left side; the Outlook Options pop-up appears
- On the left of the pop-up, about halfway down, click “Customize Ribbon”
- Click the drop-down on the left titled “Choose commands from”
- Click Main Tabs
- Expand the Home (email) folder
- Look in the drop-down for <<no label>>; when you expand it, it should read Report Phishing or Report SPAM
- Click on it (if it is gray rather than black, you may already have the icon in the ribbon on the right), then click Add>>, which should move it over
Users can also view a complete step-by-step guide with images to help them set up the "Report Phishing" icon in Outlook.
Mac Users and federal staff using the browser version of Outlook
Mac users cannot install the Report SPAM/Phish icon, and there is no expected server upgrade date. Instead, when you identify a CMS training phishing email or a real-world phishing attempt, please forward that suspicious email to spam@cms.hhs.gov.
Federal iPhone Users
When you identify a CMS training phishing email or a real-world phishing attempt, please forward that suspicious email to spam@cms.hhs.gov.
Data Guardian training responsibilities
Under the new CMS pilot social engineering project, Data Guardians are expected to communicate with their component after a CMS-issued phishing email is sent. The communication serves the following purposes:
- Follow up with members of the component who properly reported the CMS-issued phishing email to congratulate them on the successful identification
- Email colleagues that did not report the phishing attempt, and ask them why they did not report it
- Personally connect with colleagues who clicked on CMS-issued phishing emails to mentor them about how to spot future phishing attempts in their inbox
Templates for component communication
Communication after a CMS phishing exercise is the key to changing individual behavior over time. Data Guardians can use the following email templates when communicating with their CMS component to promote a culture of cybersecurity awareness.
Post-phishing exercise email example:
Hello <Insert Component or Name>,
As you may know, phishing exercises are performed periodically throughout CMS. These exercises are an educational tool to help CMS staff identify malicious emails and take the appropriate steps to protect our beneficiary data. To help us all improve, data collected from these phishing exercises is shared with senior leadership to see how well we are doing as an Agency.
The phishing campaign results for the <INSERT DATE> exercise, subject <INSERT SUBJECT>, have been reviewed, and you have been identified as someone who did not report the campaign. It’s critical that all CMS staff not only recognize phishing attempts but also report them. Reporting demonstrates that our staff is knowledgeable and allows our Security Operations Team (SOC) to plan for future phishing attempts from bad actors and nation-states. The success of the phishing training program is based on the number of individuals who correctly report the phishing email, so it's important that you report it instead of ignoring it or deleting it. To meet our goals, the percentage of training phish reported must increase to 50% or higher. If you are an employee or contractor who did not identify and report the (<INSERT DATE>) training phish, please do so next time.
Don't hesitate to get in touch with me if you would like a training session on how to identify phishing emails and how to report them properly.
Again, if you suspect an email is malicious, please report it via the Report SPAM button on the MS Outlook Ribbon.
Alerting staff of a Phishing exercise
In the past, some CMS staff have occasionally alerted team members when a training phish was released. Unfortunately, this foreknowledge led to skewed results and artificially increased the number of staff who reported the campaign. Data Guardians must ensure that staff and management do not notify one another when a phishing exercise is released. If you have concerns about this, please send an email to the CMS Privacy Office at privacy@cms.hhs.gov and your identity will not be passed on.
Phishing Hall of Fame
The CMS Phishing Hall of Fame was created to recognize those individuals who have demonstrated their commitment to keeping our data, systems, and networks safe by reporting real-world phishing attacks. If a person within your component reported a real-world phishing attempt by clicking on the “report phish/spam” icon within the MS Office ribbon, the CISO Mailbox will send an email thanking that employee for following procedures. As the Data Guardian, you will be copied on that email.
As the Data Guardian, you can also send a follow-up email to the reporter and copy their management for additional recognition and praise. It’s an easy way to reward positive actions and establish relationships within your component.
Resources for Data Guardians
The following programs and information are designed to help Data Guardians in their daily work and to connect with other Data Guardians across the CMS enterprise.
Data Guardian library
The Data Guardian library contains information specific to Data Guardians and is reached via the Beneficiary Data Protection Initiative webpage. It is only accessible to Data Guardians, ISPG, and identified stakeholders. If you need access, contact your CMS Access Administrator (CAA) and ask for the following two CFACTS job codes:
- CFACTS_USER_P
- CFACTS_USER_V
When contacting your CMS Access Administrator (CAA), provide this justification: “This user, in the role as CMS Data Guardian, requires access to the Data Guardian library within CFACTS."
Data Guardian list
CMS maintains a list of current Data Guardians, their CMS component, and their contact information. You can use this link to connect with your fellow Data Guardians or to contact your component’s Data Guardian with questions. Data Guardians can also connect through the private Data Guardian listserv DataGuardian@cms.hhs.gov or via Slack at #cms_data_guardians.
Data Guardian training
Training and additional opportunities for Data Guardians are available through ISPG’s Role Based Training initiative. You can view current offerings tailored to your role here, or contact CISO@cms.hhs.gov.