Published: 7/12/2024
New IS2P2 updates: What you need to know
The Policy team updated the IS2P2 in June 2024. Here we’re spotlighting the key changes to make it easy for you to see what’s new.
The ISPG Policy team regularly revisits the CMS Information Systems Security & Privacy Policy (IS2P2) to incorporate new information, update language, and keep the document up to date.
The most recent revisions came out in June 2024. We've called out the six big changes so you can quickly see what's new and how it might affect your work.
List of updates
The IS2P2 updates address several gaps:
- Role updates: In the CMS Federal Executives section, assigned responsibilities of the agency’s Chief Acquisition Officer to the Office Director, OAGM (Office of Acquisition and Grants Management)
- New role: Added an Enterprise Architecture (Function) section, and assigned appropriate responsibilities as dictated by HHS IS2P and HHS Policy for Enterprise Architecture
- Requirement updates: Updated the CMS-CLD-1 section to clarify requirements for cloud service implementation
- Personnel update: Updated Approval section to accurately reflect CMS Leadership
- Terminology: Updated “ISSO” to “System Security and Privacy Officer (SSPO)” throughout the document to reflect current HHS policy
- Accuracy: Revised document version numbers in the Scope section
Why these changes were made
The Policy team made these changes to align the roles and responsibilities in the IS2P2 with those listed in HHS policy.
We updated requirements to clarify the policy around using SaaS tools and the RCR (Rapid Cloud Review) process. Teams should review the CMS-CLD-1 section to see how the changes apply to them, and update their practices going forward.
ISSO vs. SSPO: Which is it?
With this update to the IS2P2, we have changed all references to Information System Security Officer (ISSO) to System Security and Privacy Officer (SSPO), because the HHS IS2P made this change a while ago. CMS must formally align with HHS policy, so we changed the name of this role in our IS2P2 document.
However, the everyday usage of the term "ISSO" is deeply woven into our programs, trainings, materials, and communication channels across CMS. Changing the everyday usage of the term is not necessary, as long as our policy reflects the formal term. So for simplicity, the CMS cybersecurity community will continue to use the term Information System Security Officer (ISSO) in everyday settings, unless otherwise noted.
Questions?
Thank you for your attention to these updates.
If you have any questions, please reach out to the policy team in CMS Slack #ispg-sec_privacy-policy, or email CISO@cms.hhs.gov.
About the publisher:
The ISPG Policy Team (also known as CMS CISO Team) manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.