Published: 4/18/2024

Public if possible: ISPG’s commitment to customers

by Policy

Our website is publicly accessible to best serve our customers — but there’s also due process to ensure information security

Why is the ISPG website (CyberGeek) open to the public?

When we set out to provide one authoritative home for CMS security and privacy information, ISPG leadership decided to make this information “public if possible”. That means instead of putting things behind a CMS login barrier by default, we go through a careful process to determine whether the information can safely be made public. If so, it is published here on our website. There are many benefits to this approach:

Provide a “one stop shop” for ISPG information

Our customers safeguard security and privacy for CMS information systems. From ISSOs and CRAs to security engineers and ADO teams, they rely on ISPG for accurate information about the policies and programs that support information security. 

With the launch of CyberGeek, we aimed to provide a single convenient place for them to find everything they need. Making it publicly accessible — and retiring older information from legacy spaces — means our customers visit fewer sites, open fewer files, and spend less time hunting down the most current version of a document.

Reduce barriers and improve efficiency

Many of the people who work daily to protect CMS information are contractors – our valued partners in maintaining secure systems that serve our beneficiaries. Contractors come and go as contracts change. New team members must onboard quickly to projects and often struggle to access tools and systems placed behind barriers. 

Making CyberGeek publicly accessible removes some of those barriers, increasing collaboration and efficiency for CMS system teams. Since the site’s launch, ISPG has received enthusiastic feedback from contractors. For example: “CyberGeek helps me onboard new team members quickly and orient them to the CMS cybersecurity ecosystem. And our team constantly references it in our daily work.”

Establish CMS as a cybersecurity leader

CyberGeek is built using best practices and standards for web content, which means it is easily discoverable by people through search engines like Google and Bing. This boosts CMS’ visibility as a forward-thinking government agency that is investing in proactive, modern security practices – making CMS more attractive to potential talent and customers. 

In fact, the CMS Threat Modeling team has been contacted by people outside of CMS who were interested in learning more about Threat Modeling services! By continuing to make our non-sensitive information publicly accessible, we put CMS “on the map” of the larger cybersecurity community in a positive way.

Model best practices

At ISPG we deliver information following best practices used by federal agencies that are dedicated to improving customer service. For example, the 2023 Executive Order from the White House promotes the publishing of government information online in a clear, accessible format so customers can “find what they need, understand what they find, and use what they find to meet their needs.”

Although ISPG’s customers are within CMS and are not the general American public, it better serves both groups to make information “public if possible” unless there’s a clear reason not to. And having our information publicly available promotes federal information transparency, which is a core tenet of building trust in government and sharing knowledge for the benefit of all.

What about sensitive information?

It’s healthy to have concerns about publishing sensitive information. At CMS we are dedicated to protecting the personal and health information of the millions of Americans we serve. The key consideration is doing the work of identifying what constitutes sensitive information — instead of making all information harder to access “just to be safe.”

ISPG uses these criteria to determine whether information is truly unsuitable for public availability:

  • Is the information “Controlled Unclassified Information (CUI)” as defined by NIST?
    • In plain terms: Is there a law, policy, or regulation that requires any of this information to remain protected? Examples: PII, PHI, etc.

  • Is the information “Sensitive” as defined by NIST?
    • In plain terms: Could any of the information be used by a bad actor to access or harm CMS information or systems?

If the answer is “yes” to either question, the ISPG information publisher must provide a logical reason or example to prove the sensitivity of the information. It will then remain protected behind a CMS login. If the answer is “no,” then the information should be published on CyberGeek, even if it feels different from “the way it’s always been done” on older legacy sites. 

Pitfalls of “security through obscurity”

It can be tempting to “play it safe” and default to putting information behind a login, whether or not it needs that protection. This is sometimes called “security through obscurity” — the reliance on secrecy as the default method for keeping something safe. 

There is also a tendency to keep doing things that have been done for a long time — for example, marking documents For Official Use Only (FOUO) even if there’s not a clear and specific reason to do so.

But this comes with a cost. When people can’t easily access information they need for their work, they cut corners, keep local copies, collaborate in alternative spaces, and find other workarounds in order to get the job done. This ultimately makes information less secure, defeating the purpose of putting information behind a login in the first place. It also creates a sense of frustration that negatively impacts collaboration and innovation.

“Security through obscurity” reflects a rigid, compliance-based approach to security, which has proven ineffective. ISPG fosters security through a proactive, risk-based approach, which critically examines the potential for harm and makes an educated decision based on clear criteria.

What you can do

At CMS, we all have a part to play in keeping information safe. 

If you’re an ISPG customer, you can:

  • Visit CyberGeek first as your trusted place for ISPG information. From there, you will be directed to other spaces and resources if necessary.
  • Know that the information we publish on CyberGeek is as current and accurate as possible, and has been reviewed for public-facing suitability.

If you’re an ISPG information publisher, you can:

  • Plan to publish all of your customer-facing information on CyberGeek, unless there’s a clear reason not to.
  • Use the criteria questions listed above if you’re unsure about whether something is suitable for publication on CyberGeek.
  • Contact the Policy Team (CISO@cms.hhs.gov) if you see something on CyberGeek that should not be there because of concerns about sensitive information.

Questions?

This article is an official statement from the ISPG Policy Team and the Office of the CMS Chief Information Security Officer (CISO). If you have questions, contact us:

  • CMS Slack: ispg-sec_privacy-policy
  • Email: CISO@cms.hhs.gov

About the publisher:

The ISPG Policy Team (also known as CMS CISO Team) manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.