Summary

ISSO Program Manager Don Bartley discusses the new ISPG website CyberGeek and its potential to help strengthen the knowledge and preparedness of ISSOs and anyone whose day-to-day work includes cybersecurity responsibilities.

Graphic of man working at computer with connected icons representing files and cloud security hovering overhead

A “Single Source of Truth” for ISSOs: Don Bartley Explains Benefits of CyberGeek

Over the past 24 years as an OIT employee working in cybersecurity, Don Bartley has worn many hats. One of the more prominent hats he has worn during this time is leading the many Information System Security Officer (ISSO) programs at CMS.

The ISSO role is unique in that it is not typically filled by a full-time employee devoted to that particular job. With the exception of a handful of people, most ISSOs spend only part of their time supporting the role. Given this situation, training for new ISSOs and easy access to cybersecurity information are essential. 

That’s why Bartley is optimistic about the impact of CyberGeek, a new website coming soon from the Information Security and Privacy Group (ISPG).

CyberGeek is a clearinghouse for all things cybersecurity-related at CMS. While it is designed for anyone who addresses cybersecurity in their day-to-day work, the accessible and searchable website will be especially useful for strengthening knowledge and preparedness for ISSOs. Thanks to this ease of access, CyberGeek will help improve the overall security and privacy for CMS information and systems. 

“The project will provide a navigable, searchable resource with hyperlinks and functionality you’d expect out of a website,” says Bartley.

Bartley, who has been providing feedback on the CyberGeek project, believes it is the next evolution of the CMS ISSO support program. He would know because he has been there since the beginning.

“Prior to 2009, there was not a formal ISSO structure across CMS and there was no training available. It would not be out of the ordinary for your manager to come to you and say, ‘We need someone to support the security of our system, so you're now the ISSO,’” says Bartley.

People from every background imaginable, from clinicians to lawyers to those who actually have degrees in cybersecurity, could be asked to fill the ISSO role.

“That's a wide-ranging, diversified community,” says Bartley, whose programs help ISSOs understand how they should prepare to meet the security requirements of a system and be successful in the role.

Currently, there are many different sites that provide cybersecurity information throughout OIT. CyberGeek will soon become the go-to authority, combining all security- and privacy-related policies, updates, programs, and resources under one roof.

Bartley is excited about how CyberGeek will provide links to related support tools. For instance, if a person searches for a specific security topic in CyberGeek, they can follow a link to an educational video on that topic in the upcoming Learning Management System.

CyberGeek will be a single source of truth by reducing any issues with version control that exist when information is stored on multiple sites such as SharePoint or Confluence, Bartley explains. The goal is to phase out old or duplicative information on other platforms and handle version control in one, streamlined place. This way, people can be sure they are looking at the most current, authoritative version of documentation.

“CyberGeek is really what we need,” says Bartley. For more information, see the CyberGeek project update presentation and visit the ISPG CyberGeek website, http://security.cms.gov/, to see new features and pages in the coming weeks.

A Timeline of ISSO Support at CMS

When it comes to ISSO programs at CMS, Don Bartley is a living history book. To help us understand where CyberGeek fits into the evolving efforts to support ISSOs, Bartley shared a timeline of OIT's past ISSO support programs with PlanetOIT:

2009: The CISO approaches Bartley with the idea of starting a training program for the ISSO role. Bartley identifies several subjects necessary for the ISSO to be competent in the role. In conjunction with skilled trainers, he creates instructor-led courses to enable the ISSO to successfully perform their duties.

2012: The instructor-led portion of the training program ends.

2015: Bartley approaches Chief Technology Officer George Linares to start an ISSO engagement and mentoring program and they enter a pilot phase within OIT. The concept of supporting ISSOs is deemed important enough that senior leadership decides the program should be rolled out across all of CMS.

2017: OIT launches the ISSO Engagement and Outreach Initiative. That program includes multiple facets, including creation of an ISSO mentoring program. The ultimate goal of the Initiative is to determine whether the ISSO role should become a full-time professional position. 

2020: The program is rebranded to come into alignment with the OIT Workforce Resilience initiative and the name changes to ISSO Workforce Initiative.

2023: What’s next? This year, the program is being renamed and repurposed. It will become the ISSO Advocacy and Support Program. “We chose those words because they really reflect what the program is about,” Bartley says. “The ISSO Advocacy and Support Program provides the training, tools, and resources, organizational structure and individual empowerment necessary to ensure the ISSO at CMS can support and maintain the cybersecurity posture of the agency and drive change necessary for continued cybersecurity success.”
