Nearly half of all Americans, 160 million people, get their health coverage through Centers for Medicare and Medicaid Services (CMS) programs like Medicare, Medicaid, the Children's Health Insurance Program, and the Health Insurance Marketplace.

Protecting the sensitive personal information of millions of people requires an entire ecosystem of digital tools and products. CMS’ Information Security and Privacy Group (ISPG) holds these products to a high standard of security.

One of ISPG’s most critical functions is guiding and supporting users as they complete security-related tasks. Because these tasks are often very complex, ISPG personnel spend a large percentage of their time responding to help desk tickets and direct inquiries.

Fearless, alongside our partner CivicActions, has been working with CMS to build security.cms.gov, a unified portal for ISPG information.

The CMS ISPG challenge:

CMS ISPG is in charge of the policies and programs that ensure the security and privacy of data handled by CMS information systems. ISPG staff and contractors maintain policies, distribute guidance, communicate with customers, support security programs, and promote new initiatives.

Over the years, ISPG amassed an extensive collection of documents and resources spread across various locations and formats. This led to issues with version control and made it hard for people to find the information needed to do their security-related tasks.

Without a single, trusted location for cybersecurity information – and with many of the documents being in static PDFs – finding essential information from ISPG was time-consuming and difficult, which could negatively affect CMS’ overall security posture.

CMS needed a user-friendly website to:

  • Improve customer service through modern information delivery
  • Support CMS security personnel with the resources needed for their critical work
  • Make security topics and policies more approachable and human-centered
  • Build user-friendly processes to help ISPG staff maintain their content
  • Establish a platform where customers can find news and updates from ISPG

Our solution for CMS ISPG:

We stepped in to build an improved security.cms.gov. The user-friendly website is improving CMS’ customer service and promoting better security across CMS systems. It is the authoritative home for CMS security and privacy information.

How we did it.

We worked alongside ISPG customers and stakeholders to design and build a searchable, user-friendly portal for cybersecurity information – making it easier for security personnel to keep CMS data and systems safe.

“This is the best effort to date to get all of the security and privacy information in one place, in a way that makes sense. This is modern government information delivery at its best.”

– CMS Program Leader

Our team needed to understand the cybersecurity ecosystem at CMS. We built relationships across ISPG and partnered with their leadership and program teams to streamline content into a single, trusted platform. We emphasized making cybersecurity information approachable and human-centered.

By interviewing ISPG customers, we could build the site’s information architecture in a way that made sense to the people using it. Card sorting – a process that involves users in the design of the site navigation – helped solidify the menus and categories that would be the foundation of a user’s journey through the site.

A commitment to open source and user needs.

Security.cms.gov is a decoupled site using Drupal and React, giving ISPG flexibility for technology changes in the future. Our component library leans on the U.S. Web Design System (USWDS) to meet government requirements for accessibility and mobile responsiveness. We used Storybook to build components in isolation before deployment to the site, catching errors in real time and fixing them on the spot.

Making search a priority.

One of the key problems ISPG wanted to solve was the difficulty of searching for security documents, templates, and program information. The information was spread across various internal repositories and was difficult for their customers to find. We implemented a powerful search feature using Algolia, with filter options to help people find information specific to their needs. Improvements to search are ongoing as we learn more about how people use it.

The results:

Alongside CivicActions and CMS, the Fearless team has built an authoritative source of security & privacy information. The site is customer-centric, multi-generational, and promotes empowerment.

Stats:

Improved customer experience.

From Information System Security Officers (ISSOs) to Business and System Owners, the new website provides a better experience for people who need to interact with ISPG as part of the security compliance process at CMS.

Searchable and intuitive site.

User and stakeholder interviews revealed that ISPG customers love the website’s powerful search feature, intuitive navigation, and clean design. Cybersecurity staff can focus on their work without spending time hunting for information.

Approachable policy guidance.

Complex security policies and processes are easier to understand. ISPG’s guidance documents are now written in plain language, with user needs best practices at the forefront.

Simple content management.

ISPG staff now edit and oversee website pages with a user-friendly content management interface in Drupal. The workflows support busy staff and reduce content publishing bottlenecks.

Trusted communication channel.

ISPG staff struggled to communicate critical program updates effectively across many different platforms. The blog on the website offers streamlined messaging into one trusted channel.

Ongoing partnership.

To ensure the ongoing success of the ISPG website, we engaged deeply with ISPG teams all along the way, focusing on helping them evolve their organizational processes and sharing best practices for modern web content management.

This announcement was published independently of the Centers for Medicare and Medicaid Services (CMS). This release does not constitute or imply an endorsement by CMS or the United States Government of the product, process, or service, or its producer or provider. The views and opinions expressed in any referenced document do not necessarily state or reflect those of CMS, or the United States Government.

Written by
Fearless