Enterprise Cybersecurity Awareness and Training Program Support (ECATPS)   3

The Centers for Medicare & Medicaid Services (CMS) is a federal agency of the U.S. Department of Health & Human Services (HHS) that is responsible for administering Medicare, Medicaid, the Children's Health Insurance Program (CHIP), and the Health Insurance Marketplace programs. A key initiative of the agency is to help the approximately 100 million people covered under these programs receive high quality, better healthcare that results in lower costs.

CMS is responsible for the payment of approximately $1 trillion each year for medical services rendered to over 100 million program beneficiaries and recipients. The organization carries out its mission through employment of approximately 4,500 employees located at its central office site in Baltimore, and in 10 regional offices located in major cities throughout the United States. The agency contracts with numerous companies to process claims for reimbursement for medical services rendered under the Medicare program, and works with all 50 states, the District of Columbia and the Territories in the administration of the Medicaid and CHIP programs.

In the administration of these programs, CMS utilizes many assets, including buildings, facilities, communications equipment, computer systems, employees, Contractors, public trust, and information. A loss to any one of these assets could negatively affect the goals, the mission or the quality of support necessary for CMS to deliver and provide to its customers, stakeholders, and to the American public. Additionally, CMS collects, uses, and stores information that is defined as Personally Identifiable Information (PII), Protected Health Information (PHI), proprietary data, procurement data, inter-agency data, sensitive information, and / or privileged system information. Access to and the necessary protections of information can be controlled by the Privacy Act of 1974 (as amended), the Computer Security Act of 1987 (as amended), the E-Government Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Federal Information Security Management Act (FISMA) of 2002, as well as many other important and relevant rules, regulations, policies, and guidelines promulgated by HHS, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST). As a result, CMS has a responsibility to collect, use, and / or disclose information properly and in accordance with federal regulations, to safeguard it at all times, and to maintain the confidentiality, integrity, and availability (CIA) of information and information systems.

To safeguard the CIA of its information and information systems effectively, CMS has established an enterprise-wide cybersecurity and privacy program led by the Information Security and Privacy Group (ISPG). ISPG is charged with protecting CMS data as it provides leadership to CMS in managing information security and privacy risks appropriate for evolving cyber threats . ISPG executes this vision utilizing an innovative approach to provide optimal visibility, situational awareness, resilience and incident response readiness across all CMS FISMA Systems.

The ISPG Security and Privacy program is responsible for defining policy, providing security and privacy services, and leading compliance and oversight of the program. The ISPG is comprised of five divisions: Division of Security and Privacy Compliance (DSPC), Division of Cyber Threat and Security Operations (DCTSO), Division of Security, Privacy Policy and Governance (DSPPG), Division of Strategic Information (DSI), and Division of Implementation and Reporting (DIR); and supported by the Front Office.

ISPG is looking for a contractor with knowledge in Cybersecurity and Privacy Awareness and Training Program support, which is needed to consolidate existing ISPG training efforts and support the continuation of the program's training activities of ISPG. Tasks and activities completed by the contractor will service ISPG, as well as ISPG's OIT Group partners and customers, to promote transparency, accountability, less duplication of effort, and improved program and cost efficiency. To meet these objectives, the contractor will have responsibilities in the following task areas:

• Project management
• Supporting the ISPG training team
• Consulting expertise to address emerging challenges and operation requirements within the awareness and training program
• Providing training content development services and delivery
• Providing subject matter expert support for the development, delivery and maintenance of a comprehensive information security and privacy awareness and training program
• Developing and implementing curriculum using the cognitive apprenticeship learning model
• Recommending, employing, and managing a unified learning management solution

Actively participating in the support, refinement, and delivery of the CyberVet-cohort program, monitor, as well as providing feedback on the progress and results of both the cohorts and the program with recommendations to ISPG.