Modernizing and Streamlining Cybersecurity Information
Centers for Medicare and Medicaid ServicesWe worked alongside ISPG customers and stakeholders to design and build a searchable, user-friendly portal for cybersecurity information – making it easier for security personnel to keep CMS data and systems safe.
95%
of ISPG’s static PDF documents converted to accessible HTML content
240+
CMS systems protected by ISPG’s security policies & programs
1
trusted source for CMS security and privacy information
“This is the best effort to date to get all of the security and privacy information in one place, in a way that makes sense. This is modern government information delivery at its best.”
CMS Program Leader
The challenge
The CMS Information Security and Privacy Group (ISPG) is in charge of the policies and programs that ensure the security and privacy of data that is handled by CMS information systems. ISPG staff and contractors work to maintain policies, distribute guidance, communicate with customers, support security programs, and promote new initiatives.
While doing this important work over the years, they amassed a large collection of documents and resources that were spread across various locations and formats. This led to issues with version control and made it hard for people to find the information needed to do their security-related tasks.
Without a single, trusted location for cybersecurity information – and with many of the documents being in static PDFs that were full of jargon and hard to understand – finding essential information from ISPG could be onerous, negatively impacting CMS’ overall security posture.
Client goal
To improve their customer service and promote better security across CMS systems, ISPG engaged our team to develop a user-friendly website (informally known as “CyberGeek”) at security.cms.gov that is recognized as the authoritative home for CMS security and privacy information. With this project, ISPG aims to:
- Improve customer service through modern information delivery
- Support CMS security personnel with the resources needed for their critical work
- Make security topics and policies more approachable and human-centered
- Build user-friendly processes to help ISPG staff maintain their content
- Establish a platform where customers can find news and updates from ISPG
Expertise
- Product Strategy
- Information Architecture
- Communications Strategy
- Content Design
- Plain Language Writing
- User Research & Testing
- Prototype Development & Testing
- UX / UI Design
- Stakeholder Engagement
- Frontend Development
- Decoupled Methodology
- Continuous Integration & Deployment
- Drupal Customization
- Accessibility Testing
Tools and technologies
- Figma
- Mural
- Storybook
- Airtable
- batCAVE (Platform-As-A-Service provided by CMS)
- Drupal 10
- React JS
- Algolia Search
- Google Analytics
- Google Search Console
- Axe
- Pa11y
Our Approach
Together with our partner Affix Digital, we worked closely with ISPG stakeholders and customers to understand the cybersecurity ecosystem at CMS. We built relationships across ISPG and partnered with their leadership and program teams to streamline their content into a single, trusted platform that makes cybersecurity information approachable and human-centered.
First, listen and learn
We started by interviewing ISPG customers to make sure we built the site’s information architecture in a way that made sense to the people using it. Card sorting – a process that involves users in the design of the site navigation – helped solidify the menus and categories that would be the foundation of a user’s journey through the site.
Open source and accessible
We built a decoupled site using Drupal and React to give the client flexibility for technology changes in the future. Utilizing the U.S. Web Design System (USWDS), we created a component library that ensures the site meets government requirements for things like accessibility and mobile responsiveness. We used Storybook to build components in isolation before deployment to the site, catching errors in real-time so they could be fixed on the spot.
Search at the core
One of the main problems ISPG wanted to solve for their customers was the headache of searching for security documents, templates, and program information – which had been difficult to find in various internal repositories. We implemented a powerful search feature using Algolia, with filter options to help people find information specific to their needs. Improvements to search are ongoing as we learn more about how people use it.
Key outcomes
Improved customer experience
From Information System Security Officers (ISSOs) to Business and System Owners, the new website provides a better experience for people who need to interact with ISPG as part of the security compliance process at CMS.
Searchable and intuitive site
User and stakeholder interviews revealed that ISPG customers are loving the website’s powerful search feature, intuitive navigation, and clean design. Cybersecurity staff can focus on their work without wasting time hunting for information.
Accessible & approachable policy guidance
Complex security policies and processes are easier to understand now that ISPG’s guidance documents are written in plain language, with user needs and accessibility best practices at the forefront.
Simple content management
ISPG staff can access the pages they are responsible for managing through a user-friendly content management interface in Drupal. The workflows are designed to support busy staff and reduce content publishing bottlenecks.
Trusted communication channel
ISPG staff had struggled to communicate critical program updates effectively across many different platforms. The blog on their new website streamlines messaging into one trusted channel.
Ongoing partnership
To ensure the ongoing success of the ISPG website, we engaged deeply with ISPG teams all along the way, helping them evolve their organizational processes and sharing best practices for modern web content management.