Skip to contentSkip to footer

Modernizing and Streamlining Cybersecurity Information

Centers for Medicare and Medicaid Services

We worked alongside ISPG customers and stakeholders to design and build a searchable, user-friendly portal for cybersecurity information – making it easier for security personnel to keep CMS data and systems safe.

A webpage with a welcome message for the CMS Information Security and Privacy Group (ISPG). It describes ISPG's role within CMS's Office of Information Technology, focusing on security and privacy.The new ISPG website at security.cms.gov is a customer-centric portal for security information at CMS.

95%

of ISPG’s static PDF documents converted to accessible HTML content

240+

CMS systems protected by ISPG’s security policies & programs

1

trusted source for CMS security and privacy information

“This is the best effort to date to get all of the security and privacy information in one place, in a way that makes sense. This is modern government information delivery at its best.”

CMS Program Leader

The challenge

The CMS Information Security and Privacy Group (ISPG) is in charge of the policies and programs that ensure the security and privacy of data that is handled by CMS information systems. ISPG staff and contractors work to maintain policies, distribute guidance, communicate with customers, support security programs, and promote new initiatives.

While doing this important work over the years, they amassed a large collection of documents and resources that were spread across various locations and formats. This led to issues with version control and made it hard for people to find the information needed to do their security-related tasks.

Without a single, trusted location for cybersecurity information – and with many of the documents being in static PDFs that were full of jargon and hard to understand – finding essential information from ISPG could be onerous, negatively impacting CMS’ overall security posture.

Client goal

To improve their customer service and promote better security across CMS systems, ISPG engaged our team to develop a user-friendly website (informally known as “CyberGeek”) at security.cms.gov that is recognized as the authoritative home for CMS security and privacy information. With this project, ISPG aims to:

  • Improve customer service through modern information delivery
  • Support CMS security personnel with the resources needed for their critical work
  • Make security topics and policies more approachable and human-centered
  • Build user-friendly processes to help ISPG staff maintain their content
  • Establish a platform where customers can find news and updates from ISPG

Expertise

  • Product Strategy
  • Information Architecture
  • Communications Strategy
  • Content Design
  • Plain Language Writing
  • User Research & Testing
  • Prototype Development & Testing
  • UX / UI Design
  • Stakeholder Engagement
  • Frontend Development
  • Decoupled Methodology
  • Continuous Integration & Deployment
  • Drupal Customization
  • Accessibility Testing

Tools and technologies

  • Figma
  • Mural
  • Storybook
  • Airtable
  • batCAVE (Platform-As-A-Service provided by CMS)
  • Drupal 10
  • React JS
  • Algolia Search
  • Google Analytics
  • Google Search Console
  • Axe
  • Pa11y

Our Approach

Together with our partner Fearless, we worked closely with ISPG stakeholders and customers to understand the cybersecurity ecosystem at CMS. We built relationships across ISPG and partnered with their leadership and program teams to streamline their content into a single, trusted platform that makes cybersecurity information approachable and human-centered.

First, listen and learn

We started by interviewing ISPG customers to make sure we built the site’s information architecture in a way that made sense to the people using it. Card sorting – a process that involves users in the design of the site navigation – helped solidify the menus and categories that would be the foundation of a user’s journey through the site.

A dashboard screenshot showing various categories like CMS, Risk Management, Privacy Policy, and more. Each category contains different selections with some having lists of items and others with icons.
We involved ISPG customers and program leaders at every step of our design process, and tested our assumptions with User Experience (UX) best practices.

Open source and accessible

We built a decoupled site using Drupal and React to give the client flexibility for technology changes in the future. Utilizing the U.S. Web Design System (USWDS), we created a component library that ensures the site meets government requirements for things like accessibility and mobile responsiveness. We used Storybook to build components in isolation before deployment to the site, catching errors in real-time so they could be fixed on the spot.

Search at the core

One of the main problems ISPG wanted to solve for their customers was the headache of searching for security documents, templates, and program information – which had been difficult to find in various internal repositories. We implemented a powerful search feature using Algolia, with filter options to help people find information specific to their needs. Improvements to search are ongoing as we learn more about how people use it.

Risk management and resources page: A webpage with tools and information to help manage and mitigate risks effectively.
ISPG customers report that the new CyberGeek search is a huge improvement on the prior experience.

Key outcomes

Improved customer experience

From Information System Security Officers (ISSOs) to Business and System Owners, the new website provides a better experience for people who need to interact with ISPG as part of the security compliance process at CMS.

Searchable and intuitive site

User and stakeholder interviews revealed that ISPG customers are loving the website’s powerful search feature, intuitive navigation, and clean design. Cybersecurity staff can focus on their work without wasting time hunting for information.

Accessible & approachable policy guidance

Complex security policies and processes are easier to understand now that ISPG’s guidance documents are written in plain language, with user needs and accessibility best practices at the forefront.

Simple content management

ISPG staff can access the pages they are responsible for managing through a user-friendly content management interface in Drupal. The workflows are designed to support busy staff and reduce content publishing bottlenecks.

Trusted communication channel

ISPG staff had struggled to communicate critical program updates effectively across many different platforms. The blog on their new website streamlines messaging into one trusted channel.

Ongoing partnership

To ensure the ongoing success of the ISPG website, we engaged deeply with ISPG teams all along the way, helping them evolve their organizational processes and sharing best practices for modern web content management.

Meet the team

Let’s build a public success story.

Get in touch to start.