About CMS
The Centers for Medicare and Medicaid Services (CMS) is a federal agency within the U.S. Department of Health and Human Services (HHS) that administers the nation’s major healthcare programs. CMS serves over 160 million people through Medicare, Medicaid, the Children’s Health Insurance Program (CHIP), and the Health Insurance Marketplaces created by the Affordable Care Act.
Within CMS, the Information Security and Privacy Group (ISPG) is responsible for safeguarding CMS’s vast digital infrastructure and protecting sensitive healthcare information across all agency operations. As part of CMS’s Office of Information Technology (OIT), ISPG plays a critical role in ensuring the security and privacy of systems that serve millions of people.
The challenge
In response to OMB M-22-09’s mandate for federal agencies to adopt Zero Trust cybersecurity principles, CMS faced the critical challenge of securing its complex web infrastructure. The memorandum specifically requires agencies to encrypt all DNS requests and HTTP traffic, making HSTS implementation not just a best practice but a federal compliance requirement.
A U.S. Digital Corps Cybersecurity Fellow working with the CMS Information Security and Privacy Program, supporting the Zero Trust Team, was tasked with leading this critical security initiative. CMS maintains a complex and expansive web presence with 6 parent domains and over 400 subdomains serving hundreds of millions of sessions each year. Each domain serves critical public-facing services for Medicare beneficiaries, Health Insurance Marketplace consumers, and healthcare professionals.
The approach
The Fellow proactively curated a comprehensive set of guidance materials and implementation frameworks, streamlining the update process for over 100 CMS teams. This systematic approach included creating standardized procedures, technical documentation, and coordination protocols to ensure consistent implementation across CMS.
Recognizing the need for visibility and accountability across this complex, multi-team initiative, the Fellow took the initiative to work with another team to develop a progress-tracking dashboard that provided real-time visibility into HSTS implementation status across all 6 parent domains and CMS’s over 400 subdomains.
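As an added example, not code from the page or from CMS, the following is a status check of the kind such a dashboard could run over each domain's HTTPS response: it parses the Strict-Transport-Security header per RFC 6797 and classifies the host as missing, malformed, weak, or ok. The one-year max-age threshold, the includeSubDomains requirement, and the sample hosts and headers are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed thresholds (not stated on the page): HSTS is counted as "ok" only
# with a max-age of at least one year and includeSubDomains set.
MIN_MAX_AGE = 31536000

@dataclass
class HstsStatus:
    host: str
    status: str  # "missing" | "malformed" | "weak" | "ok"
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    reason: str

def parse_hsts(value: str):
    """Parse an STS field value into {directive: value}; None if invalid (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:               # a repeated directive makes the header invalid
            return None
        directives[name] = val.strip().strip('"')
    return directives

def check_hsts(host: str, headers: dict) -> HstsStatus:
    """Classify one host's HSTS state from its response headers (names matched case-insensitively)."""
    sts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if sts is None:
        return HstsStatus(host, "missing", None, False, False, "no Strict-Transport-Security header")
    d = parse_hsts(sts)
    if d is None or not d.get("max-age", "").isdigit():
        return HstsStatus(host, "malformed", None, False, False, "missing or non-numeric max-age")
    max_age, inc, pre = int(d["max-age"]), "includesubdomains" in d, "preload" in d
    if max_age == 0:
        return HstsStatus(host, "weak", max_age, inc, pre, "max-age=0 disables HSTS")
    if max_age < MIN_MAX_AGE or not inc:
        return HstsStatus(host, "weak", max_age, inc, pre, "max-age below one year or includeSubDomains absent")
    return HstsStatus(host, "ok", max_age, inc, pre, "policy meets threshold")

def summarize(results):
    """Roll individual results up into the per-status counts a tracking dashboard would show."""
    counts = {"missing": 0, "malformed": 0, "weak": 0, "ok": 0}
    for r in results:
        counts[r.status] += 1
    return counts

# Constructed sample responses (hypothetical hosts, not real CMS domains or headers).
SAMPLE = {
    "a.example.gov": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "b.example.gov": {"strict-transport-security": "max-age=300"},
    "c.example.gov": {"Content-Type": "text/html"},
    "d.example.gov": {"Strict-Transport-Security": "max-age=0"},
    "e.example.gov": {"Strict-Transport-Security": "max-age=abc; includeSubDomains"},
}
RESULTS = [check_hsts(h, hdrs) for h, hdrs in SAMPLE.items()]
```

Feeding real responses in place of SAMPLE turns this into the per-domain status feed behind a dashboard like the one described above.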
The impact
This foresight saved significant time across CMS: with over 100 teams needing to implement HSTS, a savings of 10 hours per team from using these guides and thereby avoiding debugging and troubleshooting equates to at least 1,000 hours saved across the agency. The dashboard also enabled easy follow-up with lagging teams.
The Fellow’s leadership of this large technical undertaking, which helped to ensure all web pages are served over encrypted channels, directly contributed to the agency’s security posture and protected the public accessing vital Medicare and Health Insurance Marketplace websites.
digitalcorps.gsa.gov
An official website of GSA’s Technology Transformation Services