Obamacare marketplace violates federal security law


The bureaucracy tasked with Obamacare implementation may be violating a law that requires government agencies to keep private information safe.

Under the Federal Information Security Management Act (FISMA), each information system operated by the Department of Health and Human Services’ Centers for Medicare & Medicaid Services (CMS) must have an “Authorization to Operate,” or ATO, before it goes into production. To receive an ATO, a new information technology system must pass through a set of reviews and tests, including a “Security Control Assessment” (SCA), in which the system’s security controls are tested and the results documented for the official who signs the authorization.

But CMS’s own FY 2014 budget request acknowledges that these assessments were not completed on schedule: the influx of Affordable Care Act systems created a backlog of SCAs that CMS lacked the resources to clear, and some systems in its FISMA inventory went into production before obtaining an ATO. The Federal Healthcare Marketplace website itself was rolled out without full end-to-end testing.

Indeed, the large number of new systems created because of Obamacare produced a backlog of testing, and CMS could not complete the required security control assessments. Without a completed SCA a system cannot receive an ATO, and operating a system without an ATO is a violation of federal law under FISMA.

FISMA was enacted in 2002. Under FISMA, federal agencies are required: “to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.”

The Centers for Medicare & Medicaid Services is responsible for the oversight and implementation of the Federal Healthcare Marketplace website and its associated systems.

Documents obtained by The Daily Caller reveal the federal violations.

A CMS Information Security bulletin released in April 2013 explains that FISMA applies to

 …all organizations (sources) which have physical or electronic access to a Federal agency’s computer systems, networks, or IT infrastructure; or use information systems to generate, store, process, or exchange data with a Federal agency, or on behalf of a Federal agency, regardless of whether the data resides on a Federal Agency or a Contractor’s information system. This includes services that are either fully or partially provided; including other agency hosted, outsourced, and cloud computing solutions. (Pg. 1)

The same bulletin spells out the ATO requirement that FISMA imposes on CMS:

The implementation of a Federal Government information system requires a formal Government Authorization to Operate (ATO) for infrastructure systems and/or all application systems developed, hosted and/or maintained on behalf of CMS. (Pg. 8)

Another CMS document entitled “Security Information Review” released in September 2012 reaffirms the FISMA requirement:

By law, each CMS FISMA system must obtain an ATO before it can be placed into operation. Therefore, security controls must be operational, effective, managed, and continuously monitored. (Pg. 7)

CMS has published guidelines called the “Authorization to Operate Package Guide” to provide instruction on how to obtain an ATO. Each ATO package must include 12 “artifacts” in order to be submitted for authorization. The table of 12 artifacts includes two known as the “Security Control Assessment Plan (SCA Test Plan)” and “Security Control Assessment Report (SCA Report).” The SCA Report records whether the system’s security controls were actually tested and found effective; it is the evidence the authorizing official relies on when deciding to accept the system’s residual risk and grant the ATO.

As part of its annual reporting responsibilities to the Department of Health and Human Services, CMS must provide an “Online Performance Appendix.”

From the CMS 2012 Online Performance Appendix:

This CMS Online Performance Appendix includes representative performance goals that reflect CMS’ mission to be a major force and a trustworthy partner for the continual improvement of health and health care for all Americans (Pg. 3)…

The DHHS Office of Inspector General (OIG) issued a Management Implication Report (MIR) in May 2009 that led to subsequent memoranda from the Secretary and Deputy Secretary of HHS urging Operating Divisions to increase vigilance in several areas in information security. Specifically, the Certification and Accreditation (C&A) program which provides a system’s authority to operate (ATO) was identified as a key area for improvement. (Pgs. 35-37)

The report also states:

The OIG MIR also identified the lack of independent oversight of CMS systems over our systems as a critical weakness. (Pg. 37)

CMS tracks its response to this OIG finding under a performance measure known as “MCR21: Effectively Manage Information Technology (IT) Systems and Investments to Minimize Risks and Maximize Returns.”

CMS’s FY 2014 Performance Budget request includes a “Justification of Estimates for Appropriations Committees.” In it, CMS reports its progress with respect to MCR21:

We did not meet our FY 2012 target of 90 percent of CMS FISMA systems ATO based on defining the number of CMS FISMA systems for the following reasons:

(1) In the FISMA system inventory list, there are systems that did not fully follow the lifecycle; some either went into production prior to getting an ATO, and others still do not have an ATO. These systems may have followed parts of the lifecycle, but they did not fully complete it properly.

(2) The influx of systems from ACA [Affordable Care Act] created a large backlog of current and future systems that needed Security Control Assessments (SCAs) at one time. CMS does not have the resources to test them all at once. (Pg. 93)

Follow Charles on Twitter