Blunt probes ACA website’s testing, launch

In an effort to shore up security of the healthcare.gov website, Rep. Patrick Meehan (R-Pa.) on Thursday probed the Center for Medicare and Medicaid Services’ decision to certify that the website underwent adequate testing prior to its launch.

Meehan and Rep. Diane Black (R-Tenn.) probed the decision to certify the security testing in a letter to CMS Administrator Marilyn Tavenner.

“Now that healthcare.gov is open for business, it is imperative that Congress be provided the information necessary to understand how the federal exchange was certified and what protections are in place to protect Americans using the system,” Meehan and Black said. “What process has been implemented to monitor the ongoing effectiveness of security controls and the progress of actions taken to correct vulnerabilities?”

CMS cleared the website to launch in September by issuing an Interim Authority to Operate order.

“…A risk decision memo that accompanied the authorization explained that the security control assessment required by Federal Information Security Management Act was only partly completed ‘due to systems readiness issue,’” Meehan and Black said. “The IATO also appears to contradict regulatory guidance, which states that the Office of Management and Budget does not recognize interim authority to operate for security authorization. Furthermore, reports that CMS’ chief information security officer recommended a denial of healthcare.gov’s Authority to Operate are concerning.”

Meehan and Black also pressed Tavenner on what processes are in place to monitor the effectiveness of security controls and requested the results of a security test that was required within 60 to 90 days of the website’s launch.