ISSO Services for the CMS Marketplace (Centers for Medicare & Medicaid Services)

Partnering with VETS, LLC, InterSec Inc delivered Information System Security Officer (ISSO) services for CMS Marketplace systems: application security (AppSec), penetration testing, secure software development, and DevSecOps, aligned with Executive Order 14028 ("Improving the Nation's Cybersecurity") and other federal standards.

Background

CMS operates the Federally Facilitated Exchange (FFE), the Marketplace through which consumers in states that do not run their own exchange shop for and enroll in health insurance coverage. These systems process sensitive personal and health data and must satisfy stringent federal security and privacy requirements and recurring audits.

Client: Centers for Medicare & Medicaid Services
Industry: Federal

The Challenge

  • Multi-Layered Regulatory Environment: EO 14028, the CMS Acceptable Risk Safeguards (ARS), Privacy Act requirements, and audits from multiple bodies (SCA, GAO, OIG, IRS, and DHS RVA).
  • High-Value Assets (HVAs): Systems categorized as FISMA High that handle personally identifiable information (PII) and health data.
  • Fast but Secure Development: Delivery had to keep pace with CMS's Expedited Life Cycle (XLC) without weakening security controls or gate reviews.

Approach and Strategy

  • Zero Trust & Supply Chain Security: Applied Zero Trust principles (verify every access request rather than trusting network location) and strengthened assessment of vendors and third-party components.
  • Collaboration with CMS Teams: Integrated DevSecOps practices into the XLC so that security evidence was produced continuously, streamlining gate reviews and approvals.

Solution & Implementation

  • Comprehensive Compliance
    • Mapped system controls to the CMS ARS; updated policies for Privacy Act adherence.
  • Secure DevOps & AppSec
    • Applied secure coding practices, automated vulnerability scanning in the delivery pipeline, and rigorous code reviews.
  • Audit-Ready Documentation
    • Supported audits by refreshing critical artifacts (CMP, CP, AMP) annually.
  • Penetration Testing & Risk Assessments
    • Conducted recurring penetration tests and risk assessments to identify vulnerabilities early and drive timely remediation.

Results / Outcomes

  • Continuous ATO: Achieved and maintained Authority to Operate (ATO) for CMS Marketplace systems.
  • Reduced Risk for FISMA High Assets: Strengthened controls protecting sensitive personal and health data.
  • Regulatory & EO Compliance: Met EO 14028 requirements (Zero Trust, software supply chain security) and other federal mandates.
  • Strengthened Security Posture: Sustained a strong posture through multiple audits from SCA, GAO, OIG, IRS, and DHS RVA.

Lessons Learned

  • Integrated DevSecOps in an Expedited Framework: Balancing the speed of the XLC with thorough security checks was key to delivering efficiently without accumulating risk.
  • Comprehensive Audit Preparedness: Ongoing documentation updates and regular review cycles substantially reduced audit-related delays.