ISSO Services for the CMS Marketplace (Centers for Medicare & Medicaid Services)
Partnering with VETS, LLC, InterSec Inc delivered AppSec, Penetration Testing, Secure Software Development, and DevSecOps for CMS Marketplace systems, ensuring compliance with EO 14028 and other federal standards.
Background
CMS manages the Federally Facilitated Exchange (FFE) that provides health insurance coverage nationwide. These systems process sensitive healthcare data and must comply with stringent regulations and audits.
Overview
CMS manages the Federally Facilitated Exchange (FFE), delivering health insurance coverage to millions of Americans. This high‐value environment requires strict adherence to multiple audits, including EO 14028 compliance and CMS Security ARS guidelines.
InterSec, working as a subcontractor to a large prime for the past 9 years, introduced secure AppSec, DevSecOps, and continuous penetration testing to speed up CMS’s Expedited Life Cycle (XLC). As a result, CMS sustained continuous authority to operate and solidified consumer trust in national healthcare services.
- Oversees high‐volume FFE systems with sensitive health data
- Must comply with EO 14028, Privacy Act, and multiple audits (SCA, GAO, OIG, IRS, DHS RVA)
- Handles FISMA High systems requiring round‐the‐clock protection
The Challenge
CMS needed to launch updates rapidly while ensuring absolute compliance with multiple federal standards. Falling short of either speed or security could erode trust in the FFE’s vital healthcare services.
- Multi‐Layered Compliance: Cross‐agency audits and complex requirements
- High‐Value Assets (HVAs): Personally identifiable information within FISMA High categories
- Expedited Life Cycle (XLC): Required rapid delivery without exposing vulnerabilities
Our Approach
InterSec integrated DevSecOps checks into each step of the XLC, bolstering app security, verifying supply chain components, and maintaining readiness for any potential audits.
- Zero Trust & Supply Chain Security: Verified every user and vendor component before granting access
- Collaborative Gate Reviews: Integrated security checks into each XLC milestone
- Complete Documentation: Kept artifacts (CMP, CP, AMP) up to date for multiple audits
Solution & Implementation
We combined automated vulnerability scanning with secure coding best practices and continuous penetration testing, enabling CMS to confidently roll out updates without compromising on compliance.
- Penetration Testing & Risk Assessments: Ongoing security checks to catch emergent threats
- Regular Artifact Updates: Ensured audit readiness, minimizing last‐minute surprises
- AppSec Integration: Secure coding standards, automated vulnerability scans, and code reviews
Results & Outcomes
CMS preserved a delicate balance between regulatory obligations and speedy feature releases, reinforcing the FFE’s reputation for reliability and resilient healthcare coverage.
- Continuous ATO: Zero disruptions to coverage due to authorization gaps
- Improved Security Posture: Strengthened cybersecurity posture through DevSecOps practices
- Met EO 14028: Satisfied requirements including Zero Trust, supply chain security, and broader federal mandates
- Successful ACA: Completed the annual Adaptive Control Assessment (ACA), along with GAO, OIG, IRS, and DHS RVA audits, with minimal findings
Capabilities Demonstrated
- ISSO Support for a FISMA High Environment
- DevSecOps Integration Across the Expedited Life Cycle (XLC)
- Continuous Penetration Testing & Security Assessments
- Cross-Agency Compliance (EO 14028, GAO, OIG, IRS, DHS)
- Zero Trust & Supply Chain Security Checks