Securing a cloud environment for CMS

The background

The mission of the Centers for Medicare and Medicaid Services (CMS) is to strengthen and modernize the nation’s health care system by providing access to high quality care and improved health at lower cost. The CMS vision of future success is a high quality health care system that ensures better care, access to coverage and improved health. CMS covers approximately 100 million U.S. citizens through Medicare, Medicaid, the Children’s Health Insurance Program, and the Health Insurance Marketplace.

The challenge

The Affordable Care Act (ACA) requires CMS to coordinate with states to establish Health Insurance Marketplaces, expand Medicaid, and regulate private health insurance plans. The ACA greatly broadened the agency’s roles and responsibilities, expanding CMS’ traditional service base and making it responsible for establishing Health Insurance Marketplaces, including the national Healthcare.gov website.

The Department of Health and Human Services (HHS)/CMS Strategic Plan states: “[CMS] will have achieved ‘Enterprise Excellence’ when CMS’ high-quality, diverse workforce develops, supports and utilizes innovative strategies, tools and processes, and collaborates effectively with its partners and agents to reach its goals.”

The technology backbone of the ACA is CMS’ virtual data center, eCloud. An advanced hybrid cloud hosting environment, eCloud consists of multiple technology vendors and connections to a variety of state governments, issuers, brokers, and assistors. The security and reliability of the underlying IT infrastructure that supports this data center was paramount to the ACA’s success. To address eCloud’s broad attack surface, CMS’ Center for Information and Insurance Oversight needed to implement a robust operational security management program to protect the data without impacting its estimated 35 million annual users.

Our solution

To provide the ACA with a cyber security solution, GovCIO (formerly Salient CRGT) implemented and operated a robust Operational Security Management Program. This program consists of an advanced 24×7 Security Operations Center (SOC), which provided both broad and deep cyber security services for the eCloud environment and Healthcare.gov. Our SOC support included:

  • Continuous monitoring, behavioral-based analytics, and signature development
  • Cyber threat intelligence
  • Digital forensic analysis including rapid response for data breach and consumer fraud
  • Security incident reporting, security risk analysis, and risk management
  • Full lifecycle maintenance of security appliances and tools
  • Multi-tenant, multi-vendor, hybrid cloud vulnerability scanning and assessments and privacy assessments

As security is fundamental to all components of the ACA, the SOC had to serve as the central hub for all security matters and maintain a visible, respected, and reliable presence throughout the ACA ecosystem, including a consistent connection to CMS and federal cyber security authorities. To achieve this, GovCIO's management approach centered on three tenets: quality, partnership, and customer service. We built and maintained relationships that facilitated continuous data exchange between government components and partners, and also introduced innovative processes and technologies to maintain the availability, quality, and delivery of time-sensitive information about cyber security health and the evolving threat landscape.

Our impact

GovCIO's efforts on this program, including our innovative processes and technologies, secured time-sensitive information and enabled CMS to maintain the security and privacy protections of the Healthcare.gov website and hosting environment since service launch. As a result, we have helped CMS both maintain privacy protections and uphold its commitment to Enterprise Excellence.
