NorthShore Resources has a need for a Security Assessment consultant for a project at one of our clients.
The Department of Human Services is seeking a vendor to provide a security assessment for the Minnesota Eligibility Technology System (METS). This security assessment must evaluate the METS implementation of, and compliance with, the MARS-E (Minimum Acceptable Risk Standard for Exchanges) controls, version 2.0 and version 2.2 (soon to be released by CMS). The federal Framework for the Independent Assessment of Security and Privacy Controls provides an overview of the independent security and privacy assessment requirements and the associated Centers for Medicare & Medicaid Services (CMS) reporting process for Administering Entities. The purpose of the framework is to:
- Define assessment independence and the independent assessor
- Provide assessment planning considerations
- Provide a basic security and privacy control assessment methodology
- Summarize security and privacy assessment reporting
- Provide a sample security and privacy assessment report
METS offers an easy-to-use one-stop web portal through which citizens can search and compare health insurance plans. The system includes the following functions: individual eligibility determination and enrollment; small employer eligibility and enrollment; certification and display of health benefit plan options and costs; navigator and agent/broker listing; display of health care provider information; premium aggregation and payment; and account administration. MNIT security professionals helped develop a system security plan that outlines security controls aligned with federal requirements.
The full scope of the need calls for assessments made over multiple years.
This request is for a vendor to provide services on a deliverables basis.
Project Milestones and Schedule
December 2021 – Project kick-off
March 1, 2022 – Review project scope and begin fieldwork
April 1, 2022 – Security assessment and scan result discussion
April 28, 2022 – Written report is due, meet with management to discuss results (payment will be made upon completion of the report)
- Dates are subject to modification as long as completion is before June 30, 2022
The goal of this RFO is to evaluate and select an experienced vendor specializing in technical security assessments to measure compliance with federal requirements for health insurance exchanges.
The deliverables and methodology of this assessment must align with federally mandated requirements in the Framework for the Independent Assessment of Security and Privacy Controls, version 2.0 and version 2.2 (soon to be released by CMS).
Responsibilities Expected of the Selected Vendor
- The selected vendor is expected to work with State staff throughout the assessment and be onsite. Any high findings, as defined in Appendix A, 5.1.1 SAR Content, will be reported to management immediately. The final written report will be discussed in a face-to-face meeting.
- The selected vendor will develop and obtain State’s prior written approval for a testing plan that will utilize their experience in selecting appropriate controls for review, while meeting federal requirements for independent assessments.
- The selected vendor will provide the State with a list of names in writing of primary staff (including any sub-contractual work) assigned to the project. The State reserves the right to require changes to any staffing assignments.
- The selected vendor will provide weekly documentation of work completed and a report on the status of efforts to complete remaining work.
- The selected vendor will ensure that assigned staff have received training appropriate to their positions and technical work.
- The selected vendor must obtain prior written approval from the State before conducting any automated scans or tests of controls.
- The vendor will produce a formal written report to summarize the assessment results, in a format that aligns with federal requirements.
- The vendor may have access to sensitive data, including personally-identifiable private health information subject to HIPAA, federal tax information subject to IRS regulations, and private data on individuals subject to protection by State law. Therefore, the vendor will need to enter into a business associates agreement with the State.
Minimum Qualifications for Vendor
- 2 engagements with NIST Certification and Accreditation processes and the NIST 800-53 family of controls.
- 2 years of experience assessing controls for compliance with the Minimum Acceptable Risk Standards for Exchanges (MARS-E) 2.0.
- Experience conducting security and compliance assessments with IRS and HIPAA requirements.
- Assessment staff with industry standard certifications, such as Certified Information Systems Security Professional and Certified Information Systems Auditor.
- Experience with the Affordable Care Act.
Minimum Qualifications of Resources
- 7 years of experience conducting security and compliance assessments, with at least one project that demonstrates familiarity with NIST framework requirements as they impact data privacy and security. The team lead shall have at least 4 years, and the team collectively 7.
- 2 years of demonstrated experience in testing technical controls in large IT environments with multiple, interconnected systems using Windows and UNIX operating systems, Oracle databases, and web applications.