ISPG has secured what is believed to be the first Ongoing Authorization to Operate (OATO) in the federal government for a pilot program that is changing the way the CMS assesses vulnerabilities and validates the security posture of all of its information systems.

Image of brain in cyberspace.


MACFin Pilot Validates Faster Compliance Process

Image of brain surrounded by charts and graphs to represent the MACFin application.

ISPG has secured a significant Ongoing Authorization to Operate (OATO) for a pilot security compliance program that is streamlining the way CMS views, assesses, and authorizes the security posture of all of its information systems.

The OATO for the Medicaid and CHIP Financial (MACFin) pilot is the first within CMS. MACFin manages the Medicaid budget and expenditure for the Children’s Health Insurance Program (CHIP) Business and Expenditure. It is designed to improve the efficiency of existing reporting processes, while enhancing federal and state oversight of Medicaid and CHIP expenditures for compliance with federal law and regulations.

The Ongoing Authorization pilot, which involved information systems from three CMS centers – Drug Data Processing (DDP), Retired Drug Subsidy (RDS) and MACFin – has streamlined the long-standing manual process for assessing residual risks and system vulnerabilities and securing operational authorization every three years. For the first time, CMS has the ability to leverage real-time monitoring of system vulnerabilities utilizing Continuous Diagnostic and Mitigation (CDM) tools and Tableau Dashboards.

“This is a significant milestone for OIT and ISPG because it has streamlined our authorization process and leveraging vulnerability scanning tools,” says Gus Borjas, Senior Cyber Risk Advisor for ISPG. “We now can see how vulnerable our systems are in real time rather than doing a manually intensive review every year. Normally this information takes a month to compile. But the application of these tools changed all that.”

Prior to this, securing a traditional authorization to operate (ATO) required project teams to manually assess and attest to the soundness of their systems every year.

“Over the course of three years, if all of these requirements were met, an executive summary of the findings and residual risks was submitted to the chief information security officer and the CIO with a recommendation to approve the ATO.” Borjas says. “The federal government says if you are able to have this real-time visibility into the security posture of a system and can maintain those thresholds, then every third year you don’t have to do this to approve the ATO. This made the pilot an ideal candidate for OATO consideration.”

The benefits extend beyond the authorization process and give CMS the capability to view system security at any time.

“What we’re talking about is ongoing authorization,” Borjas said. “We don’t have to assess the residual risk of a system and make a recommendation to the CISO and CIO every three years. Now if everything looks good and the Ongoing Authorization thresholds are within parameters, then the ongoing authorization to operate is good to go for another three years.”

You can find more information on MACFin, the ATO process, SAF and CMS security at:

Why Secure an OATO?

The fundamental principle and requirements for obtaining an Ongoing Authorization to Operate (OATO) are to:

  • Have a valid authorization to operate that does not expire in the next six months.
  • Be fully hosted on the CMS AWS Environment.
  • Implement the AWS Security Hub (Sec-Hub).
  • Ensure that key CDM data and data feeds have been integrated into CDM architecture (HWAM, VUL), and requisite reporting mechanisms.
  • Ensure visibility in corresponding dashboards and reports have been verified.
  • Complete a security and privacy assessment (ACT and Pen-Test) within the past 12 months and validate participation in an ISPG-provided Threat Modeling session.

Recent Articles

Recent Media