This section provides guidance to CMS team members and contractors on the overall onboarding process into QualityNet IT Services. The following timeline identifies what occurs and when during the onboarding/offboarding process. The first five entries in the timeline refer to the activities involved in the onboarding process. Note that this timeline may vary based on your contract.
QualityNet | CCSQ Onboarding/Offboarding Timeline
To learn more about the actions required and who is responsible for each action, click on the tab that corresponds to the step in the timeline.
Notify of Contract Solicitation
The CMS COR notifies the CCSQ Onboarding Services team of a new contract solicitation and provides an estimated award date at the following email address: CCSQOnboardingteam@cms.hhs.gov.
Note: Only a high-level notice is needed; only provide contract specifics that are publicly available as contractors have access to the email address and only non-sensitive information should be included.
Identify Contract Requirements
The CMS COR works with the CCSQ Onboarding Services team to identify high-level service requirements for the new contract to gain a better understanding of what QualityNet IT Services will be applicable.
The CMS selects and contacts the New Contractor. Thereafter, CMS prepares the official approval of the contract to send to the New Contractor. The contract is then executed by the New Contractor. No work can start or meetings scheduled until the Period of Performance (POP) begins. The New Contractor must identify a Security Point of Contact (SPOC) and Security Official (SO) within one (1) day of the contract award.
Notify of Contract Award
The CMS COR notifies the CCSQ Onboarding Team of a new contract award at the following email address: CCSQOnboardingteam@cms.hhs.gov.
The Period of Performance (POP) is the time span between the effective date of a contract (when the contracted effort begins) and the last day under the contract on which deliveries of goods are made or services are performed. Once the POP begins all meetings, work, and calls can proceed.
Complete CCSQ Onboarding Services Intake Form
The CMS COR coordinates with the New Contractor to gather the required information to onboard a contract and identify the type of work to be performed and the services required. Refer to the CMS Services tab for guidance on the Data Use Agreement (DUA) process.
Within one day after the POP start date, the contractor needs to identify the Security Officer (SO) and the Security Point of Contract (SPOC) for their contract. These individuals need to initiate their background checks via EUA and create/activate their user ID in HARP and the New Contractor needs to provide their ID and contact information to the COR as part of the onboarding process.
Once the COR has gathered the required information, they need to submit the JSM Form to onboard the New Contractor. For detailed information regarding this process, CLICK HERE.
Responsible Parties: 
CMS COR, 
New Contractor, 
CCSQ Onboarding Services Team
Conduct Onboarding Services Meeting
The CCSQ Onboarding Team conducts a meeting with the CMS COR and New Contractor to confirm eligibility for the services identified in the Contract Onboarding Services Intake Form and sends a request for approval of these services to the CMS Service Leads for processing.
Responsible Parties:
CCSQ Onboarding Services Team, CMS COR, New Contractor
Complete Onboarding
After the CMS Service Leads have processed the request, the CCSQ Onboarding Services team prepares and sends a welcome package to the New Contractor’s Security Official (SO) to complete the engagement process. The welcome package includes the following information:
- List of SO Responsibilities
- List of Approved Services
- Description of Approved Services
- Instructions for Onboarding Users
Upon receipt of this welcome package and informational materials, the New Contractor SO can begin the process of onboarding new users into the QualityNet IT Services. Access is based on the list of approved services provided in the package.
Responsible Parties:
CCSQ Onboarding Services Team, CMS Service Leads; New Contractor
Hold Contract Calls as Needed
The CMS COR and CCSQ Onboarding Services team will conduct touch point calls with the New Contractor. During these calls, the teams will ensure that the New Contractor has all the necessary knowledge, templates, and points of contact (POCs) for any formal security deliverables or other security-related items within the dates of the engagement timeline. The teams will also ensure that the New Contractor has all necessary hardware and software ordered, delivered, and installed within the dates of the engagement timeline. The Contract Onboarding Services team will be responsible for archiving documentation of the results of the meetings/calls.
Responsible Parties:
CMS COR, CCSQ Onboarding Services Team, New Contractor
Complete Post-Onboarding Survey
The Contract Onboarding Services team forwards link to Contract Onboarding Services Post-Onboarding Survey to New Contractor for response. The goal of the survey is to assist the team in creating an effective and efficient onboarding process.
Responsible Parties:
CCSQ Onboarding Services Team, New Contractor
Existing Contracts
If you are an existing contractor with QualityNet IT Services looking to obtain access to an additional service, follow this three-step process to begin onboarding.
Step One: The CMS COR or Contractor submits a request to obtain access to an additional service by emailing CCSQOnboardingteam@cms.hhs.gov. The request should contain the following information:
- Name of Organization (HARP Organization Name Preferred)
- Name of QualityNet IT Service
- Business Justification for Use of Service
- Estimated Number of Users
- COR Approval (NOTE: COR approval for the new service request is required before we can proceed. Please include your COR's approval with your request.)
Step Two: The CCSQ Onboarding Team sends a request for approval of the service(s) to the CMS Service Leads for processing.
Step Three: After the CMS Service Leads have processed the request, the CCSQ Onboarding Team prepares and sends a welcome package to the Contractor’s Security Official (SO) to complete the onboarding process. The welcome package includes the following information:
- List of SO Responsibilities
- List of Approved Services
- Description of Approved Services
- Instructions for Onboarding Users
Upon receipt of this welcome package and informational materials, the Contractor SO can begin the process of onboarding users into the QualityNet IT Service(s).
This section lists the roles and responsibilities of those individuals that ISG Management has identified who play a part in the onboarding or offboarding of contractors to the QualityNet IT Services. Included is a general description of the role, the steps involved in the onboarding/offboarding process in which they participate, and who they interact with during each step.
CMS Contracting Officer's Representative
The CMS COR is an integral part of the CCSQ Onboarding Services process, representing CMS and supporting the new contracting organization to ensure all CMS contract requirements are met and all new contractor questions and needs are addressed for a successful onboarding experience. In addition, the CMS COR assists in closing out contracts, which can include extending or transitioning efforts to a new contractor.
COR changes/updates should be sent to CCSQOnboardingteam@cms.hhs.gov
Security Training
Refer to the Security tab on the QualityNet Communications Hub.
CMS COR Responsibilities
The CMS COR responsibilities are presented following the timeline for the processes involved in onboarding or offboarding contractors to the QualityNet IT Services, as well as activities conducted during the contract's period of performance.
| Onboarding Process | 60 Days Prior to Contract Award
|
|---|---|
| |
| |
| |
| |
| Offboarding Process | 60 Days Prior to Period of Performance Ending
|
| Contract Maintenance | During the contract's Period of Performance (POP), there are three actions for QualityNet IT Services that may require CMS COR involvement:
|
CCSQ Onboarding Team
The CCSQ Onboarding Team coordinates the transition between incoming and outgoing contracts. The team ensures all activities occur on schedule, addresses and supports activities as needed, and escalates any transition-related issues to ISG Management. The team includes CMS Service Leads who process all requests for approval of QualityNet IT Services.
Security Training
The CCSQ Onboarding Team is knowledgeable of the necessary security forms and requirements that need to be met by the New Contractor and works with the CMS COR and QualityNet Security with any questions posed by the contracting organization.
For additional security requirements and training, refer to the Security tab on the QualityNet Communications Hub.
CCSQ Onboarding Team Responsibilities
The CCSQ Onboarding Team responsibilities are presented following the timeline for the processes involved in onboarding or offboarding contractors to the QualityNet IT Services, as well as activities conducted during the contract's period of performance.
Onboarding Process | 60 Days Prior to Contract Award
|
|---|---|
| |
| |
| |
Offboarding Process | 60 Days Prior to Period of Performance Ending
|
| |
Contract Maintenance | During the contract's Period of Performance (POP), there is one action for QualityNet IT Services that will require ISG Contract Onboarding Services team involvement:
|
Contractors
Contractors represent the organizations who are either onboarding or offboarding to QualityNet IT Services.
Security Training
As part of the Contract Onboarding Services process, contractors are required to designate at least one Security Official (SO) and Security Point of Contact (SPOC).
For additional security requirements and training, refer to Security Awareness and Training on the QualityNet Communications Hub.
Security Official
The SO is responsible for the following:
- Communicate to users in your organization how to request access to the QualityNet IT Services approved for your contract/organization.
- Review and approve user role requests for individuals on the contract supported by the SO.
- NOTE: The SO must deny any role requests submitted by individuals who are unknown to them or who are known to NOT be part of the organization the SO supports.
- Remove user roles for users that no longer require access to these services.
- Remove ALL user roles for users that have left the contract supported by the SO.
- Approve other SOs within your organization, as needed, to assist with the above tasks.
Refer to the Security Official Role on the QualityNet | HARP page for instructions on requesting the SO role in HARP and a short video of the role. Once your request is approved, you will review and approve requests from members of your organization for access to the desired services. You will also remove users’ access to services no longer needed.
To ensure a smooth and quick start to utilizing the approved service(s), the Contract Onboarding Services team recommends the following actions be taken:
Resources
Security Point of Contact
Each organization is required to designate at least one (1) Security Point of Contact (SPOC) who is responsible for ensuring the organization is compliant with CMS security requirements and policies. For additional security requirements and training, refer to the Security tab on the QualityNet Communications Hub. The SPOC is responsible for reporting and handling security incidents that occur within the organization.
When a contract is awarded, the CMS COR will designate the first SPOC who will be established in ServiceNow. When an organization needs to add, update, replace or make any changes to the SPOC it can be done by contacting, with COR approval, the ISG Contract Onboarding Services team by email at CCSQOnboardingteam@cms.hhs.gov or via Slack at #help-contract-onboarding. Note that the SPOC must have a HARP account for your request to be approved. Once approved, the SPOC is stored and tracked for general tracking and maintenance.
Security Awareness and Training
During the onboarding process, and before accessing any QualityNet system or application, each user must sign Rules of Behavior, complete the appropriate training, and provide evidence of training completion to their Security Point of Contact (SPOC); the SPOC will track all required training within their organization. In many cases, an annual attestation is also provided to the organization’s CMS Contracting Officer’s Representative (COR) as a deliverable.
For additional information, refer to the Security Awareness & Training page on the QualityNet Communications Hub.
Resources
QualityNet Security - Central source of security-related information and reference material.
System Security Officer
Contractors tasked with developing and supporting a CMS system or application must identify a System Security Officer (SSO). In addition, the Contractor may identify an SSO back up. The SSO is only required to support IT Management or IT System Development and is responsible for implementing and maintaining system and application security controls and procedures to achieve and maintain technical compliance with CMS security requirements. The SSO must fulfill the following responsibilities, including, but not limited to:
- Support the CMS ISSO in the achievement and maintenance of an ATO for each application or system supported by the Contractor.
- Have a full understanding of the CMS’ Security Assessment and Authorization (SA&A) Processes.
- Implement and maintain Acceptable Risk Safeguards (ARS) controls for the appropriate system security level.
- Develop and maintain Federal Information Security Modernization Act (FISMA) system documentation.
- Ensure systems adhere to Technical Reference Architecture (TRA) foundational and supplemental documents as additional security specifications, when applicable (available upon request).
- Use approved security tools for continuous monitoring and management of security baselines.
- Implement audit tools or processes for auditing and reporting services that support Continuous Diagnostics and Monitoring (CDM).
- Provide engineering services and participation in Continuity of Operations Planning (COOP) and Disaster Recovery (DR) planning and exercises.
- Develop and implement Configuration Management and Change Management plans when necessary.
- Develop and maintain artifacts related to the CMS Target Life Cycle (TLC) and CASF (the CASF is available upon request).
- Perform or participate in threat and vulnerability management for applicable FISMA systems.
- Perform Plan of Action and Milestones (POA&M) management.
- Assist the CMS Information System Security Officer (ISSO) with other additional security support efforts within the scope of contractual responsibilities.
Resources
QualityNet Security - Central source of security-related information and reference material.
Contractor Responsibilities
The Contractor responsibilities are presented following the timeline for the processes involved in onboarding or offboarding contractors to the QualityNet IT Services, as well as activities conducted during the contract's period of performance.
Onboarding Process |
|
|---|---|
| |
| |
| |
Offboarding Process | 60 Days Prior to Period of Performance Ending
|
| |
Contract Maintenance | During the contract's Period of Performance (POP), there are two actions for QualityNet IT Services that will require Contractor involvement:
|
Refer to the Offboarding Process as the contract's Period of Performance nears its end to determine what actions are required and who is responsible.
- QualityNet IT Services: Please Contact the Service Center by phone at 1-866-288-8914 (TRS: 711); by email at ServiceCenterSOS@cms.hhs.gov; or via Slack at #help-service-center-sos
- Contract Services (Onboarding/Offboarding): Please Contact the CCSQ Onboarding team by email at CCSQOnboardingteam@cms.hhs.gov or via Slack at #help-ccsq-onboarding
- Contractors: If you have other questions, please reach out to your CMS COR.