| Horizontal Navigation Bar Page |
|---|
|  CMS Contracting Officer's Representative
The CMS COR is an integral part of the ISG Contract Onboarding Services process, representing CMS and supporting the new contracting organization to ensure all CMS contract requirements are met and all new contractor questions and needs are addressed for a successful onboarding experience. In addition, the CMS COR assists in closing out contracts, which can include extending or transitioning efforts to a new contractor. COR changes/updates should be sent to ISGContractorOnboardingServices@cms.hhs.gov.
| Tabs Container |
|---|
|
| Tabs Page |
|---|
| CMS COR ResponsibilitiesThe CMS COR responsibilities are presented following the timeline for the processes involved in onboarding or offboarding contractors to the QualityNet IT Services, as well as activities conducted during the contract's period of performance.
| Onboarding Process | 60 Days Prior to Contract Award |
|---|
Contract Awarded | Period of Performance Begins - Complete Contract Onboarding Services Intake form.
The CMS COR works with the New Contractor to complete the Contract Onboarding Services Intake form by identifying the type of work to be performed and the services required.
| Within 5 Business Days - Conduct Contract Onboarding Services meeting.
Upon receipt of the intake form, the CMS COR and New Contractor meet with the ISG Contract Onboarding Services team to confirm eligibility for the services identified in the Contract Onboarding Services Intake form. Upon confirmation, the ISG Contract Onboarding Services team sends a request for approval of these services to the CMS Service Leads for processing.
| Within 10 Business Days - Hold contract calls as needed.
The CMS COR and the ISG Contract Onboarding Services team will conduct touchpoint meetings with the New Contractor to ensure the organization has all the necessary knowledge, templates, and points of contact (POCs) for any formal security deliverables or other security-related items within the dates of the engagement timeline.
| | Offboarding Process | 60 Days Prior to Period of Performance Ending - Notify of contract closeout.
The CMS COR sends an email to the ISG Contract Onboarding Services team that identifies one of four scenarios that will occur when a contract's period of performance ends. The ISG Contract Onboarding Services team will respond requesting additional information that is needed to coordinate user access to QualityNet IT Services.
|
|---|
| Contract Maintenance | During the contract's Period of Performance (POP), there are three actions for QualityNet IT Services that may require CMS COR involvement: - Action 1: Assignment of new COR.
The ISG Contract Onboarding Services team should be advised immediately upon reassignment, if a new COR is assigned to the contract so that the HARP and ServiceNow records can be updated accordingly. An email should be sent to ISGContractorOnboardingServices@cms.hhs.gov. - Action 2: Approval of additional SPOCs.
The CMS COR approves additional contractor Security Points of Contact (SPOC), as needed. The CMS COR needs a HARP ID to approve/reject additional SPOC requests. Refer to the QualityNet | HARP for instructions on getting started with a HARP ID. NOTE: The first SPOC is set up by the ISG Contract Onboarding Services team during the onboarding process. - Action 3: Approve additional QualityNet IT Services.
The CMS COR approves additional QualityNet IT Services if a contract requires additional services after initial onboarding is completed. The ISG Contract Onboarding Services team will request approval by the CMS COR via email. - Action 4: Provide approved and active DUA prior to expiration date.
The COR is responsible for providing an approved and active DUA for contracts that access QualityNet IT Services which require a DUA, to ensure contractor data access is not revoked. The ISG Contract Onboarding Services team will send a reminder email to the COR 30 days prior to DUA expiration.
**For assistance with downloading a PDF copy of your DUA, refer to the DUA download instructions. - Action 5: Provide notice of lead contract personnel changes.
During the contract Period of Performance, the CMS COR is responsible for keeping current on contract staffing and to promptly advise the ISG Contract Onboarding Services team of any key personnel changes to avoid security risks. This includes departures or new appointments of primary contacts, Security Officials (SOs) and Security Points of Contact (SPOC). An email should be sent to ISGContractorOnboardingServices@cms.hhs.gov.
|
|---|
|
|
|
| Horizontal Navigation Bar Page |
|---|
| title | Contract Onboarding Services Team |
|---|
|  ISG Contract Onboarding Services Team
The ISG Contract Onboarding Services team coordinates the transition between incoming and outgoing contracts. The team ensures all activities occur on schedule, addresses and supports activities as needed, and escalates any transition-related issues to ISG Management. The team includes CMS Service Leads who process all requests for approval of QualityNet IT Services.
| Tabs Container |
|---|
|
| Tabs Page |
|---|
| Security TrainingThe ISG Contract Onboarding Services team is knowledgeable of the necessary security forms and requirements that need to be met by the New Contractor and works with the CMS COR and QualityNet Security with any questions posed by the contracting organization. For additional security requirements and training, refer to the Security tab on the QualityNet Communications Hub. |
| Tabs Page |
|---|
| ISG Contract Onboarding Services Team ResponsibilitiesThe ISG Contract Onboarding Services team responsibilities are presented following the timeline for the processes involved in onboarding or offboarding contractors to the QualityNet IT Services, as well as activities conducted during the contract's period of performance.
Onboarding Process | 60 Days Prior to Contract Award - Identify contract requirements.
The ISG Contract Onboarding Services team works with the CMS COR to identify high-level service requirements for the new contract to gain a better understanding of what QualityNet IT Services will be applicable. Some contract types, such as ADOs, already have a package of services pre-approved for use.
|
|---|
Period of Performance Begins - Complete Contract Onboarding Services Intake form.
The ISG Contract Onboarding Services team receives the completed Contract Onboarding Services Intake form and begins the onboarding process.
| Within 5 Business Days - Conduct Contract Onboarding Services meeting.
Upon receipt of the intake form, the ISG Contract Onboarding Services team meets with the CMS COR and New Contractor to confirm eligibility for the services identified in the Contract Onboarding Services Intake form and sends a request for approval of these services to the CMS Service Leads for processing. - Complete contract onboarding.
After the CMS Service Leads have processed the requests for services, the ISG Contract Onboarding Services team prepares and sends a welcome package to the New Contractor's Security Official (SO) to complete the engagement process.
| Within 10 Business Days - Hold contract calls as needed.
The CMS COR and the ISG Contract Onboarding Services team will conduct touchpoint meetings with the New Contractor to ensure the organization has all the necessary knowledge, templates, and points of contact (POCs) for any formal security deliverables or other security-related items within the dates of the engagement timeline.
- Complete Post-Engagement Survey.
The ISG Contract Onboarding Services team forwards link to Contract Onboarding Services Post-Onboarding Survey to New Contractor for response. The goal of the survey is to assist the team in creating an effective and efficient onboarding process.
| Offboarding Process | 60 Days Prior to Period of Performance Ending - Notify of contract closeout.
The ISG Contract Onboarding Services team receives an email from the CMS COR that identifies one of four scenarios that will occur when a contract's period of performance ends. The ISG Contract Onboarding Services team will respond requesting additional information that is needed to coordinate user access to QualityNet IT Services.
|
|---|
Period of Performance Ends - Contract removed from QualityNet IT Services.
The ISG Contract Onboarding Services team will remove user access to QualityNet IT Services based on the scenario identified by the CMS COR.
| Contract Maintenance | During the contract's Period of Performance (POP), there is one action for QualityNet IT Services that will require ISG Contract Onboarding Services team involvement: - Action 1: Assignment of new COR.
The ISG Contract Onboarding Services team should be advised immediately upon reassignment if a new COR is assigned to the contract so that the HARP and ServiceNow records can be updated accordingly. An email should be sent to ISGContractorOnboardingServices@cms.hhs.gov.
|
|---|
|
|
|
| Horizontal Navigation Bar Page |
|---|
|  Contractors
Contractors represent the organizations who are either onboarding or offboarding to QualityNet IT Services.
| Tabs Container |
|---|
|
| Tabs Page |
|---|
| Security TrainingAs part of the Contract Onboarding Services process, contractors are required to designate at least one Security Official (SO) and Security Point of Contact (SPOC). For additional security requirements and training, refer to Security Awareness and Training on the QualityNet Communications Hub.
| Tabs Container |
|---|
|
| Tabs Page |
|---|
| Security Official The SO is responsible for the following: - Communicate to users in your organization how to request access to the QualityNet IT Services approved for your contract/organization.
- Review and approve all new user requests for these services.
NOTE: Only approve user requests that come directly from your contract/organization. - Remove users that no longer require access to these services.
- Approve other SOs within your organization, as needed, to assist with the above tasks.
Refer to the Security Official Role on the QualityNet | HARP page for instructions on requesting the SO role in HARP and a short video of the role. Once your request is approved, you will review and approve requests from members of your organization for access to the desired services. You will also remove users’ access to services no longer needed. To ensure a smooth and quick start to utilizing the approved service(s), the Contract Onboarding Services team recommends the following actions be taken:
| Expand |
|---|
| Notify members that they may now request above services. Refer to the QualityNet IT Services page for instructions on the user request process for each service. |
| Expand |
|---|
| Approve user access to the services. As an approved SO for your organization, you can now approve or reject user role requests. For instructions on this process, refer to the Security Official Role tab on the QualityNet | HARP page. |
Resources QualityNet | HARP QualityNet Contract Services |
| Tabs Page |
|---|
| Security Point of Contact Each organization is required to designate at least one (1) Security Point of Contact (SPOC) who is responsible for ensuring the organization is compliant with CMS security requirements and policies. For additional security requirements and training, refer to the Security tab on the QualityNet Communications Hub. The SPOC is responsible for reporting and handling security incidents that occur within the organization. When a contract is awarded, the CMS COR will designate the first SPOC who will be established in ServiceNow. When an organization needs to add, update, replace or make any changes to the SPOC it can be done by contacting, with COR approval, the ISG Contract Onboarding Services team by email at ISGContractorOnboardingServices@cms.hhs.gov or via Slack at #help-contract-onboarding. Note that the SPOC must have a HARP account for your request to be approved. Once approved, the SPOC is stored and tracked for general tracking and maintenance.
Security Awareness and Training During the onboarding process, and before accessing any QualityNet system or application, each user must sign Rules of Behavior, complete the appropriate training, and provide evidence of training completion to their Security Point of Contact (SPOC); the SPOC will track all required training within their organization. In many cases, an annual attestation is also provided to the organization’s CMS Contracting Officer’s Representative (COR) as a deliverable. For additional information, refer to the Security Awareness & Training page on the QualityNet Communications Hub.
Resources QualityNet Security - Central source of security-related information and reference material. |
| Tabs Page |
|---|
| System Security Officer Contractors tasked with developing and supporting a CMS system or application must identify a System Security Officer (SSO). In addition, the Contractor may identify an SSO back up. The SSO is only required to support IT Management or IT System Development and is responsible for implementing and maintaining system and application security controls and procedures to achieve and maintain technical compliance with CMS security requirements. The SSO must fulfill the following responsibilities, including, but not limited to: - Support the CMS ISSO in the achievement and maintenance of an ATO for each application or system supported by the Contractor.
- Have a full understanding of the CMS’ Security Assessment and Authorization (SA&A) Processes.
- Implement and maintain Acceptable Risk Safeguards (ARS) controls for the appropriate system security level.
- Develop and maintain Federal Information Security Modernization Act (FISMA) system documentation.
- Ensure systems adhere to Technical Reference Architecture (TRA) foundational and supplemental documents as additional security specifications, when applicable (available upon request).
- Use approved security tools for continuous monitoring and management of security baselines.
- Implement audit tools or processes for auditing and reporting services that support Continuous Diagnostics and Monitoring (CDM).
- Provide engineering services and participation in Continuity of Operations Planning (COOP) and Disaster Recovery (DR) planning and exercises.
- Develop and implement Configuration Management and Change Management plans when necessary.
- Develop and maintain artifacts related to the CMS Target Life Cycle (TLC) and CASF (the CASF is available upon request).
- Perform or participate in threat and vulnerability management for applicable FISMA systems.
- Perform Plan of Action and Milestones (POA&M) management.
- Assist the CMS Information System Security Officer (ISSO) with other additional security support efforts within the scope of contractual responsibilities.
Resources QualityNet Security - Central source of security-related information and reference material. |
|
|
| Tabs Page |
|---|
| Contractor ResponsibilitiesThe Contractor responsibilities are presented following the timeline for the processes involved in onboarding or offboarding contractors to the QualityNet IT Services, as well as activities conducted during the contract's period of performance.
Onboarding Process | Contract Awarded - The New Contractor is contacted by the CMS ISG of contract award. Thereafter, ISG prepares the official approval of the contract is prepared by ISG and sent to the New Contractor. The contract is then executed by the New Contractor. No work can start or meetings scheduled with the New Contractor until the Period of Performance (POP) begins.
- The New Contractor must identify a Security Point of Contact (SPOC) and Account Administrator (AA) within one (1) day of the contract award.
|
|---|
Period of Performance Begins - Complete Contract Onboarding Services Intake form.
The New Contractor works with the CMS COR to complete the Contract Onboarding Services Intake form by identifying the type of work to be performed and the services required.
| Within 5 Business Days - Conduct Contract Onboarding Services meeting.
Upon receipt of the intake form, the New Contractor and CMS COR meet with the ISG Contract Onboarding Services team to confirm eligibility for the services identified in the Contract Onboarding Services Intake form. Upon confirmation, the ISG Contract Onboarding Services team sends a request for approval of these services to the CMS Service Leads for processing. - Complete contract onboarding.
The New Contractor's Security Official (SO) completes the engagement process upon receipt of welcome package from the ISG Contract Onboarding Services team. The welcome package is sent after the CMS Service Leads have processed the requests for services.
| Within 10 Business Days - Hold contract calls as needed.
The New Contractor participates in touchpoint meetings conducted by the CMS COR and the ISG Contract Onboarding Services team to ensure the organization has all the necessary knowledge, templates, and points of contact (POCs) for any formal security deliverables or other security-related items within the dates of the engagement timeline.
- Complete Post-Engagement Survey.
The New Contractor receives link to Contract Onboarding Services Post-Onboarding Survey from the ISG Contract Onboarding Services team. The Contractor's response will assist the team in creating an effective and efficient onboarding process.
| Offboarding Process | 60 Days Prior to Period of Performance Ending - Notify of contract closeout.
The Contractor works with the CMS COR in responding to one of four scenarios that will occur when a contract's period of performance ends and additional information that is needed by the ISG Contract Onboarding Services team to coordinate user access to QualityNet IT Services.
|
|---|
Period of Performance Ends - Contract removed from QualityNet IT Services.
The Contractor's user access to QualityNet IT Services is removed or transitioned by the ISG Contract Onboarding Services team based on the scenario identified by the CMS COR.
| Contract Maintenance | During the contract's Period of Performance (POP), there are two actions for QualityNet IT Services that will require Contractor involvement: - Action 1: Approval of additional SPOCs.
The Contractor seeks approval from the CMS COR for additional Security Points of Contact (SPOC), as needed. The CMS COR needs a HARP ID to approve/reject additional SPOC requests. Refer to the QualityNet | HARP for instructions on getting started with a HARP ID.
NOTE: The first SPOC is set up by the ISG Contract Onboarding Services team during the onboarding process. - Action 2: Approve additional QualityNet IT Services.
The CMS COR or Contractor submits a request to obtain access to an additional service by emailing ISGContractorOnboardingServices@cms.hhs.gov. Refer to the Onboarding Process > Period of Performance Begins for guidance on how to request additional services as an existing contractor.
|
|---|
|
|
|
|
ISG Playbook
APIs
