November 07, 2013
Update: CMS, Tavenner Seem to Have Violated Federal Rules in Falsely Certifying Healthcare.gov As "Secure"
It appears that CMS violated federal guidelines regarding security certification.
Federal rules require that a website be certified as secure before being permitted to go live, for reasons that I trust are obvious.
But Healthcare.gov was never tested, and the White House and CMS were being warned by IT people that it was insecure.
So what Tavenner did is sign an "interim" security certification, with a directive to... test for security after the site, already certified as secure, was live.
Does this make sense? No, of course not:
Yet Sebelius’s matter-of-fact description of the temporary authorization is a lot different from the 2012 memo from Zients on federal cyber-security.
Page 11 of the Zients memo includes the following section:
Does OMB recognize interim authority to operate for security authorizations?
No. The security authorization process has been required for many years, and it is important to measure the implementation of this process to improve consistency and quality government-wide. Introducing additional inconsistency to the government's security program would be counter to FISMA's goals.
Note that Zients is the new Czar in charge of straightening out Healthcare.gov -- so Obama considers him a top expert. And he expressly says that an "interim" security certification -- that is, a certification without any actual security -- of course is "counter" to the goals of site security.
But that's what the team he's now in charge of did.
On Tuesday, CNN reported that until it was fixed last week -- weeks after the site was live -- a security hole allowed any user to “easily reset your healthcare.gov password without your knowledge and potentially hijack your account.”
CMS did not respond to an email seeking comment on the Authority to Operate issue.
Thanks to Andy, or as I know him, @theh2.