
CapMatrix_Portfolio, Program, And Project Management (PM3) II

Uploaded by

Wasim Haider

N00024-11-R-3359

Prime: Arch Systems Inc.


Solicitation:
Prime Contractor:
Project: CMS Portfolio, Program, and Project Management (PM3) II
Period of Performance:
Type of Contract:

Instructions:

Please rate your corporate experience using the following method:

Put the following number in the cell if:


Capability Ratings Matrix Key
(Please grade each requirement as depicted below)
4 Subject Matter Experts (SMEs). Able to present or write a Past Performance and/or Technical Proposal section that demonstrates our ability to meet or exceed this requirement with sustained superior results.****

3 Very Good/Excellent. Able to present or write a Past Performance and/or Technical Proposal section that demonstrates our ability to meet or exceed this requirement with excellent results.****

2 Good, not great. Able to present or write a Past Performance and/or Technical Proposal section that demonstrates our ability to meet or exceed up to 50-75% of this requirement.

1 Couldn’t even fake it

**** please include the contract number

Team Capability Matrix - Task

Narrative Requirement / Capabilit

2.1 Task Area 1: Portfolio, Program, and Project Management


2.1.1 Definitions
Project: Temporary endeavor undertaken to create a unique product, service, or result. It is consider
either within or outside of a program. ISG Projects include but are not limited to; HIQR, HOQR, etc
efforts that are Enterprise service- related.
Program: Grouped within a portfolio and are comprised of projects, subprograms
a coordinated fashion to obtain benefits not available from managing them indiv
System Services, in addition to lines of business (LOB) that include but are not l
Portfolio: Collection of projects and programs managed as a group to achieve str
the portfolio are linked to ISG’s strategic plan.
The task - The Contractor is to provide project, program, and portfolio-level support for designated
managing project teams using various methodologies (i.e. Waterfall, Agile, Scrum Agile, SAFe) dep
federal resources, it requires integrated project, program, and portfolio-level planning with the purpo
objectives.
The Contractor is required to provide ISG support in the roles of Project Manager, Program Manage
ISG’s implementation of agile methodology

2.1.2 Project Level


1. Monitor projects through all prescribed life cycle phases in accordance with Agency standards and
2. Design, develop, and maintain all project management plans using the input provided by CMS/ISG
3. In conjunction with ISG governing entities, design, develop, and maintain subsidiary plans which
change management plan, issue management plan, schedule management plan, communications man
management plan. More specifically:
o Risk management: identifies and reports any potential risk factors that may inhibit, impe
The Contractor shall develop a robust management
artifact that outlines a plan to identify, address, mitigate and/or maximize (positive) risks. T
shall be evaluated regularly to determine whether there are issues that need further invest
and comment on risk updates, attending risk management meeting either in person or by c
be done in accordance with the ISG Risk Management Plan (RMP).
o Change management: The Contractor shall comply with the change control process. Any
plan must be further approved via a change control
prepared by the Contractor and approved by the PM (with concurrence by the COR). The pl
comply with the following tasks:
• Contractor assisting PM with the preparation of change requests in support of project,
• Contractor working with CMS Stakeholders to develop and define requirements relate
• Contractor supporting the implementation of changes throughout the TLC or other Ag
change request-related meetings, review
functional/technical documentation, review test scripts, and provide comments related t
o Schedule management: A schedule management plan shall include the parameters and for
IPT contributor. The Contractor shall regularly evaluate the schedule to determine whether
o All project management-related plans will be provided to the COR, GTL, Project Manager,
developed and/or updated.
• The Contractor shall develop high level plans for new program/product/releases.
4. Design, develop, and maintain other project management-related documents which include but are
agreement, risk register, issues list, action items, decision log, and lessons learned log.
o The Contractor shall consider such factors as: IT system development and/or modification
beneficiary education and outreach activities,
oversight and monitoring requirements and possible future reporting requirements as key p
in the project schedule.
• The Contractor shall update the project schedules throughout the period of performan
• The Contractor shall review and provide an analysis of the project schedule in order to
scheduling risks.
• All project schedules shall be provided in an Agency-approved format.
5. Coordinate with other Agency components and Contractors as necessary to ensure completion of t
6. Participate in meetings to provide information to Agency staff/leadership, address issues, and reso
Contractor will conduct the necessary research, prepare materials, and determine the progress of task
level briefing documents, including PowerPoint presentations and other material as requested. The C
presentation and collecting feedback on presentation materials.
7. Prepare briefings and create reports to be used at meetings with stakeholders at various levels with
develop and prepare visual representations as necessary in an effort to present data in a useful and in
will be provided using Agency-approved software such as Project Server, Project Professional, Portf
SharePoint, Collaborative Application Lifecycle Tool (CALT), Microsoft Project, Visio, PowerPoin
maintain a project level dashboard to include (but not limited to): accomplishments, upcoming activi

8. Maintain all project-related artifacts in an Agency-prescribed document management repository (e

9. Coordinate with Agency leadership, managers, staff and other internal and external stakeholders to

10. Develop and implement performance measurements and provide statistical analyses for assigned
that project funds are spent wisely.

11. Conduct appropriate project level and CMS IT governance reviews as required by established TL
baseline reviews, architecture reviews, project baseline reviews, preliminary design reviews, detailed
implementation readiness reviews, operational readiness reviews, post-implementation reviews, lesso
Development Methodology, the Contractor shall accommodate CMS required governance reviews sp
is where project managers review and obtain approval of the entire project and performance measure
established for the project are adequately documented and that the project management strategy is ap
cycle. This shall include a review of the budget, risk and user requirements for the project. Emphasis
development or acquisition costs. During the review, the completeness of the planning phase activiti
availability of resources to execute the next phase, and acceptability of the acquisition risk of enterin

12. Identify critical and non-critical project areas as well as opportunities for improvement.
13. Prepare recommendations for making changes to the project management plan, as necessary.
14. Participate in gap analysis to determine whether requirements are being met through planned IT
15. Assist the Executive Council and Integrated Project Teams, when necessary.
16. Work with Agency Governance Boards to schedule Gate Reviews.
17. Work with the Integrated Project Team to complete the tasks assigned by Agency Governance bo
18. Provide integrated project schedule guidance and standards to all Contractors and stakeholders.
19. Establish and maintain a repository of project-related documents.
20. Analyze project-level pain points and gaps and make process improvement recommendations.
21. Communicate from a project level with CMS staff on various topics including but not limited to m
strategies, release planning, etc.
22. Contribute to the Risk Register that is maintained at the program level.
23. Perform quantitative and qualitative risk analysis of identified risks on a schedule determined by
24. Assist ISG management and staff in preparing responses to positive and negative risks, opportuni
25. Provide ad hoc reports to address topics or issues as requested by ISG management. These includ
executive summaries, and SBARs (Situation, Background, Assessment/Alternatives, and Recommen
26. Responsible for developing, updating, and providing training on release planning processes and re
program, and project management tools.
In support of ISG’s implementation of agile, the Contractor shall:
1. As requested, attend and support facilitation of events and meetings, including, but not limited to D
Demonstrations, Iteration Retrospectives, Iteration Refinements, Product Owner (PO) Synchronizati
and Scrum of Scrums.
2. Attend PI Planning events in person.
3. Administratively manage the PI backlog, to include addition, refinement, and ranking of items in o
such as the PO.
4. Collaborate and provide consultation to federal resources to identify and address critical program

5. Apply program and systems expertise to identify pain points and provide recommendations for ba

6. Provide assistance to development teams by facilitating discussions with Product Management tha
and acceptance criteria.
7. Provide support and subject matter expertise to POs and development teams in order to solve requ
ensure alignment with program-established product goals and development timelines.
8. Provide support for meetings and events including but not limited to the PO Sync, Release Plannin
towards overall strategic objectives.
2.1.3 Program Level
a. Coordinate cross-team activities working on LOB or release-related projects. Ensure standardizatio
under his/her purview. Report on any issues if those standardizations are not followed.

b. Facilitate information sharing and coordination across projects under his/her purview. This includ
status meetings, and other meetings. Facilitate program operations support as requested.
c. Design, develop, and maintain program management plan using the input provided by CCSQ grou
d. Design, develop, and maintain subsidiary plans which include but are not limited to: risk managem
plan, schedule management plan, communications management plan, stakeholder management plan,
the
plans that are developed at the project or portfolio level.
e. Design, develop, and maintain other program management-related documents
f. which include but are not limited to: program charter, program process agreement, integrated pro
decision log, lessons learned log. These artifacts may be similar to the ones that are develope
g. Identify integration points, potential efficiencies and external dependencies between current proje
h. Consolidate all project-level schedules into an integrated program schedule.
i. Communicate with other Contractors for the purpose of solving any requirements issues and ensur
timelines including (but not limited to): COTS Upgrades; Proposed Legislative Changes; Environm

j. Identify and distribute the critical path associated with each LOB or Enterprise Service undertakin
k. Provide integrated program schedule guidance and standards to all Contractors and stakeholders.
l. Establish and maintain a repository of program-related documents.
m. Analyze program-level pain points and gaps and make process improvement recommendations.
n. Provide ad hoc reports to address topics or issues as requested by ISG management. These include
executive summaries, SBARs (Situation, Background, Assessment/Alternatives, and Recommendati
o. Communicate from a program level with CMS staff on various topics including but not limited to
strategies, release planning, etc.
p. Perform quantitative and qualitative risk analysis of identified risks on a schedule determined by IS
q. Assist ISG management and staff in preparing responses to positive and negative risks, opportunit
r. Document lessons learned prevention plan or exploitation plan from resolved risks and issues or op
staff and stakeholders.
s. Provide Subject Matter Expert for post deployment and production issues triaging; develop and im
driving issues to resolution; facilitate and coordinate the production issue resolution process.
t. Provide functional testing of products during and after deployment as requested.
u. Coordinate steps needed for data validation as necessary and as requested.
v. Create/coordinate production fix templates for IV&V testing engagements as requested.
w. Drive program towards overall strategic objectives.
In support of ISG’s implementation of agile, the Contractor shall:
1. Manage the Agile Release Train (ART) by using agency-approved tools and information radiators
2. Facilitate Program Increment (PI) readiness and Pre-PI planning.
3. Facilitate PI Planning events in person.
4. Attend other events (and facilitate or coordinate as requested), including but not limited to PI Retr
demonstrations, Scrum of Scrums, ART Synchronization meetings, PO Synchronization meetings, B
Iteration Demonstrations, and Daily Standups.
5. Aggregate Team PI Objectives into Program PI Objectives and publish them to a CMS-approved
6. Assist with the execution and tracking of features/capabilities.
7. Apply the ROAM (Resolve, Own, Accept, Mitigate) methodology to support the management of r
8. Escalate and track impediments throughout the release train lifecycle.
9. Support Product and Solution Management, POs, and other stakeholders in the execution and alig
10. Report status to the Lean Portfolio Management (LPM) team as requested.

11. Foster continuous improvement by facilitating Inspect and Adapt workshops, assessing the ART
2.1.4 Portfolio Level
1. Serve as the lead advisor to ISG leadership.

2. Implementation of a Strategic Plan aligned with ISG’s Strategic Vision, to include providing or ar
ISG’s IT Strategic Vision (including, but not limited to strategies such as the move to agile, DevOps

3. Develop the ability to track and report on work capacity across ISG Contractors.
4. Facilitate the maturation of ISG’s Strategic Plan by supporting the continued development, implem
and objectives.
5. Serve as the integrator of the overall technical vision of CCSQ in alignment with ISG’s implemen

6. Support the development and execution of portfolio-level strategic themes and maintain a portfoli
coordination across all projects and LOB. This includes portfolio-level team meetings, management

7. Design, develop, and maintain subsidiary plans which include but are not limited to: risk managem
plan, schedule management plan, communications management plan, stakeholder management plan,
similar to the plans that are developed at the project and/or program level.
8. Design, develop, and maintain other portfolio management-related documents which include but a
decision log, lessons learned log. These artifacts may be similar to the ones that are developed at the
Portfolio Management documentation.
9. Establish and maintain a repository of portfolio-related documents.
10. Analyze portfolio-level pain points and gaps and make process improvement recommendations.
(SWOT) or comparable analysis at Portfolio Level.
11. Communicate and collaborate from a portfolio level with CMS staff on various topics including
issues, mitigation strategies, release planning, etc.

12. Identify and develop risk management methodology, best practices and standards communicating

13. Monitoring compliance with risk management plan, policies, procedures and templates reporting
reporting the lack of compliance to ISG management, the contractor will develop recommendations

14. Perform quantitative and qualitative risk analysis of identified risks on a schedule determined by
15. Assist ISG management and staff in preparing responses to positive and negative risks, opportun

16. Assist in maturing CCSQ Enterprise Risk Management from its current state, to an integrated sta
decision making and planning.

17. Provide ad hoc reports to address topics or issues as requested by ISG management. These includ
executive summaries, SBARs (Situation, Background, Assessment/Alternatives, and Recommendati
18. Develop and execute an Information Radiator Strategy that leverages available toolsets in order to
(LOB)/Value Stream activities. Information Radiators shall provide information including but not lim
and risks. Specifically, the contractor shall create and maintain a visual information radiator that disp

19. Develop and implement governance to ensure consistency across HCQIS projects and spaces in s
structure, look and feel, etc.) for HCQIS Atlassian users.
20. Develop and deliver tool overviews and role-based training (virtual and in-person), manage awar
Town Hall presentations), define and implement application standards and branding and define fram
users.

21. Employ a user-centered approach to portfolio management by leveraging user-centered design (U


personas, and other processes that support the user experience for ISG stakeholders. Provide guidanc
management processes that result in the most efficient and optimal use of software license across the

22. Employ a human-centered approach to data management and systems by leveraging human-cente
observation, ideation, rapid prototyping, user feedback and other solutions for ISG stakeholders.

23. The contractor shall define Project Management (PM) standards and processes for all projects wi
being built for ISG internal usage and systems being ingested from CCSQ components that are not a
Standards must account for SAFe as well as CMS’s TLC and ISG’s TDB gate review process and do

• Defined list and description of what PM standards are needed and their logic for each pro
o Risk, Action, Issues and Decision log (RAID) communications plan.
• Standards should scale based on size, impact, and scope and security requirements sim
• Documented process for determining if a project is best suited for agile (scrum, scaled,
• Create templates to assist project teams in meeting newly defined PM standards.
• Develop a plan for ISG to best provide oversight for insuring PM standards are adhered.
• Link to work intake process, currently LEAN Portfolio Management SAFe methodology.
• Required steps should be documented in a concise checklist that should reference back
• Potential SAFe artifacts include: Portfolio Canvas, Value Stream Canvas, SWOT Analysis,
Objectives and Key Results (OKR), Value Stream, Program, Vision, Solution Intent, Solution
Scenario Act, and Scenario Scene

24. The contractor shall establish and maintain a Lean Agile Center of Excellence for the HCQIS com
Management Office (APMO) whose mission is to sustain and improve agile practices across the ente
organization relentlessly improve and achieve its business goals. The LACE provides a continuous s
through the continued organizational changes. In general, this support includes but is not limited to:
• Communicating the business need, urgency, and vision for CMS agile practices
• Work with CCSQ Values Steams to help them continually build on CCSQ’s Agile Principles
• Lead and foster continuous improvement by developing ISG and CCSQ recommendation
• Facilitate the continued refinement and support for lean governance, and provide proce
Agile tenets.
• Create, conduct, and review agility assessments for ART performance metrics, and to as
• Coordinate and support portfolio planning and logistics for Program Increment (PI) Plann
• Provide training for federal and contractor community on ISG’s Implementation of Lean
• Identifying Value Streams and helping define and launch Agile Release Trains (ARTs)
• Providing support and training to stakeholders and teams using or transitioning to using
critical events like PI Planning and Inspect and Adapt (I&A).
• Foster Communities of Practice (CoP) by scheduling and facilitating meetings. Facilitatio
determining meeting formats to keep participants engaged.
• Support and enhance HCQIS’ agile work management systems and tools.
• Work with CCSQ programs to implement business agility so that they can quickly respon
with innovative business solutions.
2.1.5 CCSQ Agile Principles
• Development should be completed at a sustainable pace
• At the end of almost every iteration teams should deliver fully tested, deployable software
• Build incrementally (and fast), with short learning cycles
• Build in Quality
• Transparency should exist between business stakeholders and scrum teams
• Continuously matching emerging business demand with realistic team capacity
• Tracking progress with Big Visual Information Radiators (BVIR)
• Adapt to changing realities using empirical data as a guide (rather than strictly follow pred
• Teams actively involved in determining what work gets done
• Use cadence and synchronizations such that uncertainty actually provides the freedom for
business to operate.
• Teams continuously welcome changing requirements while business stakeholders respect
• Teams strive for continuous improvement at both the individual team and program (team
2.1.6 Facilitating Agile Collaboration
• The agile development processes occurring under this contract will require frequent in- per
contractor. The Government expects that such collaboration will involve:
o Up to 12 scrum teams holding simultaneous meetings or ceremonies
o Up to 200 people meeting in the facility
o Hosting and supporting meetings and PI events on an “as-needed” basis to include but no
long Inspect and Adapt Workshops every 12 weeks per Line of Business (LOB)
o Utilization of video teleconferencing (VTC) capabilities
o The contractor shall provide all services, personnel, material, equipment, and facilities ne
described above, including technical support and maintenance of all VTC equipment provid
secured at the appropriate level; and located no more than one mile from the U.S. Centers
Security Boulevard, Baltimore, MD 21244.
o Please provide plans, blueprints, and/or specifications on how your firm would provide an
aforementioned requirements.

2.2 Task Area 2: Schedule and Roadmap Integration


1. Support the creation and maintenance of roadmaps, calendars, and other scheduled- related artifac

2. Executes the Information Radiator Strategy to allow for transparency into achieving major milesto
3. Develop a straw man template that can be used by each contributor for submission and subsequen
schedules.
o The straw man template needs to include standard timeframes to ensure all phases of the TLC
including submission of the Project Process Agreement, development of requirements, test
the project schedule prior to the start of requirements or steps in the TLC, as well as a dem
This needs to have sufficient details to include the start and end dates for requirements eli
tasks, to ensure major milestones are successfully satisfied. The template schedule also ne
Agency-approved gate reviews by PM3 staff that are early enough in the schedule to ensu
after the date that it should have occurred.
4. The Contractor shall identify dependencies, interrelated issues, and unintended consequences acro
5. The Contractor shall consider factors such as: IT system development or modification, policy deve
outreach and education activities, oversight and monitoring requirements and possible future reportin
6. The Contractor shall analyze and provide input into critical path actions.
7. The Contractor shall coordinate with other Agency components as necessary to ensure completion
in mitigating any risks identified in completing the identified deliverables.
8. The Contractor shall collaborate with ISG’s other primary Contractors, as appropriate, to obtain al
9. The Contractor shall update all schedules, roadmaps, calendars, and related artifacts and provide t
an alternative scheduling tool approved by CMS.

2.3 Task Area 3: Monthly Financial Report


The Contractor shall provide a monthly financial report to reflect the work performed by both the pri
include the content of pending invoices and shall include the following information:
a. Contract name;
b. Contract number;
c. Period of performance;
d. Cumulative hours and cost expended for each labor category (YTD actuals);
e. Current month, hours and cost expended for each labor category;
f. Budgeted and projected monthly hours and costs for the remainder of the Contract period;
g. Break out of costs, both allocated and remaining;
h. Variance information to include;
(1) Analysis of budgeted versus actual expenses on a monthly basis for the full contract year;
(2) Explanation of variances of greater than 10% of the budgeted monthly cost indicated in the
(3) Any relevant analysis or information explaining an activity causing an unexplained varianc

2.4 Task Area 4: HCQIS IT Governance


HCQIS IT Governance defines and implements IT policies and processes that facilitate informed dec
support of CCSQ clinical standards and quality program goals.
2.4.1 Tasks
1. Implement and maintain HCQIS IT Governance structure within ISG.
2. Provide technical expertise, industry standards and guidance specific to the governance of IT asset
3. Responsible for documenting, maintaining, and implementing enterprise wide
4. IT governance Charters, processes, policies and technical standards. Develop and maintain docum
catalog of HCQIS governance processes.
5. Develop and maintain a guide to establish standards for quality and best practices for governance
6. Responsible for scheduling gate reviews, collecting the review documents, and preparing the findi
7. Responsible for training and communication of HCQIS IT Governance process, policies and stand
and CMS Contractors.
8. Support creation and maintenance of HCQIS specific policy, processes and artifacts that suppleme
and goals. Ensure process and policies are updated, the Governance documents repository is maintai
are created to resolve outstanding issues.
Support ISG IT governance boards, committees and workgroup as members, coordinators and Subje
compliance with CMS and HCQIS process, policy and standards,
9. Assist Integrated Project Teams (IPT) by providing technical standards, documentation, artifact te
TLC, Technical Reference Architecture (TRA) and HCQIS Target Enterprise Architecture (TEA).
Responsible for making certain that all projects, programs and portfolios adhere to the decisions, dire
governance boards and committees.
10. Responsible for making sure that all IPTs adhere to the CMS and HCQIS established process, po
11. Develop and implement an organizational structure for the CMS designated governance reposito
intuitive searching of artifacts and navigation of the governance site.
12. Utilize a tool accessible to all HCQIS Governance stakeholders that would enable the tracking of
example, summary status reporting of Lean Improvement Opportunities (LIOs) Technical Evaluation
automation capabilities that may be utilized by the government during the period of performance of t
information within this tool is considered a weekly work product.
13. Develop an ISG Governance Evaluation & Strategy which shall identify gaps in HCQIS Governa
evaluate the adoption of Agile Development Methodologies’ impact on the existing HCQIS Governa
modifications needed to existing governance bodies, policies, processes and templates and gaps crea
14. Develop a recurring Monthly Governance Activity Report that shall contain:
1. A summary of activities of HCQIS Governance bodies.
2. Identification of instances of non-adherence to decisions, direction, and recommendations of HCQIS Govern
processes, policies and guidance.
3. A summary of Governance related training activities, including participants.
4. Updates on efforts to address governance gaps.
5. Updates on efforts to incorporate Agile projects into Governance.

2.5 Task Area 5: External Agency Reporting Support


ISG will support external government agencies such as the United States Department of Defense (DO
requirements.
2.5.1 Task 5A: Department of Defense (DOD) Reporting Support – (Optional)
The Contractor shall support ISG and the United States DOD in managing a standard process which
packaging of data published to the Hospital Compare website. The contractor shall facilitate successf
monitoring data collection, developing and maintaining a release schedule, providing project status r
the standard process.
2.5.2 Task 5B: Department of Veterans Affairs (VA) Reporting Support – (Optional)
The Contractor shall support ISG and the United States VA in managing a standard process which ov
packaging of data published to the Hospital Compare website. The contractor shall facilitate successf
monitoring data collection, developing and maintaining a release schedule, providing project status r
the standard process.

2.6 Task 6: Survey and Operations Group (SOG) Support – (Optional)


2.6.1 Task: Provide Central Program Management Support
The Contractor shall support the development and continuous improvement of an operating environm
demands. This includes, but is not limited to:
1. To achieve multi-unit cohesion and impact, provide recommendations to the Director for enhanc
locations as well as the Survey and Oversight Group (SOG) Front Office to ensure optimal impac
Support SOG in their ongoing efforts to create an optimal distributed work model, including recom
2. Support CCSQ team on blocking and tackling of issues. Use evaluation framework to support pr
ahead” view of potential future issues that may arise.
3. Support / improve / create governance and operating cadence-senior leadership are supported b
etc.
4. Create and update dashboards to highlight progress and key messages to senior leadership.
5. Provide support for critical questions e.g., logistical questions, reduce risk of infections in exist
6. Support overall communications plan to ensure partners and stakeholders are aligned and aware
7. Make recommendations regarding appropriate resourcing of efforts (e.g., ensuring non-critical
where needed).
8. Provide ad-hoc support to address the rapid need for solutions, support bottlenecks, support res
barriers.
2.6.2 Task: Supporting Coordinating Survey Team Response and Activities
The Contractor shall provide survey support, coordination, and analysis which is responsive to quick
limited to:
9. Leverage available systems, tools, and data sets using available resources to track survey activit
address gaps.
10. Develop a fact base on current survey teams’ activities (including, but not limited to, which of
surveyed, and by whom, and when).
11. Help coordinate survey activity and resources with other government agencies or entities, incl
and Prevention (CDC), Office of the Assistant Secretary for Preparedness and Response (ASPR),
12. Coordinate with partners to perform activities including, but not limited to, determining which
make recommendations on where data can be shared to maximize efficiency of CCSQ survey acti
13. Refine operating model for future surveying activity (including, but not limited to, developing
identifying most appropriate teams to conduct the survey, creating most efficient use of employee
identifying opportunities to amplify pace of surveys whilst remaining compliant).
14. Provide support to ensure alignment with external efforts, including, but not limited to, the CD
activities are coordinated with central CDC and White House.
2.6.3 Task: SWAT Effort – Support in Identifying Waiver and Other Policy Solutions
Collect and distribute documents before meeting, ensuring decisions to be presented to support in wa
ensuring appropriate prioritization of new requests, facilitating alignment between partners such as C
decisions are logged and communicated effectively.
Company Name:

Ratings (Refer Tab 1 Instructions) | Able to provide support for proposal write up (Y/N)? | Able to provide Past performance? (Y/N)? If Y, Which Agency?

3 Y Y
4 Y Y
2 N N

3 Y Y

3 Y Y
3 Y Y

3 Y Y
3 Y Y

3 Y Y

3 Y Y

Y Y
3 Y Y
3 Y Y
3 Y Y
3 Y Y

Y Y
3

Y Y
3 Y Y

1 N N

3 Y Y

2 N N

2 N N
3 Y Y
3 Y Y
2 N N
3 Y Y
1 N N
3 Y Y
3 Y Y
2 N N

2 N N

2 N N
2 N N
2 N N
2 N N

2 N N

N N

2 N N

3 Y Y
1 N N
2 N N

3 Y Y

2 N N

1 N N

3 Y Y

2 N N

3 Y Y

2 N N

2 N N

3 Y Y

2 N N

2 N N
3 Y Y
1 N N

1 N N
1 N N
2 N N
2 N N

2 N N

2 N N

2 N N
2 N N

2 N N

2 N N

2 N N
2 N N
3 Y Y
3 Y Y

1 N N
1 N N
1 N N

1 N N

1 N N
2 N N
1 N N
1 N N
1 N N
1 N N

2 N N
1 N N

2 N N

1 N N

1 N N

1 N N

1 N N

2 N N

2 N N

3 Y Y

2 N N

2 N N

2 N N

2 N N

2 N N
2 N N

1 N N

2 N N
1 N N

1 N N

1 N N

2 N N

3 Y Y

2 N N

2 N N
2 N N
2 N N
2 N N
2 N N
2 N N
2 N N

2 N N

1 N N

2 N N
2 N N
2 N N

2 N N

1 N N
2 N N
1 N N
1 N N

1 N N

1 N N

1 N N

1 N N

N N
2 N N
2 N N
2 N N
2 N N
2 N N
2 N N
1 N N
1 N N
2 N N

1 N N

2 N N
2 N N

2 N N
2 N N

2 N N

2 N N
2 N N

2 N N

2 N N

1 N N

1 N N

1 N N

2 N N

2 N N

2 N N

1 N N

2 N N

2 N N

3 Y Y
2 N N
2 N N
2 N N
2 N N
2 N N

2 N N
2 N N
2 N N

2 N N

2 N N

2 N N

2 N N

2 N N
2 N N

2 N N

2 N N
2 N N
2 N N
2 N N

2 N N
2 N N
2 N N
2 N N

2 N N

2 N N

2 N N

2 N N

2 N N
2 N N

2 N N
2 N N
2 N N
2 N N
2

2 N N

2 N N

3 Y Y

2 N N

1 N N

2 N N

2 N N

2 N N

2 N N

3 Y Y
Team Capability Matrix - Line Of Busin

Narrative Requirement / Capabilit

3.1 Quality Payment Program (QPP)


3.1.1 QPP Contractor Support Needs:
The Contractor shall provide QPP IT project management support:
• Assist the CMS program management team to develop and communicate features – cre
• Facilitate weekly feature meetings to discuss feature definition, refine features to identi
out larger features in deep dive discussions
• Maintain program increment (PI) planning boards for current and future PIs
• Facilitate virtual or in-person PI planning sessions
• Facilitate PI retrospectives
• Facilitate weekly product team synch sessions to track progress on current PI
• Coordinate/Facilitate monthly system demos
• Facilitate release planning and execution
• Document and manage program risk register
• Facilitate program governance meetings (e.g., data governance)
• Facilitate weekly executive update meetings
• Liaise with level 1 service center and product teams to triage and manage service tick
conveyance of informational documentation and training for the service center
• Provide general SAFe Agile training
• Identify process improvements within the QPP SAFe Agile structure, and JIRA/Confluence
• Maintain schedule of program milestones, deliverables, and receipts
• Develop Reports/Slides as needed to assist CMS with presentations to address risks, m
3.1.2 QPP applications to consider:
QPP development is broken out into a number of product teams, each comprised of one or more spri
infrastructure:
• Submissions API
• Scoring and Feedback
• Eligibility
• Claims Related Measures
• Authorization
• Web Interface Application
• Registry Self Nominations
• Targeted Reviews
• Analytics and Reporting
• Front End UI
• Content Management
There are also several supporting product teams that focus on the broader QPP surface:
• Human Centered Design
• Security
• Foundational Components (DevOps, Shared Tools and AWS Cost Management)
3.1.3 QPP DRAFT operational schedule:
• Fall of 1 year prior to the program year – 1st Eligibility Determination
• Summer/Fall prior to program year – accommodate rule changes to scoring, submission,
• Fall of the program year –
• January 2, following each program year - QPP submissions open
• March 31, following each program year - QPP submissions close
• April 1, following each program year – Preliminary Feedback
• June 15, following each program year - QPP Payment Adjustment file creation
• July 1, following each program year - QPP Final Feedback Reports
• July 1, following each program year - QPP Targeted Review Opens for 60 days
• November 1, following each program year - Payment Adjustment file delivered to MACs
January
3.1.4 QPP Release Cycle

QPP operates under a SAFe Agile framework that utilizes 12-week program increments. The work f
week sprints. CMS program management present features to the product teams, which are discussed
event (a 2 day all-hands meeting to set the agenda and deliverables for the next 12 weeks of work). D
user stories. Based on CMS priority, the user stories are added to each product team’s board, along w
deliver necessary technical infrastructure/tooling, security, or user enhancements. All dependencies a

For the next 6 sprints, the work agreed upon in PI planning is completed in 2 week increments, tested
work at the completion of every sprint. While a lot of features are deployed to production and becom
deployed with feature flags that can be used to set a future date/time at which they would become av
usually part of a major milestone release (e.g., the opening of QPP submissions at the beginning of J
coordinate the release to ensure that all of the component product team deliverables have gone throug
3.2 End Stage Renal Disease Quality Reporting System (EQRS)
3.2.1 Introduction
The End Stage Renal Disease Quality Reporting System (EQRS) is a system designed to monitor the
Disease (ESRD) healthcare products and services. The EQRS Team has been tasked with building a
legacy ESRD systems (CROWNWeb; REMIS and QIP) into one. This program includes steps to red
migrating the new system to a cloud-based infrastructure and applying a modernized architecture. Th
complete key tasks associated with system consolidation and modernization.
3.2.2 Background and Need

• Section 299I of Public Law 92-603 created the National End Stage Renal Disease (ESRD) Progra
of medical care for most individuals living with ESRD. The Social Security Amendments of 1972 (P
with ESRD who need either dialysis or transplantation to maintain life. Subsequent legislation, Publi
effectiveness, ensure quality of care, encourage kidney transplantation and home dialysis, and increa
Title XVIII of the Social Security Act by adding Section 1881, which designated ESRD Network are
Network Organization Program. This section provided statutory authority for the maintenance of an
and analysis of such data as are necessary to prepare the reports required by subparagraph (H) and to
paragraph.

• Public Law 95-292 established the ESRD Program Management and Medical
Information System (PMMIS). The PMMIS was created in response to the CMS requirement to prov
legislation ensured that Medicare would pay for the dialysis treatments and kidney transplants requir
comprised of two tightly coupled legacy systems, REMIS and SIMS, until May 2012. In June 2012,
this change was reflected in the new ESRD/PMMIS which now comprised REMIS and CROWNWe
renal community. The EQRS application group is comprised of three systems (e.g., CROWNWeb, R
patient/clinical/provider data and production of performance analyses on quality data for several CM

o The Consolidated Renal Operations on a Web-based Network (CROWNWeb) is an internet
to electronically transmit patient, clinical and facility data. CROWNWeb enables the sharing
Organizations, and the public via the Dialysis Facility Compare/Reporting websites.
o The Renal Management Information System (REMIS) primary function is to calculate ESRD
dialysis treatments. REMIS receives claims data, entitlement data from SSA, transplant dat
determinations.
o The End-Stage Renal Disease Quality Incentive Program (ESRD QIP) uses clinical/reporting
methodologies to rate providers. Facilities that do not meet or exceed performance standa
two percent.
▪ The CMS developed the End-stage Renal Disease Quality Incentive Program (E
performance (also known as "value-based purchasing") quality incentive progra
Improvements for Patients and Providers Act of 2008 (MIPPA) section 153(c). Th
community with the opportunity to enhance the overall quality of care that ESRD
devastating disease. The ESRD Quality Incentive Program (QIP) is the most rece
outcomes by establishing incentives for dialysis facilities to meet or exceed perf
step has been an important component of the Medicare ESRD payment system.

3.3 Hospital Quality Reporting (HQR)


3.3.1 Introduction
HQR is a collection of federally mandated programs that govern the quality of health care provided i
at over 5,000 facilities nationwide. These programs include, but are not limited to, the following:
• Hospital Inpatient Quality Reporting (HIQR)
a. Hospital Value-Based Purchasing (HVBP)
b. Hospital Consumer Assessment of Healthcare Providers and Systems (HCAHPS)
c. HQR – Electronic Health Records (EHR)
• Hospital Outpatient Quality Reporting (HOQR)
• Ambulatory Surgical Center Quality Reporting (ASCQR)
• Inpatient Psychiatric Facility Quality Reporting (IPFQR)
• PPS-Exempt Cancer Hospital Quality Reporting (PCHQR)
• Hospital Consumer Assessment of Healthcare Providers and Systems (HCAHPS)
In addition, there are initiatives that span multiple programs:
• Hospital Public Reporting
• Hospital Outcome/Efficiency Measures through Claims-Based Measures
• Validation (eCQM, Inpatient, Outpatient)
• Promoting Interoperability (PI)
Data for the programs is submitted in a wide range of methods including XML, claims, web entry, re
(QRDA), attestation, and external data files. Data sources and file formats are subject to change. Exa
to:
- Clinical process data and population and sampling data – Hospitals or vendors abstract the
XML files. Population and sampling data may also be entered online.
- HCAHPS data – Hospitals or vendors submit survey data via XML files. Small hospitals may a
- Claims-based measure data – Hospitals submit Medicare claims which are stored in the Nat
systems and ISG Contractors to consume.
- HAI data – Hospitals submit HAI data to CDC NHSN (National Healthcare Safety Network). CD
- Web-based measure data – Hospitals submit aggregate quality measure data online.
- Structural measure data – Hospitals submit information about registry
The HQR programs support system components include, but are not limited to, the following:
• HARP (HCQIS Access Roles and Profiles)
• Site Navigation
• URM (User Role Management)
• Vendor Management
• NOP (Notice of Participation)
• CART (CMS Abstraction Reporting Tool)
• SDE (Simple Data Entry)
• SFS (Simple File Submission)
• Eligible Claims
• Data warehouses
• CACAO (IQR & OQR Chart-Abstracted Calculations and Outcomes, former measure engines
• Claims-Based Measures and Measure Engine
• VSS (Validation Sample Selection)
• PVT (Provider Validation Tool)
• Public Reporting Previews and Final Files
• Endpoint APIs
• Dashboards and Reporting (for users to review submission feedback and performance data
• Architecture Runway
• PRS (Program Resource System)
The PM3 Contractor shall manage and monitor an enterprise solution for the collection and reporting
(eCQMs) for these programs:
• Promoting Interoperability (PI) Program
• Hospital Inpatient Quality Reporting (IQR) program

The PM3 Contractor shall oversee all aspects of the program / project, making sure it is following th

The PM3 Contractor shall manage and support existing and new initiatives from the CMS administra
Reporting.
3.3.2 Background
Hospital Inpatient Quality Reporting (HIQR)
• Improve quality of care for beneficiaries
• Prevent medical care that harms patients or leads to preventable complications
• Empower consumers with information to make educated health care decisions
• Align payment incentives for high quality of care across settings
• Align HIQR clinical quality measure reporting requirements with eCQM submission requirem
3.3.3 Subcomponents of HIQR
3.3.3.1 Hospital Value Based Purchasing (HVBP)
Hospitals must meet the following criteria to participate in the HVBP program:
• Participate in HIQR program and receive full APU payment
• Above minimum number of cases, measures and domains
• Do not exceed specified number of citations for deficiencies that pose immediate jeopardy
Objectives:
• Hospital Value-Based Purchasing Program pays inpatient acute care hospitals based on the
for performance, rather than pay for reporting.
• Eliminate or reduce occurrence of adverse events
• Adopt evidence-based care standards and protocols that result in the best outcomes for th
• Improve patients’ experience of care during hospital stays
3.3.3.2 Hospital Consumer Assessment of Healthcare Providers and Systems (HC
Objective:
• Improve patients’ experience of care during hospital stays
3.3.3.3 HQR – HITECH EHR
Objectives
• The HITECH Act advances the use of Health Information Technology to save lives and reduc
technical infrastructure and adoption of health information technology (including both acquisi
effective utilization). It also addresses key policy areas regarding the privacy and security of p
programs are designed to support providers and instill the use of EHRs in meaningful ways to
efficiency of patient health care.
3.3.3.4 Hospital Outpatient Quality Reporting Program (HOQR)
Objectives:
• Improve quality of care for beneficiaries
• Drive quality improvement through measurements
• Empower consumers with information to make educated health care decisions
• Publicly display data to help more informed decision making
• Align payment incentives for high quality of care across settings
• Prevent medical care that harms patients or leads to preventable complications
3.3.3.5 Ambulatory Surgical Center Quality Reporting (ASCQR)
Objectives:
• The ASCQR Program uses a variety of tools to stimulate and support a significant improvem
• This initiative aims to refine and standardize ASC data collection, data transmission, and p
prioritized, and standard quality outpatient measure set for ASCs.
• The goal is for all private and public purchasers, oversight and accrediting entities, and pa
measures in their national public reporting activities.
• Quality improvement support, collaborations, standardization, and assuring compliance wi
important additional tools in achieving this objective.
3.3.3.6 Inpatient Psychiatric Facility Quality Reporting (IPFQR)
Objective:
• The IPFQR pay-for-reporting program is intended to equip consumers with quality of care in
healthcare options. It is also intended to encourage hospitals and clinicians to improve the qu
ensuring that providers are aware of, and reporting on, best practices for their respective faci
3.3.3.7 PPS-Exempt Cancer Hospital Quality Reporting (PCHQR)
Objective:
• The PCHQR program is intended to equip consumers with quality-of-care information to mak
It is also intended to encourage hospitals and clinicians to improve the quality of inpatient car
that providers are aware of and reporting on best practices for their respective facilities and t
3.3.3.8 Hospital Public Reporting
Public reporting supports the public display of measure data from the following programs and org
• Inpatient Quality Reporting (HIQR) – Including HCAHPS and HVBP data
• Hospital Outpatient Quality Reporting (HOQR)
• Inpatient Psychiatric Facilities Quality Reporting (IPFQR)
• PPS-Exempt Cancer Hospital Quality Reporting (PCHQR)
• Ambulatory Surgical Center Quality Reporting Program (ASCQR)
• VHA (Veterans Health Administration)
• DoD (Department of Defense)
Objectives:
• Provide people with Medicare and public consumers with comparative data to guide them
• Provide useful and valid information about hospital quality to the public
• Make health care performance data more transparent and meaningful to the public
• Encourage hospitals to adopt quality improvement strategies
3.3.3.9 Public Reporting of VA Hospital Data on Hospital Compare

CMS is working with the Veterans Affairs (VA)/Veterans Health Administration (VHA), establishin
report quality measure data for VA hospitals on Hospital Compare or its successor website on Medic
many, if not all, of the quality measures reported by civilian acute care hospitals. The types of qualit
Compare or its successor website on Medicare.gov include, but aren’t limited to, process of care, He
Hospital Consumer Assessment of Healthcare Providers and Systems (HCAHPS) measures.
This work is being undertaken in response to Section 206(c) of The Veteran’s Access, Choice, and A
of the VA to enter into an agreement with the Secretary of the Department of Health and Human Ser
patient quality and outcome information concerning VA medical centers through the CMS Compare
hospitals located throughout the United States. Publicly reporting VA data alongside civilian acute c
make meaningful comparisons of performance on aligned quality measures.
3.3.3.10 Public Reporting of DoD Hospital Data on Hospital Compare
Validation (eCQM, Inpatient, Outpatient)
Objectives:
• Ensure accuracy of chart-abstracted and Healthcare-Associated Infections (HAI) data subm
(IQR) Program and chart-abstracted data for the Outpatient Quality Reporting (OQR) through
• Verify on a quarterly basis that hospital-abstracted data submitted to the Clinical Warehou
Safety Network (NHSN) can be reproduced by a trained abstractor using a standardized proto
• Annually assess the accuracy of eCQM data and that it meets the eCQM measure's intent.
3.3.3.11 Promoting Interoperability (PI)
In the beginning this program consisted of 3 Stages:
• Stage 1 – set the foundation for the Promoting Interoperability Programs by establishing re
including providing patients with electronic copies of health information.
• Stage 2 – expanded upon the Stage 1 criteria with a focus on advancing clinical processes
supported the aims and priorities of the National Quality Strategy. Stage 2 criteria encourage
improvement at the point of care and the exchange of information in the most structured form
• Stage 3 – focuses on using CEHRT to improve health outcomes. In addition, this rule modifi
reporting requirements and align with other CMS programs.
Objectives:
• Improving quality, safety, efficiency and reducing health disparities
• Engage patients and families in their healthcare
• Improve care coordination
• Ensure adequate privacy and security protections for personal health information
3.3.3.12 Claims-Based Measures
• Inpatient Quality Reporting (IQR/PR)
• Outpatient Quality Reporting (OQR)
• Hospital Value-Based Purchasing (HVBP)
• Hospital Value-Based Purchasing Medicare Spending Per Beneficiary (HVBP MSPB)
• Outpatient Imaging Efficiency (OIE)
• Hospital Acquired Conditions Deficient Reduction Program (DRA HAC)
• Inpatient Psychiatric Facilities Quality Reporting (IPFQR)
• PPS-Exempt Cancer Hospital Quality Reporting (PCHQR)
• Ambulatory Surgical Center Quality Reporting Program (ASCQR)
• Hospital Acquired Conditions Reduction Program (HACRP)
• Hospital Readmission Reduction Program (HRRP)
Objective
• The purpose of the Claims-Based Measures (CBM) process is to produce the final data calcu
rates from Medicare fee-for-service (FFS) paid claims data. The reporting of claims data is inte
information to make more informed decisions about health care options. It is also intended to
quality of inpatient care provided to people with Medicare by ensuring that providers are awa
respective facilities and type of care.
3.4 Enterprise System Services (ESS) /Targeted Enterprise Architecture (TEA)
3.4.1 Introduction
The objectives of CMS’ enterprise IT architecture are:
• To promote interoperability and connectivity among dissimilar systems that must function
• To provide the ability to manage change, whether driven by legislation, policy, business log
upgrades, and vendor consolidations or failures.
• To foster the identification and reuse of components and services to avoid duplicative imp
• To identify areas for new development and to highlight legacy systems that must be retire
Enterprise Architecture (EA) not only describes the current and desired relationships among busines
technology, it also establishes a target for the future. The target architecture represents what CMS in
application developers must achieve.
CMS decided to adopt the concepts contained in Gartner’s “good enough” architecture as the founda
presented a set of architecture principles, called the “good enough” architecture. “Good enough" arch
architecture that is flexible and promotes business agility. The objective is to create an agile architec
changes in business models and technology. The focus is on being malleable, rather than perfect.
There are three principles of the “good enough” architecture: Information Management (DIM), Qual
IT Governance of HCQIS. The parity listing of enterprise service portfolio areas may change periodi
support all Enterprise System Services per CMS direction.
3.4.2 Scope
• CMS’ QualityNet consolidation will integrate multiple Center for Clinical Standards and Qua
and QualityNet.org (QNP)) and applications under a single, publicly available entry point.
• HCQIS Access and Roles Profile Management (HARP) will provide a central authorization ser
retirement of multiple role databases managed by Lines of Business.
• Data Exchange (DE) currently comprises two efforts: Managed File Transfer (MFT) and Pre-S
Interface (PSVA).
o CMS HCQIS replaced QualityNet Exchange Secure Data Exchange (SDX) with an Axway p
Transfer (MFT), for all legacy QualityNet Exchange.
o Pre-submission Validation Application Programming Interface (PSVA) is a client-side Appl
vendors, hospitals, and providers with a method for validating electronic files prior to subm
to users’ requests to reduce the cost and time associated with invalid submissions.
• Data and Information Management encompasses the development and execution of archite
control, protect, deliver and enhance the value of data and information assets in support of a
Legacy data warehouses into a centralized Enterprise Data Warehouse, aligned with the CMS
• CMS has implemented quality measure reporting programs for multiple settings of care. Th
health care for Medicare beneficiaries. All of the programs utilize measurement functionality,
outcome metrics. CMS desires to implement a Quality Measures Enterprise Service to facilitat
measures in an expeditious manner. The Quality Measures Enterprise Service will be the defin
data and will propagate to ancillary products within the systems (i.e., import processors, data

• Architecting, engineering, developing, testing and promotion of the core Enterprise Security Servi
include, but not limited to the Security Gateway, Error Handling, Antivirus, SALARS and Incident R

3.4.3 QualityNet Portal (QSP/QNP)


The integrated project team (IPT), as a part of this effort, will take inventory of:
1) all current content and
2) all links to external sites and applications.

Content will be architected and approved styles will be applied to ensure a consistent user experience
standards. All content will be managed via a web content management system. The new QualityNet w
procedures that will be enforced by the Portal Governance Workgroup at the HCQIS or CCSQ level
input. Please note that publishing of content is also subject to mandates or directions from Congress
such.
3.4.4 User Experience and UX Activities
QualityNet Portal will improve the user experience for the CCSQ applications by having but not li
1. A common look and feel adhering to CMS standards for website style.
2. A common, global navigation framework guiding users to the core functionality of all lines of busi
payment scoring.
3. Enhanced capabilities within the core functionality areas to improve the user experience.
4. A key supporting capability that provides a single point of access to the various HCQIS user authe
3.4.5 Standards and Governance
1. The Contractor shall provide the necessary input to the Portal Governance Workgroup which comp
experts (SMEs) from CCSQ and contractor entities across the enterprise. The Portal Governance
adopted.
2. The contractor, in collaboration with CCSQ and the Portal Governance Workgroup, shall author p
will be standardized and governed for all LOBs.
3. The contractor, in collaboration with CCSQ and the Portal Governance Workgroup, shall also use
standards from HHS and CMS.
4. The contractor, with the support of the Portal Governance Workgroup, shall document requiremen
web content (static and dynamic, public and secure.)
5. The contractor shall create and execute a content strategy in collaboration with CCSQ and the Por

o Analyzing, validating, and updating content prior to consolidation of the existing sites;
o Confirming which content is static and which content is dynamic;
o Confirming which content is public and which content is secure;
6. The contractor shall ensure users will see the content appropriate to their role
team will publish content following established policies and procedures for conte
3.4.6 Content Management Processes
In the scope of Portal Governance Workgroup, content management activities shall include but not b
1. Defining content management policy and procedure
2. Defining HCQIS analytics policy and standards
3. Defining HCQIS usability policy and standards
4. Defining HCQIS editorial policy and standards
5. Defining HCQIS information architecture policy and standards
6. Defining HCQIS UX policy and standards
3.4.7 HCQIS Access and Roles Profile Management (HARP)
Tasks
• HARP shall provide a standard authorization structure that can be consumed by each LO
• HARP shall provide standard roles that can be consumed across the enterprise.
• HARP shall provide the ability for multiple organizations to be associated to individual us
• HARP shall provide the user interface to manage user profiles, process access requests,
3.4.8 Enterprise Security Services (ESS)
Tasks
• HCQIS XML Gateway Service
• HCQIS Error Handling Service
• Security Audit Log Analysis and Reporting Service (SALARS), including Incident Respons
• Certificate Authority Service
• Integration of Host Intrusion Detection System (HIDS)
• Integration of NIDS appliance w/ HCQIS Span Port
3.4.9 Data Exchange (DE)
3.4.9.1 Managed File Transfer (MFT)
Tasks
• Providing enhanced capabilities for Axway SFT and Sentinel Reporting.
• Providing commercial off-the-shelf (COTS) upgrades to Axway ST for system optimizatio
increased productivity.
• Establishing a means for individuals to securely send and receive data files with unlicen
Request System (OARS) access role management.
• Providing file polling and batch upload capabilities for multiple LOBs.
• Development of a Security Audit Logging and Audit Reports Service (SALARS) prototype
• Development of an Axway Transfer/Cross File Transfer (CFT) to transfer Quality Improve
data upload functionality.
3.4.9.2 Pre-submission Validation Application Programming Interface (PSVA)
Scope

Every year, changes occur to submission file definitions and it is important that clients are executing
validation rules. The Pre-Submission Validation API (PSVA) tool will enable the vendors to perform
submission to CMS. Vendors who use the PSVA tool will leverage immediate feedback and a more

Tasks
• Provide a client-side validation API to catch errors prior to submission
• Provide a tool for validation and submission
• Provide multiple application interfaces for consumption (CLI, GUI, API)
• Integration with multiple validators via plug-n-play
3.4.10 Data and Information Management (DIM)
3.4.10.1 Enterprise Data Warehouse (EDW) - HCQIS Business Warehouse (HBW)
Tasks
• Provide reliable CCSQ data that is standardized across operational systems and reportin
business decisions
• Data presented in a CCSQ business context that does not require users to know the und
• Data can be analyzed across LOBs as well as within an LOB
• Supports multiple access needs: Analytics, Data Extraction, Trending
• The available data supports CCSQ users making timely business decisions
• The environment is scalable and sustainable over time
• Minimize the rework needed to incorporate new requirements
• Data quality is improved through conforming and analyzing data
3.4.10.2 Informatica DQ (IDQ)
Tasks
• Implement the IDQ
• Select data sets for profiling
• Conduct data analysis to identify data to be profiled
• Create a data profile report
• Baseline quality for each data quality dimension
• Develop standard operating procedures and training documentation for use of the tool
• Implement Enterprise Data Quality Dashboard
3.4.10.3 Quality Measures
Tasks
CMS has implemented quality measure reporting programs for multiple settings of care. These pro
for Medicare beneficiaries. All of the programs utilize measurement functionality, from evaluation
desires to implement a Measure Engine as an Enterprise Service to facilitate the definition, mainte
The Measure Engine will be the definitive source of measure definition and calculation data and w
(i.e., import processors, data collection tools, reports and outputs, etc.).

The Measure Engine implementation will reduce the level of ADO coding of measures, reduce the
measure implementation. This will allow CMS to react quickly to modifications to measures with
Measure Engine will provide the ability to conduct “what if” scenarios with measure modification
unintended consequences.

3.5 Quality Improvement Organization (QIO)


3.5.1 Introduction

The statutory mission of the Program, as set forth in Section 1862(g) of the Act, involves the Secr
Organizations (QIOs) for purposes of making determinations about whether items and services pr
necessary for the diagnosis or treatment of illness or injury or to improve the functioning of a mal
addition, the Secretary must enter into these contracts to improve the effectiveness, efficiency, eco
beneficiaries. Toward those goals, Section 1154(a) of the Act requires the QIO Contractors to perf

3.5.2 Background
The QIO program focuses on three aims: better patient care, better population health, and lower h
effort, QIOs contribute to bold, national goals, like a 40-percent reduction in hospital-acquired con
accelerate the pace of change and rapidly spread best practices. Improvement initiatives encourage
way to patient-centered care by including an active role for Medicare beneficiaries.

QIOs are private, mostly not-for-profit organizations staffed by doctors and other health care prof
beneficiaries with complaints about the quality of care and to implement improvements in the qua

For the 12th Scope of Work (12th SoW), CMS redesigned its QIO Program to further enhance the
program structure maximizes learning and collaboration in improving care, enhances flexibility, s
of care, helps achieve the priorities of the National Quality Strategy and the goals of the CMS Qua
beneficiaries, patients, and taxpayers.
Some of the recent QIO Program changes included separating case review from quality improvem
three (3) to five (5) years, removing requirements to restrict QIO activity to a single entity in each
a broad range of entities to perform the work.
3.5.3 QIO Types
3.5.3.1 Network of Quality Improvement and Innovation Contractors, Quality Im
Purpose: NQIIC-QIOs improve healthcare services through education, outreach,
areas, using data to measure improvement, working with patients and familie
communication and collaboration. NQIIC-QIOs also work to improve the quality
and priority populations and to reduce the incidence of healthcare-acquired c
priorities. the quality of healthcare for targeted health conditions and priority populations and to
to meet national and local priorities.
3.5.3.2 National Coordinating Center (NCC)
Purpose: To provide general and specific interventions, collect and analyze national level d
NQIIC-QIOs, CMS and other stakeholders and partners.
3.5.3.3 Beneficiary and Family Centered Care Quality Improvement Organization
Purpose: BFCC-QIOs improve healthcare services and protect beneficiaries through expedi
and quality of care reviews for people with Medicare. The BFCC-QIO ensures consistency in
consideration local factors and local needs for general quality of care, medical necessity, a
Background: The Center for Clinical Standards and Quality (CCSQ) is responsible for oversi
Case Review Program administered by BFCC-QIOs. The purpose of case reviews is to suppo
Program to improve the quality of care for Medicare Beneficiaries and facilitate the provisio
carrying out its charge, the Beneficiary Protection Program aims to protect beneficiaries by
notices, and appeals, such as: beneficiary complaints; provider-issued notices of non-cover
Notice of Discharge and Medicare Appeal Rights [NODMAR], and Medicare Advantage appe
(EMTALA) violations; and other related statutory QIO responsibilities. CCSQ seeks to ensure
efficient, functional, secure, and well documented in the provision of high-quality service in
3.5.3.4 Beneficiary and Family Centered Care - National Coordinating Center BF
Purpose: To communicate between CMS, QIOs, and other program stakeholders, to ensure
provide technical assistance to the BFCC-QIOs to improve healthcare services for Medicare
review functions.
3.5.4 Non-QIO Organizations
3.5.4.1 Strategic Innovation Engine (SIE)
Purpose: To rapidly identify, create, evaluate, and supply quality improvement intervention
improve the healthcare system.
3.5.4.2 Independent Evaluation Center (IEC)
Purpose: To provide information for ongoing program improvement, evaluate the effective
healthcare of 50 million Medicare beneficiaries, and advise CMS. The evaluation products s
Program’s impact on the three aims: better care, better health for populations, and afforda
3.5.5 QIO Applications
3.5.5.1 Active Applications
3.5.5.1.1 Quality Management and Review System
The Quality Management and Review System (QMARS) is based on an underlying commercial o
that can be configured to track the medical case review performed by the QIOs. The longer term g
system of record for all CMS case reviewed. The legacy system prior to the development of QMA
(CRIS). (See legacy applications for more information.)
Release Cycle: Bi-Weekly
Development Methodology: Agile
3.5.5.2 Data Deliverable and Submission Tool (DDST)
Web application that allows QIOs to upload their deliverables and to track other required informa
Release Cycle: Bi-Weekly
Development Methodology: Agile/Scrum
3.5.5.3 Financial Information and Vouchering System (FIVS) Next Generation (NG)
Vouchering system utilized by QIOs to record data regarding labor costs associated with Case Rev
their monthly vouchers in support of the 12th SoW.
Release Cycle: Bi-Weekly
Development Methodology: Agile/Scrum
3.5.6 QIO Legacy Applications
3.5.6.1 Lyris Listserve
Used to create and maintain point of contact (POC) lists. The POC lists can be used to distribute H
(NCC) documentation and to facilitate additional communication activities.
3.5.6.2 Program Progress Reports (PPR)
Application is designed to allow CMS, QIOs, and CDACs to run and view reports from data enter
applications.
3.5.6.3 Program Resource System (PRS)
Web-based application which stores all physician, health service provider, beneficiary, Medicare A
Medicare Administrative Contractor (MAC) information for every state. Several applications link
system of record for the QIOs.

3.6 Quality Improvement and Evaluation System (QIES/iQIES) - (Optional)


3.6.1 Introduction
The Quality Improvement and Evaluation System (QIES/iQIES) is the key source of quality data
repository system for Medicare, Medicaid and the Clinical Laboratory Improvement Amendments
validates data on provider and beneficiary specific outcomes of care and performance for use in im
provided by the Medicare, Medicaid, and CLIA programs.
3.6.2 Background
3.6.2.1 Quality Improvement and Evaluation System (QIES)
QIES supports the following activities:
• Fully supports the Survey and Certification program
• Fulfills the agency’s quality initiatives for select provider settings;
• Aids in managing payment for services to beneficiaries; and
• Assists in the battle against fraud and abuse by providing resource data for Recovery Co
referencing
QIES may be divided into three major systems: 1) Assessments, 2) National Systems, and 3) Survey
• Assessments are maintained in the Assessment Submission and Processing (ASAP) syste
types of healthcare providers submit CMS-required patient/resident information to this syst
and analysis of data for patients/residents in various types of care settings.
• The QIES National Systems consist of Infrastructure and National Reporting. The Nationa
QIES users to access data relevant to their work. It includes the standard and ad hoc repor
the ASPEN is replicated to the QIES National Systems for reporting purposes.
• Survey and Certification information is maintained in the Automated Survey Processing E
analysis, and data repository system for Medicare, Medicaid, and CLIA providers. ASPEN pr
of data for providers/suppliers: demographic, survey, certification, complaint/incident, and
3.6.2.2 Internet QIES (iQIES)
The development contractor supporting iQIES will:
• Add 2-factor authentication per the CMS security standards.
• Move all QIES applications off the CMS Extranet to eliminate the financial and technical b
connectivity for over 40,000 providers and surveyors in our user community.
• Implement a full 3-tier architecture.
• Redesign the infrastructure to centralize the QIES National Database and remove the us
control and account management for all QIES applications.
• Move the CASPER system off of the current outdated software platform by replacing the
technology.
• Provide Tier 2/3 support for issues reported on pieces of the replacement system that have b

3.7 External Lines of Business Overview


3.7.1 Infrastructure and Operations
3.7.1.1 HCQIS IT Hardware/Software Procurement

The Contractor shall not develop or procure software products for use by other Contractors, partne
addition, no funds from this contract shall be used for data collection activities not specified in thi
accordance with other CMS administrative guidance. The Contractor shall maintain the CMS HHS

3.7.1.2 Hardware/Software
Contractor-furnished equipment (CFE) includes, but is not limited to, hardware, software, comme
furnished by a contractor for the purpose of performing work under a contract. The Contractor wi
software, and internet connectivity (i.e., Contractor Furnished Equipment, or CFE).
The Contractor must connect to the HCQIS environment via an Internet Service Provider (ISP) ut

3.7.1.3 IPv6
IPv6 compliant product or system developed, acquired, or produced must:
1. Conform to the appropriate technical capabilities defined in the USGv6 Profile (National Institu
Publication [SP] 500-267) as certified in a System Declaration of Conformance (SDOC) defined i
test laboratory, per Title 48
2. Interoperate with both IPv6 and IPv4 systems and products, per OMB M-05-22
3. Have available contractor/vendor IPv6 technical support for development and implementation a
of IPv6 specific maintenance agreements, per OMB M-05-22
3.7.1.4 Remote Access Software
CMS will only provide the necessary remote access software to connect to the HCQIS environme
software on CFE allows a user the ability to download data locally to a user’s laptop/workstation.
3.7.1.5 Software Acquisition

CMS has procured limited quantities of software licenses and will provide these to the Contractor
CMS Provided Software for more detailed information. The Contractor is responsible for covering
responsible for including software costs within its proposal. The Contractor must receive approva
software installation on equipment that connects to the HCQIS environment.
If the Contractor requires additional software outside the base award, the Contractor must receive
via the HCQIS Asset Procurement Committee (APC) procurement process. The APC will review
Accordingly, the Contractor shall be required to have access to the current tool used to request/tra

3.7.2 Operations and Maintenance Support


Contractor shall propose the necessary capacity (labor/cost/etc.) to support, at a minimum, the follow
• Contractor shall provide service desk and desk side support for SW related items, SW up
and recovery support.
• Contractor will maintain infrastructure to include network connectivity, systems, system
perform this contract.
3.7.2.1 Help Desk
The Service Center serves as the single point of contact for Tier 1 support, providing support for o
Network of Quality Improvement and Innovation Contractors (NQIICs), Beneficiary & Family-C
Improvement and Evaluation System (QIES), internet Quality Improvement and Evaluation (iQIE
Ambulatory Surgical Centers, Psych Facilities, Cancer Facilities, Submission Vendors for all com
(EPs) including Accredited Care Organizations (ACO), Group Practice Organizations (GPRO), R
Quality Clinical Data Registries and Support Contractors to provide support for all QualityNet IT

The Service Center creates a ServiceNow Case, Incident or Service Request for tracking each call
and resolution through responsive and accurate solutions where possible. Through this approach, t
customer satisfaction and make a positive contribution to overall productivity. The following outl
Center as well as the requirements for triaging to Tier 2 and 3 where applicable.
Tier 1 primary tasks include but are not limited to the following:
Provide assistance to callers on Program Initiatives and reporting options.
Provide assistance on how to participate in required programs.
Provide assistance to callers on how to submit and submission deadlines.
Provide assistance to callers on how to run/access/review reports.
Provide assistance with all HCQIS applications and QualityNet IT Products.
Provide assistance with multiple account registrations.
Reset login credential/passwords.
Maintain and update internal knowledge base.
Tier 1 AST (Advanced Support Team) tasks include but are not limited to the following:
Make outbound calls on unresolved incidents to provide in-depth troubleshooting.
Provide assistance on Submission issues by running/analyzing PL/SQL queries.
Provide technical assistance with application installs.
Provide technical assistance with account issues.
Provide technical assistance with report access issues.
Review all incidents prior to escalating to all external tiers.
Make outbound calls to all Physicians Value Individual's Authorized Access to CMS Systems (
Upload and route Hospital Specific Report.
Bug triage on all HCQIS applications and QualityNet IT Products.
Maintain and update internal knowledge base.
Tier 2 & Tier 3 Support extends beyond the roles and responsibilities of the Service Center and is
by the Contractor. If support for Tier 2 and/or 3 are required for any contract, the Contractor shall
providing, at a minimum, the following:
Tier 2 and/or 3 staffing resources to meet their needs.
Outline tasks associated with their Tier 2 and/or Tier 3 support.
Triage requirements/models for Tier 2 and/or Tier 3.
Work with QualityNet Service Desk team to identify processes/documentation required for the Helpdesk to integrate into process flow such as Troub
Get Started Guides and FAQs that are required to train Help Desk staff and provide support.
Provide support and feedback on monthly reports to the CMS COR.
Work through the CMS COR directly on issues and questions concerning the QualityNet Servic
In addition to providing the above support as needed, the contractor shall also:
Provide Human Centered Design (HCD) support for the Service Center. The HCD team will revie
order to enhance the customer service experience for CMS customers of the Service Center. The H
staff to gather documentation and feedback in support of their mission.
Provide Project Management (PM) support for Service Center process improvement projects. The
Service Center staff to implement the projects identified by CMS. The PM will help coordinate ac
the process improvement projects for the Service Center.

Provide Project Management (PM) support for the QIES/iQIES Service Center. The PM will cont
other Service Center metrics as defined by CMS to CMS QIES/iQIES team members. The PM wi
QIES/iQIES help desk teams to ensure proper service center processes are followed. The PM will
projects for the QIES/iQIES help desks. The PM will support post QIES/iQIES L1 Helpdesk trans

Document migration procedures related to QPP’s adoption of the ServiceNow Customer Service Module (CSM) in order to provide a CMS-approved migration mo
Coordinate with each LOB on the development and incorporation of requirements for the respecti
CMS PMs for review and approval.
Using processes put in place by the QPP Service Center team, work with the HCQIS infrastructur
center software.
Recommend adoption of ServiceNow modules pertinent to the HCQIS program, and support the m
requirements and coordinating approvals necessary for implementation.
Coordinate with other CMS contractors to fulfill IT Service Management (ITSM) and configuratio
Provide QPP Service Center oversight including but not limited to:

a. Monitoring and supporting all assignment groups, assigning cases to the appropriate group, an
b. Producing and reviewing reports to support the QCC, including but not limited to a QCC Exe
other ad hoc reports or queries as requested.
c. Providing data inputs as requested to support monthly presentations and reports.
Produce reports including but not limited to daily operational reports, weekly aging reports, and o
Manage all Product Team (Tier 3) cases from start to finish ensuring timely response.
3.7.2.2 Transition of Equipment
The Contractor is responsible for adhering to the CMS HHS-565 and HHS-22 processes set (inclu
Operations Management, which focuses on asset management and transition of equipment (transfe

1. At the end of a contract period, the Contractor must work with and help coordinate the migra
group and Contractor(s) as needed to complete a successful closeout. This includes, but not lim
a. Identifying all CMS equipment procured and used by the incumbent
b. Planning and transitioning all equipment as outlined by CMS (either to successor or to an
packaging and shipping to identified location
c. Provide support to CMS with the closeout & closedown of all IT related items that the inc
3.7.3 System Development Life Cycle (SDLC)/ Investment Life Cycle (ILC)/ Targeted Life C
The Contractor will have the responsibility to develop and QA (Quality Assurance) test software b
meeting contract deliverables by providing the following environments as spelled out in the HCQ

• Sandbox with Enterprise System Services – for application development with access t
• Development – for application development
• QA/Testing – for application testing by the ADO
• Validation and Verification (V&V) – for testing to be conducted by an independent V&V
• Independent Testing Facility (ITF) – for performance testing by an independent Contra
Security Controls Assessment (SCA) testing is conducted by an independent Contractor
• Production – for hosting system subsequent to successful development/testing
The following 2-page chart shows the TLC artifacts required organized by:
• TLC phase
o Initiation, Concept, and Planning
o Requirements Analysis and Design
o Developmen
o Implementation
o Operations and Maintenance
• Component/Contractor lead
o CMS
o PM3 Contractor
o Security Contractor
o Application Development Contractor (ADO)
o V&V Testing Contractor (HIVVS)
o Infrastructure Contractor
• Type of Artifact
o Project Management
o Security
o Task-specific Security
3.7.4 Transition
The Contractor shall provide transition services and plans. The Contractor shall work with C
continued, uninterrupted, successful operation of the ISG/HCQIS Program and Project Mana

3.7.4.1 Transition In
The new Contractor shall establish a Joint Operating Agreement (JOA) with the incumbent C
new contract. Contractor. The purpose of the JOA is to establish a process for managing the
establish a process to fully transition the workload from the incumbent contract to the new co
two entities will maintain support during the transition of the work from the incumbent’s con
used to communicate and coordinate activities to communicate to CMS. The JOA shall be de
approved by the COR.

The Contractor shall submit a Transition-In Transition Plan (TITP) for review and approval

The Contractor shall maintain the TITP and submit updated version(s) to CMS for review an
The Contractor shall fully implement the CMS-approved TITP. The Contractor shall provide
transition.
The TITP shall provide detailed methods that will be used to ensure a smooth transition from
by the Successor Contractor.
The TITP shall provide all necessary information and process to ensure continued, uninterru
and Project Management activities. At a minimum, the TITP shall provide the following:
• A milestone chart detailing the timelines and phases of transition from the date
responsibility for the work as identified in this Performance Work Statement;
• A transition project plan that, at a minimum, consists of tasks, sub-tasks, start d
• An organizational chart that displays internal and external organizational relation
individuals, at all levels, who will be responsible for the transition and their respecti
• Plans to acquire all necessary hardware, software, equipment, and connectivity t
• Plans to communicate and cooperate with the Incumbent Contractor.
3.7.4.2 Transition Out

The Contractor shall work with the IPT to ensure that a comprehensive set of documentation
delivered per-baseline schedule to CMS. And, at the direction of CMS, forward the same do

As requested by CMS, the Contractor shall submit a Transition-Out Transition Plan (TOTP)
The Contractor shall maintain the TOTP and submit updated version(s) to CMS for review a
The Contractor shall fully implement the TOTP. The Contractor shall provide technical expe
successful transition.
The TOTP shall provide all necessary information and process to ensure continued, uninterru
and Project Management activities.
The TOTP shall provide detailed methods that will be used to ensure a smooth transition of I
At a minimum, the TOTP shall provide for the following:
• A milestone chart detailing the time lines and phases of transition until the Succe
work as identified in this PWS;
• A project plan that, at a minimum, consists of tasks, sub-tasks, start dates, end d
• An organizational chart that displays internal and external organizational relation
individuals, at all levels, who will be responsible for the transition; and
• Plans to communicate and cooperate with the Successor Contractor.
3.7.5 Key Personnel
The Contractor shall submit an Organizational Chart along with the resumes of each key staf
Key Personnel include:
Portfolio Manager(s)
Program Manager(s)
Project Manager(s)
These Key Personnel positions require CMS CO approval based on the recommendation from
key personnel within three business days of the Contractor becoming knowledgeable of the v

3.8 Information Security Requirements


3.8.1 Federal Security Mandates
The Contractor must perform the following activities to ensure that any information generated, colle
maintained:
1. Protect government information and information systems in order to ensure:
o Confidentiality, which means preserving authorized restrictions on access and disclo
contract, including means for protecting personal privacy and proprietary information;
o Integrity, which means guarding against improper information modification or destru
authenticity; and
o Availability, which means ensuring timely and reliable access to, a

o Comply with the HHS Standard for Encryption of Computing Devices and Information to
(available on the CMS Information Security and Privacy Library). Encrypt all sensitive feder
Personally Identifiable Information (PII), Protected Health Information (PHI), proprietary in
(i.e., via email, network connections, etc.) and at rest (i.e., on servers, storage devices, mobil
validated encryption solution.

o Secure all devices (including, but not limited to, desktops, laptops, and mobile devices) tha
devices meet HHS and CMS-specific encryption standard requirements. Maintain a complet
computers, and other mobile devices and portable media that store or process sensitive gover
o Contractors connecting approved Contractor Furnished Equipment (CFE) to the CMS-own
controls are in place to ensure that the confidentiality, integrity, and availability of CMS-own
connecting to the Health Care Quality Information Systems (HCQIS) Network must comply
Quality Information Systems Contractor-Furnished Equipment (CFE) Guidelines and Requir

3.8.2 Training
• Role-based Training
All Contractor employees with significant security responsibilities (as determined by the Program M
commensurate with their role and responsibilities, and in accordance with HHS and CMS policies.
• Training Records
The Contractor must maintain training records for all its employees working under this contract in ac
to CMS upon request.
3.8.3 Rules of Behavior

All Contractor employees must adhere to all HHS, CMS and QNet Rules of Behavior (ROB) before
networks that store/process government information. Initially at the beginning of the contract, and at
CMS systems or with CMS data must provide a signed statement attesting to the fact that it understa
as part of annual OpDiv Information Security Awareness Training. If the training is provided by the
separate deliverable to the Contracting Officer (CO) and/or Contracting Officer’s Representative (CO

3.8.4 Incident Response & Reporting


FISMA defines an incident as “an occurrence that (1) actually or imminently jeopardizes, withou
availability of information or an information system; or (2) constitutes a violation or imminent th
procedures, or acceptable use policies.”
A privacy breach is a type of incident and is defined by FISMA as the loss of control, compromi
any similar occurrence where (1) a person other than an authorized user accesses or potentially a
potentially accesses PII for other than an authorized purpose.
Access to Government Owned Systems & HSPD-12
IT Management and IT Systems Development
3.8.5 CMS Control Implementation and Baselines: Acceptable Risk Safeguards (ARS)
The ARS is based on:
•National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev
Controls for Federal Information Systems and Organizations, dated April 2013
•Federal Risk and Authorization Management Program (FedRAMP)
•HHS Information Systems Security and Privacy Policy (IS2P)
•CMS Information Systems Security and Privacy Policy (CMS IS2P2) CMS-CIO-POL-SEC-
•CMS policies, procedures, and guidance
•Other federal and non-federal guidance resources
•Industry-leading information security and privacy practices adopted by CMS
3.8.6 Security Assessment and Authorization (SA&A) Process
In efforts to support CMS SA&A, the Contractor must:
Comply with ATO requirements as mandated by federal laws and policies, including making
access needed to support this requirement. The level of effort for the ATO is based on the Sys
procedures (located on the CMS Information Security and Privacy Program website).
Coordinate with the CMS Business Owner to create, maintain, and update all applicable ATO
procedures.
Obtain an independent Security Controls Assessment (SCA) for all CMS systems and infrastr
the CMS Information Security and Privacy Program website. The SCA is a detailed evaluation
determines the extent to which controls are implemented correctly, operating as intended, and
the security requirements for the system. Requirements for control assessments are described
be found within the CMS Information Security and Privacy Library.

Allow CMS employees (or CMS CISO-designated third-party Contractors) to conduct SCA a
NIST SP 800-53/NIST SP 800-53A and CMS procedures and standards (located on the CMS

Apply appropriate security controls to meet CMS information security requirements, as define
amended), and in accordance with the below-listed parameters, for any/all tasks requiring the
of, or (4) host/maintain federal information (including software and/or infrastructure develope
federally-controlled facility (as defined in FAR Subpart 2.1):
o Systems Security Level: Low, Moderate, or High, as defined in the applicable appen
Information Security and Privacy Library).
o Information Type: is used to determine the information system security level. Howe
based on the specific type of data available within the system. For information identi
privacy requirements listed in the ARS manual Implementation Standards, as applica
o E-Authentication Level: 1 through 4, as defined in the CMS RMH, Volume III, Standa
identity proof and authenticate authorized users.
Identify gaps between required controls and the Contractor’s implementation as documented i
track mitigation in a Plan of Action and Milestones (POA&M). The POA&M must be comple
CMS Information Security and Privacy Program website). Depending on the severity of the ga
before an ATO is issued.

Mitigate all applicable security risks found during the ATO process and continuous monitorin
mitigated within 30 days from the date the vulnerabilities are formally identified, and all mod
days from the date the vulnerabilities are formally identified. The Government will determine
NOT receive an authority to operate with high-risk findings unless otherwise approved by the
Create, maintain, and update all documentation associated with the CMS Assessment and Aut
CMS FISMA Controls Tracking System (CFACTS), unless otherwise stated by the ISSO. The

3.8.7 Security Test Procedures and Results


• Security Assessment Report (SAR)
• System Security Plan (SSP)
• IT System Contingency Plan (CP)
• IT System Contingency Plan (CP) Test Results
• FedRAMP Control Tailoring Workbook (Cloud Service Provider)
• Control Implementation Summary (CIS) (Cloud Service Provider)
• Software Code Reviews
• Interconnection Agreements/ Memorandum of Agreements/ Interagency Agreements
3.8.8 System Security Maintenance and Patch Management

The HHS (IS2P) and CMS (IS2P2) policies ensure that all systems are running baseline requir
management program to implement, and support activities pertaining to vulnerability scanning
HHS information technology (IT) resources. Systematic scanning of hardware and software, i
applications, and electronic devices are necessary to protect all HHS data and systems from m
vulnerability and patch management is critical to maintain the confidentiality, availability and

Contractors are required to maintain systems with the most secure configuration possible. Sec
related software and firmware updates are patched or installed within specified timeframes. C
follow the timeframes set within the HCQIS Vulnerability and Remediation Guidelines. The g
Management Policy and set by the CCSQ Information Systems Group and should be adhered
ISSO.
3.8.9 Cloud Services and FedRAMP ATO Compliance
The Contractor must comply with FedRAMP SA&A requirements and ensure that any inform
compliant (approved) ATO in accordance with the Federal Information Processing Standard (
a FedRAMP-compliant ATO has not been granted, the Contractor must obtain written approv
any services.
CMS may leverage the Provisional Authorization granted by FedRAMP and any documentati
CMS-issued ATO is required before any Production (vice Development or Testing) operation
placed in a cloud-based environment.
3.8.10 Security Roles & Responsibilities
The Contractor must maintain security staff members on the contract at all times whose exper
of responsibility. Contracts working within HCQIS must assign and designate individuals to t
performed. Depending on the work being performed, an individual may obtain multiple securi
responsible for properly protecting, safeguarding, and disposing of all information used, gathe
The Contractor must also protect all government property or information, including, but not li
information as sensitive. The Contractor must consider all information about the systems gath
Unclassified Information (CUI).

For each of the applicable roles described below, the Contractor must identify the assigned pe
award (as required by the onboarding process). Further, the assigned personnel must be able to
within three days of the beginning of the contract’s period of performance.
3.8.10.1 Role 1: Security Point of Contact (SPOC):
The SPOC must fulfill the following responsibilities, including, but not limited to:
Maintain a general understanding of CMS and HCQIS security requirements and policies.
Assure all users complete necessary Security and Privacy training prior to accessing any HC
Manage and maintain all users’ Annual Security Awareness Training (SAT) certificates.
Fulfill incident management responsibilities, to include immediate response to security inci
involving PII or PHI in a timely manner (1 hour from the time of identification).
Coordinate the destruction of sensitive information.
3.8.10.2 Role 2: Security Official (SO) / Account Administrator (AA):
These applications may include, but are not limited to, the following:
• HCQIS WAN Network and VPN
• Desktop/VDI
• Office365
• CMS Quality Service Center (ServiceNow)
• Atlassian
3.8.10.3 Role 3: System Security Officer (SSO):
The SSO must fulfill the following responsibilities, including, but not limited to:
Support the CMS ISSO in the achievement and maintenance of an ATO for each applica
Have a full understanding of the CMS’ SA&A Processes.
Implement and maintain ARS controls for the appropriate system security level.
Develop and maintain FISMA system documentation.
Ensure systems adhere to Technical Reference Architecture (TRA) foundational and sup
specifications, when applicable (available upon request).
Use approved security tools for continuous monitoring and management of security base
Implement audit tools or processes for auditing and reporting services that support Conti
Provide engineering services and participation in Continuity of Operations Planning (CO

Develop and implement Configuration Management and Change Management plans whe
Develop and maintain artifacts related to the CMS Targeted Life Cycle (TLC) and CASF
Perform or participate in threat and vulnerability management for applicable FISMA sys
Perform POA&M management.
Assist the CMS ISSO with other additional security support efforts within the scope of c
3.9 Non-Disclosure
Information collected before, during, and after the CMS period of performance shall be trea
designated CMS officials and CMS-authorized personnel.
The Contractor shall identify any actual, apparent, or potential organizational or personnel
issued hereunder, and in relation to specific work requirements awarded to the Contractor,
regarding any identified concerns in accordance with the requirements at FAR Subpart 9.5.
3.10 Section 508 – Accessibility of Electronic and Information Technology

(a) Pursuant to Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), as amended
and information technology (EIT) supplies and services developed, acquired, or maintained
“Architectural and Transportation Barriers Compliance Board Electronic and Information T
the Architectural and Transportation Barriers Compliance Board (also referred to as the “A
Section 508 is available at http://www.hhs.gov/web/508. The complete text of Section 508
board.gov/guidelines-and-standards/communications-and-it/about-the-section-508-standar

(b) The Section 508 accessibility standards applicable to this contract or order are identified
Performance Work Statement. The contractor must provide any necessary updates to the su
of each contract or order exceeding the simplified acquisition threshold (see FAR 2.101) w
is determined by the Government that EIT supplies and services provided by the Contracto
in the contract, remediation of the supplies or services to the level of conformance specified
Contractor at its own expense.
(c) The Section 508 accessibility standards applicable to this contract are: (Contract staff m

(d) In the event of a modification(s) to this contract or order, which adds new EIT supplies
supplies or services, the Contracting Officer will require that the contractor submit a compl
any other additional information necessary to assist the Government in determining that the
accessibility standards. Instructions for documenting accessibility via the HHS Section 508
Section 508 policy on the HHS website: (http://www.hhs.gov/web/508). If it is determined
provided by the Contractor do not conform to the described accessibility standards in the co
level of conformance specified in the contract will be the responsibility of the Contractor at
(e) If this is an Indefinite Delivery contract, a Blanket Purchase Agreement or a Basic Orde
include EIT supplies or services will define the specifications and accessibility standards fo
required to provide a completed HHS Section 508 Product Assessment Template and any o
Government in determining that the EIT supplies or services conform to Section 508 access
accessibility via the HHS Section 508 Product Assessment Template may be found at http:/
Government that EIT supplies and services provided by the Contractor do not conform to th
documentation, remediation of the supplies or services to the level of conformance specifie
Contractor at its own expense.

3.10.1 Section 508 Compliance for Communications


The Contractor shall comply with the standards, policies, and procedures below. In th
documents and this PWS the PWS shall take precedence.
Rehabilitation Act, Section 508 Accessibility Standards
29 U.S.C. 794d (Rehabilitation Act as amended)
36 CFR 1194 (508 Standards)
http://www.access-board.gov/guidelines-and-standards/communications-and-it/about-th
FAR 39.2 (Section 508)
CMS/HHS Standards, policies and procedures (Section 508)
In addition, all contract deliverables are subject to these 508 standards as applicable.
The following Section 508 provisions apply to the content or communications material ident
• 36 CFR Part 1194.21 a - l
• 36 CFR Part 1194.22 a - p
• 36 CFR Part 1194.31 a - f
• 36 CFR Part 1194.41 a – c
The Contractor shall provide a completed Section 508 Product Assessment Template and the
deliverable(s) meet or does not meet the applicable standards. The following Section 508 pro
identified in this PWS, PWS, or TO:
For software development, the Contractor/Developer/Vendor shall comply with the standard
• Rehabilitation Act, Section 508, Accessibility Standards
• 29 U.S.C. 794d (Rehabilitation Act as amended)
• 36 CFR 1194 (508 Standards) 36 CFR Part 1194.21 (a – l) 36 CFR Part 1194.31 (a
• http://www.access-board.gov/guidelines-and-standards/communications-and-it/a
• FAR 39.2 (Section 508)
• CMS/HHS Standards, policies and procedures (Section 508)
o Information Technology – General Information (http://www.cms.gov/Research-Stat
Technology/Section508/index.html)
For web-based applications, the Contractor shall comply with the standards, policies, and pro
• Rehabilitation Act, Section 508, Accessibility Standards
• 29 U.S.C. 794d (Rehabilitation Act as amended)
• 36 CFR 1194 (508 Standards) 36 CFR Part 1194.22 (a – p) 36 CFR Part 1194.41 (a
• http://www.access-board.gov/guidelines-and-standards/communications-and-it/a
• FAR 39.2 (Section 508)
• CMS/HHS Standards, policies and procedures (Section 508)
o Information Technology – General Information (http://www.cms.gov/Research-Stat
Technology/Section508/index.html)
Company Name:

Ratings (Refer Tab 1 Instructions)
Able to provide Past performance? (Y/N)? If Y, Which Agency?
Able to provide support for proposal write up (Y/N)?
