Last Wednesday, I reported that the federal health insurance exchange website, Healthcare.gov, appeared to be violating White House guidance on web security. But the Department of Health and Human Services has responded that it is not.
Under a 2002 cybersecurity law, the Federal Information Security Management Act, a government website must receive an "Authority to Operate" before going live, in which an official overseeing the site's development certifies that it has met security requirements.
As Secretary of Health and Human Services Kathleen Sebelius testified before the House Energy and Commerce Committee last week, the federal exchange website was granted a temporary authority to operate days before going live, while security testing was still ongoing.
But a September 2012 White House Office of Management and Budget memo on web security said "interim" certifications were not acceptable.
The memo was written by none other than Jeff Zients — the former acting director of OMB who has been brought in to oversee the "tech surge" initiated to fix problems surrounding the rollout of Obamacare's website.
In a response emailed to the Washington Examiner attributable to an HHS official, the department argued that the OMB guidance didn't apply to Healthcare.gov because there was a plan in place to test the website continuously.
"[A]ll ATOs are required to have a termination date under FISMA guidance," the HHS response read. "There is currently a six-month authority to operate in place for the [federal exchange]. OMB’s guidance on interim ATOs concerns instances where there is no risk mitigation framework in place. In the case of the [federal exchange], security testing is happening on an ongoing basis using industry best practices and we are undertaking a number of strategies to mitigate risks."
The OMB guidance did not differentiate among different types of temporary authorizations.
The OMB memo issued Sept. 27, 2012, by Zients simply read:
Does OMB recognize interim authority to operate for security authorizations?
No. The security authorization process has been required for many years, and it is important to measure the implementation of this process to improve consistency and quality government-wide. Introducing additional inconsistency to the government's security program would be counter to FISMA's goals.
At a Tuesday morning hearing before the Senate Health, Education, Labor and Pensions Committee, Sen. Pat Roberts, R-Kan., asked Centers for Medicare and Medicaid Services Administrator Marilyn Tavenner about the OMB guidance.
It was Tavenner who signed off on the temporary authority to operate because CMS oversaw the rollout of the health exchange.
"OMB does approve of short-term authorizations so we were following the outline by OMB, and I double-checked that," Tavenner said.