Conditions for Enhanced Funding
Overview
As a condition of receiving enhanced federal financial participation (FFP) for Design, Development and Implementation (DDI) and Maintenance and Operations (M&O) state expenditures on Medicaid Enterprise Systems (MES), states must attest that the system complies with all of the applicable 22 conditions for enhanced funding (CEF) as provided in 42 CFR 433.112 and that the system remains compliant with federal Medicaid requirements for enhanced funding once it is in operation as provided in 42 CFR 433.116.
Conditions for Enhanced Funding
The following table contains the CEF described in 42 CFR 433.112, which is applicable to all MES modules.
This table and the applicable business area outcomes are a starting point for aligning the state’s goals for an MES project with the applicable CMS-required outcomes.
Ref # | Condition | Example Evidence |
---|---|---|
CEF01 | CMS determines that the system is likely to provide more efficient, economical, and effective administration of the State plan. | Documented in the CMS-approved APD, including, but not limited to, Analysis of Alternatives (AoA), State Self-Assessment (SS-A), or Cost Benefit Analysis (CBA), and CMS-required and/or state-specific outcomes. |
CEF02 | The system meets the system requirements, standards, and conditions, and performance standards in Part 11 of the State Medicaid Manual, as periodically amended. | Refer to the applicable business area for modular implementation, streamlined business outcomes, and metrics. Can be a state self-attestation. |
CEF03 | The system is compatible with the claims processing and information retrieval systems used in the administration of Medicare for prompt eligibility verification and for processing claims for persons eligible for both programs. | Provide evidence of processing dual-eligible beneficiaries. Provide evidence of claims or eligibility and enrollment data loaded in the system being certified. Can be N/A depending on the MES module, if the module does not interface with the Claims or Eligibility and Enrollment module. Can be a state self-attestation. |
CEF04 | The system supports the data requirements of quality improvement organizations established under Part B of Title XI of the Act. | Provide evidence of how the MES module interfaces with quality improvement organizations (QIOs). Can be N/A depending on the MES module. |
CEF05 | The State owns any software that is designed, developed, installed, or improved with 90 percent FFP. | Documented in the contractual language between the State Medicaid Agency (SMA) and the vendor. If Software as a Service (SaaS), the language would focus on owning the data rather than the software. Applicable procurement-related documentation. Documented in the CMS-approved APD, which includes the state attestation and/or supplemental material. |
CEF06 | The Department has a royalty-free, non-exclusive, and irrevocable license to reproduce, publish, or otherwise use and authorize others to use, for Federal Government purposes, software, modifications to software, and documentation that is designed, developed, installed, or enhanced with 90 percent FFP. | Documented in the contractual language between the SMA and the vendor. Documented in the CMS-approved APD, which includes the state attestation and/or supplemental material. |
CEF07 | The costs of the system are determined in accordance with 45 CFR 75, subpart E. | Documented in the contractual language between the SMA and the vendor. Documented in the CMS-approved APD, which includes the state attestation and/or supplemental material. |
CEF08 | The Medicaid agency agrees in writing to use the system for the period of time specified in the advance planning document approved by CMS or for any shorter period of time that CMS determines justifies the Federal funds invested. | Documented minimum timeframe for intended use in the CMS-approved APD. Can be a state self-attestation. |
CEF09 | The agency agrees in writing that the information in the system will be safeguarded in accordance with subpart F, part 431 of this subchapter. | Required: most recent independent third-party security and privacy controls assessment report, performed at a minimum of every two years per 45 CFR 95.621(f)(3); most recent independent third-party penetration test, performed at a minimum of every two years per 45 CFR 95.621(f)(3); most recent vulnerability scans (recommended monthly); Plan of Action and Milestones (POA&M) (see the References section below). Or: Affordable Care Act (ACA) Authority to Connect (ATC) to the CMS Hub. Optional: most recent Security Incident Breach Notification; HIPAA Business Associate Agreement (BAA); HIPAA sanction rules. |
CEF10 | Use a modular, flexible approach to systems development, including the use of open interfaces and exposed application programming interfaces; the separation of business rules from core programming, available in both human and machine-readable formats. | Conceptual data model that depicts high-level data and relationships with other state Medicaid systems/modules. Enterprise system diagrams showing how the open architecture is integrated with the overall solution (e.g., a system architecture design showing adoption of an Application Programming Interface [API]-based architecture and the automated arrangement, coordination, and management of the system). Screenshot of the business rules engine control panel. |
CEF11 | Align to, and advance increasingly, in MITA maturity for business, architecture, and data. | Documented in the CMS-approved APD, which includes the state attestation and/or supplemental material. Can be the SS-A or a state self-attestation. |
CEF12 | The agency ensures alignment with, and incorporation of, standards and implementation specifications for health information technology adopted by the Office of the National Coordinator for Health IT in 45 CFR part 170, subpart B. The agency also ensures alignment with the HIPAA privacy, security, breach notification, and enforcement regulations in 45 CFR parts 160 and 164; and the transaction standards and operating rules adopted by the Secretary under HIPAA and/or section 1104 of the Affordable Care Act. The agency meets accessibility standards established under section 508 of the Rehabilitation Act, or standards that provide greater accessibility for individuals with disabilities, and compliance with Federal civil rights laws; standards and protocols adopted by the Secretary under section 1561 of the Affordable Care Act; standards and protocols for reporting on the Child and Adult Core Sets as adopted by the Secretary under sections 1139A, 1139B, and 1902(a)(6) of the Act, and 42 CFR part 437 subpart A; and standards and protocols for reporting on the Health Home Core Sets as adopted by the Secretary under sections 1902(a)(6), 1945(c)(4)(B) and (g), and 1945A(g) of the Act and 42 CFR part 437 subpart A. | Required: most recent independent third-party security and privacy controls assessment report, performed at a minimum of every two years per 45 CFR 95.621(f)(3); most recent independent third-party penetration test, performed at a minimum of every two years per 45 CFR 95.621(f)(3); most recent vulnerability scans (recommended monthly); POA&M (see the References section below); Section 508 test report or equivalent showing Level AA compliance. |
CEF13 | Promote sharing, leverage, and reuse of Medicaid technologies and systems within and among States. | Describe and document how the SMA leverages reuse opportunities. Documented in the CMS-approved APD, which includes the state attestation and/or supplemental material, AoA, or SS-A. |
CEF14 | Support accurate and timely processing, adjudications/eligibility determinations, and effective communications with providers, beneficiaries, and the public. | Refer to applicable business outcomes and metrics related to, but not limited to, the Claims, Pharmacy, and Eligibility and Enrollment modules. Can be N/A depending on the MES module. |
CEF15 | Produce transaction data, reports, and performance information that would contribute to program evaluation, continuous improvement in business operations, and transparency and accountability. | Confirmation of T-MSIS Outcome-Based Assessment (OBA) reporting compliance. Confirmation of adherence to the T-MSIS Standard Operating Procedure (SOP). Metrics data reported in the Operational Report Workbook (ORW). Applicable service level agreement and/or key performance indicator showing the system can record and monitor the performance and utilization of resources. Payment Error Rate Measurement (PERM) report and/or enrollment data performance indicator report, as applicable. |
CEF16 | The system supports seamless coordination and integration with the Marketplace, the Federal Data Services Hub, and allows interoperability with health information exchanges, public health agencies, human services programs, and community organizations providing outreach and enrollment assistance services as applicable. | Refer to applicable business outcomes and metrics related to, but not limited to, the Eligibility and Enrollment and Health Information Exchange modules. Can be N/A depending on the MES module. |
CEF17 | For E&E systems, the State must have delivered acceptable MAGI-based system functionality, demonstrated by performance testing and results based on critical success factors, with limited mitigations and workarounds. | Refer to applicable business outcomes and metrics related to the Eligibility and Enrollment module. Can be N/A depending on the MES module. |
CEF18 | The State must submit plans that contain strategies for reducing the operational consequences of failure to meet applicable requirements for all major milestones and functionality. | Provide the module-specific Disaster Recovery Plan (DRP) and disaster recovery test results, coordinated with the other related SMA DRPs. POA&M with any deficiencies found during the IT system-level DR test. |
CEF19 | The agency, in writing through the APD, must identify key state personnel by name, type, and time commitment assigned to each project. | Documented in the contractual language between the SMA and the vendor. Documented in the CMS-approved APD, which includes the state attestation and/or supplemental material. |
CEF20 | Systems and modules developed, installed, or improved with 90 percent match must include documentation of components and procedures such that the systems could be operated by a variety of contractors or other users. | Provide the MES module-specific transition plan or relevant knowledge base (training) documentation, as well as the most current Concept of Operations (ConOps) documentation. |
CEF21 | For software systems and modules developed, installed, or improved with a 90 percent match, the State must consider strategies to minimize the costs and difficulty of operating the software on alternate hardware or operating systems. | Documented in the contractual language between the SMA and the vendor. Documented in the CMS-approved APD, which includes the state attestation and/or supplemental material, and the AoA. |
CEF22 | Other conditions for compliance with existing statutory and regulatory requirements, issued through formal guidance procedures, determined by the Secretary to be necessary to update and ensure proper implementation of those existing requirements. | Other reporting metrics, such as CMS-37 and CMS-64 quarterly estimates and expenditure reports, as applicable. Ongoing metrics submitted to CMS via the ORW. Confirmation of T-MSIS OBA reporting compliance. Can be a state self-attestation, including, but not limited to, attesting that the system captures and stores relevant information necessary to support Medicaid Fraud Control Unit (MFCU) investigations. |
Metrics
As part of the ongoing continuous monitoring process on the security and privacy risk posture for an approved MES Information Technology (IT) environment, the state must demonstrate the efficacy of its continuous monitoring program through annual metrics reporting to meet the security and privacy elements of the CEF.
Note: CMS is not changing the independent third-party security and privacy assessments or penetration testing timing. The requirement is on a biennial basis per 45 CFR § 95.621(f)(3) or annually if the state is following the Affordable Care Act (ACA) Administering Entity (AE) for the module.
It is expected that this metric data would come from the state’s existing POA&M(s), which would contain all vulnerabilities/findings (i.e., security and privacy assessments, vulnerability scans, penetration tests, internal or external security controls assessment, and disaster recovery testing).
The following table includes guidance on filling out the Metric Definition tab in the ORW. Note: “Frequency” refers to the capture of the metric data, while “cadence” addresses the timing of report submission to CMS.
Metric Element | Description |
---|---|
ID | [StateAbbreviation]-CR-[ModuleAbbreviation]-CEF-01.1 |
Name | Open privacy and security risks |
Reference # | CEF09, CEF12, CEF18 |
Description | Metric data will be sourced from the POA&M(s), reported quarterly in [list the months it will be reported in by the state here] on the Metric Values tab (using three measure counts), and sent to CMS, with each module’s ORW, quarterly along with the latest POA&M(s). |
Value Type | Numerical |
Reporting Frequency | Quarterly |
Definitions | Definitions are based on NIST Special Publication 800-30 Revision 1; the latest published definitions should be followed. Very high risk means that a threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation. High risk means that a threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. Moderate risk means that a threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. Low risk means that a threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. Very low risk means that a threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. |
Additional Guidance | For all identified risks and vulnerabilities, a POA&M must be utilized to monitor progress and closure. All mitigated and closed POA&M entries must be tracked for at least one year. The POA&M should include all levels of findings, with at a minimum the following fields: Identifier, Control Family, Description, Source, Date Identified, Scheduled Completion Date, Actual Completion Date, Status, Risk Level, Comments. |
The following table includes guidance on filling out the ORW, Metric Values tab, Measure Count & Measure Count Description columns.
Measure Count | Measure Count Description | Additional Guidance (do not include in the ORW) |
---|---|---|
1 | Very High | Number of open privacy and security risks assessed at Very High |
2 | High | Number of open privacy and security risks assessed at High |
3 | Any Severity | Number of open privacy and security risks assessed at any severity. This is the sum of all risk levels: very high, high, moderate, low, very low |
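The following script is an added illustration (not a CMS-provided tool) of how the three Measure Counts above can be derived from a POA&M extract that carries the minimum fields listed in the Additional Guidance, and of the one-year retention check for closed entries. The Status vocabulary (Open, In Progress, Mitigated, Closed) and the sample rows are constructed for this example.

```python
# Added illustration (not a CMS tool): derive the three ORW Measure Counts for
# metric CEF-01.1 from a POA&M extract. Row fields are the minimum set in the
# guidance; the Status vocabulary and sample rows below are constructed.
from collections import Counter
from datetime import date

RISK_LEVELS = ("Very High", "High", "Moderate", "Low", "Very Low")  # NIST SP 800-30 Rev. 1 scale
REQUIRED_FIELDS = ("Identifier", "Control Family", "Description", "Source", "Date Identified",
                   "Scheduled Completion Date", "Actual Completion Date", "Status",
                   "Risk Level", "Comments")
CLOSED_STATUSES = {"Mitigated", "Closed"}  # constructed; "Open"/"In Progress" count as open

def validate(poam):
    """Fail loudly on rows missing a minimum field or carrying an unknown risk level."""
    for row in poam:
        missing = [f for f in REQUIRED_FIELDS if f not in row]
        if missing:
            raise ValueError(f"{row.get('Identifier', '?')}: missing fields {missing}")
        if row["Risk Level"] not in RISK_LEVELS:
            raise ValueError(f"{row['Identifier']}: unknown risk level {row['Risk Level']!r}")

def measure_counts(poam):
    """Measure Count 1 = open Very High, 2 = open High, 3 = open at any of the five levels."""
    validate(poam)
    open_by_level = Counter(r["Risk Level"] for r in poam if r["Status"] not in CLOSED_STATUSES)
    return {1: open_by_level["Very High"], 2: open_by_level["High"],
            3: sum(open_by_level[level] for level in RISK_LEVELS)}

def archivable(poam, today_iso):
    """Closed/mitigated rows must stay tracked for at least one year; return the
    Identifiers that have met that retention as of today_iso and may be archived."""
    today = date.fromisoformat(today_iso)
    return sorted(r["Identifier"] for r in poam if r["Status"] in CLOSED_STATUSES
                  and (today - date.fromisoformat(r["Actual Completion Date"])).days >= 365)

def _row(ident, family, status, level, closed=""):
    """Constructed POA&M row; fields not exercised here hold placeholder values."""
    return {"Identifier": ident, "Control Family": family, "Description": "constructed",
            "Source": "constructed assessment", "Date Identified": "2024-01-15",
            "Scheduled Completion Date": "2024-06-30", "Actual Completion Date": closed,
            "Status": status, "Risk Level": level, "Comments": ""}

SAMPLE_POAM = [  # constructed extract: 4 open rows, 2 closed/mitigated
    _row("V-001", "AC", "Open", "Very High"),
    _row("V-002", "SC", "In Progress", "High"),
    _row("V-003", "IA", "Open", "High"),
    _row("V-004", "CM", "Open", "Moderate"),
    _row("V-005", "AU", "Closed", "Low", closed="2023-03-01"),
    _row("V-006", "RA", "Mitigated", "Very High", closed="2024-11-20"),
]
```

Note that Measure Count 3 includes the Moderate, Low and Very Low open entries, not just the two levels reported separately, and that a mitigated Very High entry leaves the counts but stays on the POA&M until its year of tracking has elapsed.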
Additional Resources
- SMC Guidance
- MES Testing Guidance Framework
- Operational Report Workbook (Please reach out to your State Officer to get the template.)
- Transformed Medicaid Statistical Information System (T-MSIS)
- Section 508 Guidance
- Accessibility Guidance
- Incident Response
- Address Gaps in Cybersecurity: HHS OCR releases crosswalk between HIPAA Security Rule and NIST Cybersecurity Framework and NIST SP 800-53 controls
- Risk assessment determination and scale as defined in NIST SP 800-30 Revision 1, see Appendix G (Likelihood of Occurrence), H (Impact), and I (Risk Determination)
- PERM
- Enrollment data performance indicator report
- 508 accessibility Level AA compliance new rule: Nondiscrimination on the Basis of Disability; Accessibility of Web Information and Services of State and Local Government Entities (ada.gov). Note: compliance is required 2 or 3 years from the published date of April 24, 2024, depending on public entity size, and has exceptions as noted in the rule.
References
- 28 CFR Part 35
- 42 CFR § 433.112
- 42 CFR § 433.116
- 45 CFR § 164.308
- 45 CFR § 95.621
- Medicaid.gov SMC Site
- State Medicaid Director Letter #22-001
- State Medicaid Director Letter #06-022
- State Medicaid Manual
- Business Associates
- Voluntary Product Accessibility Template (VPAT), see the latest WCAG version
- State Self-Assessment (SS-A)
- Example Risk Acceptance Form (see Attachment D)
- Example Concept of Operations template
- FedRAMP POA&M template
- Acceptable Risk Controls for ACA, Medicaid, and Partner Entities (ARC-AMPE)