Streamlined Modular Certification Frequently Asked Questions (FAQs)

The following FAQs were prepared to help answer questions about the new Streamlined Modular Certification (SMC) process and requirements. This information is meant to help answer questions about SMC. The official SMC Guidance can be found on Medicaid.gov and is the primary source of information on SMC process and requirements. Other helpful information is on the Certification GitHub and you can always reach out to your State Officer with questions.

We will continue to add to the FAQ as new questions arise. Download the FAQs as a PDF.

• Overview of SMC
• How will SMC Impact States?
• Outcomes and Metrics
• Conditions for Enhanced Funding
• Intake Form
• Certification
• Reporting Requirements
• Metrics

Overview of SMC

Q: What is SMC?

A: SMC is a new process for certifying discrete Medicaid information Technology (IT) systems or services. Known as Medicaid Enterprise Systems (MES) modules, they are used by a state’s Medicaid agency to manage, monitor, and administer their Medicaid program. This guidance reinforces the emphasis on modularity and reducing the burden associated with certification.

The guidance replaces the existing processes for obtaining CMS approval for an enhanced Federal Financial Participation (FFP) rate, known as the Medicaid Enterprise Certification Toolkit (MECT) and the Medicaid Eligibility and Enrollment Toolkit (MEET).

SMC introduces a new set of certification elements:

• Conditions for Enhanced Funding for which states must ensure ongoing compliance.
• CMS-required outcomes, which are based on statutory or regulatory requirements to promote the efficient, economical, and effective administration of the state’s Medicaid program.
• State-specific outcomes that reflect the unique circumstances, characteristics, or program priorities which the state’s IT project will directly address.
• Metrics to provide evidence about whether the outcomes are achieved on an ongoing basis.
• Required Artifacts are still required for certification, but the SMC SMDL reduces the number from 29 to 7 (Appendix C).

For all systems that comprise the MES, SMC is designed to:

• Enhance collaboration between CMS and states to focus certification on demonstrated evidence to achieve business goals for state Medicaid programs
• Leverage data and testing to better inform our assessment of the successful delivery of systems and better inform subsequent funding decisions

Q: How can I learn about the new SMC process and requirements?

A: The SMC SMDL is the primary source of information on the new SMC process and requirements. There are materials and tools available to help facilitate the SMC process on Medicaid.gov and the CMS Certification Repository on GitHub.

Q: When was the SMC State Medicaid Directors Letter (SMDL) released?

A: CMS issued guidance introducing SMC on April 14, 2022. The release included the SMDL, the Certification Guidance document with appendices, the Testing Guidance Framework, the Intake Form template, and other tools to help states with SMC. This information can be found on Medicaid.gov.

Q: Will SMC be used to certify Electronic Visit Verification (EVV) investments?

A: No, Electronic Visit Verification (EVV) systems will still be certified using the “EVV Outcomes-based Certification (OBC)” guidance released on October 24, 2019, but SMC applies to all other MES modules, including Eligibility and Enrollment.

Q: How does SMC differ from MECT/MEET?

A: SMC has different tools and requirements than the MECT/MEET and should result in a more streamlined and efficient certification approach for states. Changes include:

• With the exception of the Certification Request Letter and the System Acceptance Letter, states are no longer required to submit the artifacts listed in MECT/MEET Appendix B.
• The Project Partnership Understanding (PPU) and IV&V Progress Report requirements have been eliminated, although states are required to submit Monthly Project Status Reports during DDI.
• There is no Project Initiation Milestone Review.
• Instead of MECT/MEET checklists, there is a focus on the Conditions for Enhanced Funding, Outcomes, and Metrics.
• States will have to report against metrics regularly when a system is in production.

Q: Why did CMS decide to create this new process?

A: SMC reduces the administrative burden for states so they can focus their resources on best serving Medicaid beneficiaries. For example, CMS required states to submit 29 artifacts under MECT/MEET, compared to 7 under SMC. SMC supports states in their goals for adopting or enhancing technology that is effective, efficient, and maximizes the capacity of the Medicaid agency to serve its beneficiaries. SMC is designed to ensure state Medicaid IT modules are compliant with conditions for enhanced funding and other requirements while also supporting the state’s goals.

Q: How does SMC differ from Outcomes-Based Certification (OBC)?

A: CMS has been piloting OBC methods for a few years. The EVV OBC Process and SMC represent the current state of the art of OBC for certification of Medicaid IT systems. CMS is committed to using outcomes and metrics to assess the performance of state systems. As we move forward with SMC, CMS will be collecting feedback from states and will continue to look for opportunities to improve the certification process and evolve the outcomes-based approach.

How will SMC Impact States?

Q: What requirements will states need to follow under SMC?

A: The process and requirements states need to follow under the new SMC process are described in the SMC SMDL. The SMC SMDL contains several key elements which were not present in MEET and MECT. These elements include outcomes, metrics, and operational reports. In addition, states will need to complete Operational Readiness Reviews (ORRs) and Certification Reviews (CRs) rather than the Milestone Reviews required under the toolkits.

Q: If my state is in the Planning phase, how does the SMC SMDL release affect my state?

A: When developing your IAPD, make sure it includes proposed state-specific outcomes and CMS-required outcomes, and metrics.

You should review Appendix B of the SMDL for the list of CMS-required outcomes, and determine which outcomes apply to your specific project. If you have questions about how to develop state-specific outcomes, you may request help from your CMS State Officer in developing state-specific outcomes. There is also information on outcomes and metrics on the CMS Repository on GitHub.

Q: If my state is in the Development phase, DDI, and has not yet gone through ORR and CR, how does the SMC SMDL release affect my state?

A: You should make sure your state has submitted outcomes and metrics and filled out the Intake Form. If not, your state should work with its State Officer to identify outcomes and metrics though an APD-Update (APD-U) or during preparation of the Intake Form for an ORR or CR.

You should also review Appendix B of the SMDL for the list of CMS-required outcomes and identify which ones will apply to your specific project so that you understand them and are ready to enter them into an intake form after the APD is approved.

Q: If my state is receiving enhanced match for operations and maintenance (O&M) of a previously certified system and operating a system of record, how does the SMC SMDL release affect them?

A: The state will need to work with CMS to coordinate and agree upon an approach, including selecting applicable outcomes and metrics, and a schedule to begin operational reporting.

Q: Can a state still use MECT/MEET if it is in the process of certifying their system?

A: States should work with their CMS State Officers to determine the best path forward and smoothest transition process. States that are significantly far along in their preparations for module certification under the MECT or MEET framework may elect to proceed with certification under the relevant legacy certification toolkit. However, states that elect to do so will also be expected to produce and submit operational reports for their systems.

Outcomes and Metrics

Please visit the Metrics and Ongoing Reporting page on GitHub for additional information.

Q: Are there resources to help states work with their State Officers to develop appropriate state-specific outcomes and metrics?

A: States should discuss their ideas for outcomes early in the planning process so that they can be included in the APD. State-specific outcomes should be specific to the IT investment the state is making and should allow the state to demonstrate progress towards meetings its goals. Please see the SMDL and other resources on Medicaid.gov and the CMS Certification Repository on GitHub.

Q: Where can states find examples and more information on CMS-required and state-specific outcomes and metrics?

A: The CMS Certification Repository on GitHub provides a collaborative space where states can learn, share, and contribute information about the MES Certification process and its related artifacts. Additionally, there are tools on the MES wiki to help State Officers work with states to develop state-specific outcomes.

Q: When should states develop state-specific outcomes?

A: States should begin to develop state-specific outcomes and related metrics early in the planning phase and update CMS on progress throughout the IT investment cycle.

States will need to submit to CMS for approval an Advance Planning Document (APD) that includes state-specific outcomes, and metrics. States should be in frequent contact with their CMS State Officer for support with drafting an APD that include state-specific outcomes and related metrics that clearly align the proposed IT project with the state’s goals.

Q: Do states need to develop state-specific outcomes for all projects?

A: In certain circumstances a project may only have CMS-required outcomes, (e.g., if a state is proposing a project to implement a new basic capability, or if the goal of the state’s project is to become compliant with a federal requirement). However, this should be exception rather than the rule.

Additionally, states with legacy systems that are already certified and in O&M do not need to go back and create new state-specific outcomes.

Q: Are states expected to have a metric for every outcome?

A: No, it is not expected that states have one metric for every outcome. One metric may be relevant for multiple outcomes in each module. Alternatively, multiple metrics may be appropriate for a single outcome. It is worth noting that not every outcome will require a metric – some may only require an attestation or demo during the Certification Review and should be noted in the Intake Form. States must work with their State Officer to discuss those outcomes that may not have metrics and receive approval.

Q: When and how should states report progress on CMS-required outcomes, state-specific outcomes, and metrics?

A: Once CMS approves the APD, the state should enter the CMS-required outcomes, state-specific outcomes, and metrics from the APD into the Intake Form for discussion and approval with their CMS State Officer. Together, they should agree on a preliminary list of evidence that will be used to demonstrate that outcomes have been achieved.

During ORR, the state must demonstrate that the system will support the collection and reporting of metrics described in the APD/APD-U. During CR, the state will need to demonstrate – with appropriate evidence – that the approved CMS-required and state-specific outcomes and metrics are being achieved by the system in production. States will also report on state-specific outcomes and related metrics and other elements in on-going operational reports after the CR. Please see the Guidance for more details.

CMS anticipates that states may need to revisit and update outcomes and metrics (as defined below) for their investment over time. Any revisions to a state’s CMS-required or state-specific outcomes or metrics may require submitting an APD-Update (APD-U). The state should regularly contact their CMS State Officer to discuss such updates.

Q: What module-specific outcome materials have been developed as part of SMC?

A: Under SMC, states will select CMS-required outcomes under each relevant module. CMS-required outcomes for specific MES modules can be found in Appendix B of the SMDL. These outcomes are aligned with regulatory and policy requirements that states must follow when implementing modules or capabilities. The lists in Appendix B are the “menu” the state chooses from to select the CMS-required outcomes that are applicable for a given project.

States should also propose their own state-specific outcomes that are informed by what they are trying to accomplish for their Medicaid program. State-specific outcomes should be specific to the IT investment the state is making and should allow the state to demonstrate progress towards meetings its programmatic goals.

Conditions for Enhanced Funding

Please visit the Conditions for Enhanced Funding (CEF) page on GitHub for example evidence. The CEF includes privacy and security (see CEF 9, 12, and 18).

Please visit the CEF Tips and Best Practices page on GitHub for additional tips and best practices.

Q: What is the recommended timeline for addressing privacy and security during the Design, Development, and Implementation (DDI) and Maintenance and Operations (M&O)?

A: CMS recommends the following:

• System Security Plan (SSP) – must be drafted early in the DDI as it is included in the SCA and maintained throughout M&O.
• Security Control Assessment (SCA) – must be completed prior to go-live and the Security and Privacy Assessment Report (SAR) provided for ORR evidence. SCA must be completed biennially unless following Affordable Care Act (ACA) Administering Entity (AE) then annually.
• Penetration Test – must be complete prior to go-live. Penetration testing must be completed biennially (strongly recommending annually) unless following ACA AE then annually.
• Vulnerability Scans – must be completed continuously (recommend monthly) throughout DDI and M&O.
• Plan of Action & Milestone (POA&M) – must be updated throughout DDI and M&O with all vulnerabilities, including at minimum those from the penetration test, SCA, vulnerability scans, and disaster recovery findings. Recommend using the Affordable Care Act (ACA) Administering Entity (AE) POA&M template.
• Disaster Recovery & Business Continuity Plan – must be drafted early in the DDI as it is included in the SCA. The plans must be reviewed yearly throughout DDI and M&O.
• Disaster Recovery Test – strongly recommended to be performed yearly throughout DDI and M&O. A test must be completed prior to go-live.

Intake Form

Q: What is the Intake Form and how should it be used?

A: The Intake Form is used by the states and CMS to track what a state is trying to achieve with a given project, including the CMS-required outcomes, state-specific outcomes, metrics, and associated evidence. Ideally, the Intake Form is started in between submission of the state’s APD and submission of the state’s RFP. After APD approval, states will fill out the Intake Form by including their state-specific outcomes as well as CMS-required outcomes. States will also need to identify the metrics they are using to evaluate their progress in achieving CMS-required and state-specific outcomes.

Given that states need to include state-specific outcomes and metrics in their APDs, it is important that the Intake Form match what is listed in the APD. When a state approaches ORR and CR, they will need to meet with CMS to finalize and approve the specific evidence that the state will provide as a part of the certification process.

The Intake Form template can be found on the GitHub Repository as well as Medicaid.gov.

Q: When should a state fill out the Intake Form?

A: States should start filling out the Intake Form once the APD has been approved. If a state did not complete the Intake Form as part of the APD approval and the project is nearing ORR, CMS will work with the state to complete the Intake Form with outcomes and metrics selected by the state.

Q: Are hyperlinks in the Intake Form required?

A: As a part of ORR and CR, states are required to identify evidence and provide “State Comments” for each outcome identified. The evidence and comments are critical to conveying context and any important information for CMS to review in advance of an ORR or CR. When identifying evidence, hyperlinks should be used to reference documents or information that is too long to put into the Intake Form. If the link is too a large document, references to applicable page numbers is needed to ensure CMS is reviewing the specific evidence for a given outcome. Box is now the preferred method for storing information so CMS can maintain the certification record and make access to information easier. Box supports hyperlinking.

Certification

Q: Does the state need at least six months of metrics reporting from a live system in order to request to schedule a CR?

A: No, a state does not need at least six months of metrics reporting of a live system to request a CR. However, the state must be able to provide at least six months of approved metrics (beginning from go-live) by the time of CR. Please see the SMC guidance for requirements for requesting a CR.

Q: Will CMS conduct an annual recertification of state investments?

A: CMS will not be “recertifying” systems on an annual basis. Rather, states will submit operational reports containing data and/or other evidence that modules continue to meet all applicable requirements for the state’s claimed federal matching funds. Operational reports should include metric data corresponding to the agreed-upon outcomes listed in the APD for each applicable MES module.

These reports should be submitted annually in support of the Operational APD (OAPD) request, however, more frequent reporting on key operational metrics may be necessary. States will coordinate with their CMS State Officers to determine which modules and metrics may need more frequent reporting.

Reporting Requirements

Q: What is the monthly project status report and which states will need to start submitting these reports?

A: The monthly project status report is required during the Development phase, or DDI, (i.e., after the IAPD is approved leading up to the CR). The monthly project status reports are required as part of ORR and CR evidence. The monthly project status report helps keep CMS apprised of the progress the project is making toward achieving the CEF and desired program outcomes. The elements of the monthly project status report are described in the SMC SMDL guidance document and include information and updates related to progress tracking, the testing framework, test results, and the defect and risk list. There is an example format available on the CMS Repository on GitHub for states to use. The monthly project status report should be submitted to the state’s CMS State Officer, and either the MES mailbox (MES@cms.hhs.gov) or CMS Box.

Please see the SMC Guidance for more information.

Q: What are operational reports?

A: After the CR, states will begin submitting operational reports. States must submit operational reports containing data and/or other evidence that modules are meeting all applicable requirements for the state’s claimed federal matching funds to demonstrate ongoing, successful system operations. These reports should be submitted at least annually in support of the OAPD request, however, more frequent reporting on key operational metrics may be necessary. Operational reports should include metric data corresponding to the agreed-upon outcomes listed in the APD for each applicable MES module. States should coordinate with their CMS State Officers to determine which modules and metrics may need more frequent reporting. Please see the SMC Guidance for more information.

Metrics

Q: What is the purpose of metrics? Why are they required under SMC?

A: Metrics reporting enhances transparency and accountability of Internet Technology solutions to help ensure the Medicaid Enterprise System (MES) and its modules are meeting statutory and regulatory requirements as well as the state’s program goals. In accordance with 42 C.F.R. §433.112(b)(15) and §433.116(b), (c), and (i), states must be capable of producing data, reports, and performance information from and about their MES modules to facilitate evaluation, continuous improvement in business operations, and transparency and accountability, as a condition for receiving enhanced federal matching for MES expenditures. State reporting also gives states and CMS early and ongoing insight into program evaluation and opportunities for continuous improvement.

Q: Are states required to report on all of the CMS-required metrics currently listed on GitHub?

A: States are required to report on metrics for all projects receiving enhanced FFP. The GitHub contains recommended metrics for states to use and and are the default set for their projects and subsequent operational reporting. If states believe they can produce high value data that is more relevant to their project and business needs with an alternative set of metrics, CMS encourages the state to propose them to their State Officer. As a general rule, states should start with what is listed on GitHub when identifying metrics for relevant CMS-required outcomes and then speak to their State Officer about on what they would like to report.

Q: What should states do if they do not think the GitHub metrics are relevant for their current module under review?

A: States should work with their State Officer to decide on the most appropriate and meaningful metrics for their project. Over time, CMS may consider periodically updating the GitHub based on the metrics proposed by states.

Q: What metric information are states expected to present at ORR? At CR?

A: At ORR, states should have their metrics clearly defined and mapped to relevant CMS-required and state-specific outcomes. The state should be prepared to discuss the outcomes and planned metrics. States should be prepared to discuss why some outcomes were selected and not others, how the state plans to generate the identified metrics, and the expected cadence and format of reporting.

At CR, states need to have been operational for at least 6 months to receive certification. States must also provide metric data back to the state’s requested retroactive certification date, for all months the system has been operational. States should be ready to discuss the numerical data presented in the operational report, anomalies in the data, changes to metric methodology, and any plans for future reporting.

Q: How much metric data are states expected to provide in order for a CR to be scheduled?

A: In accordance with SMD #22-001, states must submit all agreed upon operational metrics related to the module, beginning from the time the system became operational as the system of record and up until the end of the most recent quarter, in order for a state to schedule their CR date. The system must by live and the state must be able to show they are collecting and able to report metric data. For example, if your state is collecting metrics on a monthly basis and you are looking to schedule a CR, you should provide all available months of data before being able to request a CR.

Q: How often do states need to submit operational reports?

A: States are required to submit operational reports on an annual basis. Although states report annually, the data should be broken down by month. The State Officer may require more frequent reporting for specific metrics.