During Sebelius’s testimony, Rep. Mike Rogers, R-Mich., read from a memo addressed to CMS administrator Marilyn Tavenner in which CMS officials involved in healthcare.gov’s implementation warned days before the planned Oct. 1 launch that, “from a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as high risk” for the federal health insurance exchange.
Ultimately, the letter recommended that Tavenner issue an Authority to Operate for six months while security testing continued on the site, a recommendation she approved.
“This is a temporary Authority to Operate,” Sebelius said as she examined the document during the hearing.
She went on to say that it “discusses mitigation strategies for security that are ongoing and upgraded and an authorization to operate on a permanent basis will not be signed until these mitigation strategies are satisfied. It is under way right now, but daily and weekly monitoring and testing is underway.”
Yet Sebelius’s matter-of-fact description of the temporary authorization is a lot different from the 2012 memo from Zients on federal cyber-security.