MECL 04 - Appendix C - Std IV&V Language
Standard IV&V Language
This document contains standard language for states to include in their IV&V RFPs / contract modifications. The contractor performing the independent software testing should be separate from the IV&V contractor. The standard language stipulates activities that are the minimum required by CMS during planning, design, development, and implementation through certification, but is not intended to provide exhaustive coverage of IV&V contract scope. The language does not cover activities the state may require during ongoing operations and maintenance. Also, the language may be used in any order, not necessarily the order listed below, but the wording itself is to be used as written. The state may place the language where it fits best within its RFP / contract. Blue italicized text is explanatory; states will remove the italicized blue text.
Conflict of Interest
Any contractor (and its subcontractors) serving in the role of independent validation and verification (IV&V) service contractor / provider to the state [insert project name] project is prohibited from soliciting, proposing, or being awarded any project management, quality assurance, software design, development, or other manner of planning, design, development, or implementation phase activity on the [insert project name] project for which these IV&V services are being procured.
This exclusion likewise extends to any other project within the department that may interact with or otherwise provide services to the [insert project name] project or to the department during the full term of this contract. This exclusion is executed in accordance with federal regulations at 45 CFR 95.626, which require that this IV&V effort, "... be conducted by an entity that is independent from the State (unless the State receives an exception from the Department)".
For purposes of clarity, the Center for Medicaid and CHIP Services (CMCS) defines “the State” in the above regulatory citation as being a state’s IT project, the IV-D agency itself, and the IV-D agency’s umbrella agency or department. The primary purpose of this exclusion is to ensure the IV&V service provider avoids any real or perceived conflicts of interest. For federal purposes, the scope of IV&V includes planning, management, and other programmatic activities in conformance with the term’s usage in federal regulations at 45 CFR 95.626.
Independent V&V is the set of verification and validation activities performed by an agency not under the control of the organization developing the software. IV&V services must be provided and managed by an organization that is technically and managerially independent of the subject software development project. This independence takes two mandatory forms.
First, technical independence requires that the IV&V services provider organization, its personnel, and subcontractors are not and have not been involved in the software development or implementation effort or in the project’s initial planning and/or subsequent design. Technical independence helps ensure that IV&V review reports are free of personal or professional bias, posturing, or gold plating.
Second, managerial independence is required to make certain that the IV&V effort is provided by an organization that is departmentally and hierarchically separate from the software development and program management organizations. Managerial independence helps ensure that the IV&V service provider can deliver findings and recommendations to state and federal executive leadership and management without restriction, fear of retaliation, or coercion (e.g., reports being subject to prior review or approval from the development group before release to outside entities, such as the federal government).
Overview of the MMIS Certification Lifecycle
The Medicaid Certification Enterprise Lifecycle (MECL) administered by CMS contains four lifecycle phases and three types of certification milestone reviews. The milestone reviews occur at different phases of system / module development. The types of milestone reviews are the Project Initiation Milestone Review, the Operational Milestone Review, and the MMIS Certification Final Review. The life cycle and its milestone reviews are explained in detail in the CMS Medicaid Enterprise Certification Toolkit.
In the paragraph below, the state tailors the wording to reflect its particular plans for releasing modules. A module or set of modules being released at the same time may undergo the Operational Milestone Review together. If another set of modules is released later, then those modules undergo separate Operational Milestone Reviews. The same principle applies to the MMIS Certification Final Review(s).
Reviews should include a single Project Initiation Milestone Review, [#] of Operational Milestone Reviews, and [#] MMIS Certification Final Reviews, determined by [State Name]'s release plan. [Optional text][: The exact number of milestone reviews may change, however.]
IV&V Scope of Services
This list of services below covers only the tasks CMS requires in IV&V contracts. It is not an exhaustive list of all tasks the state may wish to include.
The contractor shall provide IV&V services for CMS and [state name] in support of the MECL in accordance with guidance found in the Medicaid Enterprise Certification Toolkit.
Certification Progress Reports
Periodically the IV&V service provider produces exception-based Certification Progress Reports that objectively illustrate the strengths and weaknesses of the project and provide recommendations for correcting any identified weaknesses. The IV&V contractor uses the provided report template [section # / appendix], the Medicaid Enterprise Certification Checklists, and the MMIS Critical Success Factors (CSFs) to prepare the reports. Certification Progress Reports are prepared in advance of MMIS certification milestone reviews with CMS.
The IV&V service provider staff will interview and observe [insert project name] project management staff, and the [insert project name] project development contractor staff (including any sub-contractors). Service provider staff also will observe project meetings and activities to understand the processes, procedures, and tools used in the MMIS program and [insert project name] project environments. They will review and analyze all applicable and available documentation for adherence to accepted, contractually-defined industry standards. The IV&V contractor will fill out the reviewer comment portion of the Medicaid Enterprise Certification Checklists and append them to the progress report.
In preparation for the MMIS certification milestone reviews, the IV&V provider shall evaluate state documents and evidence along with any working modules / code applicable to that particular review, and complete the reviewer comments portion of the Medicaid Enterprise Certification Checklists. The completed checklists are appended to the Certification Progress Report. The progress report shall be delivered [number of weeks] prior to the scheduled MMIS certification milestone review.
The IV&V service provider shall provide the certification progress reports to CMS at the same time they are presented to the state. This reporting process, in accordance with federal regulations, includes final report issuance as well as all draft report submissions.
The IV&V service provider will periodically submit project progress data to the CMS dashboard.
IV&V services will be part of the larger oversight of the day-to-day operations and management of the [insert project name] . The IV&V service provider shall have complete access to [insert project name] documents, facilities, and staff during normal business hours as required to carry out its oversight role. The IV&V contractor shall have access to all key staff on site at the [insert project name] project location(s) daily, as needed to observe meetings, review deliverables and documentation, and conduct interviews, etc., to ensure a high level of integrity and confidence in the IV&V service provider’s [insert project name] oversight and monitoring.
The IV&V service provider will review project and MMIS system processes and progress in areas including, but not limited to, the following:
- Project management
- Progress against budget and schedule
- Risk management
- Inclusion of state goals / objectives and all federal MMIS requirements in requests for proposal and contracts
- Adherence to the state’s software development lifecycle (SDLC)
- Incorporation of the standards and conditions for Medicaid IT into design and development
- Reasonability, thoroughness, and quality of MITA self-assessment, concept of operations, information architecture, and data architecture
- Reflection of the state’s MITA goals and plans into actual MMIS design and development
- Configuration management that is robust and includes state or developer configuration audits against configuration baseline
- Change management
- Adherence to service level agreements
- Modular development
- Completeness and reasonability of MMIS concept of operations, architecture, and designs
- Accuracy of capture of interfaces and data sharing requirements with systems external to the MMIS
- Viability and completeness of the data transition plan
- Traceability of requirements through design, development, and testing
- Adequacy of system security and privacy policies, plans, technical designs, and implementations
- Coverage and integrity of all system testing, including stress testing and testing of interfaces between modules and with external partner systems
- Capacity management, including consideration of future vendors’ support and release plans for underlying databases, software, and hardware
- Adequacy of disaster recovery planning
The IV&V service provider will evaluate and make recommendations about the state artifacts that are required for MMIS certification milestone reviews. A list of required artifacts is included in the CMS Medicaid Enterprise Certification Toolkit.