Security Requirements Guidance

  • Guidance is also available in Portable Document Format (PDF)
MCD Sponsorship Request Toolkit
Guidance: MCD Security Requirements
What are the Medicaid Confidential Data (MCD) security requirements?
  • MCD Security Requirements are a set of standards and procedures used to protect MCD.
  • MCD Security Requirements are based on, and consistent with the security provisions described in Centers for Medicare and Medicaid Services (CMS) Acceptable Risk Safeguards (ARS) and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 at the Moderate level.
  • Additionally, the Department has augmented these federal standards with New York State Policies and Standards.
  • The Department requires adherence to the Moderate-Plus Security Controls Baseline for any system that will transfer, process, or store MCD.
What do I need to do to meet the MCD security requirements?
  • All MCD sponsored requestors must demonstrate that they will secure the MCD in accordance with all federal and state requirements, as measured by the Moderate–Plus Security Controls Baseline.
  • There are three models for performing these security assessments:
    • Restricted Access Model, for small, non-production environments;
    • Attestation Model, for small to moderate sized production environments; and
    • Full System Security Plan (SSP) Workbook Model, which is required of all vendors under contract to OHIP.
  • OHIP employs several methods to assess the sponsored requestors security readiness and compliance with federal and state laws and regulations.
    • There are different assessment methods associated with different types of data access.
    • Data access is determined based on the presented use case and the requested dataset.
    • OHIP will notify Sponsored requestors regarding data access and the specific security requirements that need to be met after the request has been sponsored.
  • For more information about security assessment requirements see [link to security page].
Questions? Contact us!