NAACCR 12 Updates on Registry Plus � 07/15/2010 by cH4YUtp


									                             NPCR Registry Plus Update

Status as of: 9/12/2011

Sections updated this week:
Conversion to NAACCR 12.1
Collaborative Stage Version 2 (CSv2)
Abstract Plus---Updated
Prep Plus
CRS Plus---Updated
Web Plus
Veterans Administration (VA): Review of SSL vs. TSL issues for Web Plus
Registry Plus Online Help (RPOH)
Link Plus
eMaRC Plus
Everything 2010 – NAACCR Link
Suggested text editors that will work with the NAACCR 12 record
Data Exchange with the Department of Defense (DOD)
Registry Plus Security Vulnerability Scan
Section 508 Compliance for NPCR-Registry Plus Applications
Consistency in all NPCR Tools Web Pages
SAS and SUDAAN Licenses

Conversion to NAACCR 12.1
     The major update in NAACCR version 12.1 from version 12.0 is the conversion
     from Collaborative Stage version 02.02 to version 02.03 (CS v0203). Extensive
     updates were done to enhance consistency and clarity of the schemas. One new
     schema was added, MyelomaPlasmaCellDisorder.

       A conversion of existing data is required before implementing v0203. Over 300
       codes can be automatically converted. Another few hundred codes will be listed
       for review and recoding. Review of some codes is required for stage derivation
       to be successful. Review of other codes is optional, depending on the registry’s
       interest in the derived components affected. The CS conversion specifications
       are provided in documents available from the CS website:
       Note: Use of v0203 is required for all 2011 cases, and v0203 may be used
       for earlier years’ cases.

Registry Plus Updates                                                  Page 1 of 15
        In addition to the CS changes, NAACCR version 12.1 includes new items related
        to the 2010 census; twenty new items for edit over-rides specific to CS data edits
        (not yet defined or used in the NAACCR metafile); new codes in Marital Status
        and Multiplicity Counter; and a few other changes of relative insignificance.

        A new version of Northcon121 is now available on the NPCR website. The
        update addresses issues with the program’s graphical interface, but does not
        contain any changes to the conversion operations. Nconv121.dll, the dynamic
        link library containing the field-by-field conversion functions has not changed.
        The HTML help within the program has been revised and expanded.

        The new version of Northcon121.exe has the version number 1.0.1. Users
        should replace the previous version 1.0.0.

        Once the conversion program has been released, we can begin converting
        databases (Abstract Plus, CRS Plus, etc.) to v12.1. Please contact Joe Rogers
        at to get your state on the list of registries to be converted; we
        will be converting registries in the order in which we receive requests for

        To prepare for collecting 2011 data using Registry Plus products, states should
        anticipate needing to complete the following steps.
            Reviewing any new NPCR and CoC data requirements or
            Reviewing CS conversion specifications to determine which optional code
               reviews the state will undertake
            Assessing when facilities in the state will be converting their registry
               software and when facilities will begin to submit 2011 cases
            Creating new edit sets once the NAACCR 12.1 metafile is released
            Deciding if any state-specific items will be added or dropped
            Updating the state’s hospital and doctor files

        All the EDITS tools have been updated for NAACCR 12.1. To download EDITS
        software tools, use this link:

        A new version of the NAACCR edits metafile, NAACCR v12D (version 12D), has
        been posted and can be downloaded from the NAACCR Web Site. Please note
        that this NAACCR metafile is for cases coded using the version 12 standards.

        Numerous changes have been made to the metafile. A spreadsheet of the
        changes is available along with the metafile on the NAACCR website. A PDF file
        of all edits, along with a table of contents, is also available.

Registry Plus Updates                                                     Page 2 of 15
       To download the new metafile and the corresponding spreadsheet and edit
       report, go to Standards and Registry Operations and click on Volume IV,
       Standard Data Edits. Under Version 12, you’ll find the NAACCR v12D metafile.

       A new version of the NAACCR edits metafile, NAACCR v12.1 (version 12.1), was
       posted to the NAACCR Web Site o n March 24th. The v12.1 metafile is for cases
       coded using the version 12.1 standards as provided in the documents below.

       The version 12.1 metafile is based on the following standards:
        NAACCR Standards for Cancer Registries, Volume II, Data Standards and
          Data Dictionary, Fifteenth Edition, Record Layout Version 12.1
        Collaborative Stage Data Collection System, Version 02.03
                 o Please note that this metafile should be used only after CSv02.03
                    has been implemented at your registry.

       To download the new metafile and the corresponding spreadsheets and edit
       report, go to Standards and Registry Operations and click on Volume IV,
       Standard Data Edits. Under Version 12.1 you’ll find the NAACCR v12.1 metafile.

       A new version of the NAACCR metafile, version 12.1A was released July 26,

       EditWriter version (updated 06/03/2011) All users of the EditWriter 4
       program should re-install using the installer program setup_ew_4.0.2.1.exe. .
       This includes accumulated minor bug-fixes and updates.

       GenEDITS Plus, version 1.2.4 (updated 05/20/2011) This version of the
       program has been updated for NAACCR version 12.1 and the setup file will
       install the latest NAACCR Metafile.

Collaborative Stage Version 2 (CSv2)
     A new version of CSv2 was released on April 28, 2010 to correct for Application
     Program Interface (API) bugs and certain schema table updates. Based upon
     the table validation results and the mapping team’s feedback, the Informatics
     Team put out another release in December 2010, which incorporated all changes
     resulting from vendor feedback, testing, and the data validation/proofreading
     process, as well as two additional schemas that went into effect for 2011. The
     CS Informatics team is work diligently towards the next release of CSv2, 02.04,
     which is scheduled to be released as early as possible in 2011.

Abstract Plus
      Abstract Plus Version 3.1 (for NAACCR 12) has been entirely re-programmed to
      accommodate all new standards, and now includes all-new casefinding,
      reabstraction, and recoding audit features. The program will automatically
      convert version 11 records upon import to the new version 12 standards. A

Registry Plus Updates                                                 Page 3 of 15
       preliminary generic version of the program was released on 07/30/2010 to the
       Programs for Program-specific customization.

       The Registry Plus Development team is currently in the process of hiring 2 new
       senior-level programmers which will help greatly with our current programming
       and support burden. Moving forward, for future releases of Abstract Plus, in
       addition to revising the application with NAACCR 12.1 standards, the Registry
       Plus Development team will be re-working certain areas of the application and
       adding the Auditing features back into the program.

       An updated issues list of any reported issues has been distributed with each
       release, and is posted to the RPUG website.

       We also have developed a new Abstract Plus tool called the Abstract Plus User
       Account Recovery Tool (RecoveryTool.exe). This new tool is being distributed
       upon request, and is meant for use by users that have been locked out of the
       application due to loss of User ID and password information and answers to
       security challenge questions. When this new tool is run, it clears out all
       information in the users table (currently inaccessible due to encryption), and
       upon next launch of the program, the user is taken through the Abstract Plus v3.1
       initial launch routine of creating their user account and answering their security
       challenge questions. If you would like to obtain the Recovery Tool, please
       contact Kathleen Thoburn at

       Please note that the NAACCR version 12.1A metafile has been posted to the
       NAACCR website---if you have a state-specific edit set we encourage you to
       update that to 12.1A. Please communicate any necessary revisions to Kathleen
       Thoburn at

       The new generic production version of the program will also be available upon
       request until it is posted to the NPCR website. If you would like to obtain the
       generic version, please contact Kathleen Thoburn at

       A NAACCR 12.1 compliant version of Abstract Plus was released on June 30,
       2011. A CER-compliant version of the software has also been released. Please
       note that a new version of the NAACCR metafile, version 12.1A was released
       July 26, 2011; you may want to consider waiting until this metafile is released
       prior to having your state-specific installation generated.

       Also please note that due to a lack of an automatic update feature for Abstract
       Plus at this time, in order to obtain an updated version of the application (i.e., the
       new 12.1 version) you will need to post your updated .rmf, updated hospital and
       doctor tables, and any new state-specific data items to the CDC ftp site. CDC
       will use this information to generate an initial 12.1 Abstract Plus installation for
       you and post it back to the ftp site. You will then need to download this initial
       version and generate your display types, and then post both of the .mdb files

Registry Plus Updates                                                      Page 4 of 15
       (master.mdb and absplus.mdb) in the C:\RegPlus\AbstractPlus3\MDBS folder
       back up onto the ftp site, and notify us that the files have been uploaded. We will
       then generate your final installation and post that to the CDC ftp site. When you
       are ready to post your updated .rmf, updated hospital and doctor tables, and any
       new state-specific data items to the CDC ftp site, please contact Kathleen
       Thoburn ( for instructions.
       We have been generating installations for some states and fixing identified
       issues (all minor). As of 9/12/2011 we have resolved all identified issues. All
       states that have already received final installations will receive new installations,
       and the corrected version of the program will be used to generate any future

       Please contact Joe Rogers at when you are ready to update
       your v12.0 software to this new v12.1 software to schedule your update.

Prep Plus
      Prep Plus is now ready to support the processing of NAACCR v12 standard
      abstracts. This version of Prep Plus automatically converts NAACCR v11
      abstracts to NAACCR v12. It also runs the CSv2 algorithm upon import. The
      NAACCR v12 version includes functionality to improve the usability when
      updating Collaborative Stage data items. This version is ready for production
      use by the Programs. An issue was identified with the update of the field of CS
      Version Input Current [item #2937] upon update of the CS input data items; an
      update will be released to correct this issue in the near future.

       A NAACCR 12.1-compliant production version of Prep Plus was released June
       30, 2011. A CER-compliant version of the software has also been released. This
       version of Prep Plus will automatically convert NAACCR v12.0 abstracts to
       NAACCR v12.1. It will also run the CSv0203 algorithm upon import. Programs
       should plan on installing and using this version of Prep Plus when they are ready
       to begin processing 2011 cases. Please contact Joe Rogers at
       to schedule implementation. States will be addressed in the order in which we
       receive requests for conversion.

CRS Plus
     CRS Plus has been fully converted to support NAACCR v12 and is now ready for
     production use. Conversion to the production version of CRS Plus (supporting
     NAACCR v12) can start immediately as the updated conversion program
     (NAACCR v11.x to v12) is now available.
     An updated generic CRS Plus install, CRSPlus_V12_generic_10292010.exe, has
     been posted the to the ftp site in the CRSPlus\V12 folder. This install includes
     latest changes to the NPCR and NAACCR call for data extracts (including SSF1
     for brain and CNS cases). NAACCR Version 11 CRS Plus with the updated
     NPCR and NAACCR call for data extracts are also available upon request.
     States that would like to obtain new customized installs should contact Sanjeev
     Baral at

Registry Plus Updates                                                      Page 5 of 15
       Please e-mail Sanjeev Baral at to request the software and to
       schedule your IT staff to work with Sanjeev on the conversion. Conversions,
       which are estimated to take 1-4 days based on registry size and availability of IT
       staff, will be staggered to achieve the most efficient and effective process for all
       registries involved.

       A NAACCR 12.1-compliant production version of CRS Plus was released June
       30, 2011. A CER-compliant version of the software has also been released. This
       version of CRS Plus will require conversion of your CRS Plus database from
       v12.0 to v12.1. It will also run the CSv0203 algorithm upon import. Programs
       should plan on installing and using this version of CRS Plus Prep Plus when they
       are ready to begin processing 2011 cases. Please contact Joe Rogers at to schedule a conversion. States will be addressed in the order
       in which we receive requests for conversion.

       In order to extract the data submission file for the NPCR CSS or NAACCR call-
       for-data, you must update the extraction utility within CRS Plus. We are
       currently updating the extract utility in CRS Plus to accommodate the revised
       specifications for the NPCR 2012 Call for Data. We will be supporting two
       extract formats, the one required for data from years 1995-2009 and optional for
       2010 cases, and the optional shorter format for 2010 cases. We’re asking for at
       least one registry to test the extracts before we release them more widely.
       Contact Sanjeev if you would be willing to test.

       NPCR provides an option for states that need to recode or omit data items (for
       example, County) in their extract for confidentiality reasons. We have never had
       a user requesting this feature in the past. If you need this feature for the 2012
       call for data, please alert Jennifer ASAP so it can be included in the extract

Web Plus
     A new version of Web Plus was released on April 1, 2011 that accommodates
     the online abstraction and upload of cancer reports in NAACCR version 12.0.
     Important information regarding this release follows:

   1. Please contact Sanjeev Baral ( for application download and
      installation instructions.
   2. In addition to updating the actual Web Plus application, your Web Plus database
      will be converted from v11 tov12:
           a. Once the Web Plus v3.0 application has been installed, CDC will be
              available to assist with all database conversions; please contact either Joe
              Rogers ( or Sanjeev Baral ( to schedule
              the conversion of your Web Plus database .

Registry Plus Updates                                                     Page 6 of 15
           b. Web Plus database conversion will include forward conversion of all online
              abstracts. Uploaded files will NOT be forward-converted, if a file was
              uploaded in v11 file format, it will remain in the v11 file format in the Web
              Plus database.
                    i. If you have a need to export or re-export a v11 file upload and
                       convert that file to the v12 file format and codes, it is recommended
                       that you download, install, and utilize the Registry Plus utility
                       program called Northcon12 to convert these files (available at:
   3. IMPORTANT: Once you have converted your Web Plus database, you must
      modify your existing display types to add new v12 fields and assign new v12-
      based edit sets.
           a. If you would like to be able to view the abstracts that are currently in your
              system that were originally abstracted using the v11-based display types,
              DO NOT create new v12 display types. Rather, modify the existing
              display types to update them so that they are compliant with your state’s
              v12 reporting requirements.
           b. Please note that the generic application includes the latest v12 edits
              metafile, NAACCRv12D.rmf.
   4. PLEASE NOTE: When online abstracting, the abstractor will need to enter dates
      in the new v12-compliant date format: YYYYMMDD.
           a. All other dates displayed within the program (e.g., when viewing individual
              abstracts from file uploads, entering date ranges for reports, viewing
              logging information, etc.) will continue to be displayed in the
              MM/DD/YYYY format.
   5. We have added a new facility-specific field called Reporting Category to the
      Facility account information and webpage. This new feature will allow for the
      labeling, grouping, and sorting of reporting facilities into standard reporting
      category types, based on the NAACCR field of Type of Reporting Source [item
      #500]. This field is available as a pull-down menu on the facility account page
      with the following values:
               1 = Hospital Inpatient
               2 = RT or Medical Oncology Centers
               3 = Pathology Laboratory
               4 = Physician’s Office
               5 = Nursing Home/Hospice
               8 = Other Outpatient/Surgery Centers
           a. Please note that use of this new feature is not required, i.e., you do not
              have to assign a Reporting Category to each facility account unless you
              want to.

Registry Plus Updates                                                     Page 7 of 15
   6. Follow-back features of the program are enabled but have not been fully tested.
      We are currently working with a couple of states to test, update, and validate the
      function of these features in the new v12-compliant software. It is strongly
      recommended that registries do not use the follow-back features until they have
      been fully tested for v12-compliance and full functionality, and an updated
      program has been released (if necessary).
   7. In addition, we have added a new file upload option to allow for the rejection of
      individual errant records in addition to the current error rejection threshold
      feature. Although these new error rejection features of the program are enabled
      they have not been fully tested.
           a. We will be working to ensure functionality of all of these new features,
              including the newly-added tracking features that have been added to the
              program to ensure re-submission of rejected records.
           b. To support the new error rejection features, a new File Upload Supervisor
              role has also been added to Web Plus. Please note that although this role
              is available to be added to a user account via the Manage Users window
              of the Administrator pages, the role is not yet fully functional.
           c. DO NOT use ANY of the new rejection of individual errant records
              features described above until you receive an updated application
              from CDC.
   8. New e-mail notification features have been added to the program that enable an
      e-mail to be sent upon the facility release of an online abstract, as well as an
      upload of a file.
           a. Currently the application includes new options (on the System
              Preferences window of the Administrator pages) to e-mail the central
              registry abstractor in the event of any individual abstract release or file
              upload. We are working to revise these preliminary features so that:
                    i. An e-mail is sent to the central registry abstractor at one point in
                       time during the day (e.g., each morning, or each evening), to notify
                       them regarding the release of all abstracts released that day (i.e.,
                       notification of abstract release via a single summary e-mail rather
                       than e-mail notification upon release of each individual abstract).
                   ii. An e-mail is sent to the Administrator and/or new File upload
                       Supervisor role either upon upload of individual file uploads or a
                       summary e-mail of all file uploads occurring on that day (it does not
                       make sense that the file upon notification e-mail is sent to the
                       central registry abstractor, as that role has no access to or
                       functions that deal with the file upload features of the program).
   9. A new version of the Web Plus Administration Tool that can be used to manually
      run edits on v11 files uploaded through Web Plus v3.0 was released on April 12,
      2011. Please note that this version of the Web Plus Administration Tool is meant
      for use with Web Plus version 3.0.x and later. Please contact Sanjeev Baral
      ( for application download and installation instructions.

Registry Plus Updates                                                      Page 8 of 15
   As with any newly-released program, please contact the Registry Plus Development
   team immediately if you identify any issue with the program.
   A new version of Web Plus that will accommodate the online abstraction and upload
   of cancer reports in NAACCR version 12.1 file format was released on June 30,
   2011. A CER-compliant version of this release of Web Plus was also released.
   NAACCR version 11.x and v12.0 file uploads will still be supported, however, the
   running of edits on file uploads in these versions will be automatically deferred, and
   the edits will need to be run on these files using the Web Plus Administration Tool.
   Please note that we are still working on the generic version of the program to be
   released to states that are newly implementing Web Plus. We are also still in the
   process of updating all of the training manuals that are associated with and can be
   used with the generic application to familiarize new users with the various functions
   included in the application. We expect to release the generic version in the near
   If you have already implemented Web Plus in your state and would like to convert to
   v12.1, Please contact Joe Rogers at to schedule a conversion.
   States will be addressed in the order in which we receive requests for conversion.

Veterans Administration (VA): Review of SSL vs. TLS issues for Web Plus
      Web Plus currently relies on the existence of a Secure Sockets Layer (SSL)
      channel between the web server and client browser for the protection of data
      exchanged over the Internet.

       Traffic between Web browsers, the SSL, and the SSL VPN device is encrypted
       with the SSL protocol or its successor, the Transport Layer Security (TLS)
       protocol. The VA is requesting that TLS protocol be used for secure transfer and
       data exchanged. TLS is based on Secure Sockets Layer Version 3.0 and is
       considered to be an improvement to SSL 3.0. While TLS 1.0 is based on SSL
       3.0, and the differences are not dramatic they are significant enough that TLS 1.0
       and SSL 3.0 do not interoperate. Both can be set on standard internet browsers
       advanced options.

       The Registry Plus Development team is currently investigating implementation of
       the TLS protocol within Web Plus. Tentative plans are to have Web Plus detect
       the Browser settings selected for traffic between Web browsers. Plans are to
       modify Web Plus to be disabled if TLS is not selected, and Web Plus will provide
       instructions to modify the browser settings to use TLS protocol.

Registry Plus Online Help (RPOH)
      Registry Plus Online Help for 2011 (compatible with NAACCR version 12.1) will
      be available within the updated Registry Plus products and currently contains the
      following manuals:
           NAACCR Data Dictionary
           CER Data Dictionary (for special projects, incorporated when appropriate)
           ICD-O-3, selected parts

Registry Plus Updates                                                   Page 9 of 15
              Multiple Primary and Histology rules through 2/4/08
              Abstract Plus Users Guide for version 3 (incorporated into Abstract Plus

       We plan to add the following manuals by the end of August:
          Edits help for the latest 12.1 NAACCR metafile
          Collaborative stage manuals, parts I (general instructions) and II
             (schemas) for version 02.03

       Updates to FORDS and the SEER manual will be added later in the year. A
       more-complete version will be distributed as the stand-alone Registry Plus Online
       Help system when all manuals are completed.

Link Plus
      The next production version of Link Plus (version 3.0) will be released in 2011.
      In the meantime, a beta version of the program is available, and includes the
      following features:
      Data Link
      1. Removes the limitation on the number of records included in file 2; the
          program works for any number of records in file 2 as long as the computer
          has sufficient memory to read in data from file 1
      2. Users can choose whether to write all potential matches (many-many
          linkages) or only the matches with the highest score to the linkage report
          (one-many linkages)
      3. Provides confirmation-like method for variables like address that contributes
          positive weight for the linkage score with agreement but 0 weight with
      4. Provides SSN-like matching method for a generic ID
      5. Provides a new name matching method that is more robust against the
          frequency of names or outlier of names such as misspelled names (The use
          of this method is expected to result in the robust linkage score and eventually
          enable the program to determine a cutoff value automatically for production
          mode linkages)
      6. Allows variables to be selected as matching variables multiple times to
          automatically perform array comparisons
      7. Users can provide their own name frequency files to be used by name
          matching methods

       Manual Review
       1. Users can use “Assign Set ID” to group matches into mutually exclusive
          match sets
       2. Removes the limitation of the maximum size of 30,000 pairs on manual
          review forms. (will be available in the next beta version the end of this month)

Registry Plus Updates                                                   Page 10 of 15
       3. Provides the option that allows users to assign match status by scores
          without overwriting the existing match status
       1. Users can export the results of manual review to a NAACCR formatted file
          (will be available in the next beta version the end of this month)
       2. Users can save the settings and layouts of exporting (will be available in next
          beta version the end of this month)

eMaRC Plus
    eMaRC Plus was showcased at the HIMSS Interoperability showcase (February
    21-24) in Orlando. Features that were showcased included the receiving of
    pathology reports of cancer diagnosis from pathology laboratories in the HL7
    2.5.1 format and the receiving of reports from physician offices in the Clinical
    Document Architecture format.

       eMaRC Plus version 4.1.1 was released April 1, 2011. You can download
       eMaRC Plus version 4.1.1 from the CDC ftp site. The filename of the install is
       eMaRCPlus_4_1_1.msi which is located in the eMaRCPlus folder on the CDC ftp
       site. States that are upgrading from the prior version (4.0.x) should also
       download files from the eMaRC Plus\upgrade_4_1_1 sub-folder in addition to the
       install file mentioned previously. This version of eMaRC Plus works with MS
       SQL Server and MS Access databases. We will release the Oracle compatible
       version with scripts to update from the previous version in about a week.
   New in this version
     1. NAACCR v12 complaint; produces abstracts in the v12 layout and has
         lookups for the v12 version.
     2. Improved filtering, reportability identification and auto-coding of site, histology,
         and behavior.
     3. Improved identification of non-reportable skin cancers.
     4. Refuses to import the same file twice.
     5. Consult button has been labeled Hold. The label Consult will be used in the
         next release to indicate duplicate/consult reports.
     6. Ability to process hl7 encoded electronic Cancer Checklist (eCC), and code
         site, histology and behavior.
     7. Various usability enhancements.

   Upgrade Instructions
   Note to MS Access users: If you have been using eMaRC Plus with Access
   database for production you should consider upgrading the database to MS SQL
   Server or Oracle as soon as possible. Both MS SQL Server and Oracle provide
   more robust database management and security functionality. Especially, when
   upgrading eMaRC Plus to newer versions we send out scripts to run on the
   database. These scripts can be directly run on SQL Server and Oracle databases

Registry Plus Updates                                                    Page 11 of 15
   but not on Access databases – so the changes will have to be made manually. In
   this particular upgrade there are a few dozen tables that will have to be created or
   refreshed (because of NAACCR v12 changes). Doing that manually is error prone.

   Upgrade steps:
      1. Back up the pathlab database.
      2. Upgrade database: Run createlookuptables.sql, loadlookupdata.sql, and
          upgrade.sql in that order.
      3. Run abstract conversion application to convert v11 abstracts to the v12
          format. See Abstract Conversion Application below.
      4. Uninstall the old version and install the new version. Before uninstalling save
          a copy of MyConfig.cfg file from C:\eMaRCPlus folder to a temporary location
          and copy it back after the new version is installed.
   Abstract Conversion Application: This is a console application that connects to
   the pathlab database and converts abstracts to the v12 format. Syntax to run the
   conversion program:

   V12conversion.exe dbtype=mssql server=your_server_name user=db_user_id

   If you have any questions about eMaRC Plus, please contact Sandy Jones at

Everything 2010 – NAACCR Link

Suggested text editors that will work with the NAACCR 12 record
     Text Pad:

Data Exchange with the Department of Defense (DOD)
      The DOD, through the Defense Manpower Data Center (DMDC), requires a
      completed Memorandum of Understanding (MOU) from the requestor of cancer
      registry data to ensure compliance with National Institute of Standards and
      Technology’s (NIST) Certification & Assurance (C&A) process.

       For continued reporting from DOD facilities, NPCR programs will be required to
       assure that the systems used to handle DOD registry cases be secure. The
       exact wording from the MOU states that the person signing the MOU will:
           “Ensure they have gone through an acceptable National Institute of
           Standards and Technology (NIST) Certification and Accreditation (C&A)
           process. Evidence of compliance will be attachment 1 of this agreement.

Registry Plus Updates                                                 Page 12 of 15
            Evidence of compliance must be on record with DMDC at all times. The
            requesting agency will complete annual security testing.”

       The objective of this MOU is to outline the roles and responsibilities with respect
       to DMDC providing data to the requesting agency.

       This C&A process is opposite that of the CDC’s typical approach, where CDC
       uses the C&A process to certify applications or systems installed within the CDC
       network. We have secured internal CDC C&A approval on all NPCR/Registry
       Plus developed software applications. The difficulties with this approach are
       encountered during the installation and maintenance of the software, which relies
       on other system platforms. To address these issues, CDC plans to provide
       documentation, in an Excel Spreadsheet format that will outline in detail how all
       of our tools meet the NIST requirements. This list is anticipated in the near

       We feel confident that this will meet the requirements specified in the DMDC
       MOU for providing the requested data and allow the NPCR programs to complete
       the MOU with the DMDC for the DOD data.

Security Vulnerability Scan
      Starting with Web Plus, we will test the NPCR Registry Plus software
      applications to ensure that the software is able to pass standardized vulnerability
      scans on all components, and ensure development maintains a safe and secure
      system. We will work with our contractor organization to see what vulnerability
      scanning software is available for our use to scan our applications. For Web Plus
      a code level scan and certificate will be supplied. If any vulnerabilities are found,
      we will fix all security issues on all recommended platforms. Standard practice
      when evaluating vulnerabilities will be to do a complete problem analysis.

       Through this process we will ensure that each of the Registry Plus applications
       are able to pass vulnerability tests and uphold security principles for the
       application module. We will be looking to identify vulnerability in:
           Web Application: Provide NPCR programs with visibility of the security
              and regulatory compliance risk our Web applications present to their
           Source code: Identify and remediate the root cause of any potential data
              breach risk from security defects in the source code during the early
              stages of the application lifecycle.

       Both the Web application and source code are addressed by the tool that we
       plan on using, IBM AppScan, which can be found at the following URL: Our Information Technology
       Specialist with OIIRM has stated that our version of AppScan will be able to
       perform both types of vulnerability scans.

Registry Plus Updates                                                   Page 13 of 15
       As of the date of this report we have executed vulnerability scans using IBM’s
       AppScan (Automated Web application security testing) on Web Plus. We are in
       the process of analyzing the reported results and make any changes as
       necessary. We have been in contact with the staff performing the scans multiple
       times a week throughout this process and anticipate this to be completed in the
       near future.

Section 508 Compliance for NPCR-Registry Plus Applications
      Recently we have been notified that state health departments are starting to
      require all web-based software applications installed within their networks meet
      section 508 Compliance. We will follow the U.S. Department of Health & Human
      Services (HHS) policy (found at: to
      ensure all NPCR/Registry Plus developed software applications meet the section
      508 policy for applications.

       We plan to have NPCR/Registry Plus-developed software installed on a CDC-
       hosted environment and then have 508 Compliance Staff review each software
       application. CDC has years of experience in performing section 508 compliance
       on documents and web sites, and can have the software reviewed through this
       process. We will be installing Web Plus in the CDC mid-tier environment; one of
       the CDC security specialists is going to install Web Plus internally so we can
       scan it for vulnerabilities and 508 compliance. Once we have a better
       understanding of security/508 we can move forward with installation for external
       access. As mentioned above, we have executed vulnerability scans on Web
       Plus. Once any vulnerability issues have been identified and resolved, Web Plus
       will be installed in the CDC mid-tier environment and the 508 compliance testing
       will start by a team of 508 experts.

Consistency in all NPCR Tools Web Pages
     Standardized review process of all NPCR Tools Web Pages will continually
     ensure all pages clear internal review for content, spelling & grammar, 508
     Compliance, and that all links are active and update inactive links. All Registry
     Plus manuals will clear standardized workflow review and recommended
     changes incorporated into final document that is posted to the website. All
     pages will be reviewed by original author at least once a year for all content on
     the web pages. New pages will be developed as needed and existing sections
     within the DAST “Software and Tools” section will be updated. This will ensure
     the NPCR community has a web source to find the most current information on
     cancer registry applications and operations. Starting in early February review
     and update of all NPCR Tools Web Pages will be performed.

SAS and SUDAAN Licenses
     All NPCR funded SUDAAN Licenses were renewed through the CDC SUDAAN
     License manager and the CDC Statistical License Management Team in
     December 2010. Permanent license were distributed for the SAS and SUDAAN

Registry Plus Updates                                                Page 14 of 15
       licenses in March. If you run into any difficulties updating your SAS or SUDAAN
       license or did not receive the licenses please contact Scott Van Heest
       ( directly for assistance.

Registry Plus Updates                                                Page 15 of 15

To top