The cmspriorauth.com eight-question RFP framework has become the practical test for whether a FHIR vendor can carry a health plan through CMS-0057-F. The framework is not vendor-specific; it works for both renewal evaluation and fresh RFP scoring. The questions look simple. The answers expose where the vendor actually sits versus where they claim to sit. Here are the eight, with notes on what a strong answer sounds like in 2026 and what a weak answer reveals. For broader context, CMS-0057-F readiness coverage covers the larger picture.
1. Do You Have All Four CMS-0057-F APIs Production-Ready
The first question is the simplest test. CMS-0057-F requires Patient Access, Provider Directory, Provider Access, Payer-to-Payer Data Exchange, and Prior Authorization. A strong answer names production reference customers for each. A weak answer cites the conformance pass and a roadmap.
2. Is the FHIR Layer a One-Way Gateway or a Reusable Data Store
This question reveals architectural intent. A strong answer describes a FHIR-native data tier that supports analytics, care management, and AI alongside compliance. A weak answer treats FHIR as a translation surface over existing systems, which means the payer needs a second platform when downstream needs emerge.
3. Does the Security Stack Work Out of the Box
CMS-0057-F requires SMART App Launch, OAuth 2.0, OIDC, and Bulk Data Access security across all the APIs. A strong answer demonstrates each piece working end to end across multiple APIs. A weak answer treats each piece as a separate project, which means the payer pays for integration on each.
4. Can You Prove SLA Compliance Across Internal and Delegated PA Decisions
Prior Auth SLAs (72 hours expedited, 7 days standard) apply across the full decision chain, including delegated entities. A strong answer ships SLA tracking that captures delegate timing and produces audit-ready reports. A weak answer tracks only the internal portion, leaving delegate timing for the payer to wire up.
5. Is Public Metrics Reporting Automated by the Vendor
CMS requires public PA reporting metrics (approval rate, denial rate, decision time, appeal volume) on the payer's website. A strong answer ships the reporting layer as part of the platform. A weak answer captures the raw data and leaves the report construction to the payer's engineering team, which becomes a permanent line item.
6. Are Provider Attribution and Patient Consent Built In
Provider Access requires attribution. Payer-to-Payer requires member consent. Patient Access requires member education materials. A strong answer ships these as platform features with audit trails. A weak answer treats them as services engagements priced separately during implementation.
7. Who Owns Ongoing IG Conformance Maintenance
US Core releases updates. Da Vinci CRD / DTR / PAS evolves. X12 ↔ FHIR mappings change. A strong answer commits the vendor to maintain IG conformance for the contract lifetime. A weak answer makes each IG update a separate project the payer scopes and pays for.
8. If We Are at 25 Percent Ready Today, Can You Close the Gap Before January 2027
The timeline test. A strong answer offers a 3 to 6 month go-live commitment with named reference customers who deployed in that window. A weak answer hedges on timeline or quotes the typical enterprise integration timeline of 12 to 18 months.
How to Score the Answers
A useful scoring pattern is to mark each of the eight as strong, weak, or in-between, then count. A vendor with six or more strong answers usually clears the renewal bar without major scope expansion. A vendor with three or fewer strong answers is more likely to fall behind the deadline regardless of contract terms. The middle is where the judgment calls live, and where most 2026 renewals actually land.
For the IG maintenance question (#7) specifically, the Best FHIR platforms with vendor-owned IG maintenance covers the vendors that handle this well. For the reporting question (#5), the Top 6 compliance reporting solutions for CMS annual API metrics covers the leading reporting layers.