Department of Health and Human Services

Office of Inspector General -- AUDIT

"Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2004," (A-18-05-02600)

September 27, 2006

The following is a PDF file Complete Text of Report is available in PDF format (1.04 mb). Copies can also be obtained by contacting the Office of Public Affairs at 202-619-1343.


Our objectives were to (1) assess the scope and sufficiency of Medicare contractor information security program evaluations and data center technical assessments and (2) report the results of those evaluations and assessments. We found that the scope of the contractor information security program evaluations adequately encompassed the eight major requirements enumerated in the Federal Information Security Management Act (FISMA). Also, the scope of the data center technical assessments was adequate for testing information security controls. The work performed to evaluate contractor information security programs was sufficient to fully address the FISMA requirements referenced in Section 912 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003, and the information included in the evaluation reports was supported by documented evidence. The documentation supporting the tests of information security controls for a subset of systems was generally sufficient to support the results reported in the technical assessment reports. Regarding the results of evaluations and assessments, in 32 evaluation reports, auditors identified a total of 217 gaps between FISMA or Centers for Medicare & Medicaid Services (CMS) core security requirements and the contractors’ implementation of those requirements. In addition, the 14 data center technical assessment reports prepared by CMS’s security consultant identified 412 gaps across all 14 data centers. CMS generally agreed with the information we presented.