Audit (A-18-06-02600)

Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2005

Executive Summary

In a review of the Centers for Medicare and Medicaid Services' (CMS) Federal Information Security Management Act (FISMA) evaluations of information security programs at Medicare fiscal intermediaries and carriers for fiscal year (FY) 2005, we found that the scope and sufficiency of the evaluations adequately encompassed the eight FISMA requirements. CMS contracted with an outside firm to provide a comprehensive program to perform testing of security, but we could not determine the scope or sufficiency of the work for the data center technical assessments because we could not determine the extent of the contractor's work.

Each Medicare contractor must have its information security program evaluated annually by an independent entity. The Inspector General must submit to Congress annual reports on the results of these evaluations, as well as their scope and sufficiency. This report fulfills that responsibility for FY 2005.

We recommended that CMS review contractor documentation related to future data center technical assessments and ensure that contractor documentation complies with CMS contractual requirements. In written comments on our draft report, CMS concurred with our recommendation. CMS also provided clarifying information on technical issues that we used to modify our report where appropriate.

Complete Report

Download the complete report (PDF)

Copies can also be obtained by contacting the Office of Public Affairs at 202-619-1343.

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201