Skip Navigation
United States Flag

An official website of the United States government. Here's how you know >

U.S. Flag An official website of the United States government.
Change Font Size

Review of Medicare Administrative Contractor Information Security Program Evaluations for Fiscal Year 2016

Federal law requires that each Medicare administrative contractor (MAC) have its information security program evaluated annually by an independent entity, and these evaluations must address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). To comply with this provision, CMS contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs using a set of agreed-upon procedures. The Office of Inspector General must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for fiscal year 2016.

The scope of the work and sufficiency of documentation for all reported gaps were sufficient for the eight MACs reviewed by PwC. While the total number of gaps, which includes low-risk gaps, identified at the MACs had increased from FY 2015, the number of high-and medium-risk gaps decreased. Deficiencies remained in all of the FISMA control areas tested, including high- and medium-risk gaps repeated from the previous year. CMS should continue its oversight visits and ensure that the MACs remediate all gaps in a timely manner. CMS provided a technical comment, which we addressed. CMS had no other comments on the draft report.

Copies can also be obtained by contacting the Office of Public Affairs at

Download the complete report or the Report in Brief.

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201