Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it's official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Review of Medicare Administrative Contractor Information Security Program Evaluations for Fiscal Year 2017

The Office of Inspector General is required to report to Congress the results of annual independent evaluations of the information security programs of Medicare administrative contractors (MACs). The Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs, using a set of agreed-upon procedures. This report fulfills that responsibility for fiscal year (FY) 2017.

PwC's evaluations of the contractor information security programs were adequate in scope and sufficiency. PwC reported a total of 109 gaps at the 8 MACs for FY 2017, which was 25 percent less than the number of gaps for the same 8 contractors in FY 2016. Deficiencies remained in eight of the nine Federal Information Security Modernization Act of 2014 control areas that were tested, including six high- and medium-risk gaps repeated from the previous year. CMS should continue its oversight visits and ensure that the MACs remediate all gaps in order to improve the MACs' information technology security. CMS had no comments on the draft report.

Filed under: Centers for Medicare and Medicaid Services