Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Review of Medicare Administrative Contractor Information Security Program Evaluations for Fiscal Year 2022

Issued on  | Posted on  | Report number: A-18-23-11300

Why OIG Did This Review

The Social Security Act requires that each Medicare administrative contractor (MAC) have its information security program evaluated annually by an independent entity. The Centers for Medicare & Medicaid Services (CMS) contracted with Guidehouse, LLP (Guidehouse), to evaluate information security programs at the MACs, using a set of agreed-upon procedures (AUPs). HHS OIG must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for fiscal year 2022.

Our objectives were to assess the scope and sufficiency of MAC information security program evaluations and report the results of those evaluations.

How OIG Did This Review

We reviewed Guidehouse's working papers to determine whether Guidehouse sufficiently addressed all areas required by the AUPs. We also determined whether all security-related weaknesses were included in the Guidehouse reports by comparing supporting documentation with the reports. We determined whether all gaps in the Guidehouse reports were adequately supported by comparing the reports with the Guidehouse working papers.

What OIG Found

Guidehouse's evaluations of the contractor information security programs were adequate in scope and sufficiency. Guidehouse identified a total of 92 gaps at the 7 MACs in FY 2022, which was 3 percent less than the number of gaps for the same 7 MACs in FY 2021. The number of high- and moderate-risk gaps increased by 24 percent from FY 2021. Deficiencies remained in six of the nine Federal Information Security Modernization Act of 2014 control areas that were tested. The results warrant CMS continuing its oversight visits to ensure that the MACs remediate all gaps to improve the MACs' IT security, especially those with increased gaps from the previous year. Gaps that were similar to those from prior years should be considered repeat findings to highlight systemic problems and the existence of continued exposure to known weaknesses.

What OIG Recommends

This report contains no recommendations.