Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2005

In a review of the Centers for Medicare and Medicaid Services' (CMS) Federal Information Security Management Act (FISMA) evaluations of information security programs at Medicare fiscal intermediaries and carriers for fiscal year (FY) 2005, we found that the scope and sufficiency of the evaluations adequately encompassed the eight FISMA requirements. CMS contracted with an outside firm to provide a comprehensive program to perform testing of security, but we could not determine the scope or sufficiency of the work for the data center technical assessments because we could not determine the extent of the contractor's work.

Each Medicare contractor must have its information security program evaluated annually by an independent entity. The Inspector General must submit to Congress annual reports on the results of these evaluations, as well as their scope and sufficiency. This report fulfills that responsibility for FY 2005.

We recommended that CMS review contractor documentation related to future data center technical assessments and ensure that contractor documentation complies with CMS contractual requirements. In written comments on our draft report, CMS concurred with our recommendation. CMS also provided clarifying information on technical issues that we used to modify our report where appropriate.