Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2015

Report number: A-18-16-30300


Federal law requires that each Medicare administrative contractor (MAC) have its information security program evaluated annually by an independent entity, and these evaluations must address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). To comply with this provision, CMS contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs using a set of agreed-upon procedures. To satisfy the requirement to evaluate the information security controls for a subset of systems, CMS expanded the scope of its evaluations to test segments of the Medicare claims processing systems hosted at the Medicare data centers, which support each of the MACs.

The Office of Inspector General must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for fiscal year 2015.

The scope of the work and the documentation for all reported gaps were sufficient for the nine MACs reviewed by PwC. The total number of gaps identified at the MACs increased from the previous year, mostly because new and revised controls were tested. Deficiencies remain in all of the FISMA control areas tested, including high- and medium-risk gaps repeated from the previous year. CMS should continue its oversight visits and ensure that the MACs remediate all high- and medium-risk gaps in a timely manner. CMS had no comments on the draft report.

