
Series: Review of Medicare Administrative Contractor Information Security Program Evaluations for FY 2023 (MMA 912)

Announced on  | Last Modified on  | Series Number: W-00-24-41010

OBJECTIVE

Section 912(b) of the Medicare Prescription Drug, Modernization and Improvement Act of 2003 (MMA) requires that Medicare fiscal intermediaries (FIs), carriers and Medicare Administrative Contractors (MACs) undergo annual, independent evaluations of their information systems security programs. MMA Section 912 stipulates that these evaluations address the eight major requirements enumerated in the Federal Information Security Management Act (FISMA), Section 3544(b) of title 44, United States Code.

To comply with this requirement, the Centers for Medicare & Medicaid Services (CMS) contracted with Guidehouse, LLP (Guidehouse) to conduct evaluations of Medicare contractor information security programs. MMA Section 912 also requires that the information security program evaluations include tests of effectiveness of control techniques of a subset of systems.

Beginning in 2010, CMS contracted with Guidehouse to perform additional work as part of its Section 912 evaluations. CMS expanded the scope of its AUP evaluations in FY 2010 to test segments of the Medicare claims processing systems hosted at the Medicare data centers, which support each of the fiscal intermediaries, carriers, and MACs. Guidehouse performed additional testing to eliminate the need to contract with another entity to perform the assessments that had previously been performed at the fiscal intermediaries, carriers, and MAC data centers. This expanded testing at the MAC data centers will continue to provide CMS with a reasonable level of support for information security controls in place at Medicare contractors. It will also help CMS' efforts to understand the current security posture at contractor data centers. Guidehouse performed additional steps in 6 control areas, plus a network attack and penetration test. As of FY 2014, CMS no longer contracts with FIs and carriers, only MACs.

Another requirement of MMA Section 912 is that the HHS OIG submit to Congress an annual report on the results of independent evaluations of the information security programs at the Medicare contractors. The report should also include an assessment of the scope and sufficiency of the evaluations.

There are 2 projects in this series.

ACTIVE PROJECTS IN THIS SERIES (1)

COMPLETED PROJECTS IN THIS SERIES (1)

Review of Medicare Administrative Contractor Information Security Program Evaluations for Fiscal Year 2023

TIMELINE

  • February 1, 2024
    Series Number W-00-24-41010 Assigned
  • February 1, 2024
    Project Announced

    Review of Medicare Administrative Contractor Information Security Program Evaluations for Fiscal Year 2023 - A-18-24-11300

  • September 30, 2024
    Project Complete - A-18-24-11300

    Review of Medicare Administrative Contractor Information Security Program Evaluations for Fiscal Year 2023 has been marked as complete. Report Published

  • February 20, 2025
    Project Announced

    Project OAS-25-18-064

  • Today
    1 Audit In-Progress
  • Est FY2026
    Estimated Fiscal Year for Series Completion

1 REPORT PUBLISHED

