Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2004

Issued on  | Posted on  | Report number: A-18-05-02600

EXECUTIVE SUMMARY:

Our objectives were to (1) assess the scope and sufficiency of Medicare contractor information security program evaluations and data center technical assessments and (2) report the results of those evaluations and assessments. We found that the scope of the contractor information security program evaluations adequately encompassed the eight major requirements enumerated in the Federal Information Security Management Act (FISMA). Also, the scope of the data center technical assessments was adequate for testing information security controls. The work performed to evaluate contractor information security programs was sufficient to fully address the FISMA requirements referenced in Section 912 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003, and the information included in the evaluation reports was supported by documented evidence. The documentation supporting the tests of information security controls for a subset of systems was generally sufficient to support the results reported in the technical assessment reports. Regarding the results of evaluations and assessments, in 32 evaluation reports, auditors identified a total of 217 gaps between FISMA or Centers for Medicare & Medicaid Services (CMS) core security requirements and the contractors' implementation of those requirements. In addition, the 14 data center technical assessment reports prepared by CMS's security consultant identified 412 gaps across all 14 data centers. CMS generally agreed with the information we presented.

