Public Summary Report: Wireless Penetration Test of Centers for Medicare & Medicaid Services' Data Centers

We performed a wireless penetration test of select Centers for Medicare & Medicaid Services' Data Centers and facilities to determine whether CMS's security controls over its wireless networks were effective.

Although the Centers for Medicare & Medicaid Services had security controls that were effective in preventing certain types of wireless cyber-attacks, we identified four vulnerabilities in security controls over its wireless networks.

The vulnerabilities that we identified were collectively and, in some cases, individually significant. Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to and disclosure of personally identifiable information, as well as disruption of critical operations. In addition, exploitation could have compromised the confidentiality, integrity, and availability of CMS's data and systems. We promptly shared detailed information with CMS about our preliminary findings in advance of issuing our draft report.

We recommended that CMS improve its security controls to address the wireless network vulnerabilities we identified.