Why OIG Did This Audit
- The Social Security Act requires each Medicare administrative contractor (MAC) to have its information security program evaluated annually by an independent entity.
- CMS contracted with Guidehouse, LLP, to evaluate information security programs at seven MACs using a set of agreed-upon procedures. OIG must submit to Congress annual reports on the results of these evaluations and include assessments of their scope and sufficiency. This report fulfills that responsibility for fiscal year (FY) 2023.
- This audit assessed the scope and sufficiency of MAC information security program evaluations.
What OIG Found
- Guidehouse’s evaluations of MACs’ information security programs were adequate in scope and sufficiency. A total of 94 gaps at the 7 MACs were identified in FY 2023, which was a 2 percent increase in the number of gaps identified for the same 7 MACs in FY 2022. The number of high- and moderate-risk gaps increased by 19 percent from FY 2022. Deficiencies occurred in eight of the nine Federal Information Security Modernization Act of 2014 control areas that were tested.
- The results warrant continued CMS oversight visits to ensure that the MACs remediate all gaps and improve information technology security, especially at those MACs for which the number of gaps identified increased compared to the previous year. Similar gaps identified across different systems under test should be treated as systemic problems that result in continued exposure to known weaknesses.
What OIG Recommends
This report contains no recommendations.
CMS had no written comments on our draft report.
Notice
This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.