Audit of Medicare Administrative Contractor Information Security Program Evaluations for Fiscal Year 2024

Issued on  | Posted on  | Report number: OAS-25-18-064

Why OIG Did This Audit

  • The Social Security Act requires each Medicare administrative contractor (MAC) to have its information security program evaluated annually by an independent entity.
  • CMS contracted with an Independent Public Accountant (IPA) to evaluate information security programs at the MACs using a set of agreed-upon procedures. HHS OIG is required to submit an annual report to Congress on the results of these evaluations and include an assessment of their scope and sufficiency. This report fulfills that responsibility for fiscal year (FY) 2024.

What OIG Found

  • The IPA’s evaluations of the MAC information security programs were adequate in scope and sufficiency.
  • The FY 2024 evaluations identified deficiencies in 7 of the 9 Federal Information Security Modernization Act of 2014 control areas, resulting in a total of 97 gaps across the 7 MACs.
Table: Range of Medicare Administrative Contractor Gaps, FY 2023 and 2024
  • In FY 2024, the number of high-risk and moderate-risk gaps decreased, while the number of low-risk gaps increased. One moderate-risk gap was recurring from FY 2023; other gaps were similar to those identified in FY 2023 but were not identified by the IPA as recurring.
Table: Changes in Number of Gaps per Risk level, FYs 2023 and 2024
  • The results support the need for CMS to continue its oversight of the MACs, including CMS’s site visits to address gaps and improve information technology security.

What OIG Recommends

This report contains no recommendations.

CMS received a draft version of this report and provided no written comments.