Review of Medicare Administrative Contractor Information Security Program Evaluations for Fiscal Year 2018

The Social Security Act requires that each Medicare administrative contractor (MAC) have its information security program evaluated annually by an independent entity. The Centers for Medicare & Medicaid Services (CMS) contracted with Guidehouse, LLP (Guidehouse), to evaluate information security programs at the MACs, using a set of agreed-upon procedures (AUPs). HHS OIG must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for fiscal year 2018.