Massachusetts MMIS and E&E System Security Controls Were Generally Effective, but Some Improvements Are Needed

Date Issued

Tuesday, May 16, 2023

Submitting OIG

Department of Health & Human Services OIG

Other Participating OIGs

Department of Health & Human Services OIG

Agencies Reviewed/Investigated

Department of Health & Human Services

Components

Centers for Medicare and Medicaid Services

Report Number

A-18-20-08003

Report Type

Audit

Location

MA,
United States

Number of Recommendations

Questioned Costs

Funds for Better Use

External Entity

Massachusetts Office of Health and Human Services

Open Recommendations

This report has 3 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
23-A-18-071.01	No	$0	$0
We recommend that the Massachusetts Department of Health and Human Services remediate the three security control findings OIG identified.
23-A-18-071.02	No	$0	$0
We recommend that the Massachusetts Department of Health and Human Services assess the effectiveness of all required NIST SP 800-53 controls according to theorganization's defined frequency.
23-A-18-071.03	No	$0	$0
We recommend that the Massachusetts Department of Health and Human Services assess and adjust if necessary, vulnerability management procedures to ensure anypertinent publicly disclosed computer security vulnerabilities are assessed for risk and remediated promptly, if necessary.