Review of Medicare Administrative Contractor Information Security Program Evaluations for Fiscal Year 2016

Federal law requires that each Medicare administrative contractor (MAC) have its information security program evaluated annually by an independent entity, and these evaluations must address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). To comply with this provision, CMS contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs using a set of agreed-upon procedures. The Office of Inspector General must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for fiscal year 2016.