Federal Reports

The information security program of the Corporation for National and Community Service (CNCS) has been assessed as not effective with little progress over the past three years. While security training remains an area of strength at CNCS, performance in this area is outweighed by the substantial risks resulting from the continuing control weaknesses in configuration management, identity, and access management, and data protection and privacy. For example, the CNCS network continues to be exposed to critical and high severity vulnerabilities stemming from un-patched software, improper configuration settings, and unsupported software. These types of gaps limit the protection of CNCS’s systems and data and may expose sensitive information, including Personally Identifiable Information, to unauthorized access and use.Our report offers 33 recommendations (22 new, 3 modified, and 8 repeats), which if implemented, will assist CNCS in addressing challenges in its development of a mature and effective information security program. Also, we again recommend that CNCS complete a strategic analysis of the government-wide metrics and the weaknesses identified in this evaluation, to develop a multi-year approach designed to realize steady, measurable improvements in information security in each of the domains and security function areas. Implementing such a plan will require CNCS to allocate sufficient resources, including staffing, and to be accountable for interim milestones, in order to reach an overall effective rating.

In 2011, CMS implemented a Competitive Bidding Program (CBP) for mail-order diabetes test strips (DTS) in limited areas, and in July 2013, CMS expanded the program nationally to include a national mail-order program (the National Mail-Order Program). The Medicare Improvements for Patients and Providers Act of 2008 (MIPPA) currently prohibits CMS from awarding a CBP contract to a DTS supplier if the supplier's bid does not cover at least 50 percent, by volume, of the DTS types provided to Medicare beneficiaries. (This is known as the 50-percent rule.) This rule is intended to ensure that Medicare beneficiaries have access to top-selling DTS via the National Mail-Order Program. MIPPA requires OIG to determine the Medicare market shares for DTS before each round of bidding. The Bipartisan Budget Act of 2018 amended the 50 percent rule by requiring that, for bids to furnish DTS on or after January 1, 2019, CMS must use multiple sources of data (from the mail-order and non-mail-order Medicare markets). OIG's analysis assists CMS in determining whether bidding suppliers meet this 50-percent rule. Since 2010, OIG has released nine reports evaluating the Medicare market shares for mail-order and non-mail-order DTS. All CBP contracts expired on December 30, 2018. In October 2018, CMS issued guidance stating there would be a temporary gap in the CBP beginning January 1, 2019. CMS has not yet announced when the National Mail-Order Program for DTS will resume being included in the CBP.

Prior OIG audits of New Jersey's Medicaid mental health services identified a significant number of improper claims. On the basis of these audits, we initiated an audit of similar mental health services provided under New Jersey's Programs of Assertive Community Treatment (PACT).