Review of Medicare Administrative Contractor Information Security Program Evaluations for FY 2023 (MMA 912)
Section 912(b) of the Medicare Prescription Drug, Modernization and Improvement Act of 2003 (MMA) requires that Medicare fiscal intermediaries (FIs), carriers and Medicare Administrative Contractors (MACs) undergo annual, independent evaluations of their information systems security programs. MMA Section 912 stipulates that these evaluations address the eight major requirements enumerated in the Federal Information Security Management Act (FISMA), Section 3544(b) of title 44, United States Code. To comply with this requirement, the Centers for Medicare & Medicaid Services (CMS) contracted with Guidehouse, LLP (Guidehouse) to conduct evaluations of Medicare contractor information security programs.
MMA Section 912 also requires that the information security program evaluations include tests of effectiveness of control techniques of a subset of systems. Beginning in 2010, CMS contracted with Guidehouse to perform additional work as part of their Section 912 evaluations. CMS expanded the scope of its AUP evaluations in FY 2010 to test segments of the Medicare claims processing systems hosted at the Medicare data centers, which support each of the fiscal intermediaries, carriers, and MACs. Guidehouse performed additional testing to eliminate the need to contract with another entity to perform the assessments that had previously been performed at the fiscal intermediaries, carriers, and MAC data centers. This expanded testing at the MAC data centers will continue to provide CMS with a reasonable level of support for information security controls in place at Medicare contractors. It will also help CMS' efforts to understand the current security posture at contractor data centers. Guidehouse performed additional steps in 6 control areas, plus a network attack and penetration test. As of FY 2014, CMS no longer contracts with FIs and carriers, only MACs.
Another requirement of MMA Section 912 is that the HHS OIG submits to Congress an annual report on the results of independent evaluations of the information security programs at the Medicare contractors. The report should also include an assessment of the scope and sufficiency of the evaluations.
Announced or Revised | Agency | Title | Component | Report Number(s) | Expected Issue Date (FY) |
---|---|---|---|---|---|
Completed | Health and Human Services | Review of Medicare Administrative Contractor Information Security Program Evaluations for FY 2023 (MMA 912) | Office of Audit Services | WA-24-0032 (W-00-24-42029); A-01-24-00001 | 2023 |