Why OIG Did This Audit
This audit is one in a series of OIG audits using network and web application penetration testing to determine how well these information technology (IT) systems are protected against cyberattacks. As part of this body of work, we conducted a test of the Centers for Medicare & Medicaid Services’ (CMS) Affordable Care Act (ACA) information systems.
Our objectives were to determine whether security controls for CMS’s ACA information systems were effective in preventing certain cyberattacks, the likely level of sophistication an attacker needs to compromise CMS’s systems or data, and CMS’s ability to detect attacks and respond appropriately.
How OIG Did This Audit
To complete penetration testing of CMS’s ACA information systems, we contracted with Accenture Federal Services to provide knowledgeable subject-matter experts to conduct penetration testing on behalf of OIG. In accordance with the HHS OIG Penetration Testing and Reporting Guidelines, the testing methodology was divided into three main categories—discovery, vulnerability analysis, and exploitation. We performed the testing in accordance with the agreed-upon Rules of Engagement document.
What OIG Found
Overall, we determined that most security controls in place for CMS’s ACA information systems were operating effectively, but some controls needed further improvement to more adequately prevent certain cyberattacks. We identified a total of 18 vulnerabilities, of which 2 were classified as “Critical,” 9 were classified as “High,” and 7 were classified as “Medium.”
Of the 18 vulnerabilities discovered, the 2 critical vulnerabilities could potentially present a risk to CMS’s ACA data. We determined that the likely level of sophistication needed to exploit and compromise CMS’s ACA information systems was medium: most of the attacks did not require significant technical knowledge to exploit the vulnerabilities, but some security controls were in place to delay or prevent our attacks. Finally, we determined that CMS’s IT security controls were somewhat effective at detecting and responding appropriately to our cyberattacks. This was largely attributable to a security appliance that identified and appropriately stopped a subset of our initial attacks against certain CMS ACA web applications.
What OIG Recommends and HHS OS Comments
We made a series of recommendations for HHS OS to improve IT security controls in accordance with Federal requirements and address the vulnerabilities identified in our report.
In written comments to our draft report, CMS concurred with eight recommendations and did not concur with two recommendations. CMS also provided technical comments, which we addressed as appropriate.
We maintain that our findings and recommendations are accurate and valid.
Notice
This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.