Report Materials
Why OIG Did This Audit
We conducted this audit in response to a congressional request to determine whether the Centers for Medicare & Medicaid Services' (CMS's) enterprise risk management (ERM) process includes steps to identify and assess national security risks. The congressional request was prompted by a previous OIG audit that determined that national security risks were not adequately considered by the National Institutes of Health (NIH). Specifically, we found that NIH did not consider the risk presented by foreign principal investigators when permitting access to United States genomic data. The Congressmen stated that they are concerned that CMS also has not considered national security risks to its programs.
Our objective was to determine whether CMS's ERM process considered national security risks to all CMS programs in accordance with Federal requirements.
How OIG Did This Audit
We reviewed CMS's ERM process and risk assessment policies and procedures, reviewed additional supporting risk management documentation, and interviewed CMS and HHS personnel.
What OIG Found
CMS's ERM process did not consider national security risks for any of CMS's programs in accordance with Federal requirements. CMS lacked policies and procedures that required its programs to consider national security threats because it relied on HHS's ERM process. As a result, CMS was unable to ensure that it had implemented effective controls to protect against threats from foreign and domestic adversaries.
What OIG Recommends and CMS's Comments
We recommend that CMS, as part of its ERM program, implement a process to assess all of its programs for national security risks in accordance with OMB Circular No. A-123's requirement to include new or emerging risks in the risk profile.
In written comments to our draft report, CMS concurred with our recommendation. CMS also stated that it currently participates in the HHS enterprise risk management process, is in the early stages of establishing an agency enterprise risk management program, and it will consider how to assess national security risks across its programs.
Notice
This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.