The Centers for Medicare & Medicaid Services Did Not Account for National Security Risks in Its Enterprise Risk Management Processes

Issued on  | Posted on  | Report number: A-18-20-06200

Why OIG Did This Audit

We conducted this audit in response to a congressional request to determine whether the Centers for Medicare & Medicaid Services' (CMS's) enterprise risk management (ERM) process includes steps to identify and assess national security risks. The congressional request was prompted by a previous OIG audit that determined that national security risks were not adequately considered by the National Institutes of Health (NIH). Specifically, we found that NIH did not consider the risk presented by foreign principal investigators when permitting access to United States genomic data. The Congressmen stated that they are concerned that CMS also has not considered national security risks to its programs.

Our objective was to determine whether CMS's ERM process considered national security risks to all CMS programs in accordance with Federal requirements.

How OIG Did This Audit

We reviewed CMS's ERM process and risk assessment policies and procedures, reviewed additional supporting risk management documentation, and interviewed CMS and HHS personnel.

What OIG Found

CMS's ERM process did not consider national security risks for any of CMS's programs in accordance with Federal requirements. CMS lacked the policies and procedures required for its programs to consider national security threats because it relied on HHS's ERM process. As a result, CMS was unable to ensure that it implemented effective controls to protect against threats from foreign and domestic adversaries.

What OIG Recommends and CMS's Comments

We recommend that CMS, as part of its ERM program, implement a process to assess all of its programs for national security risks in accordance with OMB Circular No. A-123's requirement to include new or emerging risks in the risk profile.

In written comments to our draft report, CMS concurred with our recommendation. CMS stated that it currently participates in the HHS enterprise risk management process, is in the early stages of establishing an agency enterprise risk management program, and will consider how to assess national security risks across its programs.