Sunday, December 14, 2025

HHS OIG: The Centers for Medicare & Medicaid Services Did Not Account for National Security Risks in Its Enterprise Risk Management Processes

Why OIG Did This Audit

“We conducted this audit in response to a congressional request to determine whether the Centers for Medicare & Medicaid Services’ (CMS’s) enterprise risk management (ERM) process includes steps to identify and assess national security risks. The congressional request was prompted by a previous OIG audit that determined that national security risks were not adequately considered by the National Institutes of Health (NIH). Specifically, we found that NIH did not consider the risk presented by foreign principal investigators when permitting access to United States genomic data. The Congressmen stated that they are concerned that CMS also has not considered national security risks to its programs.”

“Our objective was to determine whether CMS’s ERM process considered national security risks to all CMS programs in accordance with Federal requirements.”

What OIG Found

“CMS’s ERM process did not consider national security risks for any of CMS’s programs in accordance with Federal requirements. CMS lacked policies and procedures that required its programs to consider national security threats because it relied on HHS’s ERM process. As a result, CMS was unable to ensure that it had implemented effective controls to protect against threats from foreign and domestic adversaries.”

What OIG Recommends and CMS’s Comments

“We recommend that CMS, as part of its ERM program, implement a process to assess all of its programs for national security risks in accordance with OMB Circular No. A-123’s requirement to include new or emerging risks in the risk profile.”

“In written comments to our draft report, CMS concurred with our recommendation. CMS also stated that it currently participates in the HHS enterprise risk management process, is in the early stages of establishing an agency enterprise risk management program, and it will consider how to assess national security risks across its programs…”

Read the full 11-page report here.

Source: The Centers for Medicare & Medicaid Services Did Not Account for National Security Risks in Its Enterprise Risk Management Processes – July 8, 2021. HHS OIG.


Jackie Gilbert
Jackie Gilbert is a Content Analyst for FedHealthIT and Author of 'Anything but COVID-19' on the Daily Take Newsletter for G2Xchange Health and FedCiv.
