Open Recommendations

Review and update guidance to program office staff to ensure they provide information to support all required FAR elements for contract type D&Fs.

Ensure timely development and approval of contract type D&Fs that address all FAR requirements, including a mechanism to track the timeliness of this process.

Provide training to PBGC staff involved in contracting on the requirements of FAR § 16.103(d)(1), highlighting how the staff are required to document contract type risk considerations in the contract file.

Develop guidance for staff on the requirements of FAR § 16.103(d)(1), including updating templates. The guidance should address all the required elements and specify whether it will be documented in the acquisition plan or another document in the…

Management should review existing OEM jobs and ensure that each job logs, detects, and alerts on job failures where there is potential impact to system processing routines. Further, a job monitoring process with escalation parameters and resolution paths…

PBGC should provide guidance and training to workflow developers and business testers to ensure that workflows supporting internal control over financial systems are configured to automatically reject rather than approve workflow items when all required…

Update procedures to ensure the signed COR designation letters are maintained in the required locations to evidence the acceptance of COR appointments.

Enhance procedures to ensure COR designation letters are appropriately created and signed by all parties upon award of the contract or modification to change the COR.

PBGC should strengthen its controls around verifying the identity of PBGC personnel prior to temporarily disabling their requirement for MFA for remote access should a user purportedly have a malfunctioning PIV card or other MFA token.

PBGC should implement an effective specialized security training program that includes steps to identify and prevent phone-based social engineering for all employees.