Fiscal Year 2025 Pension Benefit Guaranty Corporation Federal Information Security Modernization Act of 2014 (FISMA) Independent Performance Audit
Report Information
Recommendations
We recommend that PBGC management coordinate with its CSP to update the service agreement and shared responsibility matrix so that they resolve ambiguities about which party is accountable for key controls, and develop and implement a contingency plan for the system.
Periodically monitor whether the system risk assessment and POA&M creation requirements are being met, to help ensure ongoing compliance with the timely completion of, and updates to, system risk assessments and with the documentation and tracking of POA&Ms.
Confirm the requirement that deficiencies identified by SPA&A reviews that are not remediated within 30 days after identification are tracked via POA&Ms with accountable personnel.
Provide training to ISSPOs, ISOs, and Information Owners on their roles and responsibilities to follow the PBGC RMF and POA&M processes.