Administration
Pension Benefit Guaranty Corporation’s Implementation of the Federal Information Security Modernization Act of 2014 for FY 2020 (AUD-2021-05), issued January 21, 2021
We contracted with Ernst and Young LLP (E&Y), an independent public accounting firm, to perform an evaluation of PBGC’s information security program as required by FISMA. Our independent public accountants concluded PBGC’s security program, as in the prior year, fell below the specified threshold of effectiveness, Managed and Measurable (Level 4). PBGC’s information security program achieved an overall Consistently Implemented (Level 3) maturity level. However, E&Y did note improvement in the configuration management and security training – each moving up one level. In addition, two functional areas, Detect and Respond, were found to meet the Managed and Measurable (Level 4) maturity level. E&Y issued recommendations and noted weaknesses in five of the eight Inspector General FISMA Metric Domains and have made a total of 17 new recommendations and 1 repeated recommendation to assist PBGC in strengthening its information security program. The financial statements audit report included 6 new recommendations; the 11 new remaining recommendations are issued in this report. PBGC agreed with the 11 new recommendations in this report and previously agreed with the 6 recommendations in the financial statements audit report.
