Administration
Pension Benefit Guaranty Corporation’s Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021 (AUD-2022-7), issued February 3, 2022
We contracted with Ernst and Young LLP (E&Y), an independent public accounting firm, to perform an evaluation of PBGC’s information security program as required by FISMA. Our independent public accountants reviewed a sample of six systems and completed fieldwork to address the FY 2021 IG FISMA Metrics developed by OMB, DHS, and the Council of the Inspectors General on Integrity and Efficiency (CIGIE). For FY 2021 PBGC's information security program was found to be effective with all five of the IG metric function areas assessed at Managed and Measurable. Improvements were noted in all five of the function areas and the maturity level for Identify, Protect and Recover were raised from Consistently Implemented to Managed and Measurable. However, continued focus is needed from PBGC management to maintain an effective program. In this report, E&Y issued three new recommendations related to PBGC's identity and access management program and noted additional attention is needed to mature the new supply chain risk management domain.
