Pension Benefit Guaranty Corporation’s Implementation of the Federal Information Security Modernization Act of 2014 for FY 2022 (AUD-2023-06), issued January 09, 2023
We contracted with Ernst and Young LLP (EY) to perform an evaluation of PBGC’s information security program as required by FISMA. EY reviewed a sample of six systems and completed fieldwork to address the FY 2022 IG FISMA Core Metrics developed by OMB, DHS, and the Council of the Inspectors General on Integrity and Efficiency. EY noted improvements in Information Security Continuous Monitoring and Supply Chain Risk Management. Weaknesses in the Configuration Management and Identity and Access Management domains were identified. However, these domains and PBGC’s overall information security program remained effective. PBGC’s Information Security Continuous Monitoring function was assessed at Optimized, and the remaining four Cybersecurity Framework functions were found to be Managed and Measurable. In their report, EY issued four new recommendations related to PBGC’s configuration management and identity and access management programs.