Evaluation of PBGC’s Data Protection at Contractor-Operated Facilities (EVAL-2019-08/PA-18-125), issued January 31, 2019
We found controls relating to data protection are, for the most part, suitably designed to protect sensitive information at contractor-operated PBGC facilities. At the same time, PBGC has opportunities to improve the operational effectiveness of some of these controls. We found controls relating to the monitoring of the personnel security process and oversight by Contracting Officer's Representatives (CORs) are not consistently executed in a manner to ensure the protection of sensitive information. We identified vulnerabilities in the employee separation process that require additional controls. We issued eight recommendations to management to improve monitoring and management oversight of the personnel security process, the COR oversight function at contractor-operated facilities, and controls over the employee separation process. Management agreed with the recommendations.