Fiscal Year 2011 Federal Information Security Management Act (FISMA) Independent Evaluation Report (EVAL-2012-9 / FA-11-82-7), issued May 11, 2012
The Office of Inspector General contracted with CliftonLarsonAllen LLP, an independent certified public accounting firm, to independently evaluate the Pension Benefit Guaranty Corporation (PBGC) information security program in accordance with the Federal Information Security Management Act (FISMA). This narrative report is a follow-up to our FY 2011 FISMA submission to OMB on November 15, 2011 (LTR 2012-3/FA-11-82-3).
This evaluation report provides additional information on the results of CliftonLarsonAllen's review of the PBGC information security program. Overall, the auditors determined that PBGC has not established an effective information security program and has not been proactive in reviewing security controls and identifying areas to strengthen this program. The FISMA report contains five new FISMA findings with 10 recommendations. In addition, 22 FISMA-related findings with 47 recommendations were reported in the Corporation's FY 2011 internal control report based on our FY 2011 financial statements audit (AUD-2012-2 / FA-11-82-2). Those findings and recommendations support the two information technology material weaknesses and formed, in part, the adverse opinion on internal control. PBGC's response to the draft report indicates management's agreement with 9 of the 10 recommendations. PBGC management did not agree with one recommendation related to the eTalk application.