FY 2016 Federal Information Security Modernization Act (FISMA) Submission to the Office of Management and Budget (OMB) (LTR 2017-04/ FA-16-110-3), issued November 10, 2016
We contracted with CliftonLarsonAllen LLP, an independent public accounting firm, to evaluate PBGC’s information security program as required by the Federal Information Security Modernization Act (FISMA). In Fiscal Year 2016, PBGC made progress in improving its information security program by publishing its Information Security Risk Management Framework Process and by requiring Personal Identity Verification (PIV) credentials for authentication; however, improvements are still needed. Specifically, PBGC needed to permanently fill its risk executive position and to ensure that current NIST controls, including access controls, are fully and consistently implemented. The Corporation also needed to fully implement its information system continuous monitoring program. The OIG’s Report on Internal Controls Related to the Pension Benefit Guaranty Corporation’s Fiscal Year 2016 and 2015 Financial Statements Audit (AUD 2017-3/FA-16-110-2) presents additional details on the Corporation’s progress in mitigating the IT control weaknesses identified in (1) PBGC’s entity-wide security program and (2) access controls and configuration management.