Pension Benefit Guaranty Corporation’s Information Security Program and Practices for Fiscal Year 2024
PBGC should establish a comprehensive system for monitoring, analyzing, and reporting on quantitative performance measures to evaluate the effectiveness of its Data Breach Response policies and procedures.
PBGC’s Special Financial Assistance Program’s Policies and Procedures for the Annual Statement of Compliance Need Improvement
Revise its ASOC review procedures to require an annual reconciliation of SFA funds and to require the review analyst to conduct an analysis of material changes or outliers in the key elements to ensure full compliance with SFA conditions.
PBGC’s Software Self-Attestation Efforts Need Improvement
Update and maintain a complete Critical Software Inventory that staff may utilize to fulfill their responsibilities and provide transparency and tracking.
Create or update guidance to implement policies and procedures to guide and govern supply chain risk management activities related to attestations.
Fiscal Year 2025 Pension Benefit Guaranty Corporation Federal Information Security Modernization Act of 2014 (FISMA) Independent Performance Audit
Provide training to ISSPOs, ISOs, and Information Owners on their roles and responsibilities to follow the PBGC RMF and POA&M processes.
Confirm the requirement that deficiencies identified by SPA&A reviews that are not remediated within 30 days after identification are tracked via POA&Ms with accountable personnel.
Periodically monitor the satisfaction of the system risk assessment and POA&M creation requirements to help ensure ongoing compliance associated with the timely completion of and updates to system risk assessments and documentation and tracking of POA&Ms.
We recommend that PBGC management coordinate with its CSP to update its service agreement and shared responsibility matrix to address ambiguities regarding the accountable parties for key controls, and develop and implement a contingency plan for the system.
Audit of the Pension Benefit Guaranty Corporation’s Fiscal Year 2025 Financial Statements
Strengthen its risk assessment process by considering the gap period between the last SOC 1 reports and PBGC’s fiscal year end to determine the sufficiency of internal controls relevant to PBGC’s financial reporting processed by the service organizations. Such considerations should be documented.
Design and implement additional controls based on the results of PBGC’s risk assessment process.
Fiscal Year 2025 Financial Statement Audit Management Letter Report
Due to the sensitive nature of the findings and recommendations in this report, its disclosure has been restricted.