According to a report from the Pension Benefit Guaranty Corporation (PBGC) Office of Inspector General (OIG), the PBGC’s overall cybersecurity performance independent assessment rating is “not effective.”
The Federal Information Security Modernization Act (FISMA) requires the Office of Management and Budget (OMB) to summarize the evaluations made by the OIG’s annual review of an agency’s information security program, practices, and internal controls.
Based on the CIO FISMA metrics, PBGC’s information security program was rated as “at risk,” and significant gaps remain even though essential policies, processes, and tools are in place to mitigate overall cybersecurity risk.
“We concluded that the Corporation has implemented many of its policies, procedures, and strategies; but to be effective it still needed to establish and incorporate quantitative and qualitative measures for four of the five functional domains,” the OIG report said.
However, compared to other small agencies and CFO Act agencies, PBGC’s cybersecurity performance independent assessment was ranked above average in FY2018.
“While more work remains and continued vigilance is required, we recognize management’s attention and efforts to improve the Corporation’s information security program, controls, and practices,” the OIG report said.
OIG has submitted closure packages for 39 of 48 open IT audit recommendations. One of the closure packages has been closed, while the remaining 38 are pending an auditor’s review as of Sept. 30.