Fiscal Year 2015 Cybersecurity Act Evaluation

As part of the Consolidated Appropriations Act of 2016 (Public Law 114-113), Congress passed the Cybersecurity Act of 2015 which required Offices of Inspectors General to conduct an evaluation and submit a report on “covered” computer systems to the appropriate committees of jurisdiction in the Senate and the House of Representatives by August 14, 2016. We evaluated aspects of PBGC computer systems that provide access to personally identifiable information (PII). Our objective was to provide descriptions of certain policies, practices, and procedures identified in the statute and listed below. The scope of our work was limited to obtaining and analyzing PBGC’s information security policies, practices, and procedures governing computer systems that provide access to PII. We did not test the Corporation’s internal controls or compliance with the policies and procedures provided in this report. Information on whether the Corporation followed the appropriate standards was based on OIG open recommendations and the Corporation’s Plan of Actions and Milestones. Sensitive information contained in the evaluation report has been redacted.