FY 2016 Federal Information Security Modernization Act Independent Evaluation Report

This narrative report is a follow-up to our FY 2016 Federal Information Security Modernization Act (FISMA) Submission to the Office of Management and Budget (LTR 2017-04/FA-16-110-3) to provide findings and recommendations related to PBGC's information security program. We contracted with CliftonLarsonAllen LLP, an independent public accounting firm, to perform an evaluation of PBGC’s information security program as required by the Federal Information Security Modernization Act (FISMA). In FY 2016, PBGC made progress improving its information security program by publishing its Information Security Risk Management Framework Process and requiring the use of PIV for authentication; however, additional action is needed. More specifically, PBGC needs to permanently fill its risk executive position and ensure it fully and consistently implements current NIST access controls. The Corporation also needs to complete implementation of its information system continuous monitoring program. We reported 20 new recommendations based on the results of our FY 2016 independent evaluation. In addition to the recommendations in this report, there were eight FISMA-related recommendations reported in the Corporation’s FY 2016 internal control report AUD-2017-3/FA-16-110-2.