Published on February 8th, 2022

OIG: PBGC Cybersecurity Efforts Effective But More to Do


https://www.ispeech.org

The Pension Benefit Guaranty Corporation (PBGC) has made progress in its cybersecurity efforts, says a report by the Office of the Inspector General (OIG), but it still has more work to do. 

The finding comes in the FY 2021 annual report that the OIG is required to make, which was released Feb. 3. The Federal Information Security Modernization Act of 2014 (FISMA) requires the OIG to conduct an annual performance audit regarding how well the terms of the act are being implemented.

Notable Progress

The OIG says that, using the metrics set by FISMA, the PBGC’s information security program in the last year was effective, based on the PBGC meeting a “managed and measurable” maturity level for the functional categories “Identify, Detect, Protect, Respond and Recover” and on the upgrading of the “Identify, Protect and Recover” functional areas from “consistently implemented” to a rating of “managed and measurable.”

“Progress continues to be made to sustain cybersecurity maturity across all FISMA domains,” says the report. Nonetheless, says the OIG, “While PBGC can be considered effective, we identified opportunities where PBGC can strengthen its program within Identity and Access Management.”

Concerning identity and access management, the OIG noted that the PBGC’s cybersecurity program improvements supported an increased rating because of improvements it made in overall workforce assessment knowledge and in management dashboards, which allowed for (1) greater insight into user status throughout onboarding and (2) increased visibility into existing SOD issues and role assignments.

Regarding data protection and privacy, the OIG hailed the PBGC’s integration of tabletop exercises with contingency planning by involving members of the security, communications and backup/restore teams, which also make up the breach response team, and improvements in workforce analysis to identify gaps associated with the data protection and privacy (DPP) domain.

Work to Do

The OIG was less impressed with the PBGC’s treatment of the configuration management domain, observing that an issue it identified the year before, related to the implementation of strong cryptographic ciphers, remained unresolved.

Similarly, the OIG was not happy with the PBGC’s progress with its identity and access management program, noting that:

  • Controls and processes related to administrative accounts and privileged functions had weaknesses that allowed for direct compromise of accounts and systems, which it says may indicate a gap in security policy or configuration, processes or procedures as they relate specifically to privileged access management.
  • Security settings and configurations were found on network systems that allowed escalation of unauthorized access and/or privileges. “These issues,” it says “are typically related to weak baseline hardening policies and guidelines, lack of environmental awareness, a lack of technical capability or support or even intentionally insecure settings to support legacy services.”

Additionally, the OIG says that issues it brought up the year before concerning monitoring of internal disclosures of PII remain unresolved. 

Recommendations

The OIG made suggestions in a variety of areas. 

Supply Chain Risk Management. The PBGC should implement updated policies and procedures surrounding the sourcing of hardware and software in accordance with new Supply Chain Risk Management (SCRM) standards, says the report. 

Specifically, they say, the PBGC should:

  • work toward an organization-wide SCRM strategy and implement policies, procedures and processes for managing supply chain risks;
  • continue to implement improvements in segregation of duties to minimize risk throughout the PBGC;
  • continue to push forward in the Risk Management, Supply Chain Risk Management, Configuration Management, Identity and Access Management, and Data Protection and Privacy domains;
  • develop and implement a supply chain risk management plan to address supply chain risks regarding information systems and system components; and
  • educate the acquisition workforce on threats, risk and required security controls for acquired IT components.

Configuration Management. Regarding configuration management, the OIG says that the PBGC should consider the following steps:

  • harden the affected servers’ cipher suites to avoid the use of weak ciphers and RC4 ciphers, in accordance with the vendor’s security leading practices; and
  • continue to implement its plan, addressing the issue the OIG identified earlier, for an improved website vulnerability management program to remedy security deficiencies in the development of websites.

Identity and Access Management. The OIG had many recommendations for the PBGC regarding improving identity and access management: 

  • Create organization-wide policies surrounding the establishment of passwords and password protection to ensure consistent implementation of new technology and standards.
  • Complete mitigations against password guessing attacks. 
  • Schedule periodic password resets to prevent previously obtained or compromised credentials from being reused on PBGC domains. 
  • Develop and update segregation of duty matrices to reflect the risk of multiple role assignments based on the current business operations of PBGC within the CMS system.
  • Review existing role assignments and remediate them as appropriate.
  • Enhance existing monitoring controls to mitigate risks associated with required role assignments that violate separation-of-duty requirements. 
  • Develop, document and implement a process for the timely assessment of employees and contractors transferred or promoted to a new position or role to determine whether the risk level has changed. 
  • Improve processes and implement oversight to ensure timeliness of background investigations to be completed for federal employees and contractors. 
  • Update directives, policies and procedures to reflect current personnel security processes for the timely processing of background investigations. 

Data Protection and Privacy. As for data protection and privacy, the OIG says that the PBGC should: 

  • conduct an analysis to determine if its internal network monitoring capabilities are sufficient to fully support its insider threat program, specifically around the monitoring and disclosure of PII and sensitive banking information;
  • deploy additional toolsets to monitor internal transmissions of PII and sensitive banking information for insider threat behavior analytic modeling; and 
  • conduct a risk assessment to consider the inclusion of the AU-13 optional control requirements for monitoring information disclosures by internal employees. 

“It is important for PBGC to continue to focus on remediating their cybersecurity deficiencies to maintain their effective rating. PBGC should work to integrate their information security architecture with its systems development lifecycle,” says the report. 
