AmeriCorps’ Penetration Testing and Phishing Campaign Evaluation

AmeriCorps’ security program has not been effective in accordance with Federal Information Security Management Act (FISMA) since Fiscal Year 2017. In order to determine its current status, AmeriCorps OIG engaged an independent certified public accounting firm to conduct an internal penetration test of AmeriCorps’ network. The independent auditors tested AmeriCorps’ network to evaluate the effectiveness of its information security program and to identify areas of weakness. This evaluation was comprised of three phases: network penetration testing, a phishing campaign, and the testing the effectiveness of controls in preventing and detecting the execution of malicious code. The independent auditors found two weaknesses related to preventive and detective security controls. AmeriCorps concurred and agreed to implement our recommendations to (1) develop and implement a plan to modify external emails to include information to assist the recipient of the level of risk posed by external email, (2) implement a plan to increase the frequency of behavior training directed at the identification of unwanted spam emails, and (3) implement a process to improve the detection rate to reduce the occurrence of email spam that reaches the users’ inboxes. AmeriCorps Management’s response can be found in Appendix II of the report.