Fiscal Year 2021 Federal Information Security Modernization Act Evaluation of AmeriCorps

The information security program of AmeriCorps remains ineffective and has shown little progress since FY 2018. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: organization-wide risk management, IT asset inventory management, standard baseline configurations, Personal Identity Verification (PIV) multifactor authentication, and vulnerability and patch management practices. AmeriCorps has not made significant progress in implementing prior FISMA recommendations. AmeriCorps has implemented only eight of the 39 open recommendations from the FY 2017- FY 2020 FISMA evaluations.. Implementing more of these recommendations will help AmeriCorps to mature its information security program and bring it closer to effectiveness. The failure to address critical deficiencies leaves AmeriCorps systems and data vulnerable to breach, which may expose sensitive information, including Personally Identifiable Information, to unauthorized access, use and disclosure. Our report offers 13 new recommendations, which together with the prior year recommendations, will assist AmeriCorps in developing a mature and effective information security program. AmeriCorps concurred with 12 of the 13 new recommendations and provided alternative actions to resolve the remaining recommendation.