Pursuant to the Federal Information Security Modernization Act of 2014 (FISMA), an independent external auditor, on behalf of OIG, conducted an annual independent audit of AmeriCorps’ information security program and practices. The fiscal year (FY) 2025 FISMA audit concluded that AmeriCorps’ information security program remains ineffective, as assessed as of July 31, 2025. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: (1) Cybersecurity Governance, (2) Risk and Asset Management, (3) Configuration Management, (4) Information Security Continuous Monitoring, and (5) Contingency Planning. AmeriCorps concurred with the findings and recommendations and remains committed to addressing cybersecurity risks. AmeriCorps’ response is included in its entirety in Appendix D of the audit report. Nine new recommendations added as a result of this year’s audit, together with five recommendations from prior years’ audits, will remain open until corrective actions have been fully implemented.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
|---|---|---|---|---|
| 1 | Yes | $0 | $0 | Review the NIST Cybersecurity Framework 2.0 and formalize documented policies and procedures for developing and maintaining current and target cybersecurity profiles that align with the CSF to include, at a minimum, consideration of AmeriCorps’ mission objectives, threat landscape, and resources (including personnel) and constraints. |
| 2 | Yes | $0 | $0 | Develop, document, and maintain current and target cybersecurity profiles that align with the NIST Cybersecurity Framework 2.0 — including a gap analysis between the current and target cybersecurity posture — that consider anticipated changes in AmeriCorps’ cybersecurity posture. |
| 3 | Yes | $0 | $0 | Document policies and procedures for developing and maintaining a comprehensive and accurate inventory of data and the corresponding metadata for AmeriCorps’ data types. |
| 4 | Yes | $0 | $0 | Develop and maintain a comprehensive and accurate inventory of data and corresponding metadata for AmeriCorps’ data types, to include data obtained from third-party providers, to meet the requirements of the Open Government Data Act and OMB Memorandum M-25-05. |
| 5 | Yes | $0 | $0 | Perform and document a formal risk assessment associated with the use of the ARC system. |
| 6 | Yes | $0 | $0 | Update the risk assessments for the GSS and eSPAN on an annual basis. |
| 7 | Yes | $0 | $0 | Conduct a security control assessment for the GSS and eSPAN on an annual basis in accordance with AmeriCorps’ Security Control Standard Assessment, Authorization & Monitoring. |
| 8 | Yes | $0 | $0 | Coordinate with relevant stakeholders to align the documented RTOs in the GSS and eSPAN BIAs, and ensure both BIAs are updated accordingly. |
| 9 | Yes | $0 | $0 | Implement the approved standard baseline configurations for all servers, workstations, and network devices in the AmeriCorps information system environment. |