Pursuant to the Federal Information Security Modernization Act of 2014 (FISMA), an independent external auditor, on behalf of OIG conducted an annual independent audit of AmeriCorps’ information security program and practices. The fiscal year (FY) 2024 FISMA audit concluded that AmeriCorps’ information security program remains ineffective, assessed as of July 31, 2024. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: (1) inventory management, (2) supply chain risk management program, (3) vulnerability and patch management program, (4) personnel screening process, (5) authorization packages, (6) logging, and (7) contingency planning. AmeriCorps did not specify the findings and recommendations with which they were in agreement or disagreement. AmeriCorps’ response is included in its entirety in Appendix IV of the audit report. The recommendations related to the seven findings will remain open until corrective actions have been fully implemented.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 1 | No | $0 | $0 | ||
| Enforce the requirement for the Tier 2 lead to perform the monthly audit of the inventory report. (New) | |||||
| 2 | No | $0 | $0 | ||
| Develop, document, and communicate Supply Chain Risk Management procedures to address all FISMA Supply Chain Risk Management requirements. (Modified Repeat) | |||||
| 3 | No | $0 | $0 | ||
| Develop and implement a written oversight process to ensure that Contracting Officer’s Representatives regularly provide the Office of Human Capital with names of contractors who require background investigations and that the Office of Information Technology confirms those background investigations are complete before contractors receive system access. (New) | |||||
| 4 | No | $0 | $0 | ||
| Complete the Authorization To Use package that covers the Administrative Resource Center Financial System. (Modified Repeat) | |||||
| 5 | No | $0 | $0 | ||
| Perform a gap analysis by reconciling all Security Information and Event Management solutions that are capturing logs. (New) | |||||
