The information security program of the Corporation for National and Community Service (CNCS) has been assessed as not effective with little progress over the past three years. While security training remains an area of strength at CNCS, performance in this area is outweighed by the substantial risks resulting from the continuing control weaknesses in configuration management, identity, and access management, and data protection and privacy. For example, the CNCS network continues to be exposed to critical and high severity vulnerabilities stemming from un-patched software, improper configuration settings, and unsupported software. These types of gaps limit the protection of CNCS’s systems and data and may expose sensitive information, including Personally Identifiable Information, to unauthorized access and use.Our report offers 33 recommendations (22 new, 3 modified, and 8 repeats), which if implemented, will assist CNCS in addressing challenges in its development of a mature and effective information security program. Also, we again recommend that CNCS complete a strategic analysis of the government-wide metrics and the weaknesses identified in this evaluation, to develop a multi-year approach designed to realize steady, measurable improvements in information security in each of the domains and security function areas. Implementing such a plan will require CNCS to allocate sufficient resources, including staffing, and to be accountable for interim milestones, in order to reach an overall effective rating.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 1 | No | $0 | $0 | ||
| Ensure that OIT monitors and promptly installs patches and antivirus updates across the enterprise when they are available from the vendor. Enhancements should include:Pending since FY 2017 | |||||
| 1a | Yes | $0 | $0 | ||
| Implement a process to track patching of network devices and servers by the defined risk-based patch timelines in CNCS policy. | |||||
| 1c | Yes | $0 | $0 | ||
| Monitor and record actions taken by the contractor to ensure vulnerability remediation for network devices and servers is addressed or the exposure to unpatchable vulnerabilities is minimized. | |||||
| 2 | No | $0 | $0 | ||
| Ensure that OIT evaluates if the internet connections at the National Civilian Community Corps Campuses and Regional Offices are sufficient to allow patches to be deployed to all devices within the defined risk-based patch timeline in CNCS policy. If the internet connections are determined to be inadequate, develop and implement a plan to enhance the current internet connections. | |||||
| 4 | No | $0 | $0 | ||
| Develop and implement a written process to ensure manual updates to the CMDB inventory and FasseTrack system are made simultaneously when the inventory is updated. | |||||
| 6 | No | $0 | $0 | ||
| Develop and implement a written process to perform periodic reconciliations between CMDB and the FasseTrack system. | |||||
| 7 | No | $0 | $0 | ||
| Perform and document analysis to determine the feasibility of completely automating the inventory management process. | |||||
| 23 | No | $0 | $0 | ||
| Physically or mechanically disable the networking capability of the laptop used for member badging at the NCCC Pacific Region Campus. | |||||
| 25 | No | $0 | $0 | ||
| Document and implement a process to validate that physical counselor files from the NCCC Southwest Region Campus are disposed of within six years after the date of the member’s graduation in accordance with the AmeriCorps NCCC Manual. | |||||
| 1b | Yes | $0 | $0 | ||
| Replacement of information system components when support for the components is no longer available from the developer, vendor or manufacturer. | |||||
| 1d | Yes | $0 | $0 | ||
| Enhance the inventory process to ensure all devices are properly identified and monitored. | |||||
