The information security program of the Corporation for National and Community Service, now called AmeriCorps, remains Not Effective and has shown little progress over the past four years. While AmeriCorps has demonstrated some improvement in configuration management, key areas (organization-wide risk management strategy, standard baseline configurations, Personal Identity Verification (PIV) multifactor authentication, and vulnerability and patch management) have remained stagnant at a low level of maturity. AmeriCorps continues to carry a significant number of critical and high-risk vulnerabilities that were not mitigated within the deadlines prescribed for their severity. Nor has AmeriCorps made significant progress in closing prior recommendations: since last year, only 11 of the 58 open recommendations from the FY 2014 through FY 2019 FISMA evaluations have been resolved, yielding limited improvement in FISMA metric results. The inability to address these critical deficiencies leaves AmeriCorps systems and data vulnerable to breaches that may expose sensitive information, including Personally Identifiable Information (PII), to unauthorized access, use, and disclosure. Our report offers nine recommendations (eight new and one modified repeat) which, together with the prior-year recommendations, will assist AmeriCorps in developing a mature and effective information security program. AmeriCorps has committed to implementing corrective actions in response to our recommendations.
Submitting OIG
AmeriCorps, Office of Inspector General
Other Participating OIGs
AmeriCorps, Office of Inspector General
Agencies Reviewed/Investigated
AmeriCorps
Report Number
OIG-EV-21-03CNCS
Report Type
Inspection / Evaluation
Agency Wide
Yes
Questioned Costs
$0
Funds for Better Use
$0
Open Recommendations
This report has 2 open recommendations.
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
4 | No | $0 | $0 | Complete the process of configuring the scanning tool to account for the approved deviations for the standard baseline configurations.
9 | No | $0 | $0 | Ensure all personnel whose responsibilities include access to PII complete annual privacy role-based training.