The fiscal year 2022 FISMA evaluation concluded that AmeriCorps’ information security program remains ineffective. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: (1) mobile devices, (2) IT asset inventory management, (3) vulnerability and patch management program, (4) Personal Identity Verification (PIV) multifactor authentication, (5) performance measures, (6) security assessments and (7) contingency planning. AmeriCorps has not made significant progress in implementing prior FISMA recommendations: it has implemented only 12 of the 42 open recommendations from the FY 2017-FY 2021 FISMA evaluations. The failure to address critical deficiencies leaves AmeriCorps systems and data vulnerable to breach, which may expose sensitive information, including Personally Identifiable Information, to unauthorized access, use, and disclosure. Implementing more of these recommendations will help AmeriCorps to mature its information security program and bring it closer to effectiveness. AmeriCorps concurred with the three new recommendations in our report, which, together with the 30 remaining prior-year recommendations, will assist AmeriCorps in developing a mature and effective information security program. The full report contains a summary and evaluation of management’s response.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1 | No | $0 | $0 |

AmeriCorps enhance its process of performing enterprise risk management assessments to determine the respective risk posture of its systems to include the entity-wide performance metrics for measuring the effectiveness of its:
• Data exfiltration and enhanced network defenses;
• Incidence detection and analysis process; and
• Incidence handling process. (New)