Special Report on the Peace Corps’ Information Technology Environment

View Report

Date Issued

Friday, September 26, 2025

Submitting OIG

Peace Corps OIG

Agencies Reviewed/Investigated

Peace Corps

Report Number

IG-25- 05-SR

Report Description

In September 2025, the OIG issued a special report on the Peace Corps’ Information Technology environment. OIG contracted with technical subject matter experts to conduct three cybersecurity tests from January 2025 to March 2025. The three tests included a simulated phishing campaign, a review of the agency’s internal vulnerability management practices, and penetration tests that targeted critical Peace Corps systems.

While observing the agency’s security processes throughout the assessment, OIG found that the Peace Corps’ monitoring capabilities were able to identify the testing activities and demonstrate its incident response procedures. However, the cybersecurity tests also uncovered multiple vulnerabilities and misconfigurations, ranging from informational issues to critical severity risks that the Peace Corps needs to review and address.

Report Type

Other

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 3 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
3	No	$0	$0
The Chief Information Officer ensures that the actions shared with the agency in the detailed technical report are taken to properly configure and fully utilize anti-phishing protections.
4	No	$0	$0
The Chief Information Officer ensures that the actions shared with the agency in the detailed technical report are taken to properly configure and fully utilize anti-phishing protections.
5	No	$0	$0
The Chief Information Officer implements continuous improvement and emphasize a “Zero Click” mindset throughout the organization to reduce the threat from phishing campaigns.