15-03, The Federal Information Security Management Act, Fiscal Year 2014, evaluation of the Corporation for National & Community Service

Executive Summary

Kearney & Company, P.C. has concluded that the Corporation's Information Security and Privacy Program was not compliant in a number of respects with FISMA legislation, OMB guidance, and applicable NIST security publications as of September 30, 2014. Their testing found the controls were ineffective in seven of the 12 areas. In four of the seven areas, the deficiencies were severe enough to constitute a significant deficiency; these areas were Continuous Monitoring Management, Risk Management, Plans of Action and Milestones (POA&M), and Privacy.