We have determined that the Corporation for National and Community Service’s (CNCS’s) information security program is NOT EFFECTIVE. CNCS has in place the basic information technology policies, procedures and system security documentation needed for effective cybersecurity. To progress beyond the current maturity level, the Corporation must consistently implement and monitor security controls. We continued to find severe vulnerabilities on the network. CNCS has still not fully implemented baseline security configuration settings specific to the existing information technology environment. Further, CNCS has not implemented multifactor authentication for information system users and administrators. These gaps limit the protection of CNCS systems and data, and may expose sensitive information, including Personally Identifiable Information (PII), to unauthorized access and use.
The independent IG report offers 25 recommendations to assist CNCS in strengthening its information security program and reach an Effective rating. CNCS should undertake a strategic analysis of the government-wide metrics and the weaknesses identified in this evaluation, to develop a multi-year approach designed to realize steady, measurable improvements in information security in each of the component areas. Implementing such a plan will require CNCS to allocate sufficient resources, including staffing, and to be accountable for interim milestones in order to reach an overall Effective rating.