The information security program of AmeriCorps remains ineffective and has shown little progress since FY 2018. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: organization-wide risk management, IT asset inventory management, standard baseline configurations, Personal Identity Verification (PIV) multifactor authentication, and vulnerability and patch management practices. AmeriCorps has not made significant progress in implementing prior FISMA recommendations.