The information security program of AmeriCorps remains ineffective and has shown little progress since FY 2018. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: organization-wide risk management, IT asset inventory management, standard baseline configurations, Personal Identity Verification (PIV) multifactor authentication, and vulnerability and patch management practices. AmeriCorps has not made significant progress in implementing prior FISMA recommendations.

United States Government Accountability Office Office of the Inspector General's System Review Report of the Corporation for National and Community Service Office of the Inspector General 2018

In 2019, Congress enacted the Payment Integrity Information Act (PIIA) to update required reporting on agencies’ improper payments. PIIA requires agencies to review and identify programs and activities that may be susceptible to significant improper payments, estimate the improper payments rates in agency programs, and report on their actions to reduce and recover those payments. The Inspector General of each agency assesses compliance with these requirements annually.AmeriCorps implemented corrective actions in FY 2021 that improved its compliance with PIIA reporting requirements.

Since Fiscal Year (FY) 2017, AmeriCorps has not obtained an audit opinion on its financial statements. In FY 2021, independent auditors found nine material weaknesses and one significant deficiency, resulting in a total of 73 recommendations. In addition, each of AmeriCorps Office of Inspector General’s (OIG) annual Federal Information Security Modernization Act of 2014 (FISMA) evaluations since FY 2017 concluded that AmeriCorps’ cybersecurity and privacy program is ineffective.