Sorry, you need to enable JavaScript to visit this website.
U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

AmeriCorps FY2025 FISMA Audit

Date Issued
Report Number
OIG-AR-25-03
Report Type
Audit
Description
Pursuant to the Federal Information Security Modernization Act of 2014 (FISMA), an independent external auditor, on behalf of OIG conducted an annual independent audit of AmeriCorps’ information security program and practices. The fiscal year (FY) 2025 FISMA audit concluded that AmeriCorps’ information security program remains ineffective, assessed as of July 31, 2025. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: (1) Cybersecurity Governance, (2) Risk and Asset Management, (3) Configuration Management, (4) Information Security Continuous Monitoring, and (5) Contingency Planning. AmeriCorps concurred with the findings and recommendations and remains committed to addressing cybersecurity risks.  AmeriCorps’ response is included in its entirety in Appendix D of the audit report. Nine new recommendations added as a result of this year’s audit and five recommendations related to prior years’ audits will remain open until corrective actions have been fully implemented.
Joint Report
No
Agency Wide
Yes
Questioned Costs
$0
Funds for Better Use
$0
View report on Oversight.gov

Open Recommendations

Body

Review the NIST Cybersecurity Framework 2.0 and formalize documented policies and procedures for developing and maintaining current and target cybersecurity profiles that align with the CSF to include, at a minimum, consideration of AmeriCorps’ mission objectives, threat landscape, and resources (including personnel) and constraints.

Body

Develop, document, and maintain current and target cybersecurity profiles that align with the NIST Cybersecurity Framework 2.0 — including a gap analysis between the current and target cybersecurity posture—that consider anticipated changes in AmeriCorps’ cybersecurity posture.

Body

Document policies and procedures for developing and maintaining a comprehensive and accurate inventory of data and the corresponding metadata for AmeriCorps’ data types.

Body

Develop and maintain a comprehensive and accurate inventory of data and corresponding metadata for AmeriCorps’ data types, to include data obtained from third party providers to meet the requirements of the Open Government Data Act and OMB Memorandum M-25-05.

Body

Perform and document a formal risk assessment associated with the use of the ARC system.

Body

Update the risk assessments for the GSS and eSPAN on an annual basis.

Body

Conduct a security control assessment for the GSS and eSPAN on an annual basis in accordance with AmeriCorps’ Security Control Standard Assessment, Authorization & Monitoring.

Body

Coordinate with relevant stakeholders to align the documented RTOs in the GSS and eSPAN BIAs, and ensure both BIAs are updated accordingly

Body

Implement the approved standard baseline configurations for all servers, workstations, and network devices in the AmeriCorps’ information system environment