FISCAL YEAR 2019 FEDERAL INFORMATION SECURITY MODERNIZATION ACT EVALUATION OF THE CORPORATION FOR NATIONAL AND COMMUNITY SERVICE
Open Recommendations
Ensure that OIT monitors and promptly installs patches and antivirus updates across the enterprise when they are available from the vendor. (Pending since FY 2017.) Enhancements should include:
Implement a process to track patching of network devices and servers by the defined risk-based patch timelines in CNCS policy.
Replacement of information system components when support for the components is no longer available from the developer, vendor or manufacturer.
Monitor and record actions taken by the contractor to ensure vulnerability remediation for network devices and servers is addressed or the exposure to unpatchable vulnerabilities is minimized.
Enhance the inventory process to ensure all devices are properly identified and monitored.
Ensure that OIT evaluates if the internet connections at the National Civilian Community Corps Campuses and Regional Offices are sufficient to allow patches to be deployed to all devices within the defined risk-based patch timeline in CNCS policy. If the internet connections are determined to be inadequate, develop and implement a plan to enhance the current internet connections.
Develop and implement a written process to ensure manual updates to the CMDB inventory and FasseTrack system are made simultaneously when the inventory is updated.
Develop and implement a written process to perform periodic reconciliations between CMDB and the FasseTrack system.
Perform and document analysis to determine the feasibility of completely automating the inventory management process.
Physically or mechanically disable the networking capability of the laptop used for member badging at the NCCC Pacific Region Campus.
Document and implement a process to validate that physical counselor files from the NCCC Southwest Region Campus are disposed of within six years after the date of the member’s graduation in accordance with the AmeriCorps NCCC Manual.