U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


AmeriCorps’ Penetration Testing and Phishing Campaign Evaluation

Date Issued
Report Type
Inspection / Evaluation
AmeriCorps’ security program has not been effective in accordance with Federal Information Security Management Act (FISMA) since Fiscal Year 2017. In order to determine its current status, AmeriCorps OIG engaged an independent certified public accounting firm to conduct an internal penetration test of AmeriCorps’ network. The independent auditors tested AmeriCorps’ network to evaluate the effectiveness of its information security program and to identify areas of weakness. This evaluation was comprised of three phases: network penetration testing, a phishing campaign, and the testing the effectiveness of controls in preventing and detecting the execution of malicious code. The independent auditors found two weaknesses related to preventive and detective security controls. AmeriCorps concurred and agreed to implement our recommendations to (1) develop and implement a plan to modify external emails to include information to assist the recipient of the level of risk posed by external email, (2) implement a plan to increase the frequency of behavior training directed at the identification of unwanted spam emails, and (3) implement a process to improve the detection rate to reduce the occurrence of email spam that reaches the users’ inboxes. AmeriCorps Management’s response can be found in Appendix II of the report.
Joint Report
Agency Wide
Questioned Costs
Funds for Better Use

Open Recommendations

No recommendations at this time.