AmeriCorps’ Penetration Testing and Phishing Campaign Evaluation

Date Issued:
Report Type: Inspection / Evaluation
Description:
AmeriCorps’ security program has not been effective, as measured under the Federal Information Security Management Act (FISMA), since Fiscal Year 2017. To determine its current status, AmeriCorps OIG engaged an independent certified public accounting firm to conduct an internal penetration test of AmeriCorps’ network. The independent auditors tested AmeriCorps’ network to evaluate the effectiveness of its information security program and to identify areas of weakness. The evaluation comprised three phases: network penetration testing, a phishing campaign, and testing the effectiveness of controls in preventing and detecting the execution of malicious code. The independent auditors found two weaknesses related to preventive and detective security controls. AmeriCorps concurred and agreed to implement our recommendations to (1) develop and implement a plan to modify external emails to include information that helps the recipient assess the level of risk posed by external email, (2) implement a plan to increase the frequency of behavior training directed at the identification of unwanted spam emails, and (3) implement a process to improve the detection rate and reduce the amount of email spam that reaches users’ inboxes. AmeriCorps Management’s response can be found in Appendix II of the report.
Joint Report: No
Agency Wide: Yes
Questioned Costs: $0
Funds for Better Use: $0

Open Recommendations

1. Develop and implement a plan to modify external emails to include information that helps the recipient assess the level of risk posed by external email. For example, the Subject line of an email should be modified to identify the source of the email as external to the agency. In addition, the body of the email should contain warnings concerning the dangers of external email and attachments. Finally, warnings should include how frequently the sender has interacted with the recipient.

2. Implement a plan to increase the frequency of behavior training directed at the identification of unwanted spam emails, with an emphasis on continual reminders of recognition techniques, appropriate actions, and confidence that self-reporting poor behavioral actions will lead to a better outcome in the future.

3. Implement a process to improve the detection rate and reduce the occurrence of email spam that reaches users’ inboxes.
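The first recommendation (tag the Subject line as external, add a body warning, and state how often the sender has previously emailed the recipient) is concrete enough to show as code. The following Python is an added illustration written for this page; it is not AmeriCorps code, not the auditors' tooling, and not a description of any product. The agency domain `agency.example.gov`, the two sample messages, the `[EXTERNAL]` tag text and the `(sender, recipient)` interaction history are all constructed assumptions; a real mail gateway would look the history up per recipient at delivery time and combine the From-domain check with its SPF/DKIM/DMARC verdict, since the From header alone can be spoofed.

```python
"""Illustrative external-email tagging: an [EXTERNAL] Subject prefix plus a body
banner that states how often the sender has previously emailed this recipient.

Added example, not AmeriCorps or auditor code. Domain names, sample messages
and the interaction history below are constructed for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical agency domain(s); any other sender domain is treated as external.
INTERNAL_DOMAINS = {"agency.example.gov"}
SUBJECT_TAG = "[EXTERNAL] "
BANNER_MARKER = "CAUTION: This email originated from outside the agency."


def sender_domain(msg: EmailMessage) -> str:
    """Lower-cased domain of the From address, or '' if it cannot be parsed."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def is_external(msg: EmailMessage, internal_domains=INTERNAL_DOMAINS) -> bool:
    """Treat a missing or unparseable From as external (fail closed).

    The From domain alone is spoofable; a production gateway should also feed
    its SPF/DKIM/DMARC result into this decision.
    """
    domain = sender_domain(msg)
    return domain == "" or domain not in internal_domains


def build_banner(prior_messages: int) -> str:
    """Banner text conveying risk; first-time senders are called out explicitly."""
    if prior_messages == 0:
        history = "You have NOT received email from this sender before (higher risk)."
    else:
        history = f"This sender has sent you {prior_messages} previous message(s)."
    lines = [
        BANNER_MARKER,
        "Do not click links or open attachments unless you recognize the",
        "sender and know the content is safe.",
        history,
        "-" * 60,
        "",
    ]
    return "\n".join(lines) + "\n"


def tag_external_email(raw: bytes, history: dict,
                       internal_domains=INTERNAL_DOMAINS) -> EmailMessage:
    """Parse one RFC 5322 message; if external, tag the Subject and prepend the banner.

    history maps (sender, recipient) address pairs to the number of prior
    messages seen. Internal mail is returned unchanged.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_external(msg, internal_domains):
        return msg

    subject = str(msg.get("Subject", ""))
    if not subject.startswith(SUBJECT_TAG):  # avoid double-tagging replies
        if "Subject" in msg:
            msg.replace_header("Subject", SUBJECT_TAG + subject)
        else:
            msg["Subject"] = SUBJECT_TAG + subject

    _, sender = parseaddr(str(msg.get("From", "")))
    _, recipient = parseaddr(str(msg.get("To", "")))
    prior = history.get((sender.lower(), recipient.lower()), 0)

    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content()
        if not text.startswith(BANNER_MARKER):
            body.clear_content()  # drop the old Content-* headers before re-setting
            body.set_content(build_banner(prior) + text)
    return msg


# Constructed sample messages and interaction history (not real data).
SAMPLE_EXTERNAL = b"""From: Vendor Sales <sales@vendor.example.com>
To: Staff Member <staff@agency.example.gov>
Subject: Invoice attached
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice and remit payment this week.
"""

SAMPLE_INTERNAL = b"""From: HR Office <hr@agency.example.gov>
To: Staff Member <staff@agency.example.gov>
Subject: Payroll reminder
Content-Type: text/plain; charset="utf-8"

Timesheets are due Friday.
"""

SAMPLE_HISTORY = {("sales@vendor.example.com", "staff@agency.example.gov"): 3}


if __name__ == "__main__":
    for raw, hist in ((SAMPLE_EXTERNAL, {}), (SAMPLE_EXTERNAL, SAMPLE_HISTORY),
                      (SAMPLE_INTERNAL, {})):
        print(tag_external_email(raw, hist).as_string())
```

Running the script prints the two external variants (first-time sender, then a sender with three prior messages) with the tagged Subject and banner, followed by the internal message left untouched. The banner and Subject checks make the function idempotent, so a reply that already carries the tag is not tagged twice.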