
FISCAL YEAR 2019 FEDERAL INFORMATION SECURITY MODERNIZATION ACT EVALUATION OF THE CORPORATION FOR NATIONAL AND COMMUNITY SERVICE

Date Issued
Report Number
20-03
Report Type
Inspection / Evaluation
Description
The information security program of the Corporation for National and Community Service (CNCS) has been assessed as not effective, with little progress over the past three years. While security training remains an area of strength at CNCS, performance in this area is outweighed by the substantial risks resulting from continuing control weaknesses in configuration management, identity and access management, and data protection and privacy. For example, the CNCS network continues to be exposed to critical and high severity vulnerabilities stemming from unpatched software, improper configuration settings, and unsupported software. These gaps limit the protection of CNCS’s systems and data and may expose sensitive information, including Personally Identifiable Information, to unauthorized access and use. Our report offers 33 recommendations (22 new, 3 modified, and 8 repeats) which, if implemented, will assist CNCS in addressing the challenges in developing a mature and effective information security program. We also again recommend that CNCS complete a strategic analysis of the government-wide metrics and the weaknesses identified in this evaluation, in order to develop a multi-year approach designed to realize steady, measurable improvements in information security in each of the domains and security function areas. Implementing such a plan will require CNCS to allocate sufficient resources, including staffing, and to be accountable for interim milestones, in order to reach an overall effective rating.
Joint Report
No
Agency Wide
Yes
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

Monitor and record actions taken by the contractor to ensure vulnerability remediation for network devices and servers is addressed or the exposure to unpatchable vulnerabilities is minimized.

Enhance the inventory process to ensure all devices are properly identified and monitored.

Implement a process to track patching of network devices and servers by the defined risk-based patch timelines in CNCS policy.

Replacement of information system components when support for the components is no longer available from the developer, vendor or manufacturer.

Ensure that OIT monitors and promptly installs patches and antivirus updates across the enterprise when they are available from the vendor. Enhancements should include:

Pending since FY 2017

Ensure that OIT evaluates if the internet connections at the National Civilian Community Corps Campuses and Regional Offices are sufficient to allow patches to be deployed to all devices within the defined risk-based patch timeline in CNCS policy. If the internet connections are determined to be inadequate, develop and implement a plan to enhance the current internet connections.

Develop and implement a written process to ensure manual updates to the CMDB inventory and FasseTrack system are made simultaneously when the inventory is updated.

Develop and implement a written process to perform periodic reconciliations between CMDB and the FasseTrack system.

Perform and document analysis to determine the feasibility of completely automating the inventory management process.

Physically or mechanically disable the networking capability of the laptop used for member badging at the NCCC Pacific Region Campus.

Document and implement a process to validate that physical counselor files from the NCCC Southwest Region Campus are disposed of within six years after the date of the member’s graduation in accordance with the AmeriCorps NCCC Manual.