U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


Fiscal Year 2021 Federal Information Security Modernization Act Evaluation of AmeriCorps

Date Issued
Report Number
Report Type
Inspection / Evaluation
The information security program of AmeriCorps remains ineffective and has shown little progress since FY 2018. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: organization-wide risk management, IT asset inventory management, standard baseline configurations, Personal Identity Verification (PIV) multifactor authentication, and vulnerability and patch management practices. AmeriCorps has not made significant progress in implementing prior FISMA recommendations. AmeriCorps has implemented only eight of the 39 open recommendations from the FY 2017- FY 2020 FISMA evaluations.. Implementing more of these recommendations will help AmeriCorps to mature its information security program and bring it closer to effectiveness. The failure to address critical deficiencies leaves AmeriCorps systems and data vulnerable to breach, which may expose sensitive information, including Personally Identifiable Information, to unauthorized access, use and disclosure. Our report offers 13 new recommendations, which together with the prior year recommendations, will assist AmeriCorps in developing a mature and effective information security program. AmeriCorps concurred with 12 of the 13 new recommendations and provided alternative actions to resolve the remaining recommendation.
Joint Report
Agency Wide
Questioned Costs
Funds for Better Use

Open Recommendations


Design and implement an effective accountability system that includes clear expectations of goals, performance measures, estimated target dates, and monitoring to hold OIT leadership accountable for improving AmeriCorps’ information security program to an effective level. (New


Develop, document, and communicate an overall SCRM strategy, implementation plan, and related policies and procedures to guide and govern supply chain risk management activities. If AmeriCorps intends to limit its IT purchases to GSA vendors, it should so state, and indicate who, if anyone, must approve exceptions. (New)