Fiscal Year 2022 Federal Information Security Modernization Act (FISMA) Evaluation of AmeriCorps

Date Issued
Report Number
OIG-EV-23-03
Report Type
Inspection / Evaluation
Description
The fiscal year 2022 FISMA evaluation concluded that AmeriCorps’ information security program remains ineffective. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: (1) mobile devices, (2) IT asset inventory management, (3) vulnerability and patch management program, (4) Personal Identity Verification (PIV) multifactor authentication, (5) performance measures, (6) security assessments and (7) contingency planning. AmeriCorps has not made significant progress in implementing prior FISMA recommendations: it has implemented only 12 of the 42 open recommendations from the FY 2017-FY 2021 FISMA evaluations. The failure to address critical deficiencies leaves AmeriCorps systems and data vulnerable to breach, which may expose sensitive information, including Personally Identifiable Information, to unauthorized access, use, and disclosure. Implementing more of these recommendations will help AmeriCorps to mature its information security program and bring it closer to effectiveness. AmeriCorps concurred with the three new recommendations in our report, which together with the 30 remaining prior year recommendations, will assist AmeriCorps in developing a mature and effective information security program. The full report contains a summary and evaluation of management’s response.
Joint Report
No
Agency Wide
Yes
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

Body

AmeriCorps enhance its process of performing enterprise risk management assessments to determine the respective risk posture of its systems to include the entity-wide performance metrics for measuring the effectiveness of its:
• Data exfiltration and enhanced network defenses;
• Incident detection and analysis process; and
• Incident handling process. (New)