The information security program of the Corporation for National and Community Service (CNCS) has been assessed as not effective with little progress over the past three years. While security training remains an area of strength at CNCS, performance in this area is outweighed by the substantial risks resulting from the continuing control weaknesses in configuration management, identity, and access management, and data protection and privacy. For example, the CNCS network continues to be exposed to critical and high severity vulnerabilities stemming from un-patched software, improper configuration settings, and unsupported software. These types of gaps limit the protection of CNCS’s systems and data and may expose sensitive information, including Personally Identifiable Information, to unauthorized access and use.
Our report offers 33 recommendations (22 new, 3 modified, and 8 repeats), which if implemented, will assist CNCS in addressing challenges in its development of a mature and effective information security program. Also, we again recommend that CNCS complete a strategic analysis of the government-wide metrics and the weaknesses identified in this evaluation, to develop a multi-year approach designed to realize steady, measurable improvements in information security in each of the domains and security function areas. Implementing such a plan will require CNCS to allocate sufficient resources, including staffing, and to be accountable for interim milestones, in order to reach an overall effective rating.