Review and update processes, procedures, and tools for reevaluating certified FEPAs. Specify and/or clarify: (a) the timeline for reevaluation, (b) required tool(s) and/or mechanism(s) for reevaluation, (c) HQ, State, Local, and Tribal (SLTP) roles and responsibilities for conducting or contributing to the process of reevaluation, and (d) the purpose of technical assistance reviews (TARs) and how they formally relate (or not) to the process of reevaluation. 

Review and update process and procedures for communication and working with FEPAs that inquire about certification. This includes the processes and procedures for new certification inquiries from non-certified FEPAs, as well as inquiries from certified FEPAs concerning problems with their certification. 

We recommend that the Office of the Chief Financial Officer of the US Equal Employment Opportunity Commission enhance the documentation, monitoring, and enforcement of its controls over the closure of charge card accounts. 

We recommend EEOC management update its policies and procedures to include all required safeguards and internal controls to be compliant with the Government Charge Card Abuse Prevention Act of 2012. In addition, EEOC should create a monitoring control to review the policy when changes or updates are made to federal law or Office of Management and Budget or General Services Administration guidance.   

For purchase cards, EEOC management should create a control where management reviews, on a sample basis, purchase cards transactions to ensure all obligating documents and purchase orders are in conformity with EEOC Directives Transmittal Order 360.003, Commercial Purchase Charge Card Program Practical User's Guide.

We recommend EEOC ensure that emailed policy memos are promptly updated in the appropriate EEOC Directives Transmittal Order.

We recommend that EEOC plans and prepares to meet the goals of the TIC initiative, consistent with OMB M-19-26. The Agency should define and customize, as appropriate, a set of policies, procedures, and processes to implement TIC 3.0, including updating its network and system boundary policies, in accordance with OMB M-19-26. This includes, as appropriate, incorporation of TIC security capabilities catalog, TIC use cases, and TIC overlays.

We recommend that EEOC review and remediate the level 5 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems. (See Attachment B for the full list of vulnerabilities identified, including those identified as Level 5.);

We recommend that EEOC review and remediate the level 4 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems. (See Attachment B for the full list of vulnerabilities identified, including those identified as Level 4.);

We recommend that EEOC implement strong authentication mechanisms for privileged and non-privileged users in accordance with Federal guidance, to meet the required use of PIV or an Identity Assurance Level (IAL)3/Authenticator Assurance Level (AAL) credential of the Agency's networks, including remote access sessions, in accordance with Federal targets.