We recommend that EEOC review and remediate the informational vulnerabilities identified during external penetration testing by: (1) Ensuring that passwords meet complexity requirements. (2) Requiring 2-Factor Authentication mechanisms for all externally accessible systems. (3) Recommending that employees not use their work email addresses for personal accounts. (4) Recommending that employees avoid using previously breached passwords.

We recommend that EEOC review and remediate the medium level severity vulnerabilities identified during external penetration testing by: (1) Disabling IKE Aggressive Mode. (2) Refraining from the use of pre-shared authentication keys.(3) Implementing multi-factor authentication for all VPN access.

We recommend that EEOC plans and prepares to meet the goals of the TIC initiative, consistent with OMB M-19-26. The agency should define and customize, as appropriate, a set of policies, procedures, and processes to implement TIC 3.0, including updating its network and system boundary policies, in accordance with OMB M-19-26. This includes, as appropriate, incorporation of TIC security capabilities catalog, TIC use cases, and TIC overlays.

The EEOC OIT should fully implement multifactor authentication for logical and remote access enterprise-wide. (Repeat finding)

The EEOC should develop and implement a Trusted Internet Connection (TIC) program in accordance with Office of Management and Budget (OMB) requirements to assist in protecting the agency’s network from cyber threats. (Repeat finding)

We recommend EEOC management create a control where management reviews, on a sample basis, at least quarterly, the approved PP&E disposals/retirements for conformity to EEOC SOP for OIT Excess Property that states, “When equipment is disposed of, an SF 120, SF 122, or SF 120 copy using GSAXcess, is approved by the EEOC Approving Official, CSD Backup or Property manager, evidenced by their signature and date.” EEOC management should follow-up with Approving Official(s), CSD Backup or Property management who have been found to not adhere to requirements of the SOPs for OIT Excess Property

We recommend EEOC management update its policies and procedures to include all required safeguards and internal controls to be compliant with the Government Charge Card Abuse Prevention Act of 2012. In addition, EEOC should create a monitoring control to review the policy when changes or updates are made to federal law or Office of Management and Budget or General Services Administration guidance

For purchase cards, EEOC management should create a control where management reviews, on a sample basis, purchase cards transactions to ensure all obligating documents and purchase orders are in conformity with EEOC Directives Transmittal Order 360.003, Commercial Purchase Charge Card Program Practical User's Guide.

We recommend EEOC ensure that emailed policy memos are promptly updated in the appropriate EEOC Directives Transmittal Order.

Complete revisions to the social media handbook and provide to all staff managing social media channels.