We recommend that EEOC:

- Update to a recent BIRT viewer component, well past version 4.12.
- Determine whether the application should be publicly available. If not, implement NSG rules within Microsoft Azure or ACLs within firewalls to limit or block all external connections to the site.
- Remove default and unneeded .rptdesign files that accept a parameter from attacker-controlled input.
- Ensure the BIRT viewer component is proxied through an authenticated connection rather than reached via direct calls to the NXG servers. Implement the use of complex credentials for all systems.
- Ensure it has a policy in place to address NIST SP 800-53, Rev. 5, SI-2 (Flaw Remediation).
- Ensure procedures are written in such a way that they accomplish what is written in the policy.
- Ensure it has people assigned a role to remediate flaws in accordance with its policy and risk tolerance.
- Consider how new or existing technologies it has can assist in these efforts.
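The second recommendation, restricting the site to internal callers with an Azure NSG, can be expressed as infrastructure code. The following Bicep fragment is an added illustration, not part of the evaluation report or of EEOC's environment: the NSG name, the corporate source range 203.0.113.0/24 (a documentation prefix), and the single HTTPS listener are assumptions. It allows inbound TCP 443 only from the assumed corporate range and then denies everything else arriving from the `Internet` service tag, so any public reach to the BIRT viewer is dropped at the network layer regardless of what the application itself exposes.

```bicep
// Added example (not from the report). Assumed values: NSG name,
// corporate range 203.0.113.0/24, and that the site only listens on 443.
resource birtNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-birt-viewer'
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        // Lower priority number wins: permit the assumed corporate range first.
        name: 'AllowCorpHttpsInbound'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '203.0.113.0/24'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        // Explicit deny for the Internet service tag so the default
        // AllowInternetInBound-style behaviour cannot expose the viewer.
        name: 'DenyInternetInbound'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

The NSG still has to be associated with the subnet or NIC that fronts the viewer, and the allow rule's source range should be the proxy or VPN egress that carries authenticated users, so that the network rule and the authenticated-proxy recommendation reinforce each other.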
- FY 2023 Federal Information Security Modernization Act Independent Evaluation