We recommend that EEOC review and remediate the Level 5 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems. (See Attachment B for the full list of vulnerabilities identified, including those identified as Level 5.)
-To remediate vulnerabilities and prevent further exploitation, the Agency should implement appropriate user access rights, upgrade affected systems to the latest supported version, and remove vulnerable or obsolete hardware from its network.
-These vulnerabilities should be added to and tracked on POA&Ms (Plans of Action and Milestones).
-Where risk acceptance is required for vulnerabilities based on EEOC’s network operations and risk assessments, we recommend that EEOC formally document the risk acceptance along with any associated mitigation activities.