Evaluation of EEOC’s Management of Private Sector Customer Service
EEOC must manage customer expectations by making customer service standards available to the public.
EEOC should develop a customer service plan to include establishing goals and objectives, developing performance metrics that target the goals, and measuring performance against the goals. This plan must include goals and metrics for the IIG.
We recommend that EEOC review and remediate the level 5 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems.
We recommend that EEOC review and remediate the level 4 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems.
We recommend that EEOC:
We recommend that EEOC review and remediate the medium level severity vulnerabilities identified during external penetration testing by:
We recommend that EEOC implement strong authentication mechanisms for privileged and non-privileged users in accordance with Federal guidance, to meet the required use of PIV or an Identity Assurance Level (IAL) 3/Authenticator Assurance Level (AAL) 3 credential of the agency's networks, including rem
Report the OIG's finding of non-compliance with the FY 2021 PIIA requirements, as outlined in OMB Memorandum M-21-19, Section VI.D, "Agency Responsibility When a Program is Non-Compliant."
Annually conduct an improper payment review in accordance with PIIA and follow the guidance outlined in OMB Circular A-136, section II.4.5 [Payment Integrity Information Act].
We recommend that EEOC review and remediate the informational vulnerabilities identified during external penetration testing by: (1) Ensuring that passwords meet complexity requirements. (2) Requiring 2-Factor Authentication mechanisms for all externally accessible systems. (3) Recommending that employees not use their work email addresses for personal accounts. (4) Recommending that employees avoid using previously breached passwords.