We recommend that EEOC defines, communicates, and implements an organization-wide SCRM strategy to guide supply chain analyses, provide communication channels with internal/external partners and stakeholders, and assist in building consensus regarding the appropriate resources for SCRM.

Report the OIG's finding of non-compliance with the FY 2021 PIIA requirements, as outlined in OMB Memorandum M-21-19, Section VI.D, "Agency Responsibility When a Program is Non-Compliant."

Complete the OMB Annual Data Call reporting, and if necessary, contact OMB via email at MBX.OMB.OFFM.PaymentIntegrity@OMB.EOP.GOV to obtain access to the annual data call.

Annually conduct an improper payment review in accordance with PIIA and follow the guidance outlined in OMB Circular A-136, section II.4.5 [Payment Integrity Information Act].

We recommend that EEOC review and remediate the level 5 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems.(1)To remediate vulnerabilities and prevent further exploitation, the agency should implement risk mitigation procedures such as: applying vendor-released security fixes, disabling certain user access rights, upgrading to the latest supported version, and removing vulnerable/obsolete hardware from its network.

We recommend that EEOC review and remediate the level 4 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems.

We recommend that EEOC review and remediate the informational vulnerabilities identified during external penetration testing by: (1) Ensuring that passwords meet complexity requirements. (2) Requiring 2-Factor Authentication mechanisms for all externally accessible systems. (3) Recommending that employees not use their work email addresses for personal accounts. (4) Recommending that employees avoid using previously breached passwords.

We recommend that EEOC review and remediate the medium level severity vulnerabilities identified during external penetration testing by: (1) Disabling IKE Aggressive Mode. (2) Refraining from the use of pre-shared authentication keys.(3) Implementing multi-factor authentication for all VPN access.

We recommend that EEOC review and remediate the medium level severity vulnerabilities identified during external penetration testing by: (1) Modifying network firewalls to no longer allow external access to specific services. (2) Reviewing the NTP server’s configuration to ensure that this functionality is not abused. (3) Considering restricting or disabling NTP mode 6 query capabilities

We recommend that EEOC implement strong authentication mechanisms for privileged and non-privileged users in accordance with Federal guidance, to meet the required use of PIV or an Identity Assurance Level (IAL)3/Authenticator Assurance Level (AAL) 3 credential of the agency's networks, including remote access sessions, in accordance with Federal targets. The agency should continue developing their plans for organization-wide use of strong authentication mechanisms for non-privileged users and require multifactor authentication to network access for all user accounts.