Office of Information Technology

Performance Audit Report US Equal Employment Opportunity Commission Federal Information Security Modernization Act of 2014 (FISMA)

We recommend that EEOC plan and prepare to meet the goals of the TIC initiative, consistent with OMB M-19-26. The Agency should define and customize, as appropriate, a set of policies, procedures, and processes to implement TIC 3.0, including updating its network and system boundary policies, in accordance with OMB M-19-26. This includes, as appropriate, incorporation of the TIC security capabilities catalog, TIC use cases, and TIC overlays.

FY 2022 Federal Information Security Modernization Act Independent Evaluation

We recommend that EEOC review and remediate the Level 5 severity vulnerabilities identified during internal vulnerability scanning to avoid compromise of agency systems. (See Attachment B for the full list of vulnerabilities identified, including those identified as Level 5.)

FY 2022 Federal Information Security Modernization Act Independent Evaluation

We recommend that EEOC review and remediate the Level 4 severity vulnerabilities identified during internal vulnerability scanning to avoid compromise of agency systems. (See Attachment B for the full list of vulnerabilities identified, including those identified as Level 4.)

FY 2022 Federal Information Security Modernization Act Independent Evaluation

We recommend that EEOC implement strong authentication mechanisms for privileged and non-privileged users in accordance with Federal guidance, to meet the required use of PIV or an Identity Assurance Level (IAL) 3/Authenticator Assurance Level (AAL) credential for access to the Agency's networks, including remote access sessions, in accordance with Federal targets.

FY 2022 Federal Information Security Modernization Act Independent Evaluation

We recommend that EEOC define, communicate, and implement an organization-wide SCRM strategy to guide supply chain analyses, provide communication channels with internal/external partners and stakeholders, and assist in building consensus regarding the appropriate resources for SCRM.

FY 2023 Federal Information Security Modernization Act Independent Evaluation

We recommend that EEOC's information security team, in conjunction with other EEOC offices:
a. Identify and document all policies and procedures applicable to cybersecurity and information security;
b. Develop and use an accessible repository, such as SharePoint, for all identified documents, regardless of which office they reside in;
c.

FY 2023 Federal Information Security Modernization Act Independent Evaluation

We recommend that EEOC plan and prepare to meet the goals of the TIC initiative, consistent with OMB M-19-26. The Agency should define and customize, as appropriate, a set of policies, procedures, and processes to implement TIC 3.0, including updating its network and system boundary policies, in accordance with OMB M-19-26. This includes, as appropriate, incorporation of the TIC security capabilities catalog, TIC use cases, and TIC overlays.