Evaluation of Data Governance, Management, and Validity
OCIO and OEDA evaluate the feasibility and operational benefits of implementing more
fine-grained access controls within ARC and EDW.
OCIO implement capabilities to analyze ARC data directly, with an analytics tool within
ARC or through localized tools with direct connections to ARC, to reduce the creation and
use of manual workarounds by users.
We recommend that EEOC plan and prepare to meet the goals of the TIC initiative, consistent with OMB M-19-26. The Agency should define and customize, as appropriate, a set of policies, procedures, and processes to implement TIC 3.0, including updating its network and system boundary policies, in accordance with OMB M-19-26. This includes, as appropriate, incorporation of the TIC security capabilities catalog, TIC use cases, and TIC overlays.
We recommend that EEOC review and remediate the level 5 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems. (See Attachment B for the full list of vulnerabilities identified, including those identified as Level 5.)
We recommend that EEOC review and remediate the level 4 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems. (See Attachment B for the full list of vulnerabilities identified, including those identified as Level 4.)
We recommend that EEOC implement strong authentication mechanisms for privileged and non-privileged users in accordance with Federal guidance, to meet the required use of PIV or an Identity Assurance Level (IAL)3/Authenticator Assurance Level (AAL) credential of the Agency's networks, including remote access sessions, in accordance with Federal targets.
We recommend that EEOC define, communicate, and implement an organization-wide SCRM strategy to guide supply chain analyses, provide communication channels with internal/external partners and stakeholders, and assist in building consensus regarding the appropriate resources for SCRM.
We recommend that the EEOC ensure it has a policy in place to address NIST 800-53, Rev 5, SI-2, Flaw Remediation.
· Ensure procedures are written in such a way to accomplish what is written in the policy.
We recommend that EEOC:
· Update to a recent BIRT viewer component, well past version 4.12.
· Determine if the application should be publi
We recommend that EEOC's information security team should, in conjunction with other EEOC offices:
a. Identify and document all applicable policies and procedures to cybersecurity and information security;
b. Develop and use an accessible repository, such as SharePoint, for all identified documents, regardless of what office they reside in;
c.