
Performance Audit Report U.S. Equal Employment Opportunity Commission Federal Information Security Modernization Act of 2014 (FISMA)


We recommend that EEOC review and remediate the medium-severity vulnerabilities identified during external penetration testing by: (1) modifying network firewalls to no longer allow external access to specific services; (2) reviewing the NTP server's configuration to ensure that this functionality is not abused; and (3) considering restricting or disabling NTP mode 6 query capabilities.

Performance Audit Report U.S. Equal Employment Opportunity Commission Federal Information Security Modernization Act of 2014 (FISMA)


We recommend that EEOC implement strong authentication mechanisms for privileged and non-privileged users in accordance with Federal guidance, to meet the required use of PIV or an Identity Assurance Level (IAL) 3 / Authenticator Assurance Level (AAL) 3 credential on the agency's networks, including remote access sessions, in accordance with Federal targets. The agency should continue developing its plans for organization-wide use of strong authentication mechanisms for non-privileged users and require multifactor authentication for network access for all user accounts.

Performance Audit Report U.S. Equal Employment Opportunity Commission Federal Information Security Modernization Act of 2014 (FISMA)


We recommend that EEOC plan and prepare to meet the goals of the TIC initiative, consistent with OMB M-19-26. The agency should define and customize, as appropriate, a set of policies, procedures, and processes to implement TIC 3.0, including updating its network and system boundary policies, in accordance with OMB M-19-26. This includes, as appropriate, incorporation of the TIC security capabilities catalog, TIC use cases, and TIC overlays.

Performance Audit Report U.S. Equal Employment Opportunity Commission Federal Information Security Modernization Act of 2014 (FISMA)


We recommend that EEOC define, communicate, and implement an organization-wide SCRM strategy to guide supply chain analyses, provide communication channels with internal/external partners and stakeholders, and assist in building consensus regarding the appropriate resources for SCRM.

Independent Evaluation of the U.S. Equal Employment Opportunity Commission’s Compliance with Provisions of the Federal Information Security Modernization Act of 2014 (FISMA)


The EEOC OIT should fully implement multifactor authentication for logical and remote access enterprise-wide. (Repeat finding)

Independent Evaluation of the U.S. Equal Employment Opportunity Commission’s Compliance with Provisions of the Federal Information Security Modernization Act of 2014 (FISMA)


The EEOC should develop and implement a Trusted Internet Connection (TIC) program in accordance with Office of Management and Budget (OMB) requirements to assist in protecting the agency’s network from cyber threats. (Repeat finding)

FY 2017 and FY 2018 Performance Audit of the U.S. Equal Employment Opportunity Commission Commercial Charge Card Program


We recommend that the Office of the Chief Financial Officer of the U.S. Equal Employment Opportunity Commission enhance the documentation, monitoring, and enforcement of its controls over the closure of charge card accounts. For purchase cards, the Administrative Officer (AO) or District Resources Manager (DRM) should maintain documentation of all account closures electronically or in hard copy.

Management Letter - FY 2020 Financial Statement Audit


We recommend EEOC management create a control under which management reviews, on a sample basis, at least quarterly, the approved PP&E disposals/retirements for conformity to the EEOC SOP for OIT Excess Property, which states, "When equipment is disposed of, an SF 120, SF 122, or SF 120 copy using GSAXcess, is approved by the EEOC Approving Official, CSD Backup or Property manager, evidenced by their signature and date." EEOC management should follow up with Approving Official(s), CSD Backup, or Property managers who have been found not to adhere to the requirements of the SOPs for OIT Excess Property.

U.S. Equal Employment Opportunity Commission Federal Information Security Modernization Act of 2014 (FISMA)


We recommend that EEOC's Office of Information Technology (OIT) review and remediate critical-risk and high-risk vulnerabilities in accordance with EEOC OIT's assessment of risk. Where risk acceptance is required for vulnerabilities based on EEOC's network operation, we recommend that EEOC formally document the risk acceptance along with any associated mitigation activities. (Repeat finding)