For Fiscal Year (FY) 2016, the U.S. Equal Employment Opportunity Commission (EEOC), Office of Inspector General (OIG) contracted with Brown & Company CPAs and Management Consultants, PLLC (Brown & Company) to conduct an independent evaluation of EEOC’s compliance with the provisions of the Federal Information Security Modernization Act of 2014 (FISMA). FISMA requires agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Based on the results of our evaluation, Brown & Company concluded that the EEOC continues to make positive strides in addressing information security weaknesses; however, the agency still faces challenges to fully implement information security requirements as stipulated in various federal guidelines and mandates. This report contains eleven (11) FISMA findings and eleven (11) corresponding recommendations. The FY 2016 findings are as follows:
- EEOC OIT does not perform SCAP scanning to assess both code-based and configuration-based vulnerabilities for systems on its network.
- EEOC OIT has not implemented secure https connections for all of its public websites.
- EEOC’s network runs software applications that exceed end-of-life maintenance support.
- The EEOC did not fully implement multifactor authentication for logical and remote access to EEOC systems for privileged and non-privileged users.
- EEOC does not have automated mechanisms to support the management of information system accounts.
- EEOC did not resolve vulnerabilities within the organizational timeframe (within 30 days) for resolving known vulnerabilities.
- PIV cards are not required for physical access for all of EEOC’s offices.
- EEOC should prepare special security controls for its district, field and area offices to ensure that information systems and information located at these offices are protected.
- EEOC has not developed an organization-wide risk management strategy and processes to manage risk to organizational operations and assets.
- EEOC OIT continuous monitoring processes are not effective for identifying valid a FEPA contracts and IMS accounts issued to FEPA users.
- EEOC does not monitor physical access to EEOC local field offices.