Open Recommendations

We recommend that EEOC communicates and implements an organization-wide SCRM and CSCRM strategy to guide supply chain analyses, provide communication channels with internal/external partners and stakeholders, and assist in building consensus regarding the appropriate resources for SCRM and C-SCRM. We recommend that EEOC offices of the Chief Financial Officer and the Chief Information Officer identify SCRM/C-SCRM as a risk to be included in their respective ERM risk registers until the issue is resolved so that commission management understand that SCRM/C-SCRM is a commission-wide requirement.

We recommend that EEOC plans and prepares to meet the goals of the TIC initiative, consistent with OMB M-19-26. The Agency should define and customize, as appropriate, a set of policies, procedures, and processes to implement TIC 3.0, including updating its network and system boundary policies, in accordance with OMB M-19-26. This includes, as appropriate, incorporation of TIC security capabilities catalog, TIC use cases, and TIC overlays.

We recommend that EEOC: · Update to a recent BIRT viewer component, well past version 4.12. · Determine if the application should be publicly available. If not, implement NSG rules within Microsoft Azure or ACLs within firewalls to limit or block all external applications to the site. · Remove default and un-needed. rptdesign files that allow for passing a parameter with attacker controlled input. · Ensure BIRT viewer component is proxied through an authenticated connection and not via direct calls to the NXG servers. Implement the use of complex credentials for all systems. · Ensure it has a policy in place to address NIST 800-53, Rev 5, SI-2. · Ensure procedures are written in such a way to accomplish what is written in the policy. · Ensure it has people in assigned a role to remediate flaws in accordance with its policy and risk tolerance. · Consider how new or existing technologies it has can assist in these efforts.

EEOC should develop an executable plan to meet the requirements of OMB M-21-31 and ensure the plan is properly supported.

We recommend that the EEOC ensure it has a policy in place to address NIST 800-53, Rev 5, SI-2, Flaw Remediation. · Ensure procedures are written in such a way to accomplish what is written in the policy.

We recommend that EEOC continue its full implementation in accordance with their plan. For the ZTA Identity pillar, to better meet ZT requirements for all agency-provided devices, the EEOC made a strategic decision to move away from the prior PIV-based device-login solution to a new password-less Multifactor Authentication (MFA) strategy - providing a strong, non-impersonable authentication process for all agency resource access.

We recommend that EEOC's information security team should, in conjunction with other EEOC offices: a. Identify and document all applicable policies and procedures to cybersecurity and information security; b. Develop and use an accessible repository, such as SharePoint, for all identified documents, regardless of what office they reside in; c. Design a risk-based approach to review and update all identified documents in the repository, including who is responsible for reviewing and updating each document. d. Document the review/update in each document, as well as the responsible party within the information security team who ensures that each document has been updated per the documented procedure for review. e. Designate a responsible official within the OIT to review and update the process as necessary on an annual basis.

Review and update processes, procedures, and tools for reevaluating certified FEPAs. Specify and/or clarify: (a) the timeline for reevaluation, (b) required tool(s) and/or mechanism(s) for reevaluation, (c) HQ, State, Local, and Tribal (SLTP) roles and responsibilities for conducting or contributing to the process of reevaluation, and (d) the purpose of technical assistance reviews (TARs) and how they formally relate (or not) to the process of reevaluation. 

Work with the OIT to generate more useful reports from the Agency Records Center (ARC) that are needed to monitor performance. 

Improve SLTP’s current mixed-modality training for the FEPA Program to address training needs for both EEOC and FEPA staff. Include an “on demand” digital training video library that provides FEPAs with open access to foundational training content. 

Clearly describe and label FEPA Program performance goals and metrics in the SLTP Handbook. 

Reinforce Substantial Weight Review (SWR) as the primary tool and method for case quality oversight by: (a) documenting in the SLTP Handbook how SWR is utilized to ensure case quality, and (b) training both SLTP and FEPA staff on SWR processes and criteria to ultimately improve case quality. 

Review and update process and procedures for communication and working with FEPAs that inquire about certification. This includes the processes and procedures for new certification inquiries from non-certified FEPAs, as well as inquiries from certified FEPAs concerning problems with their certification. 

Provide standardized onboarding and refresher training to SLTP Coordinators/Managers (C/Ms) to ensure more consistent practices across District Offices. Include training on practices to utilize performance goals and metrics for oversight and management of FEPA case quality. 

Improve the feedback loop for TARs to include written documentation of findings that are shared with FEPAs, EEOC District Directors, and SLTP C/Ms for continuous quality improvement and learning. 

Include requirements to use the US Web Design System in the Agency's Project Plan for designing, developing, and implementing the next generation of portals.

Make targeted improvements to address accessibility issues on the existing portals.

Implement mechanisms to ensure that the design and management of the portals are responsive to customer needs.

Ensure that the design and function of all portals accurately reflect EEOC’s business rules and applicable laws.

We recommend that EEOC implement strong authentication mechanisms for privileged and non-privileged users in accordance with Federal guidance, to meet the required use of PIV or an Identity Assurance Level (IAL)3/Authenticator Assurance Level (AAL) credential of the Agency's networks, including remote access sessions, in accordance with Federal targets. The Agency should continue developing their plans for organization-wide use of strong authentication mechanisms for non-privileged users and require multifactor authentication to network access for all user accounts. 

We recommend that EEOC review and remediate the level 4 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems. (See Attachment B for the full list of vulnerabilities identified, including those identified as Level 4.);

-To remediate vulnerabilities and prevent further exploitation, the Agency should implement risk mitigation procedures such as: performing system updates, operating systems with administrative rights, downloading patches, uninstalling unprotected applications, etc;

-Where risk acceptance is required for vulnerabilities based on EEOC's network operations and risk assessments, we recommend that EEOC formally document the risk acceptance along with any associated mitigation activities; 

We recommend that EEOC defines, communicates, and implements an organization-wide SCRM strategy to guide supply chain analyses, provide communication channels with internal/external partners and stakeholders, and assist in building consensus regarding the appropriate resources for SCRM. 

We recommend that EEOC review and remediate the level 5 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems. (See Attachment B for the full list of vulnerabilities identified, including those identified as Level 5.);

-To remediate vulnerabilities and prevent further exploitation, the Agency should implement certain user access rights, upgrading to the latest supported version, and removing vulnerable/obsolete hardware from its network.

-These vulnerabilities should be added and tracked on POAMS.

-Where risk acceptance is required for vulnerabilities based on EEOC’s network operations and risk assessments, we recommend that EEOC formally document the risk acceptance along with any associated mitigation activities.

We recommend that EEOC plans and prepares to meet the goals of the TIC initiative, consistent with OMB M-19-26. The Agency should define and customize, as appropriate, a set of policies, procedures, and processes to implement TIC 3.0, including updating its network and system boundary policies, in accordance with OMB M-19-26. This includes, as appropriate, incorporation of TIC security capabilities catalog, TIC use cases, and TIC overlays.

Develop an EEOC Organizational Communication Strategy and Plan.

Consider formulating a Digital Transformation Strategy, either as a strategic goal in the EEOC Strategic Plan for Fiscal Years 2023 – 2027 or as a standalone document.

Develop a Target-State Architecture Plan.

Task OEDA with a goal of building a Data Analytics Plan for EEOC.

Inventory and plan the decommissioning of outdated technologies and online content.

EEOC should develop a customer service plan to include establishing goals and objectives, developing performance metrics that target the goals, and measuring performance against the goals. This plan must include goals and metrics for the IIG.

For purchase cards, EEOC management should create a control where management reviews, on a sample basis, purchase cards transactions to ensure all obligating documents and purchase orders are in conformity with EEOC Directives Transmittal Order 360.003, Commercial Purchase Charge Card Program Practical User's Guide. For travel cards, EEOC management should create a control where management reviews, on a sample basis, travel card transactions to ensure all travel authorization or vouchers and receipts are in conformity with EEOC Directives Transmittal Order 345.001, Travel and Transportation Administrative Policies and Procedures Manual.

We recommend EEOC management update its policies and procedures to include all required safeguards and internal controls to be compliant with the Government Charge Card Abuse Prevention Act of 2012. In addition, EEOC should create a monitoring control to review the policy when changes or updates are made to federal law or Office of Management and Budget or General Services Administration guidance.   

We recommend EEOC ensure that emailed policy memos are promptly updated in the appropriate EEOC Directives Transmittal Order.

OCFO should revise EEOC Order 360.001 as needed to assist in performing their duties. Include implementation guidance for contract administrative activities such as submitting contract modifications. 

We recommend that the Office of the Chief Financial Officer of the US Equal Employment Opportunity Commission enhance the documentation, monitoring, and enforcement of its controls over the closure of charge card accounts. 

- For purchase cards, the Administrative Officer (AO) or District Resources Manager (DRM) should maintain documentation of all account closures electronically or in hard copy. Documentation should include evidence of the name of the AO or DRM who received the employee's charge card, the date the card was turned in, the date the card was physically destroyed, and the date that account closure was confirmed by the Charge Card Vendor. The policy or procedure should include monitoring by the Agency/Organization Program Coordinator (A/OPC) and/or Agency Alternative/Organization Program Coordinator (AA/OPC) and appropriate disciplinary actions for noncompliance. 

- For travel cards, the Charge Card Program Manager (CCPM) should maintain documentation of all account closures electronically or in hard copy. Documentation should include evidence of the name of the immediate supervisor and/or servicing personnel officer who received the employee's charge card, the date the card was turned in, the date the card was cut in half, and the date that account closure was confirmed by the Charge Card Vendor. The policy or procedure should include monitoring by the CCPM and appropriate disciplinary actions for noncompliance. (Repeat Finding)

Assign a target amount of days for intake so that management can determine if changes implemented impact the efficiency of the process.