Open Recommendations

We recommend EEOC OIT conduct a privacy impact assessment of the SharePoint
system to identify privacy issues and risks associated with the security settings; and to
provide recommendations to mitigate potential privacy risk.

We recommend EEOC OIT enforce its mobile device management compliance policies
for all enrolled mobile devices and report noncompliance to the user and OIT senior
management for corrective action.

We recommend EEOC OIT provide specialized training for SharePoint administrators
and users to reduce the risk of exposing sensitive information and PII.

We recommend EEOC OIT develop an action plan to address related policy and
procedural requirements of the SECURE Technology Act.

We recommend EEOC OIT review and remediate critical-risk, high-risk, and medium risk
vulnerabilities in accordance with EEOC OIT's assessment of risk. If the risk is not
remediated then we recommend EEOC OIT document the acceptance of the risk.

EEOC should enhance their current DATA Act internal control procedures over the
reliability and validity of their DATA Act submission by ensuring they meet all
aspects of OMB M-17-04, including documentation of all work performed to ensure
the alignment of data in Files C and D1. The enhanced internal control policy and
procedure developed should include categorical explanations for misalignments,
including legitimate differences between files C and D1.

EEOC should ensure the existing policy in place is followed and documentation of the
process is reviewed by the CFO or their designee on a quarterly basis.

ASD should establish a mechanism to provide oversight of CORs to ensure compliance
with documentation requirements consistent with the FAR and agency policy

OCFO should develop a mechanism to ensure that CORs are notified when invoices are
ready for their review, including reminder notifications when invoices remain in the
system longer than five days.

ASD should review and update the COR Appointment Letter as needed and specifically
address the maintenance of electronic contract files.

OCFO should review and update the Contract File Content Checklist to reflect current
documents maintained in the file.

OCFO should revise EEOC Order 360.001 as needed to assist CORs in performing their
duties. Include implementation guidance for contract administration activities, such as
submitting contract modifications.

We recommend that the Office of the Chief Financial Officer of the U.S. Equal Employment Opportunity Commission enhance the documentation, monitoring, and enforcement of its controls over the closure of charge card accounts.

We recommend the OIT employed an automated mechanism that ensures sensitive PII is encrypted on removable mobile media.

We recommend the OCHCO and OIT conduct a baseline assessment of the EEOC’s cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of preparedness of other cyber personnel without existing credentials to take certification exams; and (3) a strategy for mitigating any gaps identified with appropriate training and certification for existing personnel.

We recommend the OIT review and remediate critical-risk, high-risk and moderate-risk vulnerabilities. These vulnerabilities should be resolved to avoid compromise to EEOC’s systems; or the Agency should document acceptance of the risk or reclassification of the risk

Evaluate availability of resources dedicated to Alternative Dispute Resolution (ADR)
per office and determine if the agreement between EEOC and the Federal Mediation
and Conciliation Service (FMCS) would provide enough mediation support for the
District and Field offices. OFP should also analyze the impact of ADR pilot programs
implemented in certain Districts, such as WISE, the Washington Field Office Initiative
to Settle Equal Employment Opportunity (EEO) Complaints, to determine if these
programs can also be replicated in other Districts. In addition, OFP could record and
replicate best ADR practices from offices that report a higher percentage of cases
resolved through mediation.

OFO and OFP, in partnership with OIT, should consider development of an IMS
training guide or document that is consistently updated and reviewed following
upgrades, enhancements or modifications of the software. This guide should include all
necessary codes for every action item in the process and should be available for all
product users. This guide should ensure that product users track all mandated steps in
IMS. Given that each office’s staff has their own needs within IMS: One guide should
be made for OFP legal techs, AJs, and SAJs. A separate guide should be available for
OFO CCD staff, attorneys and supervisory attorneys.

Evaluate and assess timeline improvement after the use of the new contractors. If
significant improvements are verified by data, consider improvements to the ongoing
staffing model and the possible addition of these contractor positions as permanent
roles. OFO should determine and monitor metrics, such as improvement of targeted
timelines from one step to another (data can be gathered from IMS).

Standardize organizational structures used in the District and Field offices to include
all resources required for major tasks. OFP should create a guideline that describes the
desired standard organizational structure of District and Field offices.

The Office of Information Technology (OIT), in partnership with OFP and OFO, should
re-evaluate IMS requirements, and requirements for the framework of its successor
system, to determine what additional reporting functionalities are needed in order to
analyze data about staff and office productivity. A Voice of the Customer exercise or a
user requirement meeting could serve as starting point to gather current requirements
OFFICE OF INSPECTOR GENERAL SEMIANNUAL REPORT 10
from IMS main users (OFP and OFO) and to determine what other current systems need
to be integrated to make them function in alignment with IMS (Power BI, Complainant
Portal).

Examine the staffing model of the appeals intake process to determine if the dedicated
resources are sufficient for ensuring processes are completed in a timely manner.

Standardize on-boarding activities and training programs required for new AJs and
other staff working at the District and Field offices, so that the Federal hearings
experience is consistent for both complainants and agencies across offices.

Standardize the role of the administrative support for all District and Field offices. A
position review should be conducted to determine the job title held by support staff, as
well as their pay level and their level of responsibility (e.g., determine if legal techs
should be assigning cases). Any additional administrative support should be supported
by data analysis of caseloads and inventory.

OIT developers should meet directly with software users, such as OFO attorneys and
supervisory attorneys and OFP AJs and Supervisory AJs (SAJ) to determine additional
requirements.

Assign a target amount of days for intake so that management can determine if changes
implemented impact the efficiency of the process.

Ensure future process changes are implemented according to change management best
practices noted by GAO.

EEOC should implement an automated solution that provides a centralized, enterprise-wide view of risk across the agency.

EEOC should develop a Trusted Internet Connection (TIC) program that meets OMB requirements to improve the agency’s security posture.

EEOC should conduct an e-authentication risk assessment for its digital systems and has not fully implemented multifactor authentication for logical and remote access for privileged and non-privileged users. (Repeat finding since FY 2008)

EEOC OIT should review and analyze critical, high, and medium vulnerabilities. These vulnerabilities should be resolved to avoid compromise of EEOC’s systems; or the agency should document acceptance of the risk or reclassification of the risk.

Development of policies and procedures to properly manage physical security access cards.

EEOC update its personnel policy and procedures requiring screening and background checks for all individuals having access to information systems and information as defined by NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, PS-3 Personnel Screening. The agency should ensure all individuals are processed through the E-Verify program, and no exception exists for those who have previously been verified by a third-party.

Develop and implement policies and procedures to address the safeguarding, transfer, storage, or disposal of classified information. The policy should include the requirements for Memorandums of Understanding between agencies.

Implement a formalized training program for individuals who use classified information as a part of their duties. If an external agency is to assume the responsibility of training these individuals, this agreement should be documented in an MOU.

Immediately correct any known weaknesses. If EEOC determines not to correct a noted weakness, EEOC should document this analysis and their acceptance of the associated risk.