Open Recommendations

Complete the OMB Annual Data Call reporting, and if necessary, contact OMB via email at MBX.OMB.OFFM.PaymentIntegrity@OMB.EOP.GOV to obtain access to the annual data call.

Report the OIG's finding of non-compliance with the FY 2021 PIIA requirements, as outlined in OMB Memorandum M-21-19, Section VI.D, "Agency Responsibility When a Program is Non-Compliant."

Annually conduct an improper payment review in accordance with PIIA and follow the guidance outlined in OMB Circular A-136, section II.4.5 [Payment Integrity Information Act].

We recommend that EEOC review and remediate the medium level severity vulnerabilities identified during external penetration testing by:

• Disabling IKE Aggressive Mode if supported;
• Refraining from the use of pre-shared authentication keys;
• If using a pre-shared key cannot be avoided, use strong keys;
• Do not allow VPN connections from an non-approved IP addresses, if possible.

We recommend that EEOC review and remediate the level 5 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems.

• To remediate vulnerabilities and prevent further exploitation, the agency should implement risk mitigation procedures such as: applying vendor-released security fixes, disabling certain user access rights, upgrading to the latest supported version, and removing vulnerable/obsolete hardware from its network.
• These vulnerabilities should be added and tracked on POAMS.
• Where risk acceptance is required for vulnerabilities based on EEOC's network operations and risk assessments, we recommend that EEOC formally document the risk acceptance along with any associated mitigation activities.

We recommend that EEOC defines, communicates, and implements an organization-wide SCRM strategy to guide supply chain analyses, provide communication channels with internal/external partners and stakeholders, and assist in building consensus regarding the appropriate resources for SCRM.

We recommend that EEOC:

• Determine if listening ports or entire system should be blocked from public access;
• Regularly review network device search engines for new systems belonging to EEOC or those that may be masquerading as EEOC systems;
• Perform a forensic analysis on identified system to ensure no malicious access has taken place;
• For authorized remote sessions, create a control to address remote access being left open after the session has concluded. The controls should at minimum require the session owner to ensure the remote session was closed at the conclusion of the session as well as an overall control run on a set basis that will identify any open remote sessions on endpoints;
• Create an auditability feature that checks internally via an agent when a device with remote access is listening;
• Create an auditability feature that checks for remote connection software being installed.

We recommend that EEOC implement strong authentication mechanisms for privileged and non-privileged users in accordance with Federal guidance, to meet the required use of PIV or an Identity Assurance Level (IAL)3/Authenticator Assurance Level (AAL) 3 credential of the agency's networks, including remote access sessions, in accordance with Federal targets. The agency should continue developing their plans for organization-wide use of strong authentication mechanisms for non-privileged users and require multifactor authentication to network access for all user accounts.

We recommend that EEOC review and remediate the level 4 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems.

• To remediate vulnerabilities and prevent further exploitation, the agency should implement risk mitigation procedures such as: performing system updates, operating systems with administrative rights, downloading patches, uninstalling unprotected applications, etc.
• Where risk acceptance is required for vulnerabilities based on EEOC's network operations and risk assessments, we recommend that EEOC formally document the risk acceptance along with any associated mitigation activities.

We recommend that EEOC defines, communicates, and implements an organization wide SCRM strategy to guide supply chain analyses, provide communication channels with internal/external partners and stakeholders, and assist in building consensus regarding the appropriate resources for SCRM.

We recommend that EEOC review and remediate the medium level severity vulnerabilities identified during external penetration testing by: (1) Modifying network firewalls to no longer allow external access to specific services. (2) Reviewing the NTP server’s configuration to ensure that this functionality is not abused. (3) Considering restricting or disabling NTP mode 6 query capabilities

We recommend that EEOC review and remediate the level 4 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems. (1) To remediate vulnerabilities and prevent further exploitation, the agency should implement risk mitigation procedures such as: performing system updates, operating systems with administrative rights, downloading patches, uninstalling unprotected applications, etc.(2) Where risk acceptance is required for vulnerabilities based on EEOC's network operations and risk assessments, we recommend that EEOC formally document the risk acceptance along with any associated mitigation activities.

We recommend that EEOC plans and prepares to meet the goals of the TIC initiative, consistent with OMB M-19-26. The agency should define and customize, as appropriate, a set of policies, procedures, and processes to implement TIC 3.0, including updating its network and system boundary policies, in accordance with OMB M-19-26. This includes, as appropriate, incorporation of TIC security capabilities catalog, TIC use cases, and TIC overlays.

We recommend that EEOC review and remediate the medium level severity vulnerabilities identified during external penetration testing by: (1) Disabling IKE Aggressive Mode. (2) Refraining from the use of pre-shared authentication keys.(3) Implementing multi-factor authentication for all VPN access.

We recommend that EEOC review and remediate the level 5 severity vulnerabilities identified during internal vulnerability scanning to avoid compromises to agency systems.(1)To remediate vulnerabilities and prevent further exploitation, the agency should implement risk mitigation procedures such as: applying vendor-released security fixes, disabling certain user access rights, upgrading to the latest supported version, and removing vulnerable/obsolete hardware from its network. (2) These vulnerabilities should be added and tracked on PAOM(s).(3) Where risk acceptance is required for vulnerabilities based on EEOC's network operations and risk assessments, we recommend that EEOC formally document the risk acceptance along with any associated mitigation activities.

We recommend that EEOC implement strong authentication mechanisms for privileged and non-privileged users in accordance with Federal guidance, to meet the required use of PIV or an Identity Assurance Level (IAL)3/Authenticator Assurance Level (AAL) 3 credential of the agency's networks, including remote access sessions, in accordance with Federal targets. The agency should continue developing their plans for organization-wide use of strong authentication mechanisms for non-privileged users and require multifactor authentication to network access for all user accounts.

We recommend that EEOC review and remediate the informational vulnerabilities identified during external penetration testing by: (1) Ensuring that passwords meet complexity requirements. (2) Requiring 2-Factor Authentication mechanisms for all externally accessible systems. (3) Recommending that employees not use their work email addresses for personal accounts. (4) Recommending that employees avoid using previously breached passwords.

Define a clear, consistent, and comprehensive vision of digital transformation at EEOC.

Inventory and plan the decommissioning of outdated technologies and online content.

Engage an independent organizational change management firm / entity to assist EEOC in implementing Recommendations 2 through 9.

Consider formulating a Digital Transformation Strategy, either as a strategic goal in the EEOC Strategic Plan for Fiscal Years 2023 – 2027 or as a standalone document

Develop an EEOC Organizational Communication Strategy and Plan.

Create a Digital Support Unit (DSU) of dedicated staff.

Plan at least three digital pilot projects with appropriate evaluation methods.

Develop a Target-State Architecture Plan.

Task OEDA with a goal of building a Data Analytics Plan for EEOC.

The IIG should explore and implement ways to reduce the call hold time and email response time for customers.

OFP should establish guidelines for generating 846 inquiries and other information sharing between the IIG and district offices.

EEOC must manage customer expectations by making customer service standards available to the public.

The IIG should design and implement a quality assurance program for customer emails.

The IIG must collect customer feedback and use the data to improve customer service efforts.

OFP should assess the usefulness of generating 846 inquiries (i.e.; return on investment) and assess whether automatic close out in the system is more practical,

. EEOC should develop a customer service plan to include establishing goals and objectives, developing performance metrics that target the goals, and measuring performance against the goals. This plan must include goals and metrics for the IIG.

We recommend EEOC ensure that emailed policy memos are promptly updated in the appropriate EEOC Directives Transmittal Order.

For purchase cards, EEOC management should create a control where management reviews, on a sample basis, purchase cards transactions to ensure all obligating documents and purchase orders are in conformity with EEOC Directives Transmittal Order 360.003, Commercial Purchase Charge Card Program Practical User's Guide. For travel cards, EEOC management should create a control where management reviews, on a sample basis, travel card transactions to ensure all travel authorization or vouchers and receipts are in conformity with EEOC Directives Transmittal Order 345.001, Travel and Transportation Administrative Policies and Procedures Manual.

We recommend EEOC management update its policies and procedures to include all required safeguards and internal controls to be compliant with the Government Charge Card Abuse Prevention Act of 2012. In addition, EEOC should create a monitoring control to review the policy when changes or updates are made to federal law or Office of Management and Budget or General Services Administration guidance

We recommend EEOC's Office of Information Technology (OIT) review and remediate critical-risk and high-risk vulnerabilities in accordance with EEOC OIT’s assessment of risk. Where risk acceptance is required for vulnerabilities based on EEOC's network operation, we recommend that EEOC formally document the risk acceptance along with any associated mitigation activities (Repeat Finding).

We recommend EEOC management create a control where management reviews, on a sample basis, at least quarterly, the approved PP&E disposals/retirements for conformity to EEOC SOP for OIT Excess Property that states, “When equipment is disposed of, an SF 120, SF 122, or SF 120 copy using GSAXcess, is approved by the EEOC Approving Official, CSD Backup or Property manager, evidenced by their signature and date.” EEOC management should follow-up with Approving Official(s), CSD Backup or Property management who have been found to not adhere to requirements of the SOPs for OIT Excess Property and require them to obtain additional training, to include certifying they have read the Approving Officials responsibilities, as it relates to the aforementioned control. (Repeat Finding)

Implement an on-going training series for all staff involved in the EEOC social media program.

Simplify the EEOC social media architecture by consolidating many of the existing social media channels and limiting creation of new channels.

Use paid media to support improved reach and engagement.

Implement a consistent content approval process run by OCLA.

Complete revisions to the social media handbook and provide to all staff managing social media channels.

EEOC should ensure the existing policy in place is followed and documentation of the process is reviewed by the CFO or their designee on a quarterly basis.

OCFO should review and update the Contract File Content Checklist to reflect current
documents maintained in the file.

ASD should review and update the COR Appointment Letter as needed and specifically
address the maintenance of electronic contract files.

OCFO should revise EEOC Order 360.001 as needed to assist CORs in performing their
duties. Include implementation guidance for contract administration activities, such as
submitting contract modifications.

We recommend that the Office of the Chief Financial Officer of the U.S. Equal Employment Opportunity Commission enhance the documentation, monitoring, and enforcement of its controls over the closure of charge card accounts.  For purchase cards, the Administrative Officer (AO) or District Resources Manager (DRM) should maintain documentation of all account closures electronically or in hard copy. Documentation should include evidence of the name of the AO or DRM who received the employee's charge card, the date the card was turned in, the date the card was physically destroyed, and the date that account closure was confirmed by the Charge Card Vendor. The policy or procedure should include monitoring by the Agency/Organization Program Coordinator (A/OPC) and/or Agency Alternative/Organization Program Coordinator (AA/OPC) and appropriate disciplinary actions for non-compliance.

 For travel cards, the Charge Card Program Manager (CCPM) should maintain documentation of all account closures electronically or in hard copy. Documentation should include evidence of the name of the immediate supervisor and/or servicing personnel officer who received the employee's charge card, the date the card was turned in, the date the card was cut in half, and the date that account closure was confirmed by the Charge Card Vendor. The policy or procedure should include monitoring by the CCPM and appropriate disciplinary actions for non-compliance (Repeat Finding).

Ensure future process changes are implemented according to change management best
practices noted by GAO.

OFO and OFP, in partnership with OIT, should consider development of an IMS
training guide or document that is consistently updated and reviewed following
upgrades, enhancements or modifications of the software. This guide should include all
necessary codes for every action item in the process and should be available for all
product users. This guide should ensure that product users track all mandated steps in
IMS. Given that each office’s staff has their own needs within IMS: One guide should
be made for OFP legal techs, AJs, and SAJs. A separate guide should be available for
OFO CCD staff, attorneys and supervisory attorneys.

The Office of Information Technology (OIT), in partnership with OFP and OFO, should
re-evaluate IMS requirements, and requirements for the framework of its successor
system, to determine what additional reporting functionalities are needed in order to
analyze data about staff and office productivity. A Voice of the Customer exercise or a
user requirement meeting could serve as starting point to gather current requirements
from IMS main users (OFP and OFO) and to determine what other current systems need
to be integrated to make them function in alignment with IMS (Power BI, Complainant
Portal).

Assign a target amount of days for intake so that management can determine if changes
implemented impact the efficiency of the process.

OIT developers should meet directly with software users, such as OFO attorneys and
supervisory attorneys and OFP AJs and Supervisory AJs (SAJ) to determine additional
requirements.

The EEOC should develop and implement a Trusted Internet Connection (TIC) program in accordance with Office of Management and Budget (OMB) requirements to assist in protecting the agency’s network from cyber threats. (Repeat finding)

The EEOC OIT should fully implement multifactor authentication for logical and remote access enterprise-wide. (Repeat finding)

Immediately correct any known weaknesses. If EEOC determines not to correct a noted weakness, EEOC should document this analysis and their acceptance of the associated risk.

Develop and implement policies and procedures to address the safeguarding, transfer, storage, or disposal of classified information. The policy should include the requirements for Memorandums of Understanding between agencies.

Implement a formalized training program for individuals who use classified information as a part of their duties. If an external agency is to assume the responsibility of training these individuals, this agreement should be documented in an MOU.