Created by the National and Community Service Trust Act of 1993, the Corporation provides opportunities for Americans to serve their communities through Senior Corps, AmeriCorps, VISTA, National Civilian Community Corps and Learn and Serve America. The 1993 Act also established the Office of Inspector General, which conducts independent and objective audits and investigations of Corporation programs and operations to prevent and deter waste, fraud and abuse. It also recommends policies to Corporation management to promote economy and efficiency.
Each federal agency has an Office of Inspector General (OIG) that provides independent oversight of the agency’s programs and operations. The office is responsible for promoting efficiency and effectiveness in agency programs and for preventing and detecting fraud, waste, and abuse.
The Corporation for National and Community Service (the Corporation or CNCS) has made significant progress in addressing the information security and privacy weaknesses identified in last year’s Federal Information Security Modernization Act of 2014 (FISMA) evaluation, resolving eight of 17 findings from FY 2015 and closing 67 of 90 recommendations open from prior years. CNCS has improved and updated its policies and procedures for key security program areas, e.g., information security continuous monitoring (ISCM), risk management and Plan of Action and Milestones (POA&M) management. It has also entered into new service level agreements with the information technology (IT) contractor that manages the Corporation’s desktops, servers and network infrastructure. These improvements led evaluators to reduce the severity of two previous program weaknesses from Significant Deficiencies to Control Deficiencies. Evaluators determined that the Corporation implemented improvements to close all seven recommendations related to privacy controls for protection of personally identifiable information (PII).
Nevertheless, much work remains to make information security fully effective at CNCS. The FY 2016 FISMA evaluation uncovered two new weaknesses relating to: (1) secure configuration management policies, procedures and practices; and (2) monitoring and remediation of server backup failures. CNCS’s ISCM and Incident Response Program are rated at Level 2: Defined on a maturity scale that ranges from Level 1: Ad hoc to Level 5: Optimized. Of the 57 security metrics in the remaining areas, testing identified 25 instances of noncompliance with applicable laws, regulations and authoritative guidance governing information security.