The Peace Corps – an independent Federal agency that dispatches volunteers around the world – has made “significant progress” in enhancing its information security posture over the past year, but it is “falling short” of meeting what the White House defines as an “effective level of security.”

According to a new report from the Peace Corps Office of Inspector General (OIG) – which contracted with the independent public accounting firm Williams Adley to complete the report – the Peace Corps addressed four security-related recommendations from previous reports.

The report analyzes the Peace Corps’ information security program for fiscal year (FY) 2024 – meeting an annual review requirement set by the Federal Information Security Modernization Act of 2014 (FISMA).

The review identifies improvements in various FISMA domains, such as risk management, configuration management, and incident response, “which reflect a stronger commitment to meeting FISMA requirements.”

“However, the Peace Corps’ information security program remained at a Level 2, Defined, falling short of Level 4, the rating that the Office of Management and Budget (OMB) considers to be an effective level of security at the domain, function, and overall program level,” the report says.

“To further mature its information security program to the next level the Peace Corps will need to consistently implement its processes, as defined by the governing documentation (strategies, policies, and procedures) across all FISMA domains,” it adds.

The OIG issued five recommendations for the Peace Corps to bolster its information security program, including that the agency develop and implement a “cybersecurity risk register” to support the implementation of a fully integrated Risk Management and Information Security Continuous Monitoring (ISCM) program.

Additionally, the OIG recommends that the Peace Corps develop component authenticity policies and procedures, and that it periodically evaluate, review, and update its policies and procedures – as necessary – to align with an approved Identity, Credential, and Access Management (ICAM) strategy.

The OIG also recommends that the Peace Corps conduct, capture, and share lessons learned in its implementation of the incident response program.

Finally, the OIG recommends that the Peace Corps conduct agency-level Business Impact Assessments (BIA) and integrate the results into information security strategies and other plan development efforts.

The Peace Corps concurred with all five of the new recommendations, noting that it plans to complete all of them by October 2025.

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.