A new inspector general’s report finds that the Peace Corps struggles with information security, a fact that is especially concerning given the amount of personal volunteer data the agency holds.
Since the agency’s founding in 1961, more than 230,000 Americans have served in education, health and other peace-building capacities in 141 countries around the world. The Peace Corps collects all kinds of data on these volunteers — data on personal health, medical treatment, crime and more. But does the organization have the necessary practices in place to maintain the security of these records?
The office of the inspector general isn’t so sure.
“Our aggregated results demonstrate that the Peace Corps lacks an effective information security program,” the report notes. “We found problems relating to people, processes, technology, and culture.”
The agency has struggled with Federal Information Security Management Act (FISMA) compliance for years. While the office of the CIO has made some improvements over the past two years, the report finds that Peace Corps leadership isn’t sufficiently invested in information security. “Involvement from all levels of Peace Corps leadership is needed to advance and fully develop the agency’s information security program,” the report states.
The report runs through Peace Corps status on the five function areas of the National Institute of Standards and Technology Cybersecurity Framework — identify, protect, detect, respond and recover — and rates each according to five-level scale of maturity.
In all, Peace Corps’ information security practices don’t rise above a level one. Level four is considered “effective.”
So there’s some room for improvement. The report offers 20 recommendations, including that the agency improve its ability to detect threats with continuous security monitoring, and improve its ability to protect against threats by revamping employee security trainings.
“The Peace Corps needs to embrace a risk-based culture and place greater emphasis on the importance of a robust information security program by involving senior leadership, ensuring agency policies are comprehensive, and prioritizing the time and resources necessary to become fully FISMA compliant and eliminate weaknesses,” the report concludes.