Examination of the U.S. Department of Education’s Incident Response Coordination Efforts

Submitting OIG:

Report Description:

The objective of our inspection was to determine if the Department established and implemented controls throughout all phases of its incident response lifecycle to ensure compliance with Federal guidance and regulations. We found that although the Department established policies, procedures, and guidance governing its incident response program, we noted areas where it can improve its current process. We made 12 recommendations to improve the Department’s incident response program.

Date Issued:

Wednesday, May 22, 2024

Agency Reviewed / Investigated:

Department of Education

Submitting OIG-Specific Report Number:

I23IT0111

Component, if applicable:

Office of Chief Information Officer

Location(s):

Agency-Wide

Type of Report:

Inspection / Evaluation

Questioned Costs:

Funds for Better Use:

Number of Recommendations:

Report updated under NDAA 5274:

View Document:

Attachment	Size
FY24-I23IT0111-Summary-52224v100508SECURED.pdf	378.48 KB

Recommendation Number	Recommendation Status	Significant Recommendation
1.1	Open	Yes
We recommend that the Chief Information Officer require OCIO to— ·Ensure the Threat Actor Attribution policy is fully implemented and procedures are in place to verify compliance with Federal rules, regulations, and mandates.
2.1	Open	Yes
We recommend that the Chief Information Officer require OCIO to— ·Establish and execute a plan to periodically monitor IR plan compliance for third-party vendor SER requirements.
2.2	Open	Yes
We recommend that the Chief Information Officer require OCIO to— ·Update and document any deviations from established IR plan policy and procedures.
2.3	Open	Yes
We recommend that the Chief Information Officer require OCIO to— ·Create and maintain Incident Report Summaries for all incidents.
2.4	Open	Yes
We recommend that the Chief Information Officer require OCIO to— ·Establish policies and procedures to provide oversight and monitoring of incidents reported by IHEs.
2.5	Open	Yes
We recommend that the Chief Information Officer require OCIO to— ·Improve the existing DLP policies and processes to ensure they cover more formats of sensitive Department data or look for other solutions to safeguard the Department’s sensitive data.
2.6	Open	Yes
We recommend that the Chief Information Officer require OCIO to— ·Conduct a risk assessment of DLP capabilities to identify limitations and determine whether to accept risk via the annual Risk Acceptance process.
2.7	Open	Yes
We recommend that the Chief Information Officer require OCIO to— ·Conduct root-cause analysis of each incident prior to its closure.
2.8	Open	Yes
We recommend that the Chief Information Officer require OCIO to— ·Verify procedures for incident closure to ensure that incidents are supported with a valid justification and included a root-cause analysis.
2.9	Open	Yes
We recommend that the Chief Information Officer require OCIO to— ·Assess and revise incidents closed with TLS justification, especially those that transmitted unencrypted emails outside the external boundary.

Recommendation Number

Recommendation Status

Significant Recommendation

Additional Details

1.1

Open

Yes

We recommend that the Chief Information Officer require OCIO to— ·Ensure the Threat Actor Attribution policy is fully implemented and procedures are in place to verify compliance with Federal rules, regulations, and mandates.

2.1

Open

Yes

We recommend that the Chief Information Officer require OCIO to— ·Establish and execute a plan to periodically monitor IR plan compliance for third-party vendor SER requirements.