The Department’s Compliance with FITARA Requirements

The objective of our audit was to assess the U.S. Department of Education’s (Department) compliance with Federal Information Technology Acquisition Reform Act (FITARA) Chief Information Officer (CIO) authority enhancements and other selected requirements. We found improvements are needed in the Department’s compliance with CIO authority enhancements. Specifically, we found that the Department has fully implemented and documented in policy only 8 of the 17 CIO authority enhancements (47 percent). The Office of the Chief Information Officer was unable to provide evidence that 6 of the 17 CIO authority enhancements (35 percent) have been fully implemented and the Department’s policies and procedures did not fully address 5 of the 17 CIO authority enhancements (29 percent) at the time we began our audit fieldwork, although 3 authority enhancements were later documented in revised guidance.In addition, we found that improvements are needed in the Department’s process for ensuring transparency and risk management of IT resources. Specifically, we found that the Department has not correctly classified all major IT investments, has not consistently adhered to its process for assessing the risk of IT investments, and has not always conducted TechStat sessions of high risk major IT investments as required by FITARA.