The objective of the FY 2025 Federal Information Security Modernization Act (FISMA) audit was to determine whether the U.S. Department of Education’s (Department) overall information technology (IT) security program and practices are effective as they relate to Federal information security requirements. To determine the effectiveness of the Department’s information security program, the audit team used the FY 2025 Inspector General FISMA reporting metrics, which require an independent assessor to evaluate the core and supplemental reporting metrics identified by the Office of Management and Budget. To properly conclude on the effectiveness of the Department’s information security program and practices, a rotational strategy was used to select five in-scope systems that were not evaluated in the previous year’s audit. Overall, the audit team found that the Department’s information security program and practices were effective in supporting the five in-scope systems: nine of the 10 FISMA domains were effective, and one FISMA domain was not effective. Additionally, a total of 16 conditions were identified and 5 recommendations were made across the 10 FISMA domains, indicating potential areas of improvement for the Department.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1.1 | Yes | $0 | $0 | The auditors recommend that the Chief Information Officer require the Department to enhance its existing standardized processes to ensure that planned remediation activities addressing gaps are clearly documented.
1.2 | Yes | $0 | $0 | The auditors recommend that the Chief Information Officer require the Department to enhance its existing process to ensure that changes to system operational status are made accurately and in a timely manner in both the Governance, Risk, and Compliance Tool (GRCT) and the Cybersecurity Framework (CSF) Risk Scorecard.
2.1 | Yes | $0 | $0 | The auditors recommend that the Chief Information Officer require the Department to enhance its existing processes to ensure that updates to the Digital Identity Acceptance Statement (DIAS) are correctly made in the Governance, Risk, and Compliance Tool (GRCT).
2.2 | Yes | $0 | $0 | The auditors recommend that the Chief Information Officer require the Department to ensure that stronger mechanisms are implemented to consistently enforce its process for revoking privileged network access upon employee termination in a timely manner.
2.3 | Yes | $0 | $0 | The auditors recommend that the Chief Information Officer require Federal Student Aid to develop and implement a process for properly creating, approving, and granting appropriate access to Department FIGMA for Government (EDFIGMA) users with privileged roles.