Federal Information Security Modernization Act of 2014 (FISMA) Audit of the U.S. Department of Education’s Information Security Program and Practices for Fiscal Year 2025

The objective of the FY 2025 Federal Information Security Modernization Act (FISMA) audit was to determine whether the U.S. Department of Education’s (Department) overall information technology (IT) security program and practices are effective as they relate to Federal information security requirements. To determine the effectiveness of the Department’s information security program, the audit team utilized the FY 2025 Inspector General FISMA reporting metrics, which required that an independent assessor evaluate core and supplemental reporting metrics identified by the Office of Management and Budget. To properly conclude on the effectiveness of the Department’s information security program and practices, a rotational strategy was used to select five in-scope systems not evaluated in the previous year’s audit. Overall, the audit team found that the Department’s information security programs and practices were effective supporting the five in-scope systems, as nine out of 10 FISMA domains were effective, and one FISMA domain was not effective. Additionally, a total of 16 conditions were identified and 5 recommendations were made across the ten FISMA domains indicating potential areas of improvement for the Department.