Date Issued
Submitting OIG
Department of Education OIG
Other Participating OIGs
Department of Education OIG
Agencies Reviewed/Investigated
Department of Education
Components
Office of Chief Information Officer
Report Number
A11N0001
Report Description

Our FY 2013 FISMA review found that the Department had made progress in remediating issues identified in previous FISMA reviews. Specifically, it complied with 4 of the 11 reporting metrics: continuous monitoring, plan of action and milestones, contractor systems, and security capital planning. However, we found deficiencies with the remaining seven reporting metrics—configuration management, identity and access management, incident response and reporting, risk management, security training, remote access management, and contingency planning—many of which were repeat or modified findings from OIG reports issued over the last several years. Without adequate management, operational, and technical security controls in place, the Department’s systems and information are vulnerable to attacks that could lead to a loss of confidentiality and to a loss of integrity resulting from data modification or limited availability of systems. In addition to reiterating recommendations made in our FY 2012 FISMA report, we made 23 new recommendations to help the Department establish and sustain an effective information security program that complies with FISMA, Office of Management and Budget, and National Institute of Science and Technology requirements.

Report Type
Audit
Number of Recommendations
21
Questioned Costs
$0
Funds for Better Use
$0

Department of Education OIG

United States