Our FY 2012 Federal Information Security Management Act of 2002 (FISMA) review found that the Department had made progress in addressing issues identified in previous FISMA reviews. Specifically, it was compliant in 3 of the 11 reporting metrics: continuous monitoring, contractor systems, and security capital planning. However, we found that 6 of the 11 security control areas we reviewed—risk management, configuration management, remote access management, identity and access management, security training, and contingency planning—contained repeat or modified findings from OIG and contractor reports issued during the prior 3 years. The remaining two metric areas—incident response and reporting, and plan of action and milestones—contained new findings. Without adequate management, operational, and technical security controls in place, the Department’s systems and information are vulnerable to attacks that could lead to a loss of confidentiality and to a loss of integrity resulting from data modification or limited availability of systems. In addition to recommendations we made in the FY 2011 FISMA report, we made 22 new recommendations to assist the Department in establishing and sustaining an effective information security program.
Submitting OIG: Department of Education OIG
Other Participating OIGs: Department of Education OIG
Agencies Reviewed/Investigated: Department of Education
Components: Office of Chief Information Officer
Report Number: A11M0003
Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 22
Questioned Costs: $0
Funds for Better Use: $0