The U.S. Department of Education’s Federal Information Security Modernization Act of 2014

Our objective was to determine whether the U.S. Department of Education’s (Department) overall information technology (IT) security programs and practices were effective as they relate to Federal information security requirements.The Department made several improvements in implementing its cybersecurity posture. In FY21 the Department improved in three functional areas and three metric areas from Level 2 Defined to Level 3 Consistently Implemented.However, its overall IT security programs and practices were not effective in all the five security functions. We had findings in four of the nine metric domains, which included findings with the same or similar conditions identified in prior reports, as well as open findings from previous years where the corrective action plan was not completed.Although the Department made considerable progress in strengthening its information security programs, we found areas needing improvement in all nine metric domains.