Report File
Date Issued
Submitting OIG
Department of Education OIG
Other Participating OIGs
Department of Education OIG
Agencies Reviewed/Investigated
Department of Education
Components
Office of Chief Information Officer
Report Number
A11U0001
Report Description

Although the Department had several notable improvements in implementing its cybersecurity initiatives, its overall IT security programs and practices were not effective in all of the five security functions. We had findings in all eight metric domains, which included findings with the same or similar conditions identified in prior reports. Specifically, we found that the Department can strengthen its controls in areas such as: (1) Risk Management: remediation process for its Plan of Action and Milestones; enterprise supply chain assessment strategy; IT inventory reporting; and required IT security clauses for its contracts; (2) Configuration Management: use of unsecure connections and appropriate application connection protocols; and reliance on unsupported operating systems, databases, and applications in its production environments; (3) Identity and Access Management: removing access of terminated users to the Department’s network and database management; and (4) Incident Response: timely reporting of incidents; and ensuring data loss prevention tools work accordingly. Until the Department improves in these areas, it cannot ensure that its overall information security program adequately protects its systems and resources from compromise and loss.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
24
Questioned Costs
$0
Funds for Better Use
$0

Department of Education OIG

United States