The U.S. Department of Education’s Federal Information Security Modernization Act of 2014 Report For Fiscal Year 2015

We found that the Department and FSA made progress in strengthening its information security programs; however, weaknesses remained and the Department-wide information systems continued to be vulnerable to security threats. Specifically, we found that the Department was not generally effective in 4 of the 10 security areas reviewed—continuous monitoring, configuration management, incident response and reporting, and remote access management. Although we determined that the Department’s and FSA’s information technology security programs were generally effective in key aspects of three metric areas—risk management, security training, and contingency planning—we also noted that improvements were still needed in these areas. For the Department and FSA’s plan of action and milestones process, wedetermined that if implemented as intended, it should be effective. We also determined that the Department’s identity and accessmanagement programs and practices would be generally effective if implemented properly but that the Department’s controls overaccess to FSA’s mainframe environment need improvement.