Our objective was to determine whether the U.S. Department of Education’s (Department) and Federal Student Aid’s (FSA) overall information technology security programs and practices were effective as they relate to Federal information security requirements. The Fiscal Year 2018 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics (FY 2018 IG FISMA Metrics) are grouped into five cybersecurity framework security functions that have a total of eight metric domains. Per the FY 2018 IG FISMA Metrics, we found the Department and FSA were not effective in any of the five security functions—Identify, Protect, Detect, Respond, and Recover. We also identified findings in all eight metric domains, of which seven are repeat findings.
Date Issued
Submitting OIG: Department of Education OIG
Other Participating OIGs: Department of Education OIG
Agencies Reviewed/Investigated: Department of Education
Components: Office of Deputy Secretary
Report Number: A11S0001
Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 45
Questioned Costs: $0
Funds for Better Use: $0