Date Issued
Submitting OIG: Department of Education OIG
Other Participating OIGs: Department of Education OIG
Agencies Reviewed/Investigated: Department of Education
Components: Office of Deputy Secretary
Report Number: A11T0002
Report Description

Open Recommendations

This report has 37 open recommendations.
Each recommendation is listed with its number, whether it is a significant recommendation, the recommended questioned costs, and the recommended funds for better use, followed by the recommendation text.

Recommendation 3.1 (Significant Recommendation: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary and Chief Operating Officer require OCIO and FSA to incorporate additional measures to, at a minimum, achieve Level 3 Consistently Implemented status of the Identity and Access Management program.

Recommendation 1.1 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary and Chief Operating Officer require that OCIO and FSA incorporate additional measures to, at a minimum, achieve Level 3 Consistently Implemented status of the Risk Management program.

Recommendation 1.2 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary and Chief Operating Officer require that OCIO and FSA ensure that POA&M remediation is performed within the required timeframe.

Recommendation 1.3 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary and Chief Operating Officer require that OCIO and FSA ensure that all POA&Ms are assigned to the required appropriate remediation official.

Recommendation 2.1 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary and Chief Operating Officer require that OCIO and FSA incorporate additional measures to, at a minimum, achieve Level 3 Consistently Implemented status of the Configuration Management program.

Recommendation 2.2 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary and Chief Operating Officer require that OCIO and FSA migrate to Transport Layer Security 1.2 or higher as the only connection for all Department connections.

Recommendation 2.3 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary and Chief Operating Officer require that OCIO and FSA review solutions to ensure that the default username and password have been changed.

Recommendation 2.4 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary require OCIO to ensure that 51 websites are routed through a trusted internet connection or managed trusted internet protocol service.

Recommendation 2.5 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary require OCIO to ensure that all existing websites and services are accessible through a secure connection as required by OMB M-15-13.

Recommendation 2.6 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Chief Operating Officer require FSA to discontinue the use of unsupported operating systems, databases, and applications.

Recommendation 2.7 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Chief Operating Officer require FSA to ensure that all websites and portals hosting personally identifiable information are configured not to display clear text.

Recommendation 2.8 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Chief Operating Officer require FSA to eliminate the use of Social Security numbers as an authentication element when logging into FSA websites by requiring the user to create a unique identifier for account authentication. (Repeat Recommendation FY 2018 & FY 2019)

Recommendation 2.9 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Chief Operating Officer require FSA to immediately correct or mitigate the vulnerabilities identified during the security assessment.

Recommendation 3.10 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Chief Operating Officer require FSA to create corrective action plans to remedy all database vulnerabilities identified.

Recommendation 3.2 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary and Chief Operating Officer require OCIO and FSA to ensure that terminated users' network access is removed timely.

Recommendation 3.3 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary and Chief Operating Officer require OCIO and FSA to ensure that access agreements for users accessing Department and FSA systems are documented and maintained. (Repeat Recommendation FY 2018 & FY 2019)

Recommendation 3.4 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary and Chief Operating Officer require OCIO and FSA to consistently document position risk designations for background investigations.

Recommendation 3.5 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary require OCIO to fully implement the Department's ICAM strategy to ensure that the Department meets full Federal government implementation of ICAM. (Repeat Recommendation FY 2018 & FY 2019)

Recommendation 3.6 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary require OCIO to ensure that the network access control solution is fully implemented to ensure identification and authentication of devices connected to the network.

Recommendation 3.7 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary require OCIO to validate the inactivity settings to ensure sessions time out after 30 minutes of inactivity.

Recommendation 3.8 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Chief Operating Officer require FSA to fully implement the process for identifying, managing, and tracking activity of privileged user accounts.

Recommendation 3.9 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Chief Operating Officer require FSA to enforce a two-factor authentication configuration for all user connections to systems and applications.

Recommendation 3.11 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Chief Operating Officer require FSA to require system owners to configure all websites to display warning banners when users log in to Departmental resources and ensure that banners include approved warning language by October 31, 2019.

Recommendation 4.1 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary and the Chief Operating Officer require OCIO and FSA to incorporate additional measures to, at a minimum, achieve Level 3 Consistently Implemented status of the Data Protection and Privacy program.

Recommendation 4.2 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary require OCIO to ensure that Privacy Impact Assessments are reviewed every 2 years.

Recommendation 5.1 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary require OCIO to incorporate additional measures to, at a minimum, achieve Level 3 Consistently Implemented status of the Security Training program.

Recommendation 5.2 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary require OCIO to ensure that all new users complete the mandatory training requirements before they receive access to Departmental systems.

Recommendation 5.3 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary and Chief Operating Officer require OCIO and FSA to ensure that the process for ensuring completion of role-based training is fully implemented.

Recommendation 6.1 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary and the Chief Operating Officer require OCIO and FSA to incorporate additional measures to, at a minimum, achieve Level 3 Consistently Implemented status of the ISCM program.

Recommendation 6.2 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary require OCIO to automate its capabilities for monitoring the effectiveness of security controls and the overall implementation of the ISCM Roadmap. (Repeat Recommendation FY 2018 & FY 2019)

Recommendation 6.3 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary require OCIO to ensure the completion of Phases 1 and 2 of the CDM program. (Repeat Recommendation FY 2018 & FY 2019)

Recommendation 6.4 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary require OCIO to implement a process that ensures data reported on the Cybersecurity Framework Risk Scorecard is accurate.

Recommendation 7.1 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary require OCIO to incorporate additional measures to, at a minimum, achieve Level 3 Consistently Implemented status of the Incident Response program.

Recommendation 7.2 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary require OCIO to ensure that incidents are consistently submitted to the OIG within the required timeframe.

Recommendation 7.3 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Deputy Secretary require OCIO to ensure that data loss prevention technologies work as intended for blocking the transmission of sensitive information.

Recommendation 8.1 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Chief Operating Officer require FSA to incorporate additional measures to, at a minimum, achieve Level 4 Managed and Measurable status of the Contingency Planning program.

Recommendation 8.2 (Significant Recommendation: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the Chief Operating Officer require FSA to ensure that contingency plans, and other artifacts impacting contingency plans, are documented and updated in a consistent and timely manner.