Skip to main content
Report File
Date Issued
Submitting OIG
Department of Education OIG
Other Participating OIGs
Department of Education OIG
Agencies Reviewed/Investigated
Department of Education
Report Number
A23IT0118
Report Description

The Federal Information Security Modernization Act (FISMA) requires OIGs to annually assess the effectiveness of the agency’s information security program. Each independent evaluation must include a test of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency’s information systems and an assessment of the effectiveness of the information security policies, procedures, and practices of the agency. The FY 2023 FISMA review focused on 20 core and 20 supplemental reporting metrics identified by OMB, using criteria developed by the CIGIE and issued by OMB. Using this framework, we assessed the effectiveness of each security function using maturity level scoring as follows: (1) Ad-hoc, (2) Defined, (3) Consistently Implemented, (4) Managed and Measurable, and (5) Optimized. Level 1, Ad-hoc, is the lowest maturity level and Level 5, Optimized, is the highest maturity level. For a security function to be considered effective, an agency’s security programs must score at or above Level 4, Managed and Measurable. The auditors determined that the Department’s overall IT security program and practices are effective. In addition, the auditors identified potential areas of improvement involving (1) managing information security risks; (2) two-factor authentication enforcement; (3) implementing access provisioning controls for privileged users; and (4) implementing event logging requirements at the enterprise level.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
6
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 6 open recommendations.
Recommendation Number Significant Recommendation Recommended Questioned Costs Recommended Funds for Better Use Additional Details
1.1 Yes $0 $0

The auditors recommend that Chief Information Officer require the Department and FSA to take immediate correctiveactions to implement enhanced monitoring procedures to allow for timely review of system authorization packages andappropriate authorization prior to submission into CSAM.

3.1 Yes $0 $0

The auditors recommend that the Chief Information Officer require the Department to develop and implement an effectivequality control review process for its policies and procedures.

4.1 Yes $0 $0

The auditors recommend that the Chief Information Officer require the Department and Federal Student Aid to takeimmediate corrective actions to remove users from the PIV exempt list.

4.2 Yes $0 $0

The auditors recommend that the Chief Information Officer require the Department to take immediate corrective actions forestablishing quality control policies, procedures, and additional processes to ensure that user onboarding, elevated andnon-elevated user access forms are properly completed, tracked, and maintained for records.

4.3 Yes $0 $0

The auditors recommend that the Chief Information Officer require that the Department and FSA to take immediatecorrective actions to ensure appropriate resources and funding are available and dedicated to complete implementation ofthe required EL1 and EL2 event logging maturities.

5.1 Yes $0 $0

The auditors recommend that the Chief Information Officer require the Department to update Department PIA processes,quality control procedures, and monitoring controls to validate, track, and enforce the timely completion and review ofPIAs.

Department of Education OIG

United States