Report File
Date Issued
Submitting OIG
Department of Education OIG
Other Participating OIGs
Department of Education OIG
Agencies Reviewed/Investigated
Department of Education
Components
Office of Chief Information Officer
Report Number
I22IT0066
Report Description

Our objective was to assess the U.S. Department of Education’s (Department) progress at improving the maturity of its security program and practices as required by the Federal Information Security Modernization Act of 2014 (FISMA).

We made 77 recommendations to improve the Department's cybersecurity posture in our FYs 2019, 2020, and 2021 reports. At the start of our fieldwork, there were 29 closed and 48 open recommendations. In FY 2022, we reviewed 38 open recommendations and found the Department took action to close 28 recommendations, with 10 remaining open. Additionally, there were another 10 open recommendations that were scheduled for implementation after the close of our fieldwork.

At the completion of our FY 2022 inspection, out of 77 recommendations, 57 were closed and 20 remained open.

To answer this objective, we rated the Department’s performance in accordance with OMB’s guidance on the 20 metric areas required for FY 2022. These metrics represent 20 of the 66 metrics that were used to assess the Department’s effectiveness for FY 2021. In September 2020, revision 5 of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations was issued. Usually, a 1-year period is allowed for implementation of the new requirements. With the removal of 46 metric questions, for FY 2022, we were not able to test if the Department implemented these new requirements for these questions.

Report Type
Inspection / Evaluation
Agency Wide
Yes
Number of Recommendations
10
Questioned Costs
$0
Funds for Better Use
$0

Department of Education OIG

United States