By Owen Daugherty, NASFAA Staff Reporter
While the Department of Education (ED) has made progress in recent years with meeting its cybersecurity initiatives, it still has much room for improvement, according to a recent report from ED’s Office of Inspector General (OIG).
The report, published last week, aimed to measure how ED is meeting the standards laid out in the Federal Information Security Modernization Act of 2014 (FISMA), which included reporting metrics for federal agencies.
The eight metrics are grouped into five cybersecurity framework functions, and the OIG report noted ED’s “overall IT security programs and practices were not effective in all of the five security functions.”
OIG’s report rated the effectiveness of ED’s security for each metric on a 1-5 scale and found that while the department did not score a level 1 (Ad Hoc) in any category, it also failed to exceed a level 3 (consistently implemented) in any category. In most metrics, ED was rated at level 2 (defined, but not consistently implemented) or level 3.
“Although [ED] made considerable progress in strengthening its information security programs, we found areas needing improvement” in each category, according to the report.
Notably, OIG found that ED can strengthen its processes in areas including risk management, configuration management, identity and access management, and incident response.
“Until [ED] improves in these areas, it cannot ensure that its overall information security program adequately protects its systems and resources from compromise and loss,” the report states.
As for ED’s and Federal Student Aid’s (FSA) websites, the report found both contain outdated protocols that leave them susceptible to cyberattacks.
“Until the [ED] and FSA ensure that all secure connections are configured to use secure encryption protocols, systems could be vulnerable to attacks that may lead to potential exposure of sensitive data and compromise confidentiality and integrity of departmental data,” the report stated.
As part of FSA’s five-year strategic plan released last month, it identified strengthening its data protection and implementing cybersecurity safeguards as a key goal. FSA pointed to the growing volume of data it collects as a factor that increases its exposure to future cyberattacks.
Objectives detailed in the plan call for protecting borrowers who interact with FSA’s website by bolstering the IT system security and providing cybersecurity assistance to institutions. Reported cybersecurity breaches by institutions have increased exponentially in recent years, according to FSA.
The OIG report did acknowledge work on the part of both ED and FSA to address the concerns raised in previous audits, finding that as of July, they had completed corrective actions for 16 of the 37 previously issued recommendations.
ED and FSA are both expected to complete any remaining corrective actions by the end of fiscal year 2021, with the exception of one recommendation where an extension was issued.
However, the report indicated that several concerns it highlighted were the same as ones identified over the past three years.
Overall, the report issued 24 recommendations — eight of which are repeat recommendations — “to assist the [ED] with increasing the effectiveness of its information security programs.” In response to a draft of the report, ED agreed or partially agreed with 21 of the 24 recommendations.
Publication Date: 11/6/2020