Inspector General: FSA Did Not Correctly Implement Contractor Security Screening, Information May Be ‘Vulnerable’

By Allie Bidwell, NASFAA Senior Reporter

The Department of Education (ED) office charged with handling the data for millions of financial aid recipients and overseeing the distribution of billions of dollars in federal student aid each year did not effectively implement agency requirements for the security screening process for contracted employees, a new report from ED’s Office of Inspector General (OIG) found.

The 54-page final audit report released last week found that Federal Student Aid (FSA) staff and officials involved in the security screening process “were generally unaware of [ED] requirements and their related responsibilities for processing contractor employees’ security screenings.” OIG listed a number of areas in which FSA’s security screening process is weak, including the lack of written internal policies and procedures, flaws in designating contract positions and risk levels, notification and maintenance of security screening decisions, and contractor employee departure proceedings. As a result, the report said, there could be contracted employees working at FSA without the proper security screenings.

OIG specifically chose to review FSA, it said in the report, because its contracts involve systems that access “a considerable amount” of sensitive personally identifiable information, and have many contracted employees that require security screenings at the “high risk” level. OIG selected the five FSA contracts with the highest dollar value, including a sample of 110 contracted employees assigned to those contracts.

OIG selected the two highest-funded Title IV Additional Servicing (TIVAS) contracts (one with Navient and another with Great Lakes Educational Loan Services) and the next three highest-funded non-TIVAS contracts. Those contracts included a private collection agency, the contract for the Debt Management Collection System, and the contract for FSA’s Virtual Data Center, which hosts FSA systems that process federal financial aid applications, provide institutions and lenders with eligibility determinations, and support “payments from and repayment to lenders.”

“The Department’s information and systems might be vulnerable to unauthorized access, inappropriate disclosure, and abuse by contractor employees who may not meet security standards, including those in positions with the potential for moderate to serious impact on the efficiency of the Department,” the report said.

In its response, ED said it has found no evidence “of such disclosures or abuse” and is moving forward to address the concerns within the report.

One particular weakness the OIG report highlighted was the fact that FSA had not developed internal written policies and procedures to comply with an agency directive that outlines the key duties for certain FSA staff, and the requirements of the contract positions, risk designation, and other procedures. While FSA does have a manual for the security screening process, it does not outline requirements for the process, duties of FSA staff, and other information. Rather, it primarily focuses on the administrative steps to take during the screening process such as the required forms and directions for contracted companies and employees to follow through the application process.

The report also noted that the manual has not been updated since it was released in 2012, despite the fact that some elements of the screening process have changed since that time. An FSA staff member told OIG that the manual had not been updated “due to a lack of time and resources.”

OIG also found that FSA is not itself developing contract position lists or assigning risk levels for those positions, and is instead relying on the contractors to determine their positions and risk levels “without any further review of the adequacy of these determinations.”

FSA concurred with OIG’s recommendations to address those weaknesses and will continue to work with other parts of ED to ensure its policies and procedures comply with the agency directive.

OIG did find, however, that the majority of the 110 contracted employees — 87 employees, or 79 percent — did have an appropriate security screening completed. Overall, 18 employees (16 percent) did not have evidence of an appropriate screening, and four of those contracted employees were in “high risk” positions. For each of those 18 employees, OIG found that a screening had at least been initiated, but that there was “insufficient evidence” that one had been completed. Most of the employees (15, including the four at a high-risk level) had a completed background investigation, but for two there was no evidence of a completed background investigation. The one remaining employee had a background investigation completed, but at a lower risk level than was necessary. Of those 18 employees, four were working on their contracts without appropriate security screening for more than two years.

The report also found that FSA was not denying high-risk level access to some IT systems or other information before the contracted employees completed their preliminary security screenings. OIG found that 30 of 45 contracted employees on three contracts were given high-level access before completing their preliminary screenings.

“Further, FSA alerted us to the fact that three foreign national contractor employees were allowed to work with High Risk level access to IT systems under one of the contracts we reviewed for a period of [eight] months without an appropriate screening and appropriate documentation and approval,” the report said. FSA became aware of that error when the company asked for waivers for the employees, and then requested to remove access for those employees. FSA later found, however, that two of those employees continued to access the system “under different contractor employee logins, still without an appropriate security screening initiated or completed.” Those two employees were subsequently removed from the contract.

“We determined that FSA does not have proper controls in place over the access being granted to IT systems or Department sensitive or Privacy-Act protected information,” the report said. “As noted above, we have found that this process lacks formality in the sense that no one involved in the process is taking ownership of their role in the process and there is confusion over who is responsible for what.”
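The control failures described above (high-risk access granted before a screening was completed, a screening completed at a lower risk level than the position required, and a departed contractor continuing to use a different login) are the kind of gaps an access-reconciliation check can surface. The following is an added example, not code from the OIG report, FSA, or ED: it assumes a hypothetical export of screening records and system access grants with the fields shown, and flags each grant that is not backed by a completed screening at or above the position's risk level, or that remains active after the person left the contract.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Risk labels and their ordering are assumptions for this example.
RISK_RANK = {"LOW": 0, "MODERATE": 1, "HIGH": 2}


@dataclass
class Screening:
    """One contractor employee's security screening record (assumed schema)."""
    employee_id: str
    required_level: str            # risk level of the position
    initiated: Optional[date]      # None if never started
    completed: Optional[date]      # None if not finished
    completed_level: Optional[str] # level the finished screening actually covered


@dataclass
class AccessGrant:
    """One login's access to one system (assumed schema)."""
    employee_id: str
    login: str
    system: str
    risk_level: str   # risk level the access carries
    granted: date
    active: bool


def reconcile(screenings: List[Screening],
              grants: List[AccessGrant],
              departed: Set[str]) -> List[Tuple[str, str]]:
    """Return (login, finding_code) pairs for every grant that fails a check.

    Checks, in order, per grant:
      1. the employee has a screening record with a completion date;
      2. the access was granted on or after the completion date;
      3. the completed screening covers the risk level of the access;
      4. no login stays active for an employee who has left the contract.
    """
    by_employee: Dict[str, Screening] = {s.employee_id: s for s in screenings}
    findings: List[Tuple[str, str]] = []

    for g in grants:
        s = by_employee.get(g.employee_id)
        if s is None or s.completed is None:
            # Covers both "no record at all" (e.g. an unmapped login) and
            # "initiated but never finished".
            findings.append((g.login, "ACCESS_WITHOUT_COMPLETED_SCREENING"))
        elif g.granted < s.completed:
            findings.append((g.login, "ACCESS_BEFORE_SCREENING_COMPLETED"))
        elif RISK_RANK[s.completed_level or "LOW"] < RISK_RANK[g.risk_level]:
            findings.append((g.login, "SCREENING_LEVEL_BELOW_ACCESS"))

        if g.active and g.employee_id in departed:
            findings.append((g.login, "ACTIVE_LOGIN_AFTER_DEPARTURE"))

    return findings


# Constructed sample data; employee ids, logins and dates are invented.
SAMPLE_SCREENINGS = [
    Screening("E1", "HIGH", date(2016, 12, 1), date(2017, 1, 10), "HIGH"),
    Screening("E2", "HIGH", date(2016, 6, 1), None, None),
    Screening("E3", "HIGH", date(2017, 1, 2), date(2017, 3, 15), "HIGH"),
    Screening("E4", "HIGH", date(2017, 1, 5), date(2017, 2, 1), "MODERATE"),
    Screening("E5", "HIGH", date(2015, 11, 1), date(2016, 1, 1), "HIGH"),
]

SAMPLE_GRANTS = [
    AccessGrant("E1", "e1.a", "servicing-db", "HIGH", date(2017, 2, 1), True),
    AccessGrant("E2", "e2.a", "servicing-db", "HIGH", date(2016, 7, 1), True),
    AccessGrant("E3", "e3.a", "servicing-db", "HIGH", date(2017, 1, 5), True),
    AccessGrant("E4", "e4.a", "servicing-db", "HIGH", date(2017, 2, 10), True),
    AccessGrant("E5", "e5.a", "servicing-db", "HIGH", date(2016, 2, 1), True),
    # A login whose employee id has no screening record at all.
    AccessGrant("E9", "tmp.login", "servicing-db", "HIGH", date(2017, 4, 1), True),
]

SAMPLE_DEPARTED = {"E5"}


def run_sample() -> List[Tuple[str, str]]:
    """Run the reconciliation over the constructed sample and return findings."""
    return reconcile(SAMPLE_SCREENINGS, SAMPLE_GRANTS, SAMPLE_DEPARTED)


if __name__ == "__main__":
    for login, code in run_sample():
        print(f"{login}: {code}")
```

The check is deliberately written against the grant list rather than the screening list: a person can only slip through on an account that actually exists, so every login must be explained by a completed screening, and an account that no screening record explains (the `tmp.login` case) is itself a finding rather than something silently skipped.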

OIG added in the report that broadly, FSA could not give an adequate explanation as to why high-level access was given to contracted employees before receiving confirmation that they had completed security screenings.

“Based on our findings, it appears there may have been instances of unauthorized access to Department information and systems,” the report said.

FSA told OIG that as of May 10, 2017, it had convened a task force to analyze the current process and develop an improved one.

In response to the report, Acting Under Secretary of Education James Manning wrote to OIG that FSA has “taken a number of steps to strengthen the contractor personnel security clearance process not only within [FSA], but also within the Department as a whole.”

But Manning also warned that delays in security screenings can come with costs.

“While the Department takes these findings very seriously, we need to also acknowledge that the extended delays in background investigations and the limitations on system access based on such delayed background investigations for contractors can result in fewer contractors being available to achieve expected operational or developmental requirements,” Manning wrote. “In turn, these unexpected delays and resource limitations may result in the need for millions of dollars in additional funding for project implementations, reductions in customer service for contact center operations, or risks of operational failures due to fewer properly skilled resources available for systems operations and maintenance.”

Publication Date: 4/23/2018


Michelle C | 4/23/2018 1:24:40 PM

So the excuse for not having an updated manual for policies and procedures since 2012 was a lack of time and resources -(almost spit out my coffee when I read that) good to know - we can only hope that this kind of finding breeds a little humility and understanding for what the rest of us have to deal with (it likely won't but a nice thought!). As for data security - I feel for the good people working at the Dept of Education doing the best they can but given what the entire country just had to deal with for about a year from that awful PTAC "guidance" and the scholarship permission mess I refer to the age old saying (modified) "Pot meet Kettle"

Keena F | 4/23/2018 11:17:05 AM

That's interesting!
