U.S. Department of Education: Information Security Review

Full House Committee on Oversight and Government Reform
Hearing Date: November 17, 2015 10:00 am 2154 Rayburn House Office Building

TAKEAWAYS:
• The Department of Education (DoEd) has at least 139 million unique social security numbers in its Central Processing System (CPS).
• Reminiscent of OPM’s dangerous behavior, DoEd is not heeding repeat warnings from the Inspector General (IG) that their information systems are vulnerable to security threats.
o In the IG’s latest report, there were 6 repeat findings and 10 repeat recommendations.
o The Department scored NEGATIVE 14% on the OMB CyberSprint for total users using strong authentication
o The Department received an “F” on the FITARA scorecard
• The Department maintains 184 information systems.
120 are managed by outside contractors
o 29 are valued by the Office of Management and Budget (OMB) as “high asset”
• The National Student Loan Database (NSLD) houses significant loan borrower information. There are 97,000 accounts/users with access to this significant data yet only 5,000, less than 20%, have undergone a background check to establish security clearance.
o The IG penetrated DoEd systems completely undetected by both the CIO or contractor
• The Department needs significant improvement in four key security areas:
o Continuous monitoring
o Configuration management
o Incident response and reporting
o Remote access management

PURPOSE:
• To examine information security at the U.S. Department of Education, including the Agency’s efforts to secure the personally-identifiable information (PII) provided by federal student aid applicants and their parents.
• To review recent findings of the U.S. Government Accountability Office and the Department’s Inspector General (IG).

BACKGROUND:
• The U.S. Department of Education is responsible for managing the portfolio of over 40 million federal student loan borrowers holding over $1.18 trillion in outstanding debt obligations. The Department also manages other student aid programs, such as the Pell Grant program that annually serves 8.3 million students. These programs often require applicants and their parents to provide the Department with their PII.
• In FY2014, the IG found that, “While the Department made progress in strengthening its information security program, many longstanding weaknesses remain and the Department’s information systems continue to be vulnerable to serious security threats.”

KEY VIDEOS:

Chairman Chaffetz (R-UT):
“Here they’re managing more than $1 trillion dollars in assets, liability for the United States, it’s basically the size of Citibank and the CIO meets with the Secretary maybe twelve times a year. That’s absolutely stunning. And looking at the vulnerability of almost half of the population of the United States of America has their personal information sitting in this database which is not secure.”

Rep. Jody Hice (R-GA):
“How in the world can you give yourself a 7 out of 10 when you’re using technology that isn’t even supported?…When can we expect the system to be secure?…This is an issue, Mr. Chairman, that hits every district in this country.”

Rep Will Hurd (R-TX):
“IG reports show that since 2011 there was no mechanism to restrict the use of unauthorized devices on the network. Having the ability to find devices on your network, does it really take four years to figure that out?…To implement controls on 6000 users should not take four years… This is completely unacceptable. This is the kind of issue that the American people are completely frustrated with.”

Witnesses and testimonies

Name Title Organization Panel Document
Mr. Greg Wilshusen Director, Information Security Issues U.S. Government Accountability Office Document
The Honorable Kathleen S. Tighe Inspector General U.S. Department of Education Document
Mr. Danny A. Harris Chief Information Officer U.S. Department of Education Document

Related Documents

Name Document
FY 2015 Cybersecurity Sprint Results Document
Dept. of Education FITARA Implementation Scorecard Document
Transcript