Federal student aid data isn't secure, IG says

IG makes seven recommendations to improve information security

The Education Department falls short on security for the computer systems that handle millions of students’ personal and financial information in the Federal Student Aid program, according to a new audit report from the department's inspector general.

The Federal Student Aid (FSA) program, which manages about $69 billion a year, holds college students’ personally identifiable information and financial data. Although the audit does not say that any breaches affecting that personal information took place, it does indicate that FSA's practices are putting that data at risk.

The IG's office made eight findings of lax security practices -- especially in the certification and accreditation process -- in the student aid systems, according to the report released Oct. 13. A redacted version was published on the IG's Web site.

“The FSA Chief Operating Officer and the Department Chief Information Officer must improve security controls over the certification and accreditation process for information systems to adequately protect the confidentiality, integrity and availability of department systems and the data residing in the systems,” Charles Coe, the department's assistant inspector general, wrote in the report.

Education officials generally agreed with the findings and recommendations. They stated that the recommended actions have either been enacted or are being worked on. In 2006, the department installed a new data center to improve its workflow.

The audit found that the FSA did not properly review system security plans before certification and accreditation, didn't effectively manage interconnection agreements, didn't have controls in place to manage authorizations to operate, didn't have proper controls in place to continuously monitor system documentation, and didn't properly conduct vulnerability scanning.

The FSA needs to improve contingency planning and controls over privacy impact assessments, and it needs to update certification and accreditation procedures to incorporate the Office of Management and Budget’s guidance regarding interim authorizations to operate, the report stated.

Because those interim authorizations were allowed, Education's systems were operating with identified security deficiencies and were susceptible to potential threats and vulnerabilities. It is important that those risks and deficiencies be resolved immediately, rather than taking months to mitigate them or issuing interim authorizations, the audit stated.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
