Federal student aid data isn't secure, IG says

IG makes seven recommendations to improve information security

The Education Department falls short on security for the computer systems that handle millions of students’ personal and financial information in the Federal Student Aid program, according to a new audit report from the department's inspector general.

The Federal Student Aid (FSA) program, which manages about $69 billion a year, holds college students’ personally identifiable information and financial data. Although the audit does not say that any breaches affecting that personal information took place, it does indicate that FSA's practices are putting that data at risk.

The IG's office made eight findings of lax security practices -- especially in the certification and accreditation process -- in the student aid systems, according to the report released Oct. 13. A redacted version was published on the IG's Web site.

“The FSA Chief Operating Officer and the Department Chief Information Officer must improve security controls over the certification and accreditation process for information systems to adequately protect the confidentiality, integrity and availability of department systems and the data residing in the systems,” Charles Coe, the department's assistant inspector general, wrote in the report.

Education officials generally agreed with the findings and recommendations. They stated that the recommended actions have either been enacted or are being worked on. In 2006, the department installed a new data center to improve its workflow.

The audit found that the FSA did not properly review system security plans before certification and accreditation, didn't effectively manage interconnection agreements, didn't have controls in place to manage authorizations to operate, didn't have proper controls in place to continuously monitor system documentation, and didn't properly conduct vulnerability scanning.

The FSA needs to improve contingency planning and controls over privacy impact assessments, and needs to update certification and accreditation procedures to incorporate the Office of Management and Budget’s guidance regarding interim authorizations to operate, the report stated.

Because those authorizations were allowed, Education's systems were operating with identified security deficiencies and were susceptible to potential threats and vulnerabilities. It is important that those risks and deficiencies be resolved immediately, rather than mitigated over months or handled by issuing interim authorizations, the audit stated.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
