Federal student aid data isn't secure, IG says

IG makes seven recommendations to improve information security

The Education Department falls short on security for the computer systems that handle millions of students’ personal and financial information in the Federal Student Aid program, according to a new audit report from the department's inspector general.

The Federal Student Aid (FSA) program, which manages about $69 billion a year, has college students’ personally identifiable information and financial data. Although the audit does not say any breaches that affect that personal information took place, it does indicate that FSA's practices are putting that data at risk.

The IG's office made eight findings of lax security practices -- especially in the certification and accreditation process -- in the student aid systems, according to the report released Oct. 13. A redacted version was published on the IG's Web site.

“The FSA Chief Operating Officer and the Department Chief Information Officer must improve security controls over the certification and accreditation process for information systems to adequately protect the confidentiality, integrity and availability of department systems and the data residing in the systems,” Charles Coe, the department's assistant inspector general, wrote in the report.

Education officials generally agreed with the findings and recommendations. They stated that the recommended actions have either been enacted or are being worked on. In 2006, the department installed a new data center to improve its workflow.

The audit found that the FSA did not properly review system security plans before certification and accreditation, didn't effectively manage interconnection agreements, didn't have controls in place to manage authorizations to operate, didn't have proper controls in place to continuously monitor system documentation, and didn't properly conduct vulnerability scanning.

The FSA needs to improve contingency planning and needs to improve controls over privacy impact assessments and also needs to update certification and accreditation procedures to incorporate the Office of Management and Budget’s guidance regarding interim authorizations to operate, the report stated.

By allowing those authorizations, Education's systems were operating with identified security deficiencies and were susceptible to potential threats and vulnerabilities. It is important that those risks and deficiencies are resolved immediately rather than taking months to mitigate, or by issuing interim authorizations, the audit stated.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.