Federal student aid data isn't secure, IG says

IG makes seven recommendations to improve information security

The Education Department falls short on security for the computer systems that handle millions of students’ personal and financial information in the Federal Student Aid program, according to a new audit report from the department's inspector general.

The Federal Student Aid (FSA) program, which manages about $69 billion a year, holds college students’ personally identifiable information and financial data. Although the audit does not say that any breaches affecting that personal information took place, it does indicate that FSA's practices are putting that data at risk.

The IG's office made eight findings of lax security practices -- especially in the certification and accreditation process -- in the student aid systems, according to the report released Oct. 13. A redacted version was published on the IG's Web site.

“The FSA Chief Operating Officer and the Department Chief Information Officer must improve security controls over the certification and accreditation process for information systems to adequately protect the confidentiality, integrity and availability of department systems and the data residing in the systems,” Charles Coe, the department's assistant inspector general, wrote in the report.

Education officials generally agreed with the findings and recommendations. They stated that the recommended actions have either been enacted or are being worked on. In 2006, the department installed a new data center to improve its workflow.

The audit found that the FSA did not properly review system security plans before certification and accreditation, didn't effectively manage interconnection agreements, didn't have controls in place to manage authorizations to operate, didn't have proper controls in place to continuously monitor system documentation, and didn't properly conduct vulnerability scanning.

The FSA needs to improve contingency planning, improve controls over privacy impact assessments, and update certification and accreditation procedures to incorporate the Office of Management and Budget’s guidance regarding interim authorizations to operate, the report stated.

Because those authorizations were allowed, Education's systems were operating with identified security deficiencies and were susceptible to potential threats and vulnerabilities. It is important that those risks and deficiencies be resolved immediately rather than taking months to mitigate or being handled by issuing interim authorizations, the audit stated.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
