Education Department faces tough criticism from Congress on its IT security

Wikimedia image: Department of Education.

The Department of Education has faced scrutiny from both sides of the congressional aisle over its failing FITARA grade.

The Education Department's CIO faced bipartisan scrutiny during a House hearing earlier this week on the department's failing score on implementing the Federal IT Acquisition Reform Act and its ability to protect its core systems from cyberattacks.

The Education Department houses data on some 40 million federal student loan borrowers and manages $1 trillion in assets connected to those loans. The sensitive personal information in the department's system includes about 139 million Social Security numbers.

The House Oversight and Government Reform Committee released scorecards in early November that graded agencies on their FITARA implementation efforts to date. Education received an F overall and an F in data center consolidation.

During the committee hearing, Republican and Democratic lawmakers pressed CIO Danny Harris on whether the agency's information systems are vulnerable to a data breach like the one at the Office of Personnel Management that exposed 22 million people's personal information. Harris defended the security of Education's information systems, saying, "As of today, I would rank it a 7. We're making great progress, but I would rank it a 7."

Harris also disputed the failing FITARA grade, saying his department is meeting many of the act's requirements. "I think we're very solid with FITARA," he said. "I actually think we should have gotten a C."

Committee members disagreed, especially with Harris' statement that the department had securely consolidated its data centers. Education has 184 information systems, 120 of which are run by contractors. Harris said the department directly controls just three data centers, but some lawmakers raised concerns about who is in charge of information systems that are contracted out and who is responsible for protecting the data they contain.

If you've got hundreds of...database centers under the care of contractors," Rep. Gerry Connolly (D-Va.) said. "[The Office of Management and Budget] may not count that technically as a Department of Education database center, but it's still in your charge."

Education Inspector General Kathleen Tighe testified that she and her team detected serious vulnerabilities in the department's IT systems during a simulated attack. She said they penetrated the department's systems and gained access to the Education Department Utility for Communications, Applications and Technical Environment -- the department's general support system -- without being detected by the IT staff or the contractor.

"We could have really done anything in there," Tighe said.

Harris said his department is working hard to resolve the issues and completely modernize all its IT systems by the end of fiscal 2016.

Rep. Jason Chaffetz (R-Utah), the Oversight Committee's chairman, said Harris should meet with Education Secretary Arne Duncan more than once a month.

"They're managing more than $1 trillion in assets...for the United States," Chaffetz said. "It's basically the size of Citibank, and the CIO meets with the secretary maybe 12 times a year. That's absolutely stunning.... Almost half of the population of the United States of America has their personal information sitting in this database, which is not secure."

About the Author

Bianca Spinosa is an Editorial Fellow at FCW.

Spinosa covers a variety of federal technology news for FCW including workforce development, women in tech, and the intersection of start-ups and agencies. Prior to joining FCW, she was a TV journalist for more than six years, reporting local news in Virginia, Kentucky, and North Carolina. Spinosa is currently pursuing her Master’s degree in Writing at George Mason University, where she also teaches composition. She earned her B.A. from the University of Virginia.

Click here for previous articles by Spinosa, or connect with her on Twitter: @BSpinosa.


  • FCW Perspectives
    human machine interface

    Your agency isn’t ready for AI

    To truly take advantage, government must retool both its data and its infrastructure.

  • Cybersecurity
    secure network (bluebay/Shutterstock.com)

    Federal CISO floats potential for new supply chain regs

    The federal government's top IT security chief and canvassed industry for feedback on how to shape new rules of the road for federal acquisition and procurement.

  • People
    DHS Secretary Kirstjen Nielsen, shown here at her Nov. 8, 2017, confirmation hearing. DHS Photo by Jetta Disco

    DHS chief Nielsen resigns

    Kirstjen Nielsen, the first Homeland Security secretary with a background in cybersecurity, is being replaced on an acting basis by the Customs and Border Protection chief. Her last day is April 10.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.