*Result*: The U.S. Department of Education's Federal Information Security Modernization Act of 2014 Report: For Fiscal Year 2025. ED-OIG/A25IT0212
*Further Information*
*The main objective of the Fiscal Year (FY) 2025 Federal Information Security Modernization Act of 2014 (FISMA) audit was to determine whether the United States Department of Education (Department)'s overall information security program and practices are effective as they relate to federal information security requirements. To meet this objective, Williams Adley utilized the FY 2025 Inspector General (IG) FISMA reporting metrics, issued on April 3, 2025, by the Office of Management and Budget (OMB). The reporting metrics provide independent assessors and IGs with a standardized framework to evaluate and report on the effectiveness and maturity of an agency's information security program. To properly conclude on the effectiveness of the Department's information security program and practices, Williams Adley utilized a rotational strategy to select five in-scope systems. The Background section of this report provides additional context on the Department, FISMA and the FY 2025 IG reporting metrics. At the conclusion of the FY 2025 audit, Williams Adley determined that the Department's overall information security program and practices are effective as nine out of the ten FISMA domains met the requirements needed to operate at a Level 4 maturity rating or higher. Although the Department has an effective information security program, Williams Adley identified a total of sixteen conditions across the ten FISMA domains -- five of which resulted in a Notice of Finding and Recommendations -- which represent potential areas of improvement for the Department. The identified conditions were evaluated from a risk-based standpoint and within the context of the overall information security program to determine their root cause and associated level of risk. Within this report, Williams Adley offers the Department recommendations on how to address each identified root cause. 
Williams Adley's secondary objective was to follow up on the status of outstanding recommendations to determine whether the Department has implemented its proposed corrective actions. Overall, Williams Adley determined that eight prior year recommendations were closed during the audit period; the status of the remaining open recommendations is found within Appendix B, along with their proposed target action dates. Lastly, Williams Adley prepared the responses to the core and supplemental metric questions identified within the CyberScope questionnaire, as shown in Appendix C. All Federal agencies are required to submit their IG FISMA metric determinations into the Department of Homeland Security's CyberScope application by August 1, 2025. [This audit and report were conducted and created by Williams, Adley & Company -- DC, LLC (Williams Adley).]*
*ERIC*