On Tuesday, November 17th, the House Committee on Oversight and Government Reform met to discuss the security of the United States Department of Education’s information security system. Their overall take on this: a resounding failure. Yes, your child’s information is not safe, despite assurances by your state and your federal government that nothing could happen because of the protections they have implemented. We now know this to be an obvious falsehood. This is the reality, and it is starting to look like even the US DOE cannot keep our children’s information safe.
This isn’t just social security numbers either. How much information does the US DOE have about our children? How many reports, grades, and behavior files do they house in their system? Do they have medical information in their system as well? This is a train wreck in the making. During Race To The Top, one of the mandates of the US DOE was for all states to create a Statewide Longitudinal Data System. This means all that information is in this pipeline. This affects all of us!
From the House Oversight Committee’s website:
• The Department of Education (DoEd) has at least 139 million unique social security numbers in its Central Processing System (CPS).
• Reminiscent of OPM’s dangerous behavior, DoEd is not heeding repeat warnings from the Inspector General (IG) that their information systems are vulnerable to security threats.
o In the IG’s latest report, there were 6 repeat findings and 10 repeat recommendations.
o The Department scored NEGATIVE 14% on the OMB CyberSprint for total users using strong authentication
o The Department received an “F” on the FITARA scorecard
• The Department maintains 184 information systems.
o 120 are managed by outside contractors
o 29 are valued by the Office of Management and Budget (OMB) as “high asset”
• The National Student Loan Database (NSLD) houses significant loan borrower information. There are 97,000 accounts/users with access to this significant data yet only 5,000, less than 20%, have undergone a background check to establish security clearance.
o The IG penetrated DoEd systems completely undetected by both the CIO and the contractor
• The Department needs significant improvement in four key security areas:
o Continuous monitoring
o Configuration management
o Incident response and reporting
o Remote access management
Purpose of the hearing:
• To examine information security at the U.S. Department of Education, including the Agency’s efforts to secure the personally-identifiable information (PII) provided by federal student aid applicants and their parents.
• To review recent findings of the U.S. Government Accountability Office and the Department’s Inspector General (IG).
Background:
• The U.S. Department of Education is responsible for managing the portfolio of over 40 million federal student loan borrowers holding over $1.18 trillion in outstanding debt obligations. The Department also manages other student aid programs, such as the Pell Grant program that annually serves 8.3 million students. These programs often require applicants and their parents to provide the Department with their PII.
• In FY2014, the IG found that, “While the Department made progress in strengthening its information security program, many longstanding weaknesses remain and the Department’s information systems continue to be vulnerable to serious security threats.”
Chairman Chaffetz (R-UT):
“Here they’re managing more than $1 trillion dollars in assets, liability for the United States, it’s basically the size of Citibank and the CIO meets with the Secretary maybe twelve times a year. That’s absolutely stunning. And looking at the vulnerability of almost half of the population of the United States of America has their personal information sitting in this database which is not secure.”