Chaffetz wants more answers from Education CIO
Lawmakers are looking for details about warnings that the Education Department's systems are ripe for a devastating hack.
Rep. Jason Chaffetz has called Education's IT vulnerabilities "absolutely stunning."
The House Oversight and Government Reform Committee will meet Feb. 2 to take a hard look at the Education Department's IT situation and to examine the conduct of CIO Danny Harris.
It's not clear what conduct issues will be in play, but the investigation of Education's information security and management will be the sequel to a contentious Nov. 17, 2015, hearing.
In that hearing, Chairman Rep. Jason Chaffetz (R-Utah) called Education's IT vulnerabilities "absolutely stunning."
Chaffetz has since warned that a breach of the department's databases, which manage $1 trillion in assets and hold personal information on half the U.S. population, could dwarf the Office of Personnel Management breach in terms of the number of records compromised.
Education's 184 information systems are largely run by contractors, and security is so poor the agency's inspector general was able to hack them.
"During our vulnerability and penetration testing of the Education Department Utility for Communications, Applications, and Technology Environment, we were able to exploit configuration weaknesses to access the department's network," Education's IG wrote in a November audit. "Additionally, of significant concern, neither [contractor] Dell Services Federal Government nor the Office of the Chief Information Officer detected our activity while we were performing the vulnerability assessment and penetration testing."
Part of the problem might lie with the department's approach to privileged-user access.
Although many federal agencies beefed up two-factor authentication and trimmed down the number of privileged users during 2015's cybersecurity sprint, Education was one of a handful of agencies that actually saw two-factor rates drop during the sprint, particularly for privileged users.
In fact, Education's drop was driven entirely by a decrease in privileged-user two-factor requirements because two-factor requirements rose slightly for non-privileged users, indicating that Education has a large number of privileged users.
In August 2015, an Education spokesperson told FCW that the numbers indicated progress because Education was going through the process of discovering how many privileged users it had, which skewed the results.
In the November 2015 hearing, lawmakers also took aim at Education's antiquated technology.
"We can't even fathom the kind of vulnerabilities [Education has] when you're utilizing technology that's not even supported any longer," said Rep. Jody Hice (R-Ga.), referring to the 962 operating systems used by Education that vendors no longer support. "And yet you said you'd give yourself a seven out of 10 [for modernization efforts]."
Harris was unable to say when modernization efforts would be completed. "I don't have an answer to that, sir, across the entire platform, but I can tell you that we're working hard," he said, claiming that Education's systems were reasonably secure for the time being, despite the IG's successful penetration.
Education was one of three agencies to receive an F grade on the committee's FITARA scorecard last year.
Unlike other agency CIOs who embraced poor grades as a brutal-but-honest baseline, Harris argued that his agency should have scored higher. In the November hearing, he claimed Education should have gotten a C.
He also claimed not to know where the oversight committee had gotten its scorecard data; the grades were based on data from the Government Accountability Office.
The Feb. 2 hearing is slated to feature testimony from Harris, Deputy IG Sandra Bruce, Assistant General Counsel for Ethics Susan Winchell and Acting Secretary John King Jr.
A spokesperson for the department said she could not say what issues would be discussed or how Harris was preparing for the hearing.
A spokesperson for the committee similarly declined to share details but said, "It should be good."