Education Department faces tough criticism from Congress on its IT security
The department’s CIO fielded questions from Democrats and Republicans alike during a House oversight hearing on information system shortcomings.
The Department of Education has faced scrutiny from both sides of the congressional aisle over its failing FITARA grade.
The Education Department's CIO faced bipartisan scrutiny during a House hearing earlier this week on the department's failing score on implementing the Federal IT Acquisition Reform Act and its ability to protect its core systems from cyberattacks.
The Education Department houses data on some 40 million federal student loan borrowers and manages $1 trillion in assets connected to those loans. The sensitive personal information in the department's system includes about 139 million Social Security numbers.
The House Oversight and Government Reform Committee released scorecards in early November that graded agencies on their FITARA implementation efforts to date. Education received an F overall and an F in data center consolidation.
During the committee hearing, Republican and Democratic lawmakers pressed CIO Danny Harris on whether the agency's information systems are vulnerable to a data breach like the one at the Office of Personnel Management that exposed 22 million people's personal information. Harris defended the security of Education's information systems, saying, "As of today, I would rank it a 7. We're making great progress, but I would rank it a 7."
Harris also disputed the failing FITARA grade, saying his department is meeting many of the act's requirements. "I think we're very solid with FITARA," he said. "I actually think we should have gotten a C."
Committee members disagreed, especially with Harris' statement that the department had securely consolidated its data centers. Education has 184 information systems, 120 of which are run by contractors. Harris said the department directly controls just three data centers, but some lawmakers raised concerns about who is in charge of information systems that are contracted out and who is responsible for protecting the data they contain.
If you've got hundreds of...database centers under the care of contractors," Rep. Gerry Connolly (D-Va.) said. "[The Office of Management and Budget] may not count that technically as a Department of Education database center, but it's still in your charge."
Education Inspector General Kathleen Tighe testified that she and her team detected serious vulnerabilities in the department's IT systems during a simulated attack. She said they penetrated the department's systems and gained access to the Education Department Utility for Communications, Applications and Technical Environment -- the department's general support system -- without being detected by the IT staff or the contractor.
"We could have really done anything in there," Tighe said.
Harris said his department is working hard to resolve the issues and completely modernize all its IT systems by the end of fiscal 2016.
Rep. Jason Chaffetz (R-Utah), the Oversight Committee's chairman, said Harris should meet with Education Secretary Arne Duncan more than once a month.
"They're managing more than $1 trillion in assets...for the United States," Chaffetz said. "It's basically the size of Citibank, and the CIO meets with the secretary maybe 12 times a year. That's absolutely stunning.... Almost half of the population of the United States of America has their personal information sitting in this database, which is not secure."