With cybersecurity threats mushrooming across the Federal government, members of a House committee said this week that the Education Department is failing to protect the data of millions of Americans.
DoEd’s systems have been penetrated many times by the inspector general, and the department has failed to act on many recommendations from the IG and General Accountability Office, according to testimony Tuesday at the House Committee on Oversight and Government Reform.
“Almost half of the population of the United States of America has their personal information sitting in this database which is not secure,” said committee chairman Rep. Jason Chaffetz, R-Utah.
DoEd is responsible for managing the portfolio of over 40 million Federal student loan borrowers holding over $1.18 trillion in outstanding debt obligations. The applications require applicants and their parents to provide extensive information about their finances. But the security protecting this massive volume of data is weak.
DoEd has at least 139 million unique Social Security numbers in its Central Processing System (CPS), according to the committee.
For example, the National Student Loan Database (NSLD) houses significant loan borrower information. There are 97,000 accounts/users with access to this significant data yet only 5,000, fewer than 20 percent, have undergone a background check to establish security clearance.
Last year, DoEd’s inspector general blew the whistle on the department’s failings.
“While the Department made progress in strengthening its information security program, many long-standing weaknesses remain and the department’s information systems continue to be vulnerable to serious security threats,” the IG found last year.
And the failure to protect the information still continues, according to the latest General Accountability Office report released Tuesday at the congressional hearing.
“It is important for federal agencies such as Education to implement information security programs that can help protect systems and networks,” the GAO said.
Members of the committee agreed.
“IG reports show that since 2011 there was no mechanism to restrict the use of unauthorized devices on the network. Having the ability to find devices on your network, does it really take four years to figure that out?” asked Rep. Will Hurd, R-Texas.
“When can we expect the system to be secure?…This is an issue that hits every district in this country,” said Rep. Jody Hice, R-Ga.
In prior reports, GAO and inspectors general have made thousands of recommendations to agencies, including Education, to address deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations were ignored, the GAO said in its latest report.
“Until agencies implement these recommendations, sensitive information will remain at risk of unauthorized disclosure, modification, or destruction,” the GAO said.
Among the GAO’s latest findings:
• The Department scored negative-14 percent on the OMB CyberSprint for total users using strong authentication.
• The Department received an F on the latest FITARA scorecard.
• The Department maintains 184 information systems; 120 are managed by outside contractors.
• The IG penetrated DoEd systems completely undetected by either the CIO or the contractor.
The department needs significant improvement in four key security areas:
• Continuous monitoring.
• Configuration management.
• Incident response and reporting.
• Remote access management.
Judi Hasson is a MeriTalk contributing writer.