
The U.S. Department of Education's Federal Information Security Modernization Act of 2014 Report for Fiscal Year 2023

Report Information

Date Issued
Report Number
A23IT0118
What We Did

The Federal Information Security Modernization Act of 2014 (FISMA) requires Offices of Inspector General (OIGs) to assess the effectiveness of their agency's information security program annually. It specifically mandates that each independent evaluation include a test of the effectiveness of the information security policies, procedures, and practices of a representative subset of the agency's information systems, together with an assessment of the effectiveness of the agency's information security policies, procedures, and practices overall. The FY 2023 FISMA review focused on 20 core and 20 supplemental reporting metrics identified by the Office of Management and Budget (OMB) across nine domains, using criteria developed by the Council of the Inspectors General on Integrity and Efficiency (CIGIE) and issued by OMB. Using this framework, we assessed the effectiveness of each security function on a five-level maturity scale: (1) Ad-hoc, (2) Defined, (3) Consistently Implemented, (4) Managed and Measurable, and (5) Optimized. Level 1, Ad-hoc, is the lowest maturity level and Level 5, Optimized, is the highest. For a security function to be considered effective, an agency's security program must score at or above Level 4, Managed and Measurable.

What We Found

The auditors determined that the Department's overall IT security program and practices are effective, as eight of the nine FISMA domains met the requirements needed to operate at a Level 4 maturity rating, indicating that system security is Managed and Measurable. In addition, the auditors identified potential areas of improvement involving (1) managing information security risks; (2) enforcing two-factor authentication; (3) implementing access provisioning controls for privileged users; and (4) implementing event logging requirements at the enterprise level.

What We Recommend

The auditors made six recommendations to assist the Department in increasing the effectiveness of its information security programs. In addition, the auditors reviewed previously issued FISMA reports to determine the status of their recommendations. The auditors found that: (1) one recommendation from FY 2019 remains open; (2) eight of the nine FY 2020 prior-year recommendations were closed; (3) all ten FY 2021 prior-year recommendations were closed; and (4) eight of the ten FY 2022 prior-year recommendations were closed.

Management Challenge Area

Information Technology Security

Recommendations

No recommendations at this time.