The objective of the FY 2025 Federal Information Security Modernization Act (FISMA) audit was to determine whether the U.S. Department of Education’s (Department’s) overall information technology (IT) security program and practices are effective as they relate to Federal information security requirements. To determine the effectiveness of the Department’s information security program, the audit team utilized the FY 2025 Inspector General FISMA reporting metrics, which required that an independent assessor evaluate core and supplemental reporting metrics identified by the Office of Management and Budget. To properly conclude on the effectiveness of the Department’s information security program and practices, a rotational strategy was used to select five in-scope systems not evaluated in the previous year’s audit.
Overall, the team found that the Department’s information security programs and practices were effective in supporting the five in-scope systems: nine out of ten FISMA domains were effective, and one FISMA domain was not effective. The team also identified 16 conditions across the 10 FISMA domains indicating potential areas of improvement.
The audit team made 5 recommendations to assist the Department with increasing the effectiveness of its information security programs.
Information Technology Security
See previous FISMA reports.