US Department of Education Principal Office Functional Statements
Office of the Chief Information Officer

Functional Statements > Office of the Chief Information Officer


Information Assurance Services (IAS) oversees the Department's information technology security program and ensures the confidentiality/privacy, integrity, and availability of the Department's information and information resources. IAS ensures that the Department is fully compliant with the Federal Information Security Management Act of 2002 (FISMA), and all related statutes and directives. The organization provides standardized security services and solutions in areas such as Risk Management; Access Controls; Identity and Access Management, Authentication; Encryption Solutions; Public Key Infrastructure (PKI) Technology; and, Certification and Accreditation (C&A). 
IAS also directs the agency’s Managed Security Services Program (MSSP) ensuring contractor compliance with MSSP requirements governing the management of the agency’s enterprise-wide security operations center; the mitigation of security vulnerabilities and improvement of the Department’s IT security posture; portal security; and sound configuration management of EDUCATE and its tenant systems.
The Director, IAS reports to the CIO and provides overall leadership and coordination to the Immediate Office staff of IAS and to the following components:


Policy and Planning Team
In performing its responsibilities, the Team:

  • Develops policies and guidance to prevent and defend against unauthorized access to networks, system, and data directly or indirectly related to the Department's activities;
  • Coordinates Department-wide policies regarding network and system security management, operational, and technical controls;
  • Directs and manages annual FISMA reporting, and coordinates Program Reviews with the OIG and Senior Action Officer for Privacy (SAOP), in accordance with OMB guidance;
  • Conducts annual Department-wide security reviews mandated by the Federal Information Security Management Act (FISMA) and periodically assists the agency's OIG with the conduct and resolution of Department IT security program and system audits;
  • Develops, maintains, and tracks performance of the IA Strategic Plan.  Also, ensures that the goals and objectives within the IA Strategic Plan, support and are in coordination with the Secretary’s Strategic Plan and the CIO’s IT Strategic Plan;
  • Develops, updates, and maintains IA metrics to measure effectiveness of the IA and Cyber Security Program;
  • Defines IT security curricula and provides specialized security training for the Department's technical staff and general security awareness/orientation training required of all Departmental employees; sets policy and standards for security training for contract personnel;
  • Maintains and serves as the Department's official repository for plans of action and milestones (POA&M) to address weaknesses disclosed by FISMA reviews, IG audits, C&A and Federal Managers Financial Management Integrity Act (FMFIA) annual certifications related to IT security matters.
  • Monitors acquisition and budget execution to ensure fiscally responsible usage of funds in accordance with the IAS and OCIO Strategic Plans.


Cyber Defense Team
In performing its responsibilities, the Team:

  • Manages and coordinates agency-wide IT security incident reporting and response activities, and serves as the Department liaison with the Office of General Counsel, US Computer Emergency Response Team (US-CERT), the FBI, OIG and other external law enforcement agencies concerning IT security incident reporting and follow-up activities;
  • Establishes and operates the agency’s Education Computer Incident Response Capability (EDCIRC) to maintain and provide situational awareness of the Department’s IT infrastructure;
  • Enforces Federal IT security standards, including review and evaluation activities prescribed by OMB Circulars A-123 and A-130;
  • Provide cyber threat and intelligence analysis;
  • Maintain a cyber incident forensics capability to support incident analysis activities;
  • Develops and maintains standard operating procedures (SOPs) for all functions and processes related to cyber defense;
  • Conducts annual security reviews, such as incident response exercises and continuity exercises, and evaluate and measure the effectiveness of security policies, procedures and standards
  • Oversee and execute the Department’s TICAP Program and certification through DHS.
  • Monitors acquisition and budget execution for operational cyber security programs and projects to ensure fiscally responsible usage of funds.


Security Engineering and Architecture Team
In performing its responsibilities, the Team:

  • Provides agency-wide leadership in maintaining and improving the availability, confidentiality and integrity of data maintained in the Department's information systems, including ongoing support of the agency's Data Integrity Board and data matching/exchange agreements with other agencies;
  • Develops and oversees a Risk Management Framework process for the Department;
  • Develops, maintains and enhances the Department’s Computer Network Defense (CND) architecture;
  • Maintains the IA Segment within the Department’s IA Segment of the Enterprise Architecture;
  • Maintains the Department’s FISMA reportable inventory of systems within the Operational Vulnerability Management System (OVMS) database;
  • Provides system security engineering support to system owners and developers, and maintains IA security process coordination within the Department’s System Development Life Cycle (SDLC);
  • Develops and maintains System Security Requirements Documents (SSRDs) to address technologies in place within the Department;
  • Creates, manages and maintains a master library of all technical and process documentation and supports the EDUCATE Certification and Accreditation program;
  • Reviews System Security Plans to include Certification Test and Evaluation Plans and Reports;
  • Conducts and reviews Risk Assessments;
  • Reviews system Security Control Assessments;
  • Monitors contractor compliance with conducting system Security Tests and Evaluations (ST&Es);
  • Monitors contractor compliance with assessing risks found during System Security Tests and Evaluations and Risk Assessments;
  • Assembles and checks Certification and Accreditation Packages and makes recommendations to the Chief Information Security Officer and the System Authorization authority.
  • Monitors acquisition and budget execution of architecture and engineering programs and projects to ensure fiscally responsible usage of funds.


Print this page Printable view Bookmark  and Share
Last Modified: 02/07/2012