US Department of Education Principal Office Functional Statements
Office of the Chief Information Officer

I. Mission and Responsibilities

The Office of the Chief Information Officer (OCIO) provides advice and assistance to the Secretary and other senior officials to ensure that information technology is acquired and information resources are managed in a manner that is consistent with the requirements of:

  • The Information Technology Management Reform Act of 1996 (The Act),
  • The Federal Information Technology Acquisition Reform Act of 2014 (FITARA),
  • The Federal Information Security Modernization Act of 2014 (FISMA),
  • Chapter 35 of Title 44 U.S.C. as applicable to Federal agencies,
  • 40 U.S.C. 11315(b) and (c),
  • Executive Order 13800,
  • Section 208 of the E-Government Act of 2002,
  • The Government Paperwork Elimination Act of 2009,
  • The Privacy Act of 1974 (5 U.S.C. 552a),
  • The Paperwork Reduction Act of 1995 (PRA),
  • The Social Security Number Fraud Prevention Act of 2017,
  • The Data Quality Act,
  • The Federal Records Act of 1950, as amended,
  • The Records Disposal Act of 1943, as amended, and,
  • 32 CFR Part 2002, Controlled Unclassified Information (CUI).

The agency's Chief Information Officer (CIO) is charged with implementing the operative principles established by legislation and regulation, establishing a management framework to improve the planning and control of information technology investments, and leading change to improve the efficiency and effectiveness of Departmental operations.

The CIO reports directly to the Secretary of Education and provides leadership and direction to:

  • Develop, maintain, and implement a sound and integrated information technology enterprise architecture;
  • Provide enterprise-wide information technology (IT) services that include technical infrastructure support, enhanced infrastructure services, and centrally supported application services;
  • Promote the effective and efficient design and operation of major Departmental information resource management processes and recommend, as appropriate, improvements to agency business processes;
  • Manage and maintain an agency Information Resource Management Strategic Plan to improve the productivity, efficiency, and effectiveness of Federal programs inclusive of information dissemination initiatives and efforts to reduce information collection burdens;
  • Develop IT and information assurance (IA) requirements, complete cost/benefit analyses of proposed solutions, manage projects in accordance with sound systems life cycle management procedures, and establish performance standards and measures to assess success of short- and long-term solutions;
  • Define and manage IT capital planning and investment management processes to ensure their successful implementation and integration with the Department's budget, acquisition, and planning processes;
  • Manage and monitor the agency's IT and IA programs and investments, evaluating them against performance and other applicable measures, and advising the Secretary regarding their continuation, modification, or termination;
  • Assess IT, IA and information management competencies defined for agency personnel to ensure that Departmental employees are technologically prepared to achieve the Department's strategic goals;
  • Develop agency-wide policy and guidance for the design, implementation, protection, and control of information and information systems;
  • Deploy and maintain all enterprise-wide IT;
  • Develop recommendations and implement IT solutions that meet Federal accessibility requirements and are designed to enhance and enable agency business processes;
  • Develop and provide technology standards to assure business alignment and promote a viable enterprise technology framework;
  • Liaise with the Senior Agency Official for Privacy (SAOP) to ensure all information systems have appropriate privacy safeguards;
  • Integrate the SAOP into incident response planning, coordination, and actions, and promptly provide privacy breach information to the SAOP so the Privacy Incident Response Team may be constituted, as needed;
  • Manage and maintain the Department’s records management program;
  • Manage the agency's participation and implementation of Federal CIO Council Initiatives and coordinate Council activities throughout the Department; and,
  • Coordinate all e-Gov Initiatives and their status reporting to the Office of Management and Budget (OMB).

II. Organization

OCIO is under the immediate supervision of the CIO who reports directly to the Secretary.

III. Order of Succession

In the event that the CIO dies, resigns, or is otherwise unable to perform the functions and duties of the office and the office is thereby deemed to be vacant, and the Secretary has not designated in writing another individual to act as the CIO, the following officials, in the order shown, shall perform the functions and duties of the office in an acting capacity.

In instances where the office of the CIO is filled, but the head of the Office is absent, unavailable, or otherwise unable to perform the functions and duties of the position, and/or there is a disruption in the normal channels of direction and communication, and unless the head of the Office or the Secretary, in writing, designates another individual to act as the CIO, the following officials, in the order shown, shall serve in an acting capacity as the Acting CIO:

  • Deputy Chief Information Officer
  • Director, Information Assurance Services and Chief Information Security Officer
  • Director, Information Technology Program Services
  • Director, Enterprise Technology Services

IV. Functions and Responsibilities of the Office of the Chief Information Officer (OCIO) Components

A. IMMEDIATE OFFICE OF THE CHIEF INFORMATION OFFICER

The Immediate Office of the Chief Information Officer provides oversight of OCIO’s budget, acquisition planning, execution, resource management, internal business processes, knowledge management, and compliance activities. The Immediate Office provides overall direction, coordination, and leadership to the following elements:

  • Information Assurance Services (IAS)
  • Information Technology Program Services (ITPS)
  • Enterprise Technology Services (ETS)

B. INFORMATION ASSURANCE SERVICES

Information Assurance Services (IAS) oversees the Department's IT security program and ensures the confidentiality, integrity and availability of the Department's information and information resources. IAS ensures that the Department is fully compliant with the Federal Information Security Modernization Act of 2014 (FISMA) and all related statutes and directives. The organization provides standardized IA and cybersecurity services and solutions. IAS also directs the agency’s security operations and incident response activities.

The Director of IAS is the designated Chief Information Security Officer (CISO), reports to the CIO and provides overall leadership and coordination to the following components:

  • Cyber Operations Branch
  • Governance, Risk and Policy Branch
  • Information Systems Security Branch
  • Security Engineering and Architecture Branch

Cyber Operations Branch

The Cyber Operations Branch manages the Department of Education Security Operations Center (EDSOC), leads the Department’s incident response activities, and maintains relationships with internal/external cybersecurity service providers such as the Department of Homeland Security (DHS). The Cyber Operations Branch establishes and implements the operational processes for detecting, protecting, and responding to cybersecurity threats and vulnerabilities and provides privacy safeguards coordination for the Department’s privacy program. In performing its responsibilities, the Branch:

  • Manages and coordinates the Education Computer Incident Response Capability (EDCIRC) to oversee agency-wide IT security incident reporting and response activities, and serves as the Department liaison with the Office of the General Counsel, US Computer Emergency Response Team (US-CERT), Office of Inspector General (OIG), the Federal Bureau of Investigation and other external law enforcement agencies concerning IT security incident reporting and follow-up activities;
  • Establishes and operates the EDSOC to maintain and provide situational awareness of the security posture of the Department’s IT environment;
  • Provides cyber threat and intelligence analysis;
  • Maintains a cybersecurity incident forensics capability to support incident analysis activities;
  • Develops, maintains, and executes standard operating procedures (SOPs) for all functions and processes related to cybersecurity operations;
  • Conducts annual security reviews, such as incident response exercises and continuity exercises, and evaluates and measures the effectiveness of security policies, procedures, and standards;
  • Participates in the design and implementation of cybersecurity solutions to ensure operational requirements are fully satisfied;
  • Establishes and maintains a comprehensive incident response program that ensures compliance with applicable privacy and breach notification requirements;
  • Serves as OCIO’s primary liaison with the Department’s SAOP on intra/inter-agency privacy safeguards, compliance, and breach notification initiatives;
  • In coordination with the SAOP, ensures Department-wide compliance with all applicable statutes, regulations, and policies regarding the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information (PII) by information systems;
  • Contributes to Department-wide privacy policies;
  • Coordinates privacy awareness and education across the agency to raise employees’ awareness of privacy safeguards and incident response issues;
  • Provides guidance and instruction to Department staff regarding processes and procedures regarding the protection of PII through technology safeguards;
  • Develops and provides print and web-based training to Department employees and contractors regarding the unit's mission;
  • Oversees the implementation and management of Department-wide systems and databases that support the successful and efficient handling of privacy safeguards administration;
  • Provides ongoing support for the Department's Data Integrity Board and data matching/exchange agreements with other agencies; and,
  • Provides input as needed for inter-agency development, review and approval of Computer Matching Agreements (CMAs) in support of the Department’s Data Integrity Board.

The Cyber Operations Branch oversees the implementation and operations of privacy technical safeguards related to the following Federal statutes and guidelines:

  • Privacy Act of 1974, as amended,
  • Section 208 of the E-Government Act of 2002 and OMB M-03-22,
  • Office of Management and Budget (OMB) Circular No. A-130,
  • OMB Privacy Act Implementation: Guidelines and Responsibilities, 40 FR 28948 (July 9, 1975),
  • OMB Circular No. A-108,
  • OMB’s Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988,
  • The Social Security Number Fraud Prevention Act of 2017,
  • OMB M-10-22 "Guidance for Online Use of Web Measurement and Customization Technologies,"
  • OMB M-10-23 "Guidance for Agency Use of Third-Party Websites and Applications,”
  • OMB M-17-12 “Preparing for and Responding to a Breach of Personally Identifiable Information,” and
  • Section 6 of OMB M-17-06 "Policies for Federal Agency Public Websites and Digital Services."

Governance, Risk and Policy Branch

The Governance, Risk and Policy Branch develops and maintains Department level cybersecurity policies that govern the implementation of the Department’s cybersecurity program, to include the development and professionalization of the cybersecurity workforce. The Governance, Risk and Policy Branch establishes and implements the governance processes and frameworks for identifying and reporting cybersecurity risks across the Department’s information system inventory.

In performing its responsibilities, the Branch:

  • Develops Department-wide cybersecurity policies and guidance;
  • Directs and manages annual FISMA reporting, and coordinates Program Reviews with the OIG and the Senior Agency Official for Privacy (SAOP), in accordance with OMB guidance;
  • Conducts annual and ongoing Department-wide security reviews and risk assessments mandated by the FISMA and periodically assists the agency's OIG with the conduct and resolution of Department IT security program and system audits;
  • Develops, maintains and tracks performance of the IA Strategic Plan. Also, ensures that the goals and objectives within the IA Strategic Plan support and are in coordination with the Secretary’s Strategic Plan and the CIO’s IT Strategic Plan;
  • Develops and oversees a Cybersecurity Risk Management Framework process for the Department;
  • Develops, updates, maintains, and reports on IA metrics to measure the effectiveness of the IA and Cybersecurity Program and provides situational awareness of cybersecurity risks in support of the Department’s IT governance and enterprise risk management activities;
  • Defines IT security curricula and provides specialized security training for the Department's technical staff and general security awareness/orientation training required of all Departmental employees; and,
  • Manages and maintains the Department's official repository for plans of action and milestones (POA&M) to address weaknesses disclosed by FISMA reviews, IG audits, security control assessments and authorizations and Federal Managers Financial Management Integrity Act (FMFIA) annual certifications related to IT security matters.

Information System Security Branch

The Information System Security Branch provides direction and support to the Department’s information system security officers (ISSOs) and system stakeholders for the continuous monitoring of information systems and corresponding security controls. In performing its responsibilities, the Branch:

  • Performs ongoing verification and validation activities to facilitate the identification of information system weaknesses, determination of risks, and identification of remediation actions to minimize organizational risk and improve the Department’s ability to recover from cybersecurity incidents;
  • Provides system security expertise to assist ISSOs and system stakeholders with the development and maintenance of system security documentation;
  • Coordinates across OCIO to develop and maintain system security documentation for enterprise IT infrastructures, platforms, and software;
  • Reviews System Security Plans to include Security Control Assessment Plans and Reports;
  • Conducts and reviews periodic Risk Assessments;
  • Establishes and implements the Department’s vulnerability management program; and,
  • Monitors and manages the Department’s information system inventory to ensure security controls are implemented and are effective.

Security Engineering and Architecture Branch

The Security Engineering and Architecture Branch develops and maintains the cybersecurity portion of the Department’s enterprise architecture and provides Department-wide expertise for the integration of security tools and capabilities into system designs and architectures. In performing its responsibilities, the Branch:

  • Provides agency-wide leadership in maintaining and improving the availability, confidentiality, and integrity of data maintained in the Department's information systems;
  • Develops, maintains, and enhances the Department’s enterprise security architecture;
  • Provides system security engineering, architecture and programmatic support for the design and implementation of enterprise security solutions;
  • Provides system security engineering and architecture to Department system owners and developers and maintains IA security process coordination within the Department’s lifecycle management and governance processes; and,
  • Develops and maintains the technical security configuration baselines that are minimally acceptable for use across Department information systems.

C. INFORMATION TECHNOLOGY PROGRAM SERVICES

Information Technology Program Services (ITPS) provides agency-wide leadership in the areas of enterprise oversight of Information Technology Management functions, to include Program and Information management. The organization is responsible for defining standards, building, and maintaining an Enterprise Architecture and establishing policies and processes to implement a sound and integrated IT Governance program for the lifecycle management of the Department’s IT systems and information therein. ITPS works collaboratively with the OCIO Executive Management Team and other stakeholders (e.g., the Department’s Investment Review Board (IRB) and Planning and Investment Working Group (PIRWG)) on promoting and ensuring compliance with legislation and policy governing the efficient and effective use of information technology resources.

The Director of ITPS reports to the CIO and provides leadership and direction to the following subordinate units:

  • Investment and Acquisition Management Branch
  • Enterprise Project Management Branch
  • Information Management Branch

Investment and Acquisition Management Branch

The Investment and Acquisition Branch is responsible for developing and implementing policies, strategies, and programs designed to operate the Department’s Capital Planning and Investment Control (CPIC) program. In carrying out its responsibilities, the Branch:

  • Provides IT acquisition support to the agency’s program offices and facilitates the implementation of the Department’s IT Acquisition Review Process;
  • Oversees the CPIC process to ensure that long-range IT planning efforts are integrated with the Department’s budget and acquisition processes and that the agency’s IT investment portfolio is congruent with enterprise architecture;
  • Provides Department executives and managers with accurate, timely information on IT investments, including life cycle costs, schedule and performance measures and metrics;
  • Develops and submits recommendations to the PIRWG and IRB regarding IT investments;
  • Defines capital planning and investment policies and procedures;
  • Coordinates and supports agency compliance with investment management practices in accordance with goals and objectives prescribed by the FITARA;
  • Develops and promotes Department-wide IT investment performance measures to assess agency progress in meeting requirements under the Government Performance and Results Act, the Information Technology Reform Act, and other relevant legislation;
  • Administers and provides oversight for the procurement of IT services.

Enterprise Project Management Branch

The Enterprise Project Management Branch acts as the Department’s Enterprise IT Project Management Office (PMO) to ensure the consistent implementation of project management practices, including the development of IT project management standards, techniques, and best practices. The Enterprise Project Management Branch provides support to Department Principal Office programs and project managers for the provisioning and lifecycle management of IT systems and services. In carrying out its responsibilities, the Branch:

  • Provides Principal Offices with a single point of access across all OCIO branches and areas for coordinating the provisioning of IT services and capabilities;
  • Maintains the Department's formal IT Project Management process and provides advice and guidance on adherence to the Department’s Life Cycle Management (LCM) to program offices;
  • Develops IT project management standards, techniques, and best practices; and,
  • Develops, manages, and implements OCIO’s enterprise IT communications and outreach strategy to ensure consistent stakeholder awareness of IT projects and initiatives.

Information Management Branch

The Information Management Branch is responsible for developing and implementing strategies and programs designed to ensure compliance with Federal information management requirements and accessibility requirements. The Information Management Branch Chief is the Agency Records Officer. In carrying out its responsibilities, the Branch:

  • Serves as the Department’s principal authority and representative on records management statutory, regulatory, and policy requirements to assure compliance with National Archives and Records Administration (NARA) and OMB directives relating to records management;
  • Develops clear and consistent business rules (standards) for records management;
  • Provides guidance and instruction to Department staff for the appropriate handling, maintenance, and disposition of records;
  • Develops and provides print and web-based training to Department employees and contractors regarding the unit's mission;
  • Oversees the implementation and management of Department-wide systems and databases that support the successful and efficient handling of records administration;
  • Provides assistive technology solutions to the Department's employees with disabilities and ensures that the agency's electronic and information systems are accessible to employees and members of the public with disabilities;
  • Assists ED employees with disabilities and their supervisors in the selection, purchase and installation of assistive technologies;
  • Evaluates and tests software and web applications under development for the Department to ensure their compatibility with the legislative requirements of Section 508 of the Rehabilitation Act of 1973 (Section 508) and provides technical assistance and remediation strategies to developers and vendors to facilitate compliance;
  • Provides advice to program offices regarding strategies for implementing Section 508;
  • Provides technical assistance and support to grantees, schools, interagency, and e-Gov projects to ensure that electronic and information technology is accessible to students, Federal employees, and the public; and,
  • Administers the Department’s CUI program.

D. ENTERPRISE TECHNOLOGY SERVICES

Enterprise Technology Services (ETS) supports enterprise-wide initiatives that include infrastructure security, core infrastructure services, telecommunications engineering and operations, end user services, application development and testing environments, production server hosting services, and the agency’s intranet and Internet services. ETS maintains and operates the Department’s primary IT hosting environment and disaster recovery sites, as well as infrastructure, platform, and software as a service cloud environment. As assigned, ETS develops and maintains common business solutions that are required by multiple program offices and provides technical and functional support to internal and external users of the Department’s IT systems.

The Director of ETS reports to the CIO and acts as the Information System Owner for enterprise IT infrastructures and platforms. The Director provides overall leadership and coordination to the immediate office staff of ETS and to the following components:

  • Technology Solutions Branch
  • Technology Implementation and Integration Branch
  • Operational Support Services Branch

Technology Solutions Branch

The Technology Solutions Branch designs and implements the technical solutions that fulfill the agency’s information, communications, and business process automation requirements. In performing its responsibilities, the Branch:

  • Provides system architecture and engineering expertise to design technical solutions that meet customer requirements;
  • Defines IT design elements, and develops and tests solutions for emerging customer requirements;
  • Performs tests and evaluations of technologies in support of innovation and delivery of technical solutions to meet current requirements;
  • Administers and staffs the Department’s Technical Review Board as a key component of the Department’s IT Lifecycle Management and governance processes. Works with other OCIO organizations to ensure full coordination and approval of proposed solutions from program management, information assurance, and enterprise architecture functional areas; and,
  • Develops and provides training to users on enterprise IT solutions prior to operational deployment.

Technology Implementation and Integration Branch

The Technology Implementation and Integration Branch provides the technical guidance and services required for the integration of technical solutions with Department approved/authorized IT platforms and software. In performing its responsibilities, the Branch:

  • Installs, configures, tunes/optimizes, and troubleshoots database, application software, and other various business process automation tools;
  • Develops and maintains the technical guidance for implementing IT applications and integrating with Department approved/authorized IT platforms and software;
  • In coordination with the Operational Support Services Branch, provides Tier II/III support to Department stakeholders and participates in configuration management activities for Department approved/authorized IT platforms and software;
  • Provides input to the security implementation and contingency plan requirements for IT platforms and enterprise software;
  • Manages the testing of all application software enhancements and modifications;
  • Analyzes requirements for, investigates, recommends, and develops, as appropriate, new and enabling application software and related automation tools;
  • Manages the web-based applications that support and enhance the agency's on-line business processes and provides additional application development support across the enterprise;
  • Develops and manages Internet and intranet applications and coordinates the delivery of appropriate training for Departmental users;
  • Enhances education information dissemination, developing new information resources and improving on-line business processes;
  • Defines and explores opportunities for Government-to-Customer, Government-to-Business, and Government-to-School e-business initiatives and measures the effectiveness of new endeavors; and,
  • Administers and maintains the Department's primary Internet and intranet websites.

Operational Support Services Branch

The Operational Support Services Branch oversees and monitors all operational enterprise IT infrastructures, platforms, and software provisioned and authorized for use by the Department. The Branch works closely with other OCIO teams and vendors to ensure that all approved business solutions have met information assurance, enterprise architecture, program management, and customer support requirements prior to transitioning to operations. In performing its responsibilities, the Branch:

  • Monitors and reports on operational enterprise IT infrastructures, platforms, and software to ensure their confidentiality, integrity, and availability, to include voice, video, and data communications networks, telecommunications, and multimedia services;
  • Ensures that all Department employees have appropriate access to the Department's core IT services;
  • Defines, administers, and staffs enterprise level configuration management processes, and associated boards, to review, vet, approve, and communicate changes to operational enterprise IT infrastructures, platforms, and software;
  • Develops, maintains, and directs contingency and disaster recovery planning activities and procedures that ensure continuity of operations for essential Departmental systems in the event of an emergency or other disruption to normal operations;
  • Develops and maintains system security documentation and authorizations to operate associated with enterprise IT infrastructures, platforms, and software;
  • Develops and maintains operational processes and procedures to ensure the efficient and cost-effective use of ED IT resources for business communications and collaboration;
  • Operates and manages enterprise IT service desk and associated services;
  • Conducts operational outreach to Department users to proactively address IT issues and obtain customer feedback;
  • Maintains and provides training to users on enterprise IT solutions; and,
  • Oversees and executes the Department’s Trusted Internet Connection Access Provider (TICAP) Program and certification through the Department of Homeland Security.

Last Modified: 02/10/2023