Education Dept CIO comes under fire from Congress for major security loopholes

According to CIO Danny Harris, who testified before the House Committee on Oversight and Government Reform Tuesday, the agency has had 91 data breaches this year.

Corinne Lestch
Corinne Lestch Education staff reporter - EdScoop, FedScoop and StateScoop

Corinne Lestch is a staff reporter covering education for EdScoop and its affiliate public sector technology news websites, FedScoop and StateScoop...

Danny Harris, the CIO of the Department of Education, testified before the House Oversight and Government Reform Committee on Tuesday. (EdScoop)

Congress on Tuesday grilled the chief information officer of the Department of Education on glaring holes in the agency's security system following a blistering Inspector General report, and its flunking score on benchmarks set by the Federal IT Acquisition Reform Act.

In the first of two hearings scheduled, members of the House Committee on Oversight and Government Reform took CIO Danny Harris to task for using outdated technology, failing to detect a test breach by the IG's office and quibbling about how many data centers the department oversees. The stakes, lawmakers said, are very high, because the department oversees more than 40 million federal student loan borrowers as well as student aid programs that require personally identifiable information.

And an IG report released last week found that the department has weaknesses in continuous monitoring, configuration management, incident response and reporting and remote access management.

"It has become a monster," said Rep. Jason Chaffetz, R-Utah, chairman of the committee, of the department's security systems. "We don’t know who’s in there, we don’t know what they're doing. We know there are improper payments the IG can’t even have access to because there are so many contractors who say no."

The department has 184 information systems, with 120 of them managed by outside contractors. But Harris insisted that the department only oversees three because he doesn't count the ones that are overseen by contractors.

"If you've got hundreds of data centers under contractors, it's still in your charge," said Rep. Gerry Connolly, D-Va., who chided Harris for offering, at times, vague answers.

"The Department of Education is responsible for all the data centers that hold these kids' [personal information]," added Rep. Will Hurd, R-Texas. "Who is remediating these vulnerabilities? Who is ultimately going to be held responsible?"

Kathleen Tighe, inspector general of the agency, said her office was able to hack the department's general support system, undetected by either Dell, the contractor that manages the platform, or the CIO's office.

"We were able to gain full access to the Educate platform – we really could have done anything in there," Tighe testified. "The fact that we could gain access means outsiders who have bad intentions can also come in the same that way we did and gain access, and that puts department systems and data and employees at risk."

Harris said the department, which spends roughly $32 million a year on security services, has added more firewalls to address weaknesses and implemented two-factor authentication long before other agencies did. Still, he added, the agency faced 91 data breaches and 250 "minor" incidents this year.

"While we have made significant progress, we are not satisfied and have solid plans to increase the security of our systems," Harris said.

He also defended the 'F' that the agency received on the FITARA scorecard, which exposed several agencies for weak security systems. Of the 24 agencies whose purchasing of IT equipment and services FITARA covers, a majority earned a 'D' grade or lower overall. The Energy Department and National Aeronautics and Space Administration also earned failing scores, and only two agencies, the Department of Commerce and the General Services Administration, scored a 'B', the highest grade received.

"I respectfully disagree with the rating," said Harris, adding that he thought his agency should have received a 'C'. "I am not aware of source of the information, but what I can tell you is that we have a solid plan in place for FITARA by this December."

When asked if the office needs more money to better secure the networks, Harris said he would prefer employees well versed in cyber operations.

"My biggest challenge is cybersecurity talent, even more than money," Harris said. "You can give me all money in the world, but if we can't retain cyber talent, then we are in big trouble."

Reach the reporter at or follow her on Twitter @clestch and @edscoop_news.

-In this Story-

Education IT News, Department of Education, Networks, Privacy & Security, Danny Harris, FITARA

Join the Conversation