Audit of the Department's Efforts in Identifying IRM KSAs

FINAL AUDIT REPORT
ED-OIG/A07-E0002
August 2004

U.S. Department of Education
Office of Inspector General
Kansas City, Missouri Office

Our mission is to promote the efficiency, effectiveness, and integrity of the Department's programs and operations.

NOTICE

Statements that managerial practices need improvements, as well as other conclusions and recommendations in this report, represent the opinions of the Office of Inspector General. Determinations of corrective action to be taken will be made by the appropriate Department of Education officials.

In accordance with the Freedom of Information Act (5 U.S.C. § 552), reports issued by the Office of Inspector General are available to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act.

UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL

August 20, 2004

MEMORANDUM

TO: William J. Leidinger, Assistant Secretary for Management and Chief Information Officer

FROM: Helen Lew, Assistant Inspector General for Audit

SUBJECT: Final Audit Report - Audit of the Department's Efforts in Identifying IRM KSAs, Control No. ED-OIG/A07-E0002

Attached is the subject final audit report that covers the results of our review of the Department's efforts in identifying Information Resource Management (IRM) knowledge, skills, and abilities (KSAs) in accordance with the Clinger-Cohen Act. An electronic copy has been provided to your Audit Liaison Officer. We received your comments concurring with the finding and recommendations in our draft report.

Corrective actions proposed (resolution phase) and implemented (closure phase) by your office will be monitored and tracked through the Department's Audit Accountability and Resolution Tracking System (AARTS).
ED policy requires that you develop a final corrective action plan (CAP) for our review in the automated system within 30 days of the issuance of this report. The CAP should set forth the specific action items, and targeted completion dates, necessary to implement final corrective actions on the finding and recommendations contained in this final audit report.

In accordance with the Inspector General Act of 1978, as amended, the Office of Inspector General is required to report to Congress twice a year on the audits that remain unresolved after six months from the date of issuance.

In accordance with the Freedom of Information Act (5 U.S.C. § 552), reports issued by the Office of Inspector General are available to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act.

We appreciate the cooperation given us during this review. If you have any questions, please call Richard J. Dowd, Regional Inspector General for Audit, at 312-886-6503.

Enclosure

600 Independence Ave., S.W., Washington, D.C. 20202-1510
Our mission is to ensure equal access to education and to promote educational excellence throughout the Nation.
Table of Contents

Executive Summary ... 1
Audit Results ... 2
  Finding - The Department May Not Be in Full Compliance With the Clinger-Cohen Act Requirements for Developing IRM KSAs ... 2
Background ... 5
Objectives, Scope, and Methodology ... 6
Statement on Management Controls ... 7
Appendix I - Clinger-Cohen Core Competencies
Appendix II - Auditee Comments

Executive Summary

The Department of Education (Department) has made progress in complying with the Clinger-Cohen Act¹ requirements for obtaining the knowledge, skills, and abilities (KSAs) necessary to effectively perform information resources management (IRM) functions, through limited workforce planning efforts. However, it did not use a systematic process in evaluating KSAs, nor did it address the KSA requirements for all IRM staff. Without having identified the needed KSAs for all IRM staff, the Department was not able to develop a comprehensive strategy to eliminate deficiencies between needed and actual KSAs. As such, the Department's IRM may lack the basic KSAs needed to effectively manage information technology (IT) resources and investments and to accomplish its goals.

We recommend that the Department 1) use a systematic process, such as the established core competencies, in addressing the Clinger-Cohen requirements related to KSAs for IRM; and 2) ensure that skill assessments for the Office of the Chief Information Officer (OCIO) are tied to the IRM goals included in the Department's overall strategic plan.

We reviewed the Department's efforts to comply with the Clinger-Cohen Act requirements for obtaining KSAs necessary to effectively perform IRM functions.
The objectives of our review were to determine the Department's progress in 1) identifying the KSAs needed for IRM; 2) developing a strategy to eliminate deficiencies between needed and actual KSAs; and 3) reporting progress made in improving IRM capability.

The Act requires federal agencies to determine the KSAs required for agency personnel in IRM and identify the current IRM staff qualifications; develop a strategy for narrowing the gap between the required KSAs and those of the current IRM staff; and report progress made in improving IRM capability. The Act also requires the Chief Information Officer (CIO) to assess the KSA requirements established for IRM personnel and ensure that those requirements link to IRM performance goals.

To assist federal agencies in complying with the requirements for assessing IRM KSAs, the CIO Council developed the Clinger-Cohen Core Competencies to serve as a baseline for assessing KSAs. The established core competencies provide a systematic process and are endorsed by federal agencies. The Department did not use them in its KSA assessments for the OCIO workforce, nor has it used them in assessing whether the current requirements for its IRM workforce will enable it to meet its IRM performance goals. The Department also has not provided evidence that it used any specific guidance, criteria, or systematic process in its workforce planning efforts, or that the future requirements for the IRM area have been coordinated with the Department's overall strategic plan.

OCIO concurred with our finding and recommendations. In addition, based on the Department's response that it is no longer considering a merger of OCIO with the Office of Management (OM), we eliminated the discussion of our concern about the Department's ability to maintain compliance with the Act given its plans to merge those two offices.

¹ Previously referred to as the Information Technology Management Reform Act of 1996, Division E of Public Law 104-106, 110 Stat. 679 (1996).

ED-OIG A07-E0002 Page 1

Audit Results

Finding - The Department May Not Be Effectively Managing Its IT Resources and Accomplishing Department Goals in Compliance With the Clinger-Cohen Act

The Department's workforce planning efforts have been limited, directed at identifying a strategy for replacing staff expected to retire in the next five years. However, the Department's planning efforts did not address the KSAs required for the remaining IRM staff. Further, the Department has not provided evidence that it used any specific guidance, criteria, or systematic process in its limited workforce planning efforts, or that the future requirements for the IRM area are consistent with the Department's overall strategic plan. Without having identified the needed KSAs for all IRM staff, the Department was not able to develop a comprehensive strategy to eliminate deficiencies between needed and actual KSAs. Consequently, the Department may not be effectively managing its IT resources and accomplishing Department goals and, as a result, may not be in full compliance with Clinger-Cohen Act requirements.

The Clinger-Cohen Act requires federal agencies to determine the KSAs required for agency personnel in IRM and identify the current IRM staff qualifications; develop a gap analysis and strategy for eliminating differences between the required KSAs and those of the current IRM staff; and report progress made in improving IRM capability. The Act also requires the CIO to assess the KSA requirements established for agency personnel in IRM and the adequacy of these requirements for meeting IRM performance goals.
Specifically, the Clinger-Cohen Act (§ 5125(c)(3)) states that the CIO of an agency shall annually, as part of the strategic planning and performance evaluation process…

(A) assess the requirements established for agency personnel regarding knowledge and skill in information resources management and the adequacy of such requirements for facilitating the achievement of the performance goals established for information resources management;
(B) assess the extent to which the positions and personnel at the executive level of the agency and the positions and personnel at management level of the agency below the executive level meet those requirements;
(C) in order to rectify any deficiency in meeting those requirements, develop strategies and specific plans for hiring, training, and professional development; and
(D) report to the head of the agency on the progress made in improving information resources management capability.

To assist federal agencies in complying with the requirements for assessing IRM KSAs, the CIO Council developed the Clinger-Cohen Core Competencies to serve as a baseline for assessing KSAs. Although the core competencies give agencies a great deal of latitude in KSA assessments, they provide a systematic process for deliberations in developing a set of KSAs needed in the IRM area. According to the CIO Council, using the core competencies allows CIOs to assess KSA requirements in compliance with the Clinger-Cohen Act. These core competencies have been endorsed by government agencies that are members of the CIO Council, including the Office of Management and Budget (OMB), the U.S. General Accounting Office (GAO), and the Office of Personnel Management (OPM), and are used at the CIO University for training IRM personnel in federal agencies.

In addition to the Clinger-Cohen requirements, the President's Management Agenda includes requirements, under the Human Capital initiative, to assess knowledge and skills for staff.
It requires agencies to assess the KSA requirements for personnel and determine their adequacy in achieving the performance goals established for agencies. According to GAO, the most important consideration in identifying skills and competencies is clearly linking them to an agency's mission and long-term goals. GAO stated that if an agency identifies staff needs without linking those needs to strategic goals, the needs assessment might be incomplete and premature.

The Department completed limited workforce planning efforts, including planning for the IT workforce, and reported the results of its efforts in a Recruitment Plan. The Department's efforts focused on positions where possible retirements in the next five years could leave vacancies. The specific analyses performed included retirement eligibility, succession planning with a focus on supervisory and managerial positions, and an inventory of the skills and competencies needed by the workforce to successfully accomplish the Department's mission. Although the Department's plan identified a strategy for replacing staff expected to retire in the next five years, it did not evaluate the KSA needs for all IRM staff. Consequently, the Department's Recruitment Plan may not accurately reflect its needs, and any actions taken by the Principal Offices may not meet the needs of both the current and future workforce. The Recruitment Plan stated that each Principal Office within the Department completed both a skills assessment and a skills gap analysis. However, without identifying the KSA needs for all IRM staff, the Department could not develop a comprehensive strategy to eliminate deficiencies between needed and actual KSAs.
In addition, although the Department's Recruitment Plan identified the most critical positions within OCIO, OCIO provided no evidence that it performed any kind of assessment of the actual position requirements, including an assessment of whether those requirements assisted in meeting the IRM goals within the Department's Strategic Plan. OCIO's assessment focused on how it would fill positions that might become vacant over the next five years due to employees retiring. OCIO developed a plan for closing the gap in KSAs created through expected future retirements. The plan provided possible approaches for backfilling positions, including 1) whether qualified individuals exist in OCIO who could step into vacated positions; and 2) recruitment strategies for filling vacated positions through identifying employees elsewhere in the Department or through recruitment actions. Because the Recruitment Plan focused only on retirement planning, it did not address the KSAs required for the remaining IRM staff. As such, the Department's workforce planning efforts, to date, have been limited and do not fully comply with the Clinger-Cohen requirements for assessing IRM KSAs.

The Department's E-Government report to OMB provided information from the Department's Recruitment Plan. The Department also reported that it had developed a specific training curriculum to address identified deficiencies in the information security area; that it would ensure that IT Project Managers have the necessary skills; and that it would be tracking certifications of all IT Project Managers in the future. In addition, the report stated that the Department has developed a competency self-assessment tool that will assist in identifying individual competency development needs in the current workforce.
This tool, known as the Employee Skills Inventory System (ESIS), is a voluntary, web-based electronic self-assessment tool that employees can use to identify competencies related to their jobs and assess their skills against those competencies. The Department's E-Government report indicates its willingness to address identified deficiencies. The Department's reported actions are in various stages of implementation; however, the effective implementation of all or any combination of the reported actions would not change our report findings.

According to the CIO Council, performing effectively in the established competency areas and possessing the knowledge, skills, and abilities under each competency area assists agencies in complying with the KSA requirements in the Clinger-Cohen Act. Failure to use a systematic approach such as the established core competencies could result in the Department's failure to comply with the Act's requirements. More specifically, because it did not assess its entire IRM workforce against established competencies, the Department may not have effectively determined where important skill gaps are and how to efficiently and effectively address those gaps. As a result, the Department's information resource management may not have the basic core competencies or KSAs needed to effectively manage IT resources and investments. In addition, without a workforce plan that delineates the relationship between KSA requirements and the Department's IRM goals, the Department could have difficulty identifying the current and future KSAs needed to accomplish its goals.

Recommendations

We recommend that the Assistant Secretary, Office of Management and Chief Information Officer

1. Use a systematic process, such as the established core competencies, in addressing the Clinger-Cohen Act requirements related to KSAs for all IRM staff;
2. Develop a comprehensive strategy to eliminate deficiencies between needed and actual KSAs; and
3. Ensure that skill assessments for OCIO are tied to the IRM performance goals included in the Department's overall strategic plan.

The Department's Comments and OIG Response

OCIO concurred with our finding and recommendations and provided a corrective action plan. Based on the Department's response that it is no longer considering a merger of OCIO with the Office of Management (OM), we eliminated the discussion of our concern about the Department's ability to maintain compliance with the Act given its plans to merge those two offices.

Background

The Clinger-Cohen Act was enacted to address longstanding problems related to federal IT management. Among other things, it requires federal agencies to

• Determine the KSAs required for agency personnel in IRM;
• Determine the extent to which positions and personnel at the executive and management levels meet those requirements;
• Develop strategies for narrowing the gap between the required KSAs and those of the current IRM staff, including specific plans for hiring, training, and professional development for any identified deficiency; and
• Report progress made in improving IRM capability.

OMB, GAO, and OPM provide guidance for implementing the Clinger-Cohen Act, including requirements for obtaining and retaining the necessary KSAs for IRM. This guidance defines what an agency would need to accomplish in order to comply with the Act. In addition, the CIO Council developed a set of core competencies to assist agencies in complying with the Clinger-Cohen Act's requirements for assessing KSAs in the IRM area. The established core competencies are organized into 12 areas with detailed core competencies or KSAs under each area. These areas include Leadership/Managerial, Project/Program Management, Information Resources Strategy and Planning, Enterprise Architecture, Capital Planning and Investment Assessment, and IT Security/Information Assurance.
For a complete list of the 12 areas and the core competencies associated with each, see Appendix I.

Objectives, Scope, and Methodology

The objectives of our audit were to determine the Department's progress in 1) identifying the KSAs needed for IRM; 2) developing a strategy to eliminate deficiencies between needed and actual KSAs; and 3) reporting progress made in improving IRM capability. We did not assess the KSAs for OCIO organizationally, nor did we assess the KSAs of individuals within the Department's IRM area.

To accomplish our objectives, we reviewed applicable policies and procedures, as well as laws, regulations, and agency guidelines. We interviewed officials in the CIO's office, including the CIO, to obtain information on the Department's goals, strategies, and staffing plans. We obtained and reviewed the Department's strategic plan, including the IRM section on strategic planning and workforce analyses, and strategic program planning documents, including the plan that guided staffing and the annual staffing plan. To meet our objectives, we did not use electronic data from the Department.

To assist in assessing the Department's efforts, we reviewed GAO reports on human capital and workforce planning at other federal agencies. We also reviewed human capital literature, including OPM's Human Capital Assessment and Accountability Framework, as well as workforce planning models at OPM, OMB, and GAO.

We conducted work at the Department's CIO offices in Washington, D.C., and our OIG office in Kansas City, MO, during the period October 2003 to April 2004. We held an exit conference with Department officials on June 15, 2004. Our audit was performed in accordance with generally accepted government auditing standards appropriate to the scope of the review.
Statement on Management Controls

As part of our review, we gained an understanding of the Department's management control structure applicable to the scope of the review. For purposes of this review, we assessed and classified the significant management controls related to the Department's IT efforts into the planning and assessment activities over the Department's IRM capabilities. The assessment also included a determination of whether the processes used by the Department provided a reasonable level of assurance of compliance with the Clinger-Cohen Act.

Because of inherent limitations, and the limited nature of our review, a study and evaluation made for the limited purpose described above would not necessarily disclose material weaknesses in the management control structure. However, our assessment identified a weakness in the Department's efforts to identify the KSAs needed for its IRM, as set out in the Finding section of this report.

Appendix I - Clinger-Cohen Core Competencies (Revised June 2003)

The Clinger-Cohen Core Competencies, developed by the CIO Council, have been endorsed to serve as a baseline to assist government agencies in complying with Section 5125(c)(3) of the Clinger-Cohen Act. To perform effectively in each competency area below, an organization should possess the knowledge, skills, and abilities in each competency.
1.0 Policy and Organizational
  1.1 Department/Agency missions, organization, functions, policies, procedures
  1.2 Governing laws and regulations (e.g., the Clinger-Cohen Act, E-Government Act, GPRA, PRA, GPEA, OMB Circulars A-11 and A-130, PDD 63)
  1.3 Federal government decision-making, policy making process and budget formulation and execution process
  1.4 Linkages and interrelationships among Agency Heads, COO, CIO, and CFO functions
  1.5 Intergovernmental programs, policies, and processes
  1.6 Privacy and security
  1.7 Information management

2.0 Leadership/Managerial
  2.1 Defining roles, skill sets, and responsibilities of Senior Officials, CIO staff and stakeholders
  2.2 Methods for building federal IT management and technical staff expertise
  2.3 Competency testing - standards, certification, and performance assessment
  2.4 Partnership/team-building techniques
  2.5 Personnel performance management techniques
  2.6 Principles and practices of knowledge management
  2.7 Practices which attract and retain qualified IT personnel

3.0 Process/Change Management
  3.1 Techniques/models of organizational development and change
  3.2 Techniques and models of process management and control
  3.3 Modeling and simulation tools and methods
  3.4 Quality improvement models and methods
  3.5 Business process redesign/reengineering models and methods

4.0 Information Resources Strategy and Planning
  4.1 IT baseline assessment analysis
  4.2 Interdepartmental, inter-agency IT functional analysis
  4.3 IT planning methodologies
  4.4 Contingency planning
  4.5 Monitoring and evaluation methods and techniques

5.0 IT Performance Assessment: Models and Methods
  5.1 GPRA and IT: Measuring the business value of IT, and customer satisfaction
  5.2 Monitoring and measuring new system development: When and how to "pull the plug" on systems
  5.3 Measuring IT success: practical and impractical approaches
  5.4 Processes and tools for creating, administering, and analyzing survey questionnaires
  5.5 Techniques for defining and selecting effective performance measures
  5.6 Examples of, and criteria for, performance evaluation
  5.7 Managing IT reviews and oversight processes

6.0 Project/Program Management
  6.1 Project scope/requirements management
  6.2 Project integration management
  6.3 Project time/cost/performance management
  6.4 Project quality management
  6.5 Project risk management
  6.6 Project procurement management
  6.7 System life cycle management
  6.8 Software development

7.0 Capital Planning and Investment Assessment
  7.1 Best practices
  7.2 Cost benefit, economic, and risk analysis
  7.3 Risk management - models and methods
  7.4 Weighing benefits of alternative IT investments
  7.5 Capital investment analysis - models and methods
  7.6 Business case analysis
  7.7 Integrating performance with mission and budget process
  7.8 Investment review process
  7.9 Intergovernmental, Federal, State, and Local Projects

8.0 Acquisition
  8.1 Alternative functional approaches (necessity, government, IT) analysis
  8.2 Alternative acquisition models
  8.3 Streamlined acquisition methodologies
  8.4 Post-award IT contract management models and methods, including past performance evaluation
  8.5 IT acquisition best practices

9.0 E-Government/Electronic Business/Electronic Commerce
  9.1 Strategic business issues & changes w/advent of E-Gov/EB/EC
  9.2 Web development strategies
  9.3 Industry standards and practices for communications
  9.4 Channel issues (supply chains)
  9.5 Dynamic pricing
  9.6 Consumer/citizen information services
  9.7 Social issues

10.0 IT Security/Information Assurance
  10.1 Fundamental principles and best practices in IA
  10.2 Threats and vulnerabilities to IT systems
  10.3 Legal and policy issues for management and end users
  10.4 Sources for IT security assistance
  10.5 Standard operating procedures for reacting to intrusions/misuse of federal IT systems

11.0 Enterprise Architecture
  11.1 Enterprise architecture functions and governance
  11.2 Key enterprise architecture concepts
  11.3 Enterprise architecture development and maintenance
  11.4 Use of enterprise architecture in IT investment decision making
  11.5 Interpretation of enterprise architecture models and artifacts
  11.6 Data management
  11.7 Performance measurement for enterprise architecture

12.0 Technical
  12.1 Emerging/developing technologies
  12.2 Information delivery technology (internet, intranet, kiosks, etc.)
  12.3 Desktop Technology Tools

Source: Chief Information Officers Council

Appendix II - Auditee Comments on the Draft Report

UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF MANAGEMENT
ASSISTANT SECRETARY

July 16, 2004

TO: Richard J. Dowd, Regional Inspector General for Audit, Office of Inspector General

FROM: William J. Leidinger, Assistant Secretary for Management and Chief Information Officer

SUBJECT: DRAFT AUDIT REPORT - Audit of the Department's Efforts in Identifying IRM KSAs, Control No. ED-OIG/A07-E0002

Thank you for your draft audit report, Audit of the Department's Efforts in Identifying IRM KSAs, Control No. ED-OIG/A07-E0002, sent June 4, 2004. The Office of the Chief Information Officer (OCIO) concurs with the single finding, "The Department may not be effectively managing its IT resources and accomplishing Department goals in compliance with the Clinger Cohen Act." The following is our proposed corrective action to address the three recommendations your office has provided related to this finding.

Recommendation 1: Use a systematic process such as the established core competencies in addressing the Clinger Cohen Act requirements related to KSAs for all IRM staff.

Proposed Corrective Action: OCIO will work with the Office of Management Human Resources Services (HRS) to use the Clinger-Cohen core competencies developed by the CIO Council, and included as an Appendix in your draft audit report, to expand the core competencies for the IT Critical Occupation in the Employee Skill Inventory System (ESIS).
OCIO and HRS will develop and implement a strategy using ESIS to evaluate the actual and needed IT Knowledge, Skills and Abilities (KSAs) of Department staff based on these competencies.

Recommendation 2: Develop a comprehensive strategy to eliminate deficiencies between needed and actual KSAs.

Proposed Corrective Action: OCIO will work with HRS to develop a comprehensive strategy that addresses IT KSAs for new hires and existing staff. HRS staff have begun meeting with all hiring managers prior to the posting of vacancies to strengthen the recruitment process. OCIO and HRS will review existing EdHIRES IT questions to ensure that the full range of desired competencies is included to further strengthen IT recruitments. The IT KSAs will continue to be reviewed and emphasized when posting for IT positions. OCIO and HRS will develop learning tracks associated with the core competencies for the IT Critical Occupation to address the needed KSAs for existing staff.

400 Maryland Ave., S.W., Washington, D.C. 20202-4500
www.ed.gov
Our mission is to ensure equal access to education and to promote educational excellence throughout the Nation.

Recommendation 3: Ensure that skill assessments for OCIO are tied to the IRM performance goals included in the Department's overall strategic plan.

Proposed Corrective Action: OCIO will work with the Strategic Accountability Service to add IRM performance goals to the Department's overall strategic plan.

Your draft audit report also included an "Other Matters" section that addressed a proposed reorganization of OCIO that would merge it with the Office of Management. This proposed merger is no longer being considered. Attached is the OCIO reorganization package that has received Department approval and is now being reviewed by the Union. The final proposal only includes internal restructuring.
Please contact Nina Aten on my staff if you have any questions. Ms. Aten can be reached on 202-401-5846.

Attachment

UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF MANAGEMENT

July 9, 2004

MEMORANDUM

TO: James Keenan, Director

FROM: Executive Office (signature illegible)

SUBJECT: Reorganization of OCIO

The OM Executive Officer has approved the attached request to reorganize the Office of the Chief Information Officer. Please arrange to notify the Union of this action if you believe that they should be notified. Your contact is Michell Clark, who can be reached on (202) 260-7337. Please let me know when and if the Union consultative meetings are scheduled.

Attachments

cc: Michell Clark

UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF THE CHIEF INFORMATION OFFICER
THE CHIEF INFORMATION OFFICER

June 16, 2004

MEMORANDUM

To: Keith Berger, Executive Officer

From: William J. Leidinger

Subject: Necessary Organizational Changes for the Office of the Chief Information Officer

This memorandum requests approval of a reorganization of the Office of the Chief Information Officer (OCIO). This reorganization is intended to enhance OCIO's ability to serve the Department while better aligning the structure of the OCIO with the business needs of the Department. In addition, the reorganization establishes direct responsibility for those areas that require coordination on IT assets, policies and functions across the Department. The resulting OCIO organization will achieve these purposes:

• Better enables the accomplishment of the CIO responsibilities as outlined in the Government Information Security Reform Act (GISRA) and the Federal Information Security Management Act (FISMA).
.,,; Aligns and prioritizes the information technology security policies, procedures and control functions under the CIO that are vested in the ChiefInformation Security Officer (CISO) . .,,; Aligns the CISO directly under the CIO as required under GISRA and FISMA. .,,; Provides a central focus for training and overseeing personnel with significant information technology security responsibilities . .,,; Enhances the coordination and execution of the critical infrastructure protection responsibilities vested in the Department's Critical Infrastructure Officer (CIAO) as required in Presidential Decision Directive (PDD) 63. PDD 63 provides a framework for protecting critical infrastructure, which is generally referred to as those physical and cyber based systems essential to the minimum operations of the economy and government. The directive requires every department and agency to appoint a CIO who shall be responsible for the protection of its critical infrastructure. 400 MARYLAND AVE., S.W., WASHINGTON, D.C. 20202-4580 www.ed.gov Our mission is to ensure equal access to education and to promote educational excellence throughou.t the Nation. Keith Berger - Page 2 The specific changes proposed are as follows: • Move the Development Services Group from Information Management to Information Technology Operations and Maintenance Services. This will enable the Development Services Group, which develops, maintains and updates the department's web sites, to be part of, and integrated with, the group that it works most closely with and which supports and operates the Department's web sites. • Move the information collection, FOIA, the Government Paperwork Elimination Act and records management functions from Information Management to the new Regulatory and Information Management Services. The performance improvement of these functions is a high Department priority. 
These functions will receive more focus and attention, and closer supervision and direction, than was possible when these functions were in Information Management.
• Move the enterprise architecture, data architecture, system development life cycle development process, and the business-technology interface functions from Information Management to an Enterprise Architecture Team in the new Business and Enterprise Integration Services.
• Move the Investment Management Group from Information Management to the new Business and Enterprise Integration Services.
• The co-locating of Enterprise Architecture and Investment and Acquisition Management as the components of Business and Enterprise Integration Services will effectively link the knowledge of the Department's business with the development and upgrading of the Department's enterprise architecture and its ongoing IT investment planning and decision process.
• Eliminate the Information Management Group.
• Move the Information Assurance Group directly under the CIO. This will strengthen the Department's adherence to the requirements outlined in Clinger-Cohen as well as full integration and coordination of all security and critical infrastructure protection functions.

The OM Executive Office will formally service the Office of the Chief Information Officer. It has been doing so by agreement with the Chief Information Officer for the past year. The staffing of the Executive Office is unchanged and is not included in the staffing patterns.

Keith Berger - Page 3

Although there will be necessary personnel moves because of movement of functions, we are committed to assuring that there will be no adverse personnel impact on any OM or OCIO employees as a result of this reorganization. We will work with the Department's Delegations Control Officer to develop any necessary changes to existing delegations of authority that will be affected by the reorganization.
Attachments:
Tab A: Current Organization Chart
Tab B: Proposed Organization Chart
Tab C: Current Functional Statements
Tab D: Proposed Functional Statements
Tab E: Current Staffing Pattern for Affected Units
Tab F: Proposed Staffing Pattern for Affected Units

TAB B
Proposed Organization Chart

[Organization chart, rebuilt from the flattened chart text]
OFFICE OF THE CHIEF INFORMATION OFFICER
  Principal Deputy Chief Information Officer
  Deputy Chief Information Officer / Chief Technology Officer
  Information Technology Operations and Maintenance Services
    Production Management Team
    Network Services Team
    End User Support Services Team
    Security and Reliability Assurance Team
    Development Services Team
    Assistive Technology Team
    Project Management Team
  Business and Enterprise Integration Services
    Investment and Acquisition Management Team
    Enterprise Architecture Team
  Regulatory Information Management Services
    Information Policy and Standards Team
    Information Mgmt Case Services Team
  Information Assurance Services

TAB D
Proposed Functional Statements

OFFICE OF THE CHIEF INFORMATION OFFICER

SECTIONS
I. MISSION AND RESPONSIBILITIES
II. ORGANIZATION
III. ORDER OF SUCCESSION
IV. FUNCTIONS AND RESPONSIBILITIES OF THE OFFICE OF THE CHIEF INFORMATION OFFICER (OCIO) COMPONENTS
  A. IMMEDIATE OFFICE OF THE CHIEF INFORMATION OFFICER
  B. INFORMATION MANAGEMENT
  C. INFORMATION TECHNOLOGY
  D. ENTERPRISE STRATEGY AND INFORMATION ASSURANCE
V. PRIMARY DELEGATIONS OF AUTHORITY

I. MISSION AND RESPONSIBILITIES

The mission of the Office of the Chief Information Officer (OCIO) is to provide advice and assistance to the Secretary and other senior officers to ensure that information technology is acquired and information resources are managed for the Department in a manner that is consistent with the requirements of the Clinger-Cohen Act (40 U.S.C. 11315), the Paperwork Reduction Act of 1995 (44 U.S.C. chap. 35) and industry best practices.
The agency's Chief Information Officer is charged with implementing the operative principles identified in the Act requiring the establishment of a management framework to improve the planning and control of information technology investments and leading change to improve the efficiency and effectiveness of agency operations. The CIO reports directly to the Secretary and Under Secretary and provides leadership and direction to:

• Develop, maintain, and facilitate the implementation of a sound and integrated information technology enterprise architecture;
• Promote the effective and efficient design and operation of major Departmental information resource management processes and recommend, as appropriate, improvements to agency business processes;
• Manage agency information resources to improve the productivity, efficiency, and effectiveness of Federal programs inclusive of information dissemination initiatives and efforts to reduce information collection burdens;

OCIO/IO - Page 1 PROPOSED: 07/14/04 OFFICE OF THE CHIEF INFORMATION OFFICER

• Develop Information Technology (IT), Information Management (IM), and Information Assurance (IA) requirements, completing cost/benefit analysis of proposed solutions, managing projects in accordance with sound systems life cycle management procedures and establishing performance standards and measures to assess success of short and long term solutions;
• Define and manage IT, IM, and IA capital planning and investment management processes to ensure that they are successfully implemented and integrated with the Department's budget, acquisition and planning processes;
• Develop and submit recommendations to the Investment Review Board (IRB) regarding IT, IM, IA capital investments to assure that investment decisions are mission aligned, cost justified and approved only after careful and systematic review;
• Monitor the performance of the agency's IT, IM, and IA programs and investments, evaluating them against performance and
other applicable measures, and advising the Secretary regarding their continuation, modification or termination;
• Assess IT, IM, and IA competencies defined for agency personnel to ensure that Departmental employees are technologically prepared to achieve the Department's strategic goals;
• Develop IT and IM requirements, analyze the projected cost and benefits of alternative IT and IM solutions, and establish performance standards and measures to assess short and long range solutions;
• Administer the Department's information resource management program, including records management, automated data processing activities, the Paperwork Reduction Act, Government Paperwork Elimination Act, Freedom of Information Act, Privacy Act, and the Information Quality Guidelines;
• Manage the agency's IT Security Program for automated information systems, developing agency-wide policy for the protection and control of information resources directly or indirectly related to the activities of the Department;
• Implement a Department-wide communications Internet/Intranet strategy;
• Deploy and maintain all enterprise-wide information technology;
• Develop recommendations and implement information technology solutions designed to enhance and enable agency business processes;
• Develop and provide technology standards to assure business alignment and promote a viable enterprise technology framework;
• Provide administrative and technical support to the agency's Data Integrity Board and monitor the Department's compliance with the Computer Matching and Privacy Protection Act.

II. ORGANIZATION

The Office of the Chief Information Officer (OCIO) is under the immediate supervision of the Chief Information Officer (CIO). In carrying out the responsibilities of the Department described in 44 U.S.C. 3506, 40 U.S.C.
11315(b) and (c), and Executive Order 13011, the Chief Information Officer reports directly to the Secretary and Under Secretary.

III. ORDER OF SUCCESSION

The Order of Succession for the Office of the Chief Information Officer is as follows:
Principal Deputy Chief Information Officer
Deputy Chief Information Officer/Chief Technology Officer
Director, Information Technology
Director, Information Management

IV. FUNCTIONS AND RESPONSIBILITIES OF OCIO COMPONENTS

A. THE CHIEF INFORMATION OFFICER

The Chief Information Officer (CIO) provides advice and other assistance to the Secretary and Under Secretary in information technology (IT) matters and other IT activities and functions as directed. The CIO is responsible for developing and maintaining a sound and integrated IT architecture for the Department while also promoting the efficient design and operation of all major information resources processes for the agency. The CIO provides strategic leadership and executive direction to the office's organizational components to ensure successful accomplishment of the office's mission. The CIO manages the agency's relationship to Federal CIO Council Initiatives and coordinates Council activities throughout the Department.

The Principal Deputy Chief Information Officer (PD CIO) serves as the alter ego for and supports the CIO in IT matters and other activities and functions as directed. The PD CIO assists the CIO by providing day-to-day operational priorities, strategic leadership and executive direction to the Office's organizational components to ensure successful accomplishment of the Office's mission. The PD CIO performs administrative duties such as performance evaluations for the Deputy CIO/CTO and other senior leadership within the Office.
The PD CIO provides advice to the Secretary, other Senior Officers and the CIO, and promotes the effective and efficient design and operation of all major information resources processes for the Department.

The Deputy Chief Information Officer/Chief Technology Officer (CTO) assists the CIO in the development of standards, guidelines, and policies to transform current ED data collection and information management processes. The CTO advises the ASM/CIO and PD CIO on new and emerging technologies in the areas of communication, information technology, and IT system development that may benefit the Department. The CTO supervises the operation of Business and Enterprise Integration Services.

B. INFORMATION TECHNOLOGY OPERATIONS AND MAINTENANCE SERVICES

Information Technology Operations and Maintenance Services supports the CIO's efforts in all activities related to the network information enterprise, to include network security, network and telecommunications design and operations, end user services, production server hosting services, and ED's intranet and Internet services, and maintains and operates ED's disaster recovery facility. The Office is headed by a Director who reports to the Chief Information Officer. Information Technology Operations and Maintenance Services is divided into the following seven teams:
• Production Management Team;
• Network Services Team;
• End User Support Services Team;
• Security and Reliability Assurance Team;

OCIO - Page 1 PROPOSED: 7/07/04 OFFICE OF THE CHIEF INFORMATION OFFICER

• Development Services Team;
• Assistive Technology Team; and
• Project Management Team.

Production Management Team

The Production Management Team administers all servers that comprise EDNet, which process all shared applications used throughout the Department. In performing its responsibilities, the Team:
• Manages the daily operation and maintenance of all departmental servers that are hosted within EDNet.
• Provides scheduled backups, upgrades, and maintenance of EDNet hosted servers.
• Coordinates the overall operation of the Department's IT infrastructure.
• Recommends the Server Technology component of the enterprise architecture.
• Manages all mainframe, timesharing and related server services that offer centralized support to users Department-wide, including the Department's network.
• Designs and maintains the Department messaging services that allow it to quickly communicate with its employees, contractors, the citizenry, schools, municipalities, states, and researchers.

Network Services Team

The Network Services Team provides and maintains the infrastructure that allows individual Departmental end users to access shared applications that are hosted throughout the world from their local personal computers. Also, this Team maintains the telephone and video conferencing systems. In performing its responsibilities, the Team:
• Orders and implements telecommunications services including local, long distance and dedicated services.
• Operates and maintains video telecommunications services for the Department.
• Administers the Network Control Center for the Department.
• Champions emerging collaborative technologies to make Department-wide users more effective in dealing with their peers and customers.
• Provides an access path for all End Users to be able to use IT infrastructure down to individual workstations, telephone handsets, IPTV displays, and video conferencing rooms.
• Manages the IT cabling plan.

End User Support Services Team

The End User Support Services Team ensures that all departmental employees, regardless of their locations, have appropriate access to the Department's services and that their personal computers work properly. In performing its responsibilities, the Team:
• Manages the Help Desk, which is the entry point for virtually all requests for IT services.
• Provides workstation on-site support.
• Manages and provides operational support for all office automation activities throughout the Department.
• Provides project management support for ED technology customers that are relocating offices.
• Oversees installation and disposal of workstation equipment.
• Provides operations support and serves as a liaison in the field for the Secretary's Regional Representatives (SRRs).
• Supports SRR implementation of agency-wide technology and applications solutions in the regional offices and provides ongoing customer and technical support.

Security and Reliability Assurance Team

The Security and Reliability Assurance Team protects the overall network from hostile attacks and manages a disaster recovery facility for all of the Department's critical applications. Also, the team ensures that all additions to hardware and software are adequately tested prior to their inclusion into EDNet. In performing its responsibilities, the Team:
• Performs multi-tiered, in-depth defense against cyberterrorist attacks from viruses, worms, and hackers.
• Ensures reliable execution of all hosted servers through executing a production promotion process that tests all updates to the production environment prior to implementation.
• Directs all activities related to the agency's alternate site for redundant systems as prescribed by the Department's system Disaster Recovery Plans and Continuity of Operations Plan.
• Provides facility management support to the agency's alternate data processing center.
• Maintains portal security.
• Tests and evaluates all EDNet equipment.
• Provides administrative support to the Change Control Review Board.
• Develops and enforces processes and procedures to ensure sound configuration control and change management of EDNet and its tenant systems.
Development Services Team

The Development Services Team manages the web-based applications that support and enhance the agency's on-line business processes and provides additional application development support across the enterprise. In performing its responsibilities, the Team:
• Develops and manages internet and intranet applications and coordinates the delivery of appropriate training for Departmental users.
• Enhances education information dissemination, develops new information resources and improves on-line business processes.
• Defines and explores opportunities for Government-to-Customer, Government-to-Business and Government-to-School e-business initiatives and measures effectiveness of new endeavors.
• Maintains and operates ED's internet Web site, ed.gov.
• Maintains and operates ED's intranet Web site, connectED.
• Takes responsibility for putting content on the Web sites, including providing tools for adding Web site content.
• Works with Principal Offices on developing new content and updating existing content on the ed.gov and connectED Web sites.

Assistive Technology Team

The Assistive Technology Team evaluates and tests software applications and hardware to ensure compatibility with the legislative requirements of Section 508 of the Rehabilitation Act of 1973 (29 USC 794d) and the agency's operating environment. In performing its responsibilities, the Team:
• Assists program offices with the evaluation, testing and implementation of assistive technology solutions for individuals with disabilities.
• Serves as liaison to schools and other federal agencies to facilitate the evaluation and implementation of assistive technology solutions in the classroom and the workplace.
• Provides advice to program offices regarding Section 508 requirements for grant competitions.
Project Management Team

The Project Management Team ensures that all IT operations projects are professionally managed and that IT delivers on its commitments. In performing its responsibilities, the Team:
• Provides a core of qualified project managers that executes the OCIO's formal project management process in support of EDNet customers who require new solutions to be developed.
• Performs technology assessment and analysis.
• Provides administrative support to the Technology Review Board.
• Defines IT design elements and develops and tests solutions for emerging customer requirements.

C. BUSINESS AND ENTERPRISE INTEGRATION SERVICES

Business and Enterprise Integration Services (BEIS) provides leadership, oversight, and coordination of the Department's effort to ensure that its Information Technology (IT) investments support ED's strategic plan and are business driven. In particular, this relates to the following activities within the Department of Education:
• Capital Planning and Investment Control (CPIC);
• Enterprise Architecture development, usage and change management;
• Enterprise Architecture product quality and compliance measurement;
• Business Technology Interface;
• Systems Development Life Cycle; and
• IT Acquisition support.

BEIS is responsible for providing policies, standards, and procedures that ensure ED offices comply with the Department's investment review process and enterprise architecture. In addition, BEIS provides instruction to customers to help educate and support them in their investment review and enterprise architecture efforts. The Deputy CIO/CTO is responsible for leadership, policy guidance, quality control, and coordination for Business & Enterprise Integration Services. The Deputy CIO/CTO also ensures that the operations of BEIS are consistent with federal laws and directives as well as Department standards, policies, and procedures.
Furthermore, BEIS ensures that its operations are carried out in an effective and efficient manner, and are customer-oriented. BEIS is comprised of two Teams:
• Investment and Acquisition Management Team; and
• Enterprise Architecture Team.

Investment and Acquisition Management Team

The Investment and Acquisition Management Team is responsible for developing and implementing strategies and programs designed to enhance the Department's business case preparation and capital investment management and planning. The Team is also responsible for providing IT acquisition support to OCIO and the Department. In performing its responsibilities, the IT Investment Management Team:
• Develops and submits recommendations to the Investment Review Board (IRB) regarding IT investments (including projects, systems, IT workforce and initiatives) to assure that investment decisions are mission aligned, cost justified and approved only after careful and systematic review.
• Defines and manages IT investment management processes through long-range planning and a disciplined budget decision making process to achieve performance goals and objectives with minimal risk, lowest life-cycle costs and greatest benefits for the agency. Ensures that the processes are successfully implemented and integrated with the Department's budget, performance-based acquisition and planning processes.
• Oversees business case preparation for IT activities and services.
• Defines capital planning and investment policies and procedures so that the Department can best manage its resources and can measure and evaluate the benefits of investment decisions.
• Coordinates and supports investment decision processes across the agency that are prescribed by the Clinger-Cohen Act of 1996.
• Coordinates activities with the OCIO and across offices that link mission needs and capital assets in an effective and efficient manner.
• Develops and promotes Department-wide IT investment performance measures to assess agency progress in meeting requirements under the Government Performance and Results Act, the Information Technology Reform Act, and other relevant legislation.
• Administers and provides oversight for procurement and contract management of IT activities, and provides acquisition support to IT staff.
• Facilitates Department IT acquisition activities and manages the office's relationships with vendors and other OCIO contractors.
• Manages Department-wide software and system licenses, including procurement, test, and implementation phases.

Enterprise Architecture Team

The Enterprise Architecture Team is responsible for capturing the description of how the Department does its business, and what information, data, and technology are required to support the business. Furthermore, the Enterprise Architecture Team is responsible for the Department's system development life cycle and the business technology interface. The Team also includes Business Technology Advisors who provide direct coordination services between OCIO and the Principal Offices. In performing its responsibilities, the Enterprise Architecture Team:
• Develops, maintains, and facilitates the implementation of a sound and integrated IT enterprise architecture.
• Provides written organizational policy, for approval by the Executive Management Team and the Investment Review Board, regarding the governance of the enterprise architecture.
• Uses the enterprise architecture to analyze IT solutions and ensure that they support the business of the Department.
• Leverages methodologies to eliminate redundancies, reduce cost, and manage change.
• Provides Business Technology Interface support to document requirements for, analyze, and justify each business case presented to the Investment Review Board.
• Uses the enterprise architecture to analyze deliverables proposed by Principal Offices to ensure the statements of work are complete, as outlined in the Systems Development Life Cycle (SDLC).
• Monitors and provides reviews for enterprise (information, data, systems, and technology) within the SDLC, CPIC, and acquisition processes.
• Ensures enterprise architecture products are identified, tracked, monitored, documented, reported, and audited.
• Manages and provides enterprise architecture repository maintenance, oversight, training, and version control.
• Ensures enterprise architecture products and supporting processes are prepared to undergo an independent verification and validation.
• Applies metrics for measuring enterprise architecture progress, quality, and compliance, in order to calculate the return on investment.

D. REGULATORY INFORMATION MANAGEMENT SERVICES

Regulatory and Information Management Services (RIMS) provides leadership, oversight, and coordination to ensure Departmental compliance with government initiatives regarding the acquisition, release and maintenance of information. In particular, this relates to the following activities within the Department of Education:
• Freedom of Information Act (FOIA);
• Privacy Act;
• Records Retention and Management;
• Information Collection;
• Government Paperwork Elimination Act (GPEA); and
• Information Quality Guidelines (IQG).

RIMS is responsible for providing policies, standards, and procedures that ensure ED complies with governmental information management requirements in the above areas. In addition, RIMS provides instruction to assure that customers are educated and supported in the performance of these efforts. The office is headed by a Director who reports to the Chief Information Officer. RIMS includes two teams:
• Information Policy and Standards Team; and
• Information Management Case Services Team.
The office of the Director includes a Special Assistant for Appeals Services who is responsible for the oversight, coordination and disposition of all agency appeals regarding the Freedom of Information Act (FOIA) and the Department's IQGs.

Information Policy and Standards Team

The Information Policy and Standards Team is responsible for developing and implementing strategies and programs designed to enhance the Department's responsiveness to government information management requirements regarding the acquisition, release and maintenance of information. In performing its responsibilities, the Information Policy and Standards Team:
• Promotes the effective and efficient design and operation of major ED information resource management processes; and, as appropriate, examines and recommends improvements to agency business processes.
• Supports the policies and procedures of management, analysis and protection of federal, state, and local data collected and disseminated by the Department.
• Articulates standards for the Department's IQGs, and provides guidance and technical assistance to program offices on quality, dissemination, privacy, and security issues.
• Issues directives and handbooks to support and enhance the performance of agency responsiveness to information management initiatives.
• Provides instruction designed to help agency personnel better coordinate intra- and interagency efforts regarding the acquisition, release and maintenance of information.
• Supports agency information to improve the productivity, efficiency, and effectiveness of federal programs including information dissemination initiatives and efforts to reduce information collection burdens.
• Champions e-records management and works to ensure that enterprise-wide e-records policies are adopted.
• Works with client offices to plan for and coordinate enterprise-wide information access, data collection and records management activities.
• Manages the implementation of the Government Paperwork Elimination Act (GPEA) across the agency.
• Provides leadership and coordination in the resolution of sensitive and high-risk information management cases.

Information Management Case Services Team

The Information Management Case Services Team is responsible for the comprehensive operation of the agency case management system that responds to FOIA and Privacy Act requests. The Team also is responsible for supporting ED information collection, records retention and management, and GPRA activities. In performing its responsibilities, the Team:
• Oversees agency compliance with FOIA, Privacy Act and Departmental records retention and management policies.
• Ensures the successful handling of all requests regarding FOIA and the Privacy Act received by the Department. The team also is responsible for furnishing reliable, accurate, and timely information on FOIA and the Privacy Act in compliance with relevant laws, statutes, regulations and directives.
• Administers the agency's information collection activities, overseeing the Department's collection and reporting processes under the Paperwork Reduction Act and preparing the annual Information Collection Budget for transmittal to OMB.
• Supports Department systems and databases associated with information collections, FOIA, Privacy, and records retention and management.
• Oversees and monitors the administration of contracts to support operation and maintenance of systems and databases relating to the mission of RIMS.

E. INFORMATION ASSURANCE SERVICES

Information Assurance Services oversees the Department's IT security program and implementation of the Federal Information Security Management Act.
The Director of Information Services reports directly to the Chief Information Officer. In performing its responsibilities, the Information Assurance Team:
• Directs the Department's enterprise-wide information assurance activities, developing policies and guidance to prevent and defend against unauthorized access to networks, systems, and data directly or indirectly related to the Department's activities.
• Provides agency-wide leadership in maintaining and improving the accuracy, confidentiality and integrity of data maintained in the Department's information systems, including ongoing support of the agency's Data Integrity Board and data matching/exchange agreements with other agencies.
• Coordinates agency-wide IT security incident reporting and emergency response activities and serves as the Department liaison with the Office of General Counsel, FedCIRC, the FBI, and other external law enforcement agencies concerning IT security incident reporting and follow-up activities.
• Implements and coordinates activities regarding the agency's Critical Infrastructure Protection (CIP), focusing on protecting mission essential infrastructure, promoting best practices in infrastructure management, and developing and promulgating policies to implement requirements of Presidential Decision Directive (PDD) 63.
• Enforces Federal ADP Security standards, including review and evaluation activities prescribed by OMB Circulars A-123 and A-130.
• Coordinates agency-wide policies regarding authentication and message encryption techniques inclusive of digital signatures and PKI technology.
• Conducts annual Department-wide security audit reviews mandated by the Government Information Security Reform Act (GISRA) and periodically assists the agency's OIG with the conduct and resolution of Department IT security program and system audits.
• Manages the operation of the agency's Information and Critical Infrastructure Assurance Steering Committee.
• Develops and maintains a comprehensive and effective disaster recovery planning program that ensures continuity of operations for essential Departmental systems in the event of an emergency or other disruption to normal operations.
• Develops corrective action plans to address weaknesses disclosed by GISRA reviews, IG audits, and Federal Managers Financial Management Integrity Act (FMFIA) annual certifications related to IT security matters.
• Defines IT security curricula and provides specialized security training for the agency's technical staff and general security awareness/orientation training required of all Departmental employees.
Audit of the Department's Efforts in Identifying IRM KSAs.
Published by the Department of Education, Office of Inspector General on 2004-08-20.