CASE STUDY
US DoED Risk Assessment

TDI performed a complete Risk Assessment of the Postsecondary Education Participants System (PEPS) at the Department of Education. PEPS is Federal Student Aid's (FSA) management information system for all organizations that have a role in administering Federal Student Aid and other Higher Education Act programs. PEPS stores and maintains eligibility, certification, demographic, financial, review, audit, and default rate data about Schools, Lenders and Guarantors participating in the Title IV programs. The Risk Assessment was part of an overall Federal Information Security Management Act (FISMA) evaluation.

To complete the task, TDI performed a comprehensive examination of the security measures and controls, of both a technical and practical nature, used by the PEPS information technology (IT) system. We gathered information about vulnerabilities through interviews, site visits, review of documentation, and on-site observation of procedures. TDI followed multiple guidelines during this process, including National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, SP 800-26, and Office of Management and Budget (OMB) Circular A-130.

This evaluation assured that PEPS adhered to a given set of security requirements. When it was completed, the certification process revealed pertinent information about the threats, vulnerabilities, and risks that existed in the PEPS IT system. Each identified risk received an associated qualitative form of measurement to evaluate it on a relative scale. The risk assessment as a whole provided the foundation for the PEPS Department of Education accreditation decision.