U.S. Department of Education: Promoting Educational Excellence for all Americans

Exhibit 300 FY2009

PART I: SUMMARY INFORMATION AND JUSTIFICATION

In Part I, complete Sections A, B, C, and D for all capital assets (IT and non-IT). Complete Sections E and F for IT capital assets.

Section A: Overview (All Capital Assets)

The following series of questions are to be completed for all investments.

I. A. 1. Date of Submission:
2007-09-10

I. A. 2. Agency:
018

I. A. 3. Bureau:
24

I. A. 4. Name of this Capital Asset:
(short text - 250 characters)
Information Assurance (IA)

I. A. 5. Unique Project (Investment) Identifier:
For IT investment only, see section 53. For all other, use agency ID system.
018-24-03-00-01-1010-00

I. A. 6. What kind of investment will this be in FY2009?
Please NOTE: Investments moving to O&M in FY2009, with Planning/Acquisition activities prior to FY2009 should not select O&M. These investments should indicate their current status.
Mixed Life Cycle

I. A. 7. What was the first budget year this investment was submitted to OMB?
FY2006

I. A. 8. Provide a brief summary and justification for this investment, including a brief description of how this closes, in part or in whole, an identified agency performance gap:
(long text - 2500 characters)
This investment provides funding for the Department of Education's Information Assurance (IA) Program. The IA program is administered by Information Assurance Services (IAS), which is located in the Office of the Chief Information Officer. The funding for this investment enables the Department to comply with the Federal Information Security Management Act (FISMA), National Institute of Standards and Technology security guidance, OMB requirements, and other information technology security related laws, standards and guidance. IAS provides Department-wide oversight and governance for a secure and reliable computing environment for the Department's customers who access, process and store information on Department information systems. Additionally, the IA program will provide reasonable assurances that sensitive customer and Department data residing within information systems are protected and maintain their confidentiality, integrity and availability properties. Major initiatives funded by this investment include the Managed Security Services Contract, which provides 24x7 monitoring of the Department's network, vulnerability management and auditing services, and contractor services required to provide support to IA's mission in the areas of policy development, identity assurance, analysis and assessment, and security training. This investment will also fund three information systems that provide support for FISMA reporting, security training and secure document storage.

I. A. 9. Did the Agency's Executive/Investment Committee approve this request?
yes

I. A. 9. a. If "yes," what was the date of this approval?
2007-06-14

I. A. 10. Did the Project Manager review this Exhibit?
yes

I. A. 11. Contact information of Project Manager

Name
(short text - 250 characters)

Phone Number
(short text - 250 characters)

E-mail
(short text - 250 characters)

I. A. 11. a. What is the current FAC-P/PM certification level of the project/program manager?

I. A. 12. Has the agency developed and/or promoted cost effective, energy-efficient and environmentally sustainable techniques or practices for this project?
no

I. A. 12. a. Will this investment include electronic assets (including computers)?
no

I. A. 12. b. Is this investment for new construction or major retrofit of a Federal building or facility? (answer applicable to non-IT assets only)
no

I. A. 12. b. 1. If "yes," is an ESPC or UESC being used to help fund this investment?

I. A. 12. b. 2. If "yes," will this investment meet sustainable design principles?

I. A. 12. b. 3. If "yes," is it designed to be 30% more energy efficient than relevant code?

I. A. 13. Does this investment directly support one of the PMA initiatives?
yes

I. A. 13. a. If "yes," check all that apply:
Expanded E-Government

I. A. 13. b. Briefly and specifically describe for each selected how this asset directly supports the identified initiative(s)? (e.g. If E-Gov is selected, is it an approved shared service provider or the managing partner?)
(medium text - 500 characters)
This investment supports expanded government by providing funding for the development, documentation, and implementation of a comprehensive information security program to safeguard the Department of Education's information and information systems.

I. A. 14. Does this investment support a program assessed using the Program Assessment Rating Tool (PART)? (For more information about the PART, visit www.whitehouse.gov/omb/part.)
no

I. A. 14. a. If "yes," does this investment address a weakness found during the PART review?

I. A. 14. b. If "yes," what is the name of the PARTed Program?
(short text - 250 characters)

I. A. 14. c. If "yes," what PART rating did it receive?

I. A. 15. Is this investment for information technology?
yes

I. A. 16. What is the level of the IT Project? (per CIO Council PM Guidance)
Level 1 - Projects with low-to-moderate complexity and risk. Example: Bureau-level project such as a stand-alone information system that has low-to-moderate complexity and risk.
Level 2 - Projects with high complexity and/or risk which are critical to the mission of the organization. Examples: Projects that are part of a portfolio of projects/systems that impact each other and/or impact mission activities. Department-wide projects that impact cross-organizational missions, such as an agency-wide system integration that includes large scale Enterprise Resource Planning (e.g., the DoD Business Mgmt Modernization Program).
Level 3 - Projects that have high complexity, and/or risk, and have government-wide impact. Examples: Government-wide initiative (E-GOV, President's Management Agenda). High interest projects with Congress, GAO, OMB, or the general public. Cross-cutting initiative (Homeland Security).

Level 2

I. A. 17. What project management qualifications does the Project Manager have? (per CIO Council's PM Guidance):
(1) Project manager has been validated as qualified for this investment; (2) Project manager qualification is under review for this investment; (3) Project manager assigned to investment, but does not meet requirements; (4) Project manager assigned but qualification status review has not yet started; (5) No Project manager has yet been assigned to this investment
(1) Project manager has been validated as qualified for this investment

I. A. 18. Is this investment identified as "high risk" on the Q4-FY 2007 agency high risk report (per OMB Memorandum M-05-23)?
yes

I. A. 19. Is this a financial management system?
no

I. A. 19. a. If "yes," does this investment address a FFMIA compliance area?

I. A. 19. a. 1. If "yes," which compliance area
(short text - 250 characters)

I. A. 19. a. 2. If "no," what does it address?
(medium text - 500 characters)

I. A. 19. b. If "yes," please identify the system name(s) and system acronym(s) as reported in the most recent financial systems inventory update required by Circular A-11 section 52
(long text - 2500 characters)

I. A. 20. What is the percentage breakout for the total FY2009 funding request for the following? (This should total 100%)

I. A. 20. a. Hardware
0

I. A. 20. b. Software
0

I. A. 20. c. Services
100

I. A. 20. d. Other
0

I. A. 21. If this project produces information dissemination products for the public, are these products published to the Internet in conformance with OMB Memorandum 05-04 and included in your agency inventory, schedules and priorities?
no

I. A. 22. Contact information of individual responsible for privacy related questions:

I. A. 22. a. Name
(short text - 250 characters)

I. A. 22. b. Phone Number
(short text - 250 characters)

I. A. 22. c. Title
(short text - 250 characters)

I. A. 22. d. E-mail
(short text - 250 characters)

I. A. 23. Are the records produced by this investment appropriately scheduled with the National Archives and Records Administration's approval?
no

I. A. 24. Does this investment directly support one of the GAO High Risk Areas?
Question 24 must be answered by all Investments:
yes

Section B: Summary of Spending (All Capital Assets)

I. B. 1. Provide the total estimated life-cycle cost for this investment by completing the following table. All amounts represent budget authority in millions, and are rounded to three decimal places. Federal personnel costs should be included only in the row designated "Government FTE Cost," and should be excluded from the amounts shown for "Planning," "Full Acquisition," and "Operation/Maintenance." The "TOTAL" estimated annual cost of the investment is the sum of costs for "Planning," "Full Acquisition," and "Operation/Maintenance." For Federal buildings and facilities, life-cycle costs should include long term energy, environmental, decommissioning, and/or restoration costs. The costs associated with the entire life-cycle of the investment should be included in this report.
Note: For the cross-agency investments, this table should include all funding (both managing and partner agencies).
Government FTE Costs should not be included as part of the TOTAL represented.

| | PY-1 and Spending Prior to 2007 | PY 2007 | CY 2008 | BY 2009 | BY+1 2010 | BY+2 2011 | BY+3 2012 | BY+4 2013 and Beyond |
| Planning | 0.000 | 0.000 | 0.000 | 0.000 | | | | |
| Acquisition | 1.969 | 0.450 | 1.790 | 1.790 | | | | |
| Subtotal Planning & Acquisition | | | | | | | | |
| Operations & Maintenance | 8.689 | 10.175 | 5.358 | 5.003 | | | | |
| Total | | | | | | | | |
| Government FTE Costs | 3.360 | 1.095 | 1.128 | 2.044 | | | | |
| Number of FTE represented by cost | 28 | 17 | 17 | 17 | | | | |

I. B. 2. Will this project require the agency to hire additional FTE's?
no

I. B. 2. a. If "yes," How many and in what year?
(medium text - 500 characters)

I. B. 3. If the summary of spending has changed from the FY2008 President's budget request, briefly explain those changes.
(long text - 2500 characters)
IA is requesting additional funding for two projects: 1. Managed Security Services Provider Contract - Will allow the Department to validate that the incumbent EDNet contractor is providing the Department with proper security controls as required. The MSSP will also provide oversight and compliance for IA and provide IV&V validation for EDNet as it directly relates to Security Operations, as well as implementing new security related Federal mandates as they arise. 2. Backup Tape Encryption - Will allow the Department to encrypt backup tapes to increase protection of all Personally Identifiable Information (PII) as mandated by OMB M-06-16.

Section C: Acquisition/Contract Strategy (All Capital Assets)

I. C. 1. Complete the table for all (including all non-Federal) contracts and/or task orders currently in place or planned for this investment. Total Value should include all option years for each contract. Contracts and/or task orders completed do not need to be included.
SIS - Share in Services contract; ESPC - Energy savings performance contract ; UESC - Utility energy efficiency service contract; EUL - Enhanced use lease contract; N/A - no alternative financing used.
(Character Limitations: Contract or Task Order Number - 250 Characters; Type of Contract/Task Order - 250 Characters; Name of CO - 250 Characters; CO Contact Information - 250 Characters)

| | Type of Contract/Task Order | Has the contract been awarded? | If so what is the date of the award? If not, what is the planned award date? | Start date of Contract/Task Order | End date of Contract/Task Order | Total Value of Contract/Task Order ($M) | Is this an Interagency Acquisition? | Is it performance based? | Competitively awarded? | What, if any, alternative financing option is being used? | Is EVM in the contract? | Does the contract include the required security & privacy clauses? | Name of CO | CO Contact Information (phone/email) | Contracting officer certification level | If N/A, has the agency determined the CO assigned has the competencies and skills necessary to support this acquisition? |

I. C. 2. If earned value is not required or will not be a contract requirement for any of the contracts or task orders above, explain why:
(long text - 2500 characters)

I. C. 3. Do the contracts ensure Section 508 compliance?

I. C. 3. a. Explain Why:
(medium text - 500 characters)

I. C. 4. Is there an acquisition plan which has been approved in accordance with agency requirements?

I. C. 4. a. If "yes," what is the date?

I. C. 4. b. If "no," will an acquisition plan be developed?

I. C. 4. b. 1. If "no," briefly explain why:
(medium text - 500 characters)

Section D: Performance Information (All Capital Assets)

In order to successfully address this area of the exhibit 300, performance goals must be provided for the agency and be linked to the annual performance plan. The investment must discuss the agency's mission and strategic goals, and performance measures (indicators) must be provided. These goals need to map to the gap in the agency's strategic goals and objectives this investment is designed to fill. They are the internal and external performance benefits this investment is expected to deliver to the agency (e.g., improve efficiency by 60 percent, increase citizen participation by 300 percent a year to achieve an overall citizen participation rate of 75 percent by FY 2xxx, etc.). The goals must be clearly measurable investment outcomes, and if applicable, investment outputs. They do not include the completion date of the module, milestones, or investment, or general goals, such as, significant, better, improved that do not have a quantitative measure.

I. D. 1. Table 1. Performance Information Table

Agencies must use the following table to report performance goals and measures for the major investment and use the Federal Enterprise Architecture (FEA) Performance Reference Model (PRM). Map all Measurement Indicators to the corresponding "Measurement Area" and "Measurement Grouping" identified in the PRM. There should be at least one Measurement Indicator for each of the four different Measurement Areas (for each fiscal year). The PRM is available at www.egov.gov. The table can be extended to include performance measures for years beyond FY 2009.

| | Strategic Goal(s) Supported | Measurement Area | Measurement Grouping | Measurement Indicator | Baseline | Target | Actual Results |
| 2007 | Cross-goal Strategy on Management | Processes and Activities | Compliance | Communicate a major emergency event to the ED operations Director or designee (ITD Manager or designee within 15 minutes of becoming aware of any major IT issues 100% of the time.) | 100% | 100% | 100% |
| 2007 | Cross-goal Strategy on Management | Mission and Business Results | Corrective Action | IT Security - % of all systems certified & accredited | 100% | 100% | Available 10.2007 |
| 2007 | Cross-goal Strategy on Management | Customer Results | Customer Complaints | Customer Training - % of employees receiving Security Awareness Training | 97% | 100% | 97% |
| 2007 | Cross-goal Strategy on Management | Processes and Activities | Privacy | Maintain Number of Contingency Plan tested | 100% | 100% | Available 10/30/2007 |
| 2007 | Cross-goal Strategy on Management | Technology | Accessibility | Information systems meet Section 508 Requirements | 80% | 90% | 90% |
| 2008 | Cross-goal Strategy on Management | Processes and Activities | Compliance | Communicate a major emergency event to the ED operations Director or designee (ITD Manager or designee within 15 minutes of becoming aware of any major IT issues 100% of the time.) | 100% | 100% | TBD |
| 2008 | Cross-goal Strategy on Management | Mission and Business Results | Program Evaluation | IT Security - % of all systems certified & accredited | 100% | 100% | TBD |
| 2008 | Cross-goal Strategy on Management | Customer Results | Customer Training | Customer Training - % of employees receiving Security Awareness Training | 97% | 97% | TBD |
| 2008 | Cross-goal Strategy on Management | Processes and Activities | Privacy | Maintain Number of Contingency Plan testing | 100% | 100% | TBD |
| 2008 | Cross-goal Strategy on Management | Technology | Accessibility | Information Systems meet Section 508 requirements | 90% | 95% | TBD |
| 2009 | Cross-goal Strategy on Management | Customer Results | Compliance | Communicate a major emergency event to the ED operations Director or designee (ITD Manager or designee within 15 minutes of becoming aware of any major IT issues 100% of the time.) | 100% | 100% | TBD |
| 2009 | Cross-goal Strategy on Management | Mission and Business Results | Program Evaluation | IT Security - % of all systems certified & accredited | 100% | 100% | TBD |
| 2009 | Cross-goal Strategy on Management | Customer Results | Customer Training | Customer Training - % of employees receiving Security Awareness Training | 97% | 97% | TBD |
| 2009 | Cross-goal Strategy on Management | Processes and Activities | Privacy | Maintain Number of Contingency Plan testing | 100% | 100% | TBD |
| 2009 | Cross-goal Strategy on Management | Technology | Accessibility | Information Systems meet Section 508 requirements | 95% | 95% | TBD |
| 2008 | Cross-goal Strategy on Management | Mission and Business Results | Compliance | Number of Systems Implemented with Secure Configurations | 60% | 70% | TBD |
| 2009 | Cross-goal Strategy on Management | Mission and Business Results | Compliance | Number of Systems Implemented with Secure Configurations | 80% | 90% | TBD |

Section E: Security and Privacy (IT Capital Assets only)

In order to successfully address this area of the business case, each question below must be answered at the system/application level, not at a program or agency level. Systems supporting this investment on the planning and operational systems security tables should match the systems on the privacy table below. Systems on the Operational Security Table must be included on your agency FISMA system inventory and should be easily referenced in the inventory (i.e., should use the same name or identifier).

For existing Mixed-Life Cycle investments where enhancement, development, and/or modernization is planned, include the investment in both the "Systems in Planning" table (Table 3) and the "Operational Systems" table (Table 4). Systems which are already operational, but have enhancement, development, and/or modernization activity, should be included in both Table 3 and Table 4. Table 3 should reflect the planned date for the system changes to be complete and operational, and the planned date for the associated C&A update. Table 4 should reflect the current status of the requirements listed. In this context, information contained within Table 3 should characterize what updates to testing and documentation will occur before implementing the enhancements; and Table 4 should characterize the current state of the materials associated with the existing system.

All systems listed in the two security tables should be identified in the privacy table. The list of systems in the "Name of System" column of the privacy table (Table 8) should match the systems listed in columns titled "Name of System" in the security tables (Tables 3 and 4). For the Privacy table, it is possible that there may not be a one-to-one ratio between the list of systems and the related privacy documents. For example, one PIA could cover multiple systems. If this is the case, a working link to the PIA may be listed in column (d) of the privacy table more than once (for each system covered by the PIA).

I. E. 1. Have the IT security costs for the system(s) been identified and integrated into the overall costs of the investment?

I. E. 1. a. If "yes," provide the "Percentage IT Security" for the budget year:

I. E. 2. Is identifying and assessing security and privacy risks a part of the overall risk management effort for each system supporting or part of this investment?

I. E. 3. Systems in Planning and Undergoing Enhancement(s) – Security Table:
The questions asking whether there is a PIA which covers the system and whether a SORN is required for the system are discrete from the narrative fields. The narrative column provides an opportunity for free text explanation why a working link is not provided. For example, a SORN may be required for the system, but the system is not yet operational. In this circumstance, answer "yes" for column (e) and in the narrative in column (f), explain that because the system is not operational the SORN is not yet required to be published.

| | Agency/or contractor Operated System | Planned Operational Date | Planned or Actual C&A Completion Date |

I. E. 4. Operational Systems - Security:

| | Agency/or contractor Operated System? | NIST FIPS 199 Risk Impact level (High, Moderate, Low) | Has C & A been Completed, using NIST 800-37? (Y/N) | Date Completed: C & A | What standards were used for the Security Controls tests? (FIPS 200/NIST 800-53, Other, N/A) | Date Completed: Security Control Testing | Date the contingency plan tested |

I. E. 5. Have any weaknesses related to any of the systems part of or supporting this investment been identified by the agency or IG?

I. E. 5. a. If "yes," have those weaknesses been incorporated into the agency's plan of action and milestone process?

I. E. 6. Indicate whether an increase in IT security funding is requested to remediate IT security weaknesses?

I. E. 6. a. If "yes," specify the amount, provide a general description of the weakness, and explain how the funding request will remediate the weakness.
(long text - 2500 characters)

I. E. 7. How are contractor security procedures monitored, verified, and validated by the agency for the contractor systems above?
(long text - 2500 characters)

I. E. 8. Planning & Operational Systems - Privacy Table:
Details for Text Options:
Column (d): If yes to (c), provide the link(s) to the publicly posted PIA(s) with which this system is associated. If no to (c), provide an explanation why the PIA has not been publicly posted or why the PIA has not been conducted.

Column (f): If yes to (e), provide the link(s) to where the current and up to date SORN(s) is published in the federal register. If no to (e), provide an explanation why the SORN has not been published or why there isn't a current and up to date SORN.

Note: Links must be provided to specific documents not general privacy websites.

| | (b) Is this a new system? (Y/N) | (c) Is there a Privacy Impact Assessment (PIA) that covers this system? (Y/N) | (d) Internet Link or Explanation | (e) Is a System of Records Notice (SORN) required for this system? (Y/N) | (f) Internet Link or Explanation |

Section F: Enterprise Architecture (EA) (IT Capital Assets only)

In order to successfully address this area of the business case and capital asset plan you must ensure the investment is included in the agency's EA and Capital Planning and Investment Control (CPIC) process, and is mapped to and supports the FEA. You must also ensure the business case demonstrates the relationship between the investment and the business, performance, data, services, application, and technology layers of the agency's EA.

I. F. 1. Is this investment included in your agency's target enterprise architecture?
yes

I. F. 1. a. If "no," please explain why?
(long text - 2500 characters)

I. F. 2. Is this investment included in the agency's EA Transition Strategy?
yes

I. F. 2. a. If "yes," provide the investment name as identified in the Transition Strategy provided in the agency's most recent annual EA Assessment.
(medium text - 500 characters)
Information Assurance

I. F. 2. b. If "no," please explain why?
(long text - 2500 characters)

I. F. 3. Is this investment identified in a completed (contains a target architecture) and approved segment architecture?
no

I. F. 3. a. If "yes," provide the name of the segment architecture.
(medium text - 500 characters)

I. F. 4. Service Component Reference Model (SRM) Table:
Identify the service components funded by this major IT investment (e.g., knowledge management, content management, customer relationship management, etc.). Provide this information in the format of the following table. For detailed guidance regarding components, please refer to http://www.egov.gov.

a. Use existing SRM Components or identify as "NEW". A "NEW" component is one not already identified as a service component in the FEA SRM.
b. A reused component is one being funded by another investment, but being used by this investment. Rather than answer yes or no, identify the reused service component funded by the other investment and identify the other investment using the Unique Project Identifier (UPI) code from the OMB Ex 300 or Ex 53 submission.
c. 'Internal' reuse is within an agency. For example, one agency within a department is reusing a service component provided by another agency within the same department. 'External' reuse is one agency within a department reusing a service component provided by another agency in another department. A good example of this is an E-Gov initiative service being reused by multiple organizations across the federal government.
d. Please provide the percentage of the BY requested funding amount used for each service component listed in the table. If external, provide the percentage of the BY requested funding amount transferred to another agency to pay for the service. The percentages in this column can, but are not required to, add up to 100%.

| | Agency Component Description | FEA SRM Service Type | FEA SRM Component (a) | Service Component Reused - Component Name (b) | Service Component Reused - UPI (b) | Internal or External Reuse? (c) | BY Funding Percentage (d) |
| Information Assurance | Department-wide governance for a secure and reliable computing environment for the Department's customers who access Department information systems. | Security Management | Certification and Accreditation | | | No Reuse | 10 |
| Information Assurance | Department-wide governance for a secure and reliable computing environment for the Department's customers who access Department information systems. | Security Management | FISMA Management and Reporting | | | No Reuse | 4 |
| Information Assurance | Department-wide governance for a secure and reliable computing environment for the Department's customers who access Department information systems. | Security Management | Incident Response | | | No Reuse | 4 |
| Information Assurance | Department-wide governance for a secure and reliable computing environment for the Department's customers who access Department information systems. | Human Resources | Education / Training | | | No Reuse | 0 |

I. F. 5. Table 1. Technical Reference Model (TRM) Table:
To demonstrate how this major IT investment aligns with the FEA Technical Reference Model (TRM), please list the Service Areas, Categories, Standards, and Service Specifications supporting this IT investment.

a. Service Components identified in the previous question should be entered in this column. Please enter multiple rows for FEA SRM Components supported by multiple TRM Service Specifications
b. In the Service Specification field, agencies should provide information on the specified technical standard or vendor product mapped to the FEA TRM Service Standard, including model or version numbers, as appropriate.

| | FEA TRM Service Area | FEA TRM Service Category | FEA TRM Service Standard | Service Specification (i.e., vendor and product name) |
| Education / Training | Service Access and Delivery | Service Transport | Service Transport | Macromedia Cold Fusion |
| Education / Training | Service Platform and Infrastructure | Database / Storage | Database | Microsoft SQL Server |
| Education / Training | Service Platform and Infrastructure | Delivery Servers | Web Servers | Macromedia Cold Fusion |
| Certification and Accreditation | Service Platform and Infrastructure | Hardware / Infrastructure | Servers / Computers | Compaq Proliant provided by EDNet |
| Certification and Accreditation | Component Framework | Presentation / Interface | Static Display | Macromedia Cold Fusion |
| FISMA Management and Reporting | Component Framework | Presentation / Interface | Dynamic Server-Side Display | Macromedia Cold Fusion |
| FISMA Management and Reporting | Component Framework | Presentation / Interface | Content Rendering | Macromedia Cold Fusion |
| Incident Response | Component Framework | Data Management | Reporting and Analysis | ED PIP Portal Software |
| Incident Response | Component Framework | Data Management | Database Connectivity | Microsoft SQL Server |
| Incident Response | Service Platform and Infrastructure | Support Platforms | Platform Dependent | Microsoft Windows Server (Provided by EDNet) |
| FISMA Management and Reporting | Service Platform and Infrastructure | Delivery Servers | Portal Servers | ED PIP Portal Software |
| FISMA Management and Reporting | Component Framework | Security | Supporting Security Services | Macromedia Cold Fusion |
| FISMA Management and Reporting | Component Framework | Business Logic | Platform Independent | ED PIP Portal Software |
| Certification and Accreditation | Component Framework | Security | Supporting Security Services | Cyber-Ark's Network Vault |

I. F. 6. Will the application leverage existing components and/or applications across the Government (i.e., FirstGov, Pay.Gov, etc)?
no

I. F. 6. a. If "yes," please describe.
(long text - 2500 characters)

PART II: PLANNING, ACQUISITION AND PERFORMANCE INFORMATION

Part II should be completed only for investments identified as "Planning" or "Full Acquisition," or "Mixed Life-Cycle" investments in response to Question 6 in Part I, Section A above

Section A: Alternatives Analysis (All Capital Assets)

In selecting the best capital asset, you should identify and consider at least three viable alternatives, in addition to the current baseline, i.e., the status quo. Use OMB Circular A-94 for all investments and the Clinger Cohen Act of 1996 for IT investments to determine the criteria you should use in your Benefit/Cost Analysis.

II. A. 1. Did you conduct an alternatives analysis for this project?
yes

II. A. 1. a. If "yes," provide the date the analysis was completed?
2005-06-30

II. A. 1. b. If "no," what is the anticipated date this analysis will be completed?

II. A. 1. c. If no analysis is planned, please briefly explain why:
(medium text - 500 characters)

II. A. 2. Use the results of your alternatives analysis to complete the following table:
(Character Limitations: Alternative Analyzed - 250 characters; Description of Alternative - 500 Characters)

| | Description of Alternative | Risk Lifecycle Cost Estimate | Risk Lifecycle Benefits Estimate |
| 1. Centralized Security Program (Government and Contractor Staff) | Centralized Security Program - This alternative involves the combined efforts of both contractors and government staff to implement: 1) Governance of ED's Information Assurance Program, which is compliant with NIST/Federal standards; 2) Implement an ED-wide C&A Program; 3) Implement an IT Security Risk Management Program; 4) Implement an IT security training & awareness program; 5) IT Security integration; 6) Security Operations; 7) Configuration Management and 8) Disaster Recovery Facility. | | |
| 2. Sole Use of Government Staff | This alternative involves the sole use of government staff, no contractor support to maintain the following functions: 1) Governance of ED's Information Assurance Program, which is compliant with NIST/Federal standards; 2) Implement an ED-Wide C&A Program; 3) Implement an IT Security Risk Management Program; 4) Implement an IT security training & awareness program; 5) IT Security integration; 6) Security Operations; 7) Configuration Management and 8) Disaster Recovery Facility. | | |
| 3. Centralized Security Program w/ Outsourcing DRF (Government and Contractor Staff) | Centralized Security Program with Outsourcing of Disaster Recovery Facility - This alternative involves the combined efforts of both contractors and government staff. It involves a centralized approach to all functions and outsourcing of the Disaster Recovery Facility. | | |
| 4. Decentralized Security Program (Government and Contractor Staff) | This alternative involves a decentralized security program. Each Program Office (PO) would be responsible to maintain the following functions: 1) Governance of ED's Information Assurance Program, which is compliant with NIST/Federal standards; 2) Implement an ED-wide C&A Program; 3) Implement an IT Security Risk Management Program; 4) Implement an IT security training program; 5) IT Security integration; 6) Security Operations; 7) Configuration Management and 8) Disaster Recovery Facility | | |

II. A. 3. Which alternative was selected by the Agency's Executive/Investment Committee and why was it chosen?
(long text - 2500 characters)
Alternative 1 was chosen because it greatly decreases the possibility that the Department's mission would be adversely affected. It also decreases the likelihood the Department would incur higher costs later - such as costs associated with restoration/verification of lost/altered information, hardware, software, telecommunications, staff, facilities, as well as costs associated with possible legal actions - Privacy Act lawsuits. It will ensure adequate protection of the Department's infrastructure assets to the greatest extent possible. Alternative 1 will allow the Department to be more responsive to numerous OIG audit findings and recommendations and allow the Department to be more fully in compliance with security/infrastructure protection requirements specified in Federal regulations, policies, guidelines, and Presidential directives.

II. A. 4. What specific qualitative benefits will be realized?
(long text - 2500 characters)
The Department will be provided with reasonable assurances that sensitive customer and Department data residing within information systems are protected and maintain their confidentiality, integrity and availability properties.

II. A. 5. Will the selected alternative replace a legacy system in-part or in-whole?
no

II. A. 5. a. If "yes," are the migration costs associated with the migration to the selected alternative included in this investment, the legacy investment, or in a separate migration investment?

II. A. 5. b. Table 1. If "yes," please provide the following information:

  UPI if available Date of the System Retirement
     

Section B: Risk Management (All Capital Assets)

You should have performed a risk assessment during the early planning and initial concept phase of this investment's life-cycle, developed a risk-adjusted life-cycle cost estimate and a plan to eliminate, mitigate or manage risk, and be actively managing risk throughout the investment's life-cycle.

II. B. 1. Does the investment have a Risk Management Plan?
yes

II. B. 1. a. If "yes," what is the date of the plan?
2007-08-31

II. B. 1. b. Has the Risk Management Plan been significantly changed since last year's submission to OMB?
no

II. B. 1. c. If "yes," describe any significant changes:
(long text - 2500 characters)

II. B. 2. If there currently is no plan, will a plan be developed?

II. B. 2. a. If "yes," what is the planned completion date?

II. B. 2. b. If "no," what is the strategy for managing the risks?
(long text - 2500 characters)

II. B. 3. Briefly describe how investment risks are reflected in the life cycle cost estimate and investment schedule:
(long text - 2500 characters)
This investment contains funding for a Security Services Blanket Purchase Agreement. A portion of this funding is typically used to respond to unfunded OMB mandates, emerging risks and vulnerabilities. Additionally, work is managed by using a risk-adjusted schedule.

Section C: Cost and Schedule Performance (All Capital Assets)

EVM is required only on DME portions of investments. For mixed lifecycle investments, O&M milestones should still be included in the table (Comparison of Initial Baseline and Current Approved Baseline). This table should accurately reflect the milestones in the initial baseline, as well as milestones in the current baseline.

II. C. 1. Does the earned value management system meet the criteria in ANSI/EIA Standard - 748?
yes

II. C. 2. Is the CV or SV greater than 10%?
no

II. C. 2. a. If "yes," was it the CV or SV or both?

II. C. 2. b. If "yes," explain the causes of the variance:
(long text - 2500 characters)

II. C. 2. c. If "yes," describe the corrective actions:
(long text - 2500 characters)

II. C. 3. Has the investment re-baselined during the past fiscal year?
yes

II. C. 3. a. If "yes," when was it approved by the agency head?
2007-02-28

II. C. 4. Comparison of Initial Baseline and Current Approved Baseline
Complete the following table to compare actual performance against the current performance baseline and to the initial performance baseline. In the Current Baseline section, for all milestones listed, you should provide both the baseline and actual completion dates (e.g., "03/23/2003"/ "04/28/2004") and the baseline and actual total costs (in $ Millions). In the event that a milestone is not found in both the initial and current baseline, leave the associated cells blank. Note that the 'Description of Milestone' and 'Percent Complete' fields are required. Indicate '0' for any milestone no longer active. (Character Limitations: Description of Milestone - 500 characters)

Description of Milestone | Initial Baseline - Planned Completion Date | Initial Baseline - Total Cost | Current Baseline - Planned Completion Date | Current Baseline - Actual Completion Date | Current Baseline - Planned Total Cost | Current Baseline - Actual Total Cost | Current Baseline Variance - Schedule | Current Baseline Variance - Cost | Percent Complete

PART III: FOR "OPERATION AND MAINTENANCE" INVESTMENTS ONLY (STEADY-STATE)

Part III should be completed only for investments identified as "Operation and Maintenance" (Steady State) in response to Question 6 in Part I, Section A above.

Section A: Risk Management (All Capital Assets)

You should have performed a risk assessment during the early planning and initial concept phase of this investment's life-cycle, developed a risk-adjusted life-cycle cost estimate and a plan to eliminate, mitigate or manage risk, and be actively managing risk throughout the investment's life-cycle.

III. A. 1. Does the investment have a Risk Management Plan?

III. A. 1. a. If "yes," what is the date of the plan?

III. A. 1. b. Has the Risk Management Plan been significantly changed since last year's submission to OMB?

III. A. 1. c. If "yes," describe any significant changes:
(long text - 2500 characters)

III. A. 2. If there currently is no plan, will a plan be developed?

III. A. 2. a. If "yes," what is the planned completion date?

III. A. 2. b. If "no," what is the strategy for managing the risks?
(long text - 2500 characters)

Section B: Cost and Schedule Performance (All Capital Assets)

III. B. 1. Was operational analysis conducted?

III. B. 1. a. If "yes," provide the date the analysis was completed.

III. B. 1. b. If "yes," what were the results?
(long text - 2500 characters)

III. B. 1. c. If "no," please explain why it was not conducted and if there are any plans to conduct operational analysis in the future:
(long text - 2500 characters)

III. B. 2. Complete the following table to compare actual cost performance against the planned cost performance baseline. Milestones reported may include specific individual scheduled preventative and predictable corrective maintenance activities, or may be the total of planned annual operation and maintenance efforts.

(Character Limitations: Description of Milestone - 250 Characters)

III. B. 2. a. What costs are included in the reported Cost/Schedule Performance information (Government Only/Contractor Only/Both)?

III. B. 2. b. Comparison of Planned and Actual Cost

PART IV: Planning For "Multi-Agency Collaboration" ONLY

Part IV should be completed only for investments identified as an E-Gov initiative, a Line of Business (LOB) Initiative, or a Multi-Agency Collaboration effort, that is, investments that selected the "Multi-Agency Collaboration" choice in response to Question 6 in Part I, Section A above. Investments identified as "Multi-Agency Collaboration" will complete only Parts I and IV of the exhibit 300.

Section A: Multi-Agency Collaboration Oversight (All Capital Assets)

Multi-agency Collaborations, such as E-Gov and LOB initiatives, should develop a joint exhibit 300.

IV. A. 1. Stakeholder Table
As a joint exhibit 300, please identify the agency stakeholders. Provide the partner agency and partner agency approval date for this joint exhibit 300.

  Joint exhibit approval date
   

IV. A. 2. Partner Capital Assets within this Investment
Provide the partnering strategies you are implementing with the participating agencies and organizations. Identify all partner agency capital assets supporting the common solution (section 300.7); Managing Partner capital assets should also be included in this joint exhibit 300. These capital assets should be included in the Summary of Spending table of Part I, Section B. All partner agency migration investments (section 53.4) should also be included in this table. Funding contributions/fee-for-service transfers should not be included in this table. (Partner Agency Asset UPIs should also appear on the Partner Agency's exhibit 53)

  Partner Agency Asset Title Partner Agency Exhibit 53 UPI
     

IV. A. 3. Partner Funding Strategies ($millions)
For jointly funded initiative activities, provide in the "Partner Funding Strategies Table": the name(s) of partner agencies; the UPI of the partner agency investments; and the partner agency contributions for CY and BY. Please indicate partner contribution amounts (in-kind contributions should also be included in this amount) and fee-for-service amounts. (Partner Agency Asset UPIs should also appear on the Partner Agency's exhibit 53. For non-IT fee-for-service amounts the Partner exhibit 53 UPI can be left blank) (IT migration investments should not be included in this table)

  Partner Exhibit 53 UPI CY Contribution CY Fee-for-Service BY Contribution BY Fee-for-Service
