Update on Steps to Improve TNReady & Protect Taxpayers' Investments

Wednesday, June 20, 2018 | 11:43am

The department has been diligently working to strengthen TNReady based on what we have learned. Over the last several weeks, we have identified and announced several important adjustments to our contract with Questar and our plans for the assessment program as a whole. We also are announcing a new step today.

  • We have informed Questar that the department is reducing the invoice for our spring online assessment administration by $2.5 million to account for the substandard performance issues we experienced under the current contract and the costs incurred by the state in addressing the issues this spring.

This action complements the changes we shared last week:

  • We are developing a new Request for Proposals (RFP) to identify the vendor or vendors that can successfully administer the state test in 2019-20 and beyond.
  • We are amending the state’s current contract with Questar to improve the assessment experience in 2018-19.
  • We are adjusting the pace of the state’s transition to online testing.
  • And, at our request, Questar is executing a contract with a third-party expert to do an in-depth analysis of their technological capabilities.

We believe these steps are the right ones to move us forward; strengthen TNReady administration for students, parents, and teachers; and protect taxpayers’ investment. These proactive steps reflect what we have learned so far from a variety of formal and informal reviews of the testing experience this spring. These reports and analyses collectively have already provided a number of key takeaways about Questar’s service to the state:

  • It appears, thankfully, that there was not an outside actor who attacked Questar’s data system. No student data was breached.
  • It is now clear that the event that Questar initially thought presented like a denial of service attack on Tuesday, April 17 was not created by an external actor with malicious intent, but, rather, can be traced in large part to the caching issues connected to how text-to-speech was configured by Questar.
  • Questar implemented a significant and unauthorized change to text-to-speech, which had previously operated successfully during the state's fall administration. We now know this decision led to the severity of other issues we experienced during online testing.
  • Questar continues their internal investigation and is cooperating with additional external audits to make sure we have all of the facts.

Questar’s Chief Operating Officer Brad Baumgartner has provided this statement: “Questar’s internal and external investigations indicate that the source of the anomalous data pattern is believed to be the result of a configuration with the cache server. We have applied a configuration change and believe to have resolved the issue. We will continue to work with our internal technology team and external partners to validate this.”

As other external reports are completed, we will share the key takeaways with you, as we have done so here. Please note that per state law (see below), we are not permitted to provide information about the third-party reviewers nor copies of their reports. Please feel free to reach out with any other questions.

T.C.A. § 10-7-504

(i) (1) Information that would allow a person to obtain unauthorized access to confidential information or to government property shall be maintained as confidential. For the purpose of this section, "government property" includes electronic information processing systems, telecommunication systems, or other communications systems of a governmental entity subject to this chapter. For the purpose of this section, "governmental entity" means the state of Tennessee and any county, municipality, city or other political subdivision of the state of Tennessee. Such records include:·

  • (A) Plans, security codes, passwords, combinations, or computer programs used to protect electronic information and government property;
  • (B) Information that would identify those areas of structural or operational vulnerability that would permit unlawful disruption to, or interference with, the services provided by a governmental entity; and
  • (C) Information that could be used to disrupt, interfere with, or gain unauthorized access to electronic information or government property.
    • (2) Information made confidential by this subsection (i) shall be redacted wherever possible and nothing in this subsection (i) shall be used to limit or deny access to otherwise public information because a file, document, or data file contains confidential information.
    • (3)
      • §   (A) Documents concerning the cost of protecting government property or electronic information shall not be confidential.
      • §   (B) The identity of a vendor that provides to the state goods and services used to protect electronic information processing systems, telecommunication and other communication systems, data storage systems, government employee information, or citizen information shall be confidential.
      • §   (C) The identity of a vendor that provides to a governmental entity other than the state goods and services used to protect electronic information processing systems, telecommunication and other communication systems, data storage systems, government employee information, or citizen information shall not be confidential; provided, that the identity of the vendor shall be confidential if the governing body of the governmental entity votes affirmatively to make such information confidential.
      • §   (D) Notwithstanding subdivisions (i)(3)(B) and (C), a governmental entity shall, upon request, provide the identity of a vendor to the comptroller of the treasury, the fiscal review committee of the general assembly, and any member of the general assembly. If the identity of the vendor is confidential under subdivision (i)(3)(B) or (i)(3)(C), the comptroller, fiscal review committee, or member shall exercise reasonable care in maintaining the confidentiality of the identity of the vendor obtained under this subdivision (i)(3)(D).