800-171 Compliance on the Horizon

A few days before Christmas last year, Federal Student Aid (FSA), an office of the US Department of Education (ED), released a notice providing a high-level overview of its cybersecurity compliance plans. Despite the efforts of EDUCAUSE and our higher education association partners to engage with FSA and ED over the last few years, FSA posted the notice with little warning or opportunity to provide feedback in advance. As a result, the notice raises more questions from a higher education perspective than it answers.

The notice begins with FSA announcing its intention to establish a Campus Cybersecurity Program framework. At this point, what FSA means by a "Campus Cybersecurity Program" remains unclear, as does the role, if any, that higher education cybersecurity leaders and professionals might play in its development and application. The notice does make clear, however, that the NIST SP 800-171 controlled unclassified information (CUI) guidelines will form the foundation of the program that FSA is envisioning:

This Electronic Announcement is meant to inform IHEs [institutions of higher education] and their third-party servicers about upcoming activities to ensure compliance with NIST 800–171 Rev. 2. Institutions' compliance is in accordance with 32 C.F.R. Part 2002 and the federal government-wide requirement that institutions receiving CUI from the U.S. Department of Education (Department) comply with NIST 800-171 Rev. 2.^Footnote1

FSA further reinforces its emphasis on NIST SP 800-171 as its emerging compliance focus by announcing that it plans to begin "[a] multi-year phased implementation" of its Campus Cybersecurity Program with "a self-assessment of NIST 800-171 readiness and outreach activities."^Footnote2 However, later in the notice, FSA indicates that the "self-assessment" in question may be an FSA-designed self-assessment for institutions, rather than a self-assessment by FSA of its 800-171 readiness and outreach:

In 2021, FSA plans to initiate a self-assessment effort to understand the IHE community's readiness to comply with NIST 800-171 Rev 2. The self-assessment effort will help the Department determine the cybersecurity posture, maturity, and future compliance of each IHE with NIST 800-171 and other cybersecurity requirements. (Emphasis added.) Our intention is to partner and collaborate with IHEs, and other organizations, to enhance the resilience and maturity across IHEs by establishing a cybersecurity baseline, sharing information, and overseeing compliance with NIST 800-171 Rev. 2 and other cybersecurity requirements.^Footnote3

The above paragraph alone leads to a host of questions from the perspective of our community:

• If the self-assessment in question has institutions and not FSA as its target, which the text seems to imply, will the self-assessment be voluntary or mandatory?
• If FSA intends to require institutional completion of a self-assessment, what is the legal or regulatory basis for that mandate?
• To what extent will the higher education cybersecurity community have input into the development and implementation of the assessment to ensure that it aligns with higher education cybersecurity operations and practices and that completing it won't impose an undue burden?
• Given the level of sensitive information involved in determining "the cybersecurity posture, maturity, and future compliance of each IHE with NIST 800-171 and other cybersecurity requirements," how will FSA ensure secure submission and storage of such information and shield it from Freedom of Information Act (FOIA) requirements to the extent appropriate?
• What "other cybersecurity requirements" does FSA have in mind? If the term refers to the Federal Trade Commission (FTC) Safeguards Rule requirements (which stem from the Gramm-Leach-Bliley Act), FSA has already implemented an audit objective in the federal single-audit process that identifies what Safeguards Rule compliance means in the context of FSA. What will the new 800-171-focused process mean for this preexisting compliance responsibility, and how will changes to the Safeguards Rule that the FTC still has under consideration be taken into account?
• What organizational capacity does FSA (either alone or in conjunction with ED) have to oversee institutional compliance with 800-171 and the as-yet-undetermined "other cybersecurity requirements?" With whom will institutions work on cybersecurity compliance issues, and what processes and staff can they expect to encounter as that work unfolds? Currently, institutions are told to send an email to a given address, and very little information is available about the process that will be initiated or who will be involved.

EDUCAUSE members will likely find these questions all the more compelling because of the possible scope of compliance that FSA's plans and requirements seem to entail:

We expect federal student aid partners to develop, implement, and enhance information security programs with requisite controls and monitoring that supports all aspects of the administration of Title IV federal student aid programs. These security programs must encompass all systems, databases, and processes that collect, process, and distribute information—including PII—in support of applications for and receipt of Title IV student assistance.^Footnote4 (Emphasis added.)

The reference to "applications for and receipt of Title IV student assistance" conceivably may provide some limiting boundaries on the compliance scope that is envisioned. "All systems, databases, and processes" seems to imply, though, that FSA mandates on NIST SP 800-171 compliance may follow FSA data wherever it goes in an institution's administrative systems and related databases, potentially making 800-171 the de facto baseline for institutional cybersecurity.

The notice raises a variety of other considerations as well. For example, EDUCAUSE and its members have previously asked (without success) for a clear breakdown of the FSA data elements that reasonably fall under the student records category in the National Archives and Records Administration (NARA) CUI Registry, which determines whether the CUI requirements apply. Per EDUCAUSE member feedback, however, this is key to understanding when, where, how, and to what extent institutions will have to implement 800-171 controls across their IT environments. The concerns that colleges and universities have about this issue are heightened by the following statement in the notice: "Most data sourced from the Department and information used in the administration of Title IV funds are considered CUI."

Likewise, EDUCAUSE had previously understood that ED and FSA would need to incorporate the pending uniform Federal Acquisition Regulation (FAR) clause established under the NARA CUI Program into its agreements with institutions in order to impose 800-171 compliance on colleges and universities. The clause remains stuck in the federal regulatory approval process, however. Current information indicates that the rulemaking notice on its implementation should emerge this month, with a May deadline for comment. Previous listings for releasing the uniform clause have followed a similar pattern without the clause finally coming to light. In addition, and perhaps more importantly, the December 18, 2020, FSA cybersecurity notice under discussion seems to imply that FSA may believe it can require institutions to sign an agreement on 800-171 compliance whether it includes the uniform FAR clause or not.

EDUCAUSE continues to seek a renewed dialogue with FSA to get answers to the questions and concerns I have highlighted and establish ongoing engagement between FSA and the EDUCAUSE cybersecurity community. EDUCAUSE, in conjunction with other associations, has consistently stressed that this engagement will help higher education and FSA to achieve our shared objectives regarding the security of student financial aid data. In the meantime, though, FSA's December notice makes one thing clear, even if it leaves many other issues unresolved: FSA intends to begin moving this year toward requiring institutional compliance with the NIST SP 800-171 guidelines in relation to the FSA data that institutions receive. FSA acknowledged in the notice that fully achieving this will require a "multi-year phased implementation," so institutions still have time to pursue 800-171 on their own timetable. However, colleges and universities that have not yet started down the road to implementing 800-171 may not have the luxury of waiting much longer to begin.

Notes

1. Federal Student Aid, "Protecting Student Information – Compliance with CUI and GLBA," US Department of Education Office of Federal Student Aid, December 18, 2020. Jump back to footnote 1 in the text.↩
2. Ibid. Jump back to footnote 2 in the text.↩
3. Ibid. (emphasis added). Jump back to footnote 3 in the text.↩
4. Ibid. Jump back to footnote 4 in the text.↩

---

Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.