Higher education institutions that do not achieve cybersecurity compliance are in danger of losing their ability to receive Title IV Federal Student Aid program funding. Approximately seven out of ten students on HBCU campuses receive federal student aid to pay their tuition. The Student Freedom Initiative and Cisco have begun working directly with HBCUs to identify and address cybersecurity compliance gaps at these institutions.
Over the last year, several higher education institutions, including more than six historically black colleges and universities (HBCUs), have been victims of cyberattacks. These attacks resulted in class closures, registration delays, and data ransoms. Cybersecurity vulnerabilities at the campus level put critical data, such as family and institutional finances, personally identifiable information (PII), and even medical records, at risk of being stolen during a cyberattack.
In addition to the harm such attacks cause, the absence of updated cybersecurity safeguards comes with additional penalties and sanctions, such as the U.S. Department of Education (ED) edict that requires higher education institutions to reach a specified level of cybersecurity compliance to continue to receive Title IV Federal Student Aid program funding.Footnote1 According to U.S. News & World Report, seven out of every ten HBCU students rely on federal student aid to pay their tuition; the loss of this aid would be devastating for students and the HBCUs that serve them.Footnote2
Through its campus cybersecurity partnership with Cisco, which donated $150 million ($100 million of which was for the cause), the Student Freedom Initiative (SFI) has begun working directly with HBCUs to identify and address gaps between their existing IT infrastructure and ED compliance requirements. EDUCAUSE is supporting this work by advising and consulting with SFI staff. Jarret Cummings, the senior advisor of policy and government relations at EDUCAUSE, provides federal policy guidance, and Brian Kelly, director of the Cybersecurity Program at EDUCAUSE, shares cybersecurity best practices.
SFI works with its HBCU partners to complete the cybersecurity compliance checklist and issue a gap analysis and bill of materials. SFI also provides the labor to achieve compliance, including twelve months of free maintenance. Nine HBCUs signed on to the program in the first year, and more agreements are expected.Footnote3 Xavier University of Louisiana (XULA) is one of the inaugural program participants. As SFI Executive Director, I sat down with XULA Chief Information Officer Mable Moore to discuss the progress the university has made and how XULA can provide a blueprint for other schools.
Mark A. Brown: In the wake of the increased number of cybersecurity attacks on HBCUs, can you discuss the importance of your partnership with the SFI in terms of shoring up the cybersecurity infrastructure at XULA?
Mable Moore: In the wake of increases in cybersecurity attacks on HBCUs and other colleges, universities, and organizations across the country, XULA has been aggressively preparing for a more robust cybersecurity technology environment since we had our first external cybersecurity assessment in the fall of 2019. We received an assessment report in early 2020.
The timeliness of the SFI partnership was highly beneficial to XULA. As with most HBCUs, the technology resources at XULA are stretched thin. Finding experienced technology staff to meet the daily technology operational and project management needs of the university is challenging. Our goals are to receive a National Institutes of Standards and Technology (NIST) SP 800-171 assessment and cybersecurity certification, which NIST recommends for all higher education institutions. SFI has helped XULA accelerate the timeframe to meet these goals.
SFI's assistance in providing a phased cybersecurity project management system with methodology, technology resources, support, and training has helped XULA accelerate the cybersecurity certification process. At XULA, we feel fortunate to have been one of the first institutions to participate in Phase 1 of the SFI program.
Brown: Would XULA have been able to modernize its infrastructure independently?
Moore: XULA was in the process of modernizing some of the campus infrastructure and cybersecurity plans; however, it would have taken much more time and resources to create a comprehensive cybersecurity approach. XULA did not have adequate resources to do this promptly. We updated our entire network infrastructure in 2019, and toward the end of 2019, we started to address cybersecurity issues using a few cybersecurity products with multi-factor authentication (MFA). There are only so many items an institution can manage each year with limited technology resources, and XULA was at least three years out from having the type of comprehensive cybersecurity solution that we wanted when we signed on to the SFI cybersecurity program. Our partnership with SFI has accelerated the process of finding the right security tools for our environment and training IT staff to use them.
Over the last nine months, we have completed our cybersecurity assessment with SFI, received and reviewed our cybersecurity feedback report, and obtained a cybersecurity solution for the campus. We are now working toward cybersecurity certification.
Brown: What would the cybersecurity solution have cost without SFI as a partner? How long would it have taken to get this done?
Moore: XULA did not have enough staff or technology resources (funding, people, affordable hardware, and software solutions) to address a comprehensive cybersecurity solution.
When I arrived at XULA in 2019, the university's information security officer (ISO) had begun the process; however, we lost that ISO within my first three months at the university. It took another ten months to find and hire a new ISO to continue our cybersecurity project and plans. It would have taken about three years longer to complete the work we have done in the last nine months. The scope of the project and much of the work and product installations are complete. SFI brought in all the resources we needed immediately, which allowed XULA to advance its cybersecurity timeline and project much more quickly.
Brown: How does the capacity-building partnership with SFI increase efficiencies in the process?
Moore: SFI brought in a project manager, ISO, and two technical partners (vendors) to work with me and my technology staff to review and discuss possible cybersecurity solutions for our campus and to do product training after new cyber solution installations. SFI kept XULA's technology staff engaged in every step of the process. This support has helped the project advance much more quickly, accelerating the timeline for XULA to achieve cybersecurity certification.
Brown: In terms of targeted capacity-building, what advantages have you already experienced because of your partnership with SFI?
Moore: One of the biggest advantages is having others to call on to provide networking and support (especially in a crisis). After Hurricane Ida last year, XULA (as well as the rest of New Orleans and the surrounding areas) experienced a power outage and a brown-out. Several SFI team members reached out and provided support and additional resources to help me rebuild our data center infrastructure and analyze our firewall and other network security issues. Although this work was not related to our SFI cybersecurity project, they reached out and were willing to assist us (on a weekend call) to provide support. I have also called on SFI project team members to discuss issues and ask questions as they arose. SFI was just a telephone or Webex call away, and it was nice to have a second or third opinion when making critical technology decisions for our campus.
Brown: How do students benefit from capacity-building and infrastructure upgrades?
Moore: Students don't have to worry about interruptions in service due to a system breakdown or cyberattack and know they have reliable, consistent access to critical technology campus resources during the semester. About 50 percent of the XULA student population live on campus in residence halls, and they rely on working in a secure, safe environment while living on campus. This becomes their home for most of the year, and students want to know that they will have access to technology whenever they need it.
Brown: Can your students see and feel the changes that come with a more secure infrastructure in their daily campus lives, or are the improvements more subtle?
Moore: Not all technology changes are visible. However, changes related to cybersecurity are announced in advance such that we can have full participation and adoption from all students, faculty, and staff. For example, when we were ready to turn on MFA for all faculty, staff, and students, we gave them a heads up and explained their options for supplying a secondary piece of information (text or call). Other changes were more subtle, such as more layers of security at the firewall or network level and enhanced security through the migration of critical applications and servers to the cloud.
Brown: How will this capacity-building partnership with SFI make XULA more competitive?
Moore: Becoming cybersecurity certified and having a stable wireless and network environment will make XULA more attractive to new and continuing students as a school of choice. There is always "chatter" among students about colleges and universities that do not service or provide a robust and stable technology environment for students. XULA is currently recognized as a national leader in the sciences and the liberal arts, maintaining its position as the number one institution in the nation for producing the most African American graduates who complete medical school. XULA was recently recognized by U.S. News & World Report as the number-three HBCU in the United States, and a report released by the United Negro College Fund (UNCF) found that XULA is the most successful HBCU in terms of upward mobility.Footnote4
New and continuing XULA students have a significant social media presence, and they actively discuss college and university rankings based on the environment and available resources. If XULA were successfully targeted by a cyberattack, the current operations and environment at the university and potential new students would be affected. Students could wonder what type of security controls were in place at XULA to prevent these actions and if their student data or PII were at risk.
We want XULA students to know that the university is moving toward NIST SP 800-171 assessment and Cybersecurity Maturity Model Certification (CMMC) as defined by the U.S. Department of Defense (DoD) and ED. CMMC Level 3 indicates that an organization has established, maintained, and resourced a plan to administer and implement cybersecurity activities. XULA has been working toward this since 2019 with our first cybersecurity assessment. CMMC Level 3 also requires the organization to practice good cyber hygiene focused on protecting controlled unclassified information (CUI). XULA intends to certify at both NIST SP 800-171 and CMMC Level 3 standards for cybersecurity.
Brown: How does a secure campus infrastructure benefit and foster growth within the local and surrounding communities?
Moore: A secure infrastructure on the XULA campus benefits everyone who works on campus and anyone in the connecting and surrounding communities who visits XULA and utilizes its resources. XULA partners with the surrounding communities in offering pre-college, summer, and selective programming for students. A secure environment makes the relationship more secure and stable for all stakeholders.
Brown: What does a secure infrastructure mean in terms of the university's ability to qualify for and access federal funding?
Moore: In December 2020, all vice presidents and chief information officers at colleges and universities across the country received a letter from the Department of Education stating that all institutions receiving Title IV Federal Student Aid funding (financial aid for students) would be required to meet NIST SP 800-171 cybersecurity standards for higher education.
Brown: Will the impact be felt immediately?
Moore: According to the Department of Education letter, universities and colleges would be given up to three years to meet NIST 800-171 cybersecurity standards.
Brown: What cybersecurity compliance gaps will you be able to close due to your partnership with SFI?
Moore: As a result of the cybersecurity assessment XULA completed with SFI, the university was able to identify CUI data within the environment, understand how our infrastructure should be controlled, and determine whether our current IT security and processes were enough to protect the university. A score for the university was generated after the assessment, which found several critical areas that need improvement. The information security officer and staff at XULA are currently working on these.
Brown: How would students be impacted if these gaps were to remain unaddressed?
Moore: If these cybersecurity gaps remained unaddressed, the question would not be "if" the university and its data would be at risk but "when" it would be at risk. Gaps that go unaddressed are exploited over time. Student, faculty, and staff operations and data at the university would all be at risk.
Brown: What about the risk to the university itself?
Moore: The university is "at risk" should a cyberattack and a data breach involving stakeholder data occur. Most universities, including XULA, carry cybersecurity insurance. Not having a cybersecurity assessment or a plan for certification could prove costly for higher education institutions. Increased risk leads to higher cybersecurity insurance rates and increased requirements for coverage approval.
The process to renew cybersecurity insurance for XULA in May 2021 was intensive. Today's renewal process comes down to cost, compliance, and the insurer's confidence in the ability of the organization to ward off bad actors. Understanding those three factors are critical in acquiring cybersecurity insurance. Cyber insurance rates are skyrocketing globally in response to a barrage of recent high-profile ransomware attacks. Rates are hovering between 40 percent to 60 percent higher than the prior year. Most insurance providers require institutions to complete a cybersecurity pre-assessment with the vice president of technology (or someone in a similar role) and implement some technology security improvements before renewal. Cyber insurance providers now require institutions to complete an unprecedented amount of work to earn a renewal.
As cybersecurity risk increases, so does coverage cost. Payouts impact the bottom line of the insurance industry. With no end to cyber threats in sight, brokers need to consider their ability to provide sustainable, reliable service and coverage to colleges and universities. Most technology leaders understand that while system improvements are essential, keeping technology staff current on how to maintain and finesse computer systems is critical in combating an ever-changing cyber threat environment. Educating non-technical users—all faculty, students, and staff—on security awareness is also vital.
MB: Is there anything else EDUCAUSE readers should know about this partnership?
Moore: I recommend that every HBCU get a cybersecurity assessment as soon as possible to understand the need for a comprehensive cybersecurity plan, the importance of adhering to NIST SP 800-171 standards, and the technology staffing required to complete the processes and project. Once the partnership with SFI has commenced, the institution will understand that this is a resource-intensive and timely project and will welcome the partnership with SFI. Every institution should prioritize cybersecurity planning and adjust information technology scheduling and staffing to get the work done. As this initiative has shown, collaboration is key to cybersecurity. EDUCAUSE has dedicated community groups for 800-171 and HBCUs. I encourage people to join these communities and take part in the conversations.
Around 300,000 students attend HBCUs. HBCUs represent only 3 percent of colleges in the country, yet they produce 40 percent of Black engineers, 40 percent of Black U.S. Congress Members, and 50 percent of black lawyers.Footnote5 The partnership between SFI, Cisco, and HBCUs is helping to secure the IT infrastructure at these institutions and preserve the HBCU as a valuable national resource.
- Jarret Cummings, "800-171 Compliance on the Horizon," EDUCAUSE Review, March 24, 2021. Jump back to footnote 1 in the text.
- Sarah Wood, "How HBCUs Are Addressing the Cost of College," U.S. News & World Report, September 29, 2021. Jump back to footnote 2 in the text.
- Student Freedom Initiative, "Student Freedom Initiative Inaugurates Launch at HBCU Campuses Across U.S.," news release, August 30, 2021. Jump back to footnote 3 in the text.
- Briana Boyington and Sarah Wood, "Top 20 Historically Black Colleges and Universities," U.S. News & World Report, February 15, 2022; Xavier University of Louisiana, "Xavier #1 in Upward Mobility According to Report," November 21, 2021. Jump back to footnote 4 in the text.
- Michael Lomax, "Six Reasons HBCUs Are More Important Than Ever," UNCF (website), April 21, 2020; Thurgood Marshall College Fund, "Thurgood Marshall College Fund, UNCF, and Partnership for Education Advancement Announce Historic Collaboration to Serve and Improve Socioeconomic Outcomes for Black Communities Impact-Oriented Coalition Formed to Drive Tangible and Long-Term Progress," March 16, 2022. Jump back to footnote 5 in the text.
Mark Brown is the Executive Director at the Student Freedom Initiative.
Mable Moore is the Vice President and Chief Information Officer at Xavier University of Louisiana.
© 2022 Mark Brown and Mable Moore. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.