The Safeguards Rule audit objective for the federal single audit remains unchanged for the FY22 audit process. It will likely change in future years, however, to align with the new Safeguards Rule requirements that take effect in December.
Several new Safeguards Rule provisions set to take effect in early December raise the question of when the Office of Federal Student Aid (FSA) at the U.S. Department of Education (ED) might seek matching revisions to the Safeguards Rule compliance objective in the federal single audit process.[1] A few years ago, FSA requested that the Office of Management and Budget (OMB) add a Safeguards Rule objective to the federal single audit process. Including this check in the single audit ensures that it takes into account that compliance with the Safeguards Rule is one of the conditions institutions agree to when they sign the Title IV Program Participation Agreement (PPA), which they must do to participate in federal student financial aid programs.
So far, the Safeguards Rule objective, which dates back to the 2019 fiscal year audit process, has focused on a relatively straightforward checklist approach that institutional auditors can address without any special IT or cybersecurity knowledge.[2] Auditors are required to confirm whether the institution has done the following things:
- Appointed an individual or team to coordinate its information security program
- Conducted a data security risk assessment that covers employee training and management, covered networks and information systems, and incident response
- Implemented safeguards to address the risks that are identified in its assessment
While institutions may include other aspects of the Safeguards Rule in their compliance audits for their own purposes—and some do—the federal single audit thus far has only addressed these compliance elements.
The Safeguards Rule requirements are set to expand considerably before the end of the year, though. The expanded requirements will change various aspects of what it means to be in compliance with the regulation. For example, the Federal Trade Commission (FTC), which oversees the Safeguards Rule and is technically the regulator of record for it, will no longer accept the appointment of an individual or team to coordinate the information security program at an institution as sufficient for compliance. Under the revised regulation, an institution must designate a specific individual to lead the planning, implementation, and enforcement of its Safeguards Rule-compliant information security program. Likewise, the new provisions of the regulation mandate that the institution's data security risk assessment include many more (and much more specific) security elements, and that its information security program incorporate a number of specific safeguards above and beyond those that the institution might decide are necessary to mitigate its identified risks.[3]
Given the major expansion of the scope and increased details of the Safeguards Rule, it seems like a foregone conclusion that FSA will pursue a revised federal single audit objective that encompasses at least some of the regulation's new and revised requirements. That said, the increased complexity of the underlying regulation makes designing a new audit objective a significant challenge. Also, because an institution's participation in federal financial aid programs is part of the compliance equation, FSA must seek an objective that balances its compliance interests with the capacity of a diverse institutional population to actually meet the requirements of the objective.
Accomplishing those tasks will take significant time and engagement with higher education IT and cybersecurity leaders. Therefore, I am happy to report that FSA did not seek to change the Safeguards Rule objective for the 2022 fiscal year (FY22) federal single audit process, which will begin at most institutions in the next few months. As the compliance supplement for the FY22 process shows (see pages 5-3-68 to 5-3-69, or pages 1848–1849 of the PDF file),[4] the objective remains the same for the FY22 audit. As a result, institutions should be able to focus their Safeguards Rule energies on the December FTC compliance deadline, at least to the extent that the federal single audit is the Commission's primary concern when it comes to Safeguards Rule audit issues. For those whose compliance audits take a broader scope due to institutional or other considerations, the extent of their relief from near-term audit concerns may rest more with how the FTC's compliance deadline falls in relation to the institution's fiscal year.
FSA has not yet indicated how or when it will revisit the Safeguards Rule audit objective, given the significant changes to the regulation. Revising the objective for future federal single audits will require FSA to determine what its primary compliance interests are in relation to the many new provisions of the regulation and how those translate into an audit objective that colleges and universities could conceivably meet. FSA will then have to work through OMB's process for reviewing and approving proposed changes to the federal single audit guidance, which could take considerable time. As a result, it is also not certain that a new, more expansive Safeguards Rule audit objective will emerge in time for the FY23 federal single audit. EDUCAUSE will continue to watch for that possibility, however, as well as any new information that might help members prepare for a further expansion of Safeguards Rule compliance concerns.
1. For more information, see Jarret Cummings, "Policy Analysis: Revised, Highly Prescriptive FTC Safeguards Rule," EDUCAUSE Review, December 2, 2021; and Jarret Cummings, "Higher Ed Responds to Proposed Safeguards Rule Reporting Requirement," EDUCAUSE Review, March 3, 2022.
2. Jarret Cummings, "The Safeguards Rule Audit Objective Is Here!" EDUCAUSE Review, July 11, 2019.
3. For more details about the Safeguards Rule revisions, see Cummings, "Policy Analysis: Revised, Highly Prescriptive FTC Safeguards Rule."
4. 2 CFR Part 200, Appendix XI: Compliance Supplement, Office of Management and Budget, Executive Office of the President, April 2022, 5-3-68–5-3-69.
Jarret Cummings is Senior Advisor, Policy and Government Relations, at EDUCAUSE.
© 2022 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.