Federal Student Aid (FSA) has released a new version of its Student Aid Internet Gateway Agreement. The new version omits a NIST SP 800-171 compliance requirement, but FSA cites a provision of the agreement as the basis for its controlled unclassified information marking guidance regarding Federal Tax Information. FSA is urging institutions to sign the new agreement as soon as possible to avoid a delay in receiving 2024-25 FAFSA data from students and their families.
As promised, the U.S. Department of Education (ED) Office of Federal Student Aid (FSA) released the new version of its Student Aid Internet Gateway (SAIG) Agreement on October 23.Footnote1 FSA has urged institutions to sign the new agreement as quickly as possible since colleges and universities will not be able to receive students' 2024–25 Free Application for Federal Student Aid (FAFSA) information until they do. FSA recently announced that the new FAFSA will be available to students and their families on December 31, and student data from it will likely become available to institutions at the end of January.Footnote2
In May, FSA notified the higher education community that all institutions participating in federal student financial aid programs would have to sign a new SAIG agreement to account for compliance requirements related to the use of federal tax information (FTI) in completing and processing the FAFSA.Footnote3 In its announcement, FSA acknowledged that the IRS cybersecurity requirements that normally accompany FTI (IRS 1075) would not apply to colleges and universities when they receive FTI as part of the FAFSA process. However, the announcement also provided a detailed discussion of the status of FTI as controlled unclassified information (CUI). In particular, FSA explained what CUI markings should accompany the relevant FTI data elements, what those elements are, and how the markings should be applied to the FTI data elements wherever they go in institutional data systems.
FSA's extensive review of the CUI considerations related to FTI references the National Archives and Records Administration (NARA) CUI Registry. Combined with the CUI marking information, the NARA reference gave the impression that the subsequent changes to the SAIG agreement to account for FTI would cite the NARA CUI program regulations, including the NIST SP 800-171 CUI cybersecurity requirements that those regulations mandate.
Partners that receive [Institutional Student Information Records] ISIRs must protect federal student aid information provided to them by the Department or otherwise obtained in support of the administration of the federal student aid programs. As previously described above, all FTI received by our partners is classified as CUI//SP-TAX and is permitted, with approval by the applicant and, if applicable, their parent(s) or spouse, for redisclosure by the Department to our partners under Section 6103(l)(13)(D)(iii) of the IRC . . . . Again, our partners are required to maintain appropriate receipt, handling, marking, and safeguarding of CUI data since FTI is a subcategory of CUI.Footnote4
However, the EDUCAUSE Policy team did not find any references to NARA CUI program regulations (32 CFR 2002), including NIST SP 800-171 compliance, in the new SAIG agreement. This presents a confusing situation for colleges and universities because it would seem that a reference to the CUI program regulations in the new agreement would be necessary to support the following guidance:
Partners that receive ISIR data must retain the CUI labeling of FTI wherever the data is stored and used within their student information system(s). This includes ensuring CUI labels appear when FTI is inspected or used for purposes of determining an aid applicant's eligibility and the awarding of federal, state, and/or institutional financial aid programs. For example, when a financial aid administrator inspects or uses FTI for the purpose of federal student aid, the appropriate CUI labels (above) must appear with the FTI. CUI labels may appear at the beginning and end of FTI (as outlined above), or FTI may be labeled individually with CUI//SP-TAX.Footnote5
The new SAIG agreement does include a new provision on protecting FTI:
My organization has ensured the standards for protecting federal tax information (FTI) have been implemented according to Internal Revenue Code (IRC) 26 U.S.C. §6103 – Confidentiality and disclosure of returns and return information and pursuant to 20 U.S.C.§483 of the Higher Education Act, as amended – Use of FAFSA® and FTI data. I further acknowledge violations of the IRC may lead to criminal and/or civil penalties pursuant to 26 U.S.C. 7213; 7213A; and §7431. Penalties apply to willful unauthorized disclosure and inspection of tax return or return information with punishable fines or imprisonment. Additionally, I further acknowledge a taxpayer may bring civil action for damages against an officer or employee who has inspected or disclosed, knowingly or by reason of negligence, such taxpayer's tax return or return information in violation of any provision of IRC §6103.Footnote6
Readers will note, though, that the standards to which this provision requires institutions to attest do not refer to CUI or CUI program regulations.Footnote7 Furthermore, current law excludes higher education institutions from the entities that must comply with the IRS 1075 cybersecurity requirements for FTI, which FSA reaffirmed in its May announcement.Footnote8
FSA also describes the civil and criminal penalties for violating federal tax laws under 26 U.S.C. 7213, 7213A, and §7431; those citations do not address CUI regulatory requirements. The other legal reference in the provision, "20 U.S.C.§483 of the Higher Education Act," pertains to 20 U.S.C. 1090, which covers Section 483 of the Higher Education Act (HEA), "Forms and regulations." This part of the HEA governs the development and use of the FAFSA. It discusses the need for entities using the electronic version of the FAFSA to "maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of the information, and to protect against security threats, or unauthorized uses or disclosures of the information provided on the electronic version of the forms."Footnote9 However, the general reference to appropriate safeguards does not cite the CUI program regulations (32 CFR 2002) or NIST SP 800-171 CUI cybersecurity requirements as the basis for the safeguards that must be applied. (I will elaborate on 20 U.S.C. 1090 below, given the amendments to it that take effect on July 1, 2024.)
So, on what basis does FSA believe its CUI marking requirements for FTI extend to colleges and universities? In communications with the EDUCAUSE Policy team, FSA officials pointed to the text in the new SAIG agreement that commits users of "Federal Student Aid systems or other Federal agencies' systems for the purposes of administering the HEA programs" to "ensure that all Electronic Services information is marked according to its sensitivity and is properly controlled and stored."Footnote10 However, the May announcement from FSA does not cite this provision of the SAIG agreement as the basis for its CUI marking requirements, and the SAIG agreement itself does not reference the May announcement or NARA CUI program regulations. The May guidance could conceivably be viewed as explaining the "sensitivity" of the data in question, though, and, therefore, its associated marking requirements.
That said, the definition of FTI in the agreement derives from the IRS, which continues to use the "Sensitive But Unclassified"—or SBU—designation for FTI.Footnote11 In its FAQs for the CUI program, NARA indicates that it expects the CUI designation to replace the SBU designation over time as federal agencies implement the CUI program requirements.Footnote12 However, the continued reference to FTI as SBU in the SAIG agreement, while the May announcement from FSA focuses on the CUI Registry FTI category, creates additional confusion about compliance since the IRS has its own marking guidance for SBU.Footnote13
In terms of institutions securing the FTI that they receive, the new SAIG agreement carries over the expanded Safeguards Rule compliance provision that first appeared in the September 2022 version of the agreement.Footnote14 Under this provision, when institutions sign the agreement, they attest to full compliance with all nine major elements of the Safeguards Rule that took effect in June 2023. These elements include appointing a "qualified individual" to develop and enforce the institution's information security program, developing a written information security program that includes specific provisions, and reporting on the information security program to the institution's governing board annually (at least).Footnote15
As indicated above, the amendments to 20 U.S.C. 1090 (the legal provisions for the development and use of the FAFSA) that will go into effect on July 1, 2024, introduce a new section of specific interest to EDUCAUSE members:
(8) Security of data
The Secretary shall, in consultation with the Secretary of the Treasury-
(A) take all necessary steps to safeguard the data required to be transmitted for the purpose of this section between Federal agencies and to States and institutions of higher education and secure the transmittal of such data;
(B) provide guidance to States and institutions of higher education regarding their obligation to ensure the security of the data provided under this section and section 6103 of title 26; and
(C) provide guidance on the implementation of section 6103 of title 26, including how it intersects with the provisions of section 1232g of this title (commonly known as the "Family Educational Rights and Privacy Act of 1974"), and any additional consent processes that may be available to applicants in accordance with title 26 regarding sharing of Federal tax information.Footnote16
All three parts of this new section seem relatively open-ended in scope and could give FSA broad latitude to shape the cybersecurity and privacy practices that colleges and universities must adopt concerning FTI. What FSA might do given its authority via these new aspects of the HEA—and whether its thinking could encompass NIST SP 800-171 compliance—remains to be seen. Currently, the EDUCAUSE Policy team does not see an 800-171 compliance requirement in the new SAIG agreement or FSA's related guidance.
However, FSA has identified a basis for the CUI marking guidance related to FTI in the SAIG agreement, so EDUCAUSE members should consider how their institutions can best accommodate this guidance.Footnote17 In addition, member representatives should pay special attention to the Safeguards Rule provision in the new agreement, in which institutions must attest to compliance with all major elements of the rule. This provision takes effect when an institution signs the new SAIG agreement.
FSA is encouraging colleges and universities to sign the agreement as soon as possible to avoid a delay in receiving 2024-25 FAFSA data from students and their families. As previously mentioned, FSA expects to make the new version of the FAFSA available online on December 31, 2023, and release student data from completed FAFSAs to institutions by the end of January 2024. FSA states that it takes ten business days for it to process a new agreement once it receives an institution's signature pages, at which point it will add the functionality necessary to receive student data from the FAFSA to the institution's SAIG account.Footnote18 Therefore, colleges and universities will most likely target the end of the year or early in the new year to submit their signed agreements to give themselves some margin for error and ensure that they have access to data from the new FAFSA as soon as FSA makes it available.
- Federal Student Aid, U.S. Department of Education, "(GENERAL-23-79) Updated SAIG Enrollment Agreement Available Oct. 23, 2023 – Required Steps to Receive 2024–25 ISIRs," October 23, 2023. Jump back to footnote 1 in the text.
- Federal Student Aid, U.S. Department of Education, "(General-23-100) Update on the Simplified, Streamlined, Redesigned 2024-25 FAFSA," November 15, 2023. Jump back to footnote 2 in the text.
- Federal Student Aid, U.S. Department of Education, "(GENERAL-23-34) Access and Use of Federal Tax Information (FTI) for Federal Student Aid Programs Beginning with the 2024-25 FAFSA Processing Cycle," May 12, 2023. Jump back to footnote 3 in the text.
- Ibid. Jump back to footnote 4 in the text.
- Ibid. Jump back to footnote 5 in the text.
- Federal Student Aid, U.S. Department of Education, U.S. Department of Education's Student Aid Internet Gateway Enrollment Form for Postsecondary Educational Institutions Institutional Third-Party Servicers FFELP Guaranty Agencies and Guaranty Agency Servicers Federal Loan Servicers FFELP Lenders and Lender Servicers, October 22, 2023, 36. Jump back to footnote 6 in the text.
- Ibid. Jump back to footnote 7 in the text.
- According to Internal Revenue Code 26 U.S.C §6103, FTI disclosures to higher education institutions (6103(l)(13)(D)(iii)) are excluded from the section of the law that requires the application of IRS cybersecurity requirements (6103(p)(4)). Jump back to footnote 8 in the text.
- Higher Education Act of 1965, 20 U.S.C. 1090: Forms and regulations, (a)(3)(E). Jump back to footnote 9 in the text.
- Federal Student Aid, Student Aid Internet Gateway Enrollment Form, 46. Jump back to footnote 10 in the text.
- Ibid., 41. Jump back to footnote 11 in the text.
- "CUI Frequently Asked Questions," National Archives and Records Administration, accessed November 3, 2023. Jump back to footnote 12 in the text.
- Internal Revenue Service, U.S. Department of the Treasury, "10.5.1.6.5: Marking," in Internal Revenue Manuals, accessed November 3, 2023. Jump back to footnote 13 in the text.
- Federal Student Aid, Student Aid Internet Gateway Enrollment Form, 37. Jump back to footnote 14 in the text.
- For more details, as well as my review and analysis, see Federal Student Aid, U.S. Department of Education, "(GENERAL-23-09) Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements," February 9, 2023; Jarret Cummings, "FSA Issues Guidance on Safeguards Rule Compliance," EDUCAUSE Review, February 28, 2023, and Jarret Cummings, "Policy Analysis: Revised, Highly Prescriptive FTC Safeguards Rule," EDUCAUSE Review, December 2, 2022. Jump back to footnote 15 in the text.
- Higher Education Act of 1965, 20 U.S.C. 1090(a)(8): Forms and regulations. Jump back to footnote 16 in the text.
- Federal Student Aid, "(GENERAL-23-34) Access and Use of Federal Tax Information," May 12, 2023. Jump back to footnote 17 in the text.
- See questions 8 and 9 under "Questions and Answers" in Federal Student Aid,
"(GENERAL-23-79) Updated SAIG Enrollment Agreement Available Oct. 23, 2023 – Required Steps to Receive 2024–25 ISIRs," updated October 23, 2023. Jump back to footnote 18 in the text.
Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.
© 2023 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.