A recent notice from the office of Federal Student Aid (FSA) provides a brief review of the pending changes to the Safeguards Rule and explains how FSA plans to ensure institutional compliance with the new requirements.
On February 9, the U.S. Department of Education (ED) office of Federal Student Aid (FSA) released a notice on Safeguards Rule compliance. Consistent with the information that I provided to EDUCAUSE community groups last November, the notice highlights that the Federal Trade Commission (FTC) has set June 9, 2023, as the effective date for most of the new requirements of the Safeguards Rule.Footnote1 It also summarizes the major elements of the Safeguards Rule following the revisions the FTC made in December 2021, noting FSA's compliance expectation that the written information security program an institution must develop to comply with the Rule will need to address all of the identified elements.
One of the more helpful aspects of the notice is that it applies the definition of "customer information" to the FSA context. The definition of the term in the Safeguards Rule must be general enough to cover the broad array of organizations and industries that fall under the oversight of the FTC. However, FSA's Safeguards Rule compliance concerns only apply to higher education, and thus the guidance from FSA describes how "customer information" fits into that scope.
For the purpose of an institution's or servicer's compliance with [the Gramm-Leach-Bliley Act] GLBA, customer information is information obtained as a result of providing a financial service to a student (past or present). Institutions or servicers provide a financial service when they, among other things, administer or aid in the administration of the Title IV programs; make institutional loans, including income share agreements; or certify or service a private education loan on behalf of a student.Footnote2
While the explanation provided by FSA still only provides a very general framing for "customer information" in the student financial aid context, it draws a clearer line around the data that institutions must address for FSA compliance purposes. Institutions will likely find that this makes identifying what they do and don't have to consider covered by the Safeguards Rule requirements somewhat easier.
Among the new provisions of the Safeguards Rule that are currently set to take effect in June, the notice from FSA specifically emphasizes the importance of the following two requirements:
- Encrypting customer information when at rest in institutional systems or in transit across external networks
- Ensuring that anyone accessing customer information via institutional systems must use multifactor authentication (MFA) to gain such access
The direct references to encryption and MFA in the notice may serve as important indicators of what FSA has prioritized when it comes to institutional compliance with the Safeguards Rule. As a result, I would not be surprised to see those provisions specifically included in whatever updates FSA ultimately makes to the Safeguards Rule audit objective in the federal single audit process.Footnote3
Unfortunately, the section of the notice on FSA's enforcement process for Safeguards Rule compliance leaves important questions unanswered. The section essentially says that FSA will start pursuing the resolution of compliance findings related to the new Safeguards Rule provisions, whether identified via audits or "other means," once they take effect on June 9, adding that FSA will seek resolution of those findings through institutional Corrective Action Plans (CAPs) in cases that don't stem from data breaches or system compromises. However, no explanation or examples of the "other means" that could trigger an FSA compliance inquiry are provided. Likewise, FSA does not offer any model or framework for the CAPs that affected institutions would have to develop or implement, nor does it indicate whether it envisions a threshold for the CAP requirement, either in terms of the number or significance of the findings in question.
While likely unintentional, the "other means" reference raises concerns related to a problem from several years ago when a former FSA cybersecurity official sent compliance letters to institutional presidents that, in some instances, were based on media reports of alleged cybersecurity incidents. FSA has certainly come a long way since then in terms of its outreach and engagement with the higher education community. This past experience, though, emphasizes the need for FSA to provide a clear explanation of what indicators, besides federal single audit findings, might generate compliance attention.
In addition, the text regarding enforcement implies that FSA might automatically consider a breach or compromise as a failure to comply with the Safeguards Rule. Again, that may not be intentional, but it is important to clarify since such events can occur even when an institution has fully and effectively implemented the many requirements of the current version of the Safeguards Rule. Given the compliance penalties that might be on the table, which I believe are covered in the "Program Reviews, Sanctions, & Closeout" chapter of the 2022–2023 Federal Student Aid Handbook, FSA should work with institutions to achieve a shared understanding of how noncompliance might reasonably be determined.
FSA closes the notice by reiterating that institutions should be implementing the NIST SP 800-171 cybersecurity guidelines related to federal student financial aid data if they aren't already. Under the federal government's controlled unclassified information (CUI) regulations, FSA will eventually require institutional compliance with NIST SP 800-171, and the notice indicates that FSA will soon provide guidance to that end. In the meantime, EDUCAUSE continues to engage with FSA on its compliance interests in both the Safeguards Rule and 800-171. We remain focused on working with our members and FSA officials to ensure that the needs of our community and its concerns related to each compliance area are effectively considered in FSA guidance and enforcement.
Notes
- Federal Student Aid, U.S. Department of Education, "(GENERAL-23-09) Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements," February 29, 2023; Jarret Cummings, "Policy Analysis: Revised, Highly Prescriptive FTC Safeguards Rule," EDUCAUSE Review, December 2, 2022. Jump back to footnote 1 in the text.
- Federal Student Aid, "(GENERAL-23-09)." Jump back to footnote 2 in the text.
- For more information about the Safeguards Rule audit objective, see Jarret Cummings, "FY22 Federal Single Audit: Safeguards Rule Objective Unchanged," EDUCAUSE Review, August 10, 2022. Jump back to footnote 3 in the text.
Jarret Cummings is Senior Policy Advisor at EDUCAUSE.
© 2023 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.