New and Potential SAIG Agreement Revisions Include Safeguards Rule, Federal Tax Information

There were two important policy developments for higher education IT professionals in the first half of 2023. First, as of June 9, 2023, all institutions must comply with the Federal Trade Commission's (FTC's) revised Safeguards Rule. The second development concerns changes the U.S. Department of Education (ED) Office of Federal Student Aid (FSA) will implement related to the handling of federal tax information (FTI) and the redisclosure of such data to higher education institutions. The current Student Aid Internet Gateway (SAIG) Agreement already includes language requiring institutions to attest to full compliance with the new Safeguards Rule regulation.^Footnote1 The SAIG Agreement will be revised this fall to incorporate new provisions on the use of FTI in financial aid processes and institutional obligations associated with that data.

The Safeguards Rule

A recently uncovered copy of the current version of the SAIG Agreement from September 25, 2022, includes attestation that an institution is in full compliance with the updated Safeguards Rule.^Footnote2 Since institutions renew SAIG agreements at different times, it is unclear how many institutions have signed this version. The quiet incorporation of the Safeguards Rule language into the agreement may be because in November 2022, the FTC extended the compliance deadline for entities covered under the Safeguards Rule to June 9, 2023.

The Office of Management and Budget (OMB) recently released the FY23 Compliance Supplement, which includes a newly revised audit objective for institutional compliance with the revised Safeguards Rule.^Footnote3 Members should note that the new audit objective requires auditors to take a checklist approach in certifying that an institution has designated a qualified individual to implement and monitor its Safeguards Rule-compliant written information security program and that the institution has a written information security program that addresses seven out of nine elements of the Safeguards Rule. This language differs from the language in the SAIG Agreement. As discussed above, the SAIG Agreement includes attestation that the institution is compliant with all nine elements of the Safeguards Rule, while the audit objective directs auditors to certify that the institution's written information security program addresses seven of the nine elements.^Footnote4

So, while an auditor will only need to certify that an institution's written information security program covers seven elements, it is clear that FSA considers full compliance with the rule to mean that all nine elements of the Safeguards Rule are incorporated in an institution's written program. FSA issued a notice earlier this year regarding Safeguards Rule compliance. The notice describes FSA's expectation that the written information security program complies with all elements.^Footnote5

Federal Tax Information Implications

FSA issued an electronic announcement on May 12 regarding forthcoming changes to how it receives and handles the FTI used to calculate financial aid awards for families and applicants seeking assistance.^Footnote6 As of July 1, 2024, the IRS will disclose FTI directly to ED. The May 12 announcement describes FSA's "expectations pertaining to the treatment of FTI received for the 2024–2025 award year and beyond and addresses an institution's obligation to ensure the privacy and security of FAFSA data (including FTI)." In particular, FSA notes that any FTI that ED rediscloses to higher education institutions will be marked as controlled unclassified information (CUI), which would carry NIST SP 800-171 security requirements with it once ED has an agreement with an institution establishing the institution's responsibility for 800-171 compliance.^Footnote7 (Note that the National Archives and Records Administration's [NARA's] CUI program regulations require federal agencies sharing CUI with non-executive branch entities to establish such compliance by agreement once doing so is feasible.)

The May 12 announcement from FSA includes an acknowledgment that modifications to the SAIG Agreement related to the transmission of FTI would be necessary. On May 30, FSA provided additional information about SAIG software upgrades, noting that these upgrades will include updated security protocols to ensure the protection of FTI.^Footnote8 The May 30 announcement also makes it clear that institutions will need to sign an updated SAIG Agreement. While the May 30 announcement is silent on the specifics of this new agreement, given FSA's communication that FTI will be marked as CUI, the Policy team's view is that the updated SAIG Agreement may include a provision on NIST SP 800-171 compliance for FTI and FSA data.^Footnote9 The effective date of such compliance is unclear, but if institutions are required to attest to 800-171 compliance in the SAIG Agreement starting this fall, it may be reasonable to think that the date on which changes in the use of FTI in student financial aid will take effect—July 1, 2024—could be the deadline for 800-171 compliance as well.

EDUCAUSE will continue monitoring developments related to these changes to the SAIG Agreement and collaborating with ED and FSA officials to register our community's concerns and feedback. In the meantime, EDUCAUSE members should communicate with their colleagues in financial aid administration and other relevant departments regarding pending (and possible) updates to the SAIG Agreement.

Notes

1. All institutions must sign the SAIG Agreement as a condition of exchanging financial aid data electronically with ED. Jump back to footnote 1 in the text.↩
2. "U.S. Department of Education's Student Aid Internet Gateway Enrollment Form for Postsecondary Educational Institutions, Institutional Third-Party Servicers, FFELP Guaranty Agencies and Guaranty Agency Servicers, Federal Loan Servicers, FFELP Lenders and Lender Servicers," (U.S. Department of Education Office of Federal Student Aid, 2022), 36–37. Jump back to footnote 2 in the text.↩
3. Kathryn Branson, "FY23 Federal Single Audit Includes a New Safeguards Rule Audit Objective," EDUCAUSE Review, June 20, 2023. Jump back to footnote 3 in the text.↩
4. Institutions maintaining information on fewer than five thousand customers are exempted from the board reporting and written incident response plan requirements. These two elements are omitted from the audit objective but are included in the SAIG Agreement text. Jump back to footnote 4 in the text.↩
5. (GENERAL-23-09) Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements, U.S. Department of Education Office of Federal Student Aid, February 9, 2023; For an overview of the notice, read Jarret Cummings, "FSA Issues Guidance on Safeguards Rule Compliance," EDUCAUSE Review, February 28, 2023. Jump back to footnote 5 in the text.↩
6. Kathryn Branson, "FSA Federal Tax Information Announcement: Is NIST 800-171 Compliance on the Horizon?" EDUCAUSE Review, June 28, 2023; (GENERAL-23-34) Access and Use of Federal Tax Information (FTI) for Federal Student Aid Programs Beginning with the 2024-25 FAFSA Processing Cycle, U.S. Department of Education Office of Federal Student Aid, May 12, 2023. Jump back to footnote 6 in the text.↩
7. Ibid. Jump back to footnote 7 in the text.↩
8. (GENERAL-23-40) SAIG Software Upgrade for FTI Data Transmission – Preliminary Information for SAIG Software Users, U.S. Department of Education Office of Federal Student Aid, May 30, 2023. Jump back to footnote 8 in the text.↩
9. Both FTI and FSA data are marked as relevant categories of CUI in the NARA CUI Registry. Jump back to footnote 9 in the text.↩

---

Kathryn Branson is a Partner at Ulman Public Policy.