New Agency Head Appointed at FSA While Policy Activity Remains Uncertain

On November 14, 2025, the U.S. Department of Education (ED) announced that Richard Lucas will serve as the chief operating officer of Federal Student Aid (FSA).^Footnote1 Lucas previously served as chief financial officer for FSA and, most recently, as assistant secretary and chief financial officer in the ED Office of Finance and Operations. As the lead official at FSA, Lucas will have administrative and oversight responsibilities for Title IV federal student assistance programs, as well as any new policymaking and regulatory activities at the agency.

Of particular interest to the higher education IT community is the possibility that FSA may issue requirements to safeguard student financial aid data transmitted to institutions. Given recent legislative changes that permit the IRS to disclose federal tax information (FTI) directly to ED—and ED to redisclose that information to institutions for federal student aid purposes—the EDUCAUSE policy team anticipated that FSA may establish cybersecurity standards that incorporate NIST SP 800-171.^Footnote2 Indeed, in 2023, the Biden administration announced that FSA would pursue a notice of proposed rulemaking (NPRM) to incorporate NIST SP 800-171 requirements for processing, storing, and transmitting controlled unclassified information (CUI).^Footnote3

The Trump administration removed NIST SP 800-171 from FSA's list of anticipated regulatory actions in the Spring 2025 Regulatory Agenda, signaling that the agency is unlikely to pursue formal rulemaking in the near term.^Footnote4 However, the agency did issue guidance in late September 2025 reiterating its intention to establish institutional compliance requirements incorporating NIST SP 800-171 controls for CUI. The guidance does not specify how, when, or through what process the agency intends to establish those requirements.^Footnote5 The guidance reads, "[T]he Department will ensure the security of FTI by holding schools and state agencies to the National Institute of Standards and Technology (NIST) Special Publication 800-171, Rev. 3 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) CUI security standards, and they, in turn, will be required to ensure that any external entities that receive FTI from them are held to the same standards." The guidance states that, as of the publication of the letter, no compliance obligations exist regarding NIST SP 800-171.

EDUCAUSE will continue to monitor FSA activity for regulatory announcements or processes regarding cybersecurity requirements for student financial aid data, particularly considering the newly installed leadership at FSA, and will keep members apprised of relevant developments.

For more information about policy issues affecting the higher education IT community, visit the EDUCAUSE Policy page.

Notes

1. U.S. Department of Education, "U.S. Department of Education Announces Richard Lucas to Serve as Acting Chief Operating Officer of Federal Student Aid," press release, November 14, 2025. Jump back to footnote 1 in the text.↩
2. FTI is considered controlled unclassified information (CUI), a category of data subject to NIST SP 800-171 under the National Archives and Records Administration's (NARA) CUI program. Jump back to footnote 2 in the text.↩
3. U.S. Department of Education, Office of Federal Student Aid,"Cybersecurity Standards for Institutions of Higher Education to Comply with EO 13556 and NIST 800-171," proposed rule, The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, July 2024. Jump back to footnote 3 in the text.↩
4. Kathryn Branson, "Spring 2025 Regulatory Agenda Highlights," EDUCAUSE Review, December 4, 2025. Jump back to footnote 4 in the text.↩
5. U.S. Department of Education, Office of Federal Student Aid,"Guidance on the Use of Federal Tax Information (FTI), Free Application for Federal Student Aid (FAFSA®) Data, and Non-FAFSA Data," Dear Colleague Letter GEN-25-08, September 30, 2025. Jump back to footnote 5 in the text.↩

Kathryn Branson is a Partner with Ulman Public Policy.