(July 14, 2016 – Jarret Cummings) (Note: Special thanks go to Joanna Grama, Director, Cybersecurity and IT GRC Programs, EDUCAUSE, for her contributions to this post.) Earlier this month, the Federal Student Aid (FSA) office of the U.S. Department of Education (ED) released new guidance for colleges and universities on the security of student financial aid information. Dear Colleague Letter GEN-16-12: Protecting Student Aid Information expands on a similar July 2015 letter in which FSA highlighted institutional responsibilities under the Student Aid Information Gateway (SAIG) Enrollment Agreement as well as the Gramm-Leach-Bliley Act (GLBA) and other laws to protect student financial aid information from unauthorized disclosure or access.
FSA’s current letter emphasizes GLBA compliance by stating that it will soon begin holding institutions accountable for fulfilling GLBA Safeguards Rule requirements. Higher education institutions have had to comply with the Safeguards Rule since 2003 (see NACUBO’s “GLB Act Resource Page” for more details). FSA added a specific provision on GLBA compliance to the FSA Program Participation Agreement last year, though, and is now moving toward enforcing it:
… the Department is beginning the process of incorporating the GLBA security controls into the Annual Audit Guide in order to assess and confirm institutions’ compliance with the GLBA. The Department will require the examination of evidence of GLBA compliance as part of institutions’ annual student aid compliance audit.
All institutions must sign the participation agreement in order to make federal financial aid available to their students. FSA’s new focus on GLBA compliance therefore offers another reason to regularly assess where your institution stands in relation to those requirements. The Safeguards Rule1 mandates that institutions develop a written information security program that includes the following elements:
- Designating an employee or employees to coordinate the information security program.
- Identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of customer information, and assessing the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in operational areas, including employee training and management; information systems, including network and software design, as well as information processing, storage, transmission and disposal; and detecting, preventing and responding to attacks, intrusions, or other systems failures.
- Designing and implementing information safeguards to mitigate the risks identified in the required risk assessment, and regularly testing and monitoring the effectiveness of those safeguards.
- Overseeing service providers by taking reasonable steps to select and retain service providers that are capable of implementing and maintaining appropriate safeguards for the customer information at issue.
- Evaluating and adjusting the information security program in light of changed circumstances.
In addition to emphasizing compliance with the GLBA Safeguards Rule, the recent letter “strongly encourages” colleges and universities to use the federal guidelines for “controlled unclassified information” (CUI) presented in NIST Special Publication (SP) 800-171 to assess and improve the security of student financial aid information in their systems. FSA reinforces this recommendation by highlighting specific 800-171 requirements in the letter, including access control, awareness and training, audit and accountability, identification and authentication, incident response, risk assessment, security assessment, and system and information integrity, among others.
For more information about GLBA, a NACUBO brief summarizes compliance requirements, and members are encouraged to review EDUCAUSE Library resources on the topic. To get a better understanding of 800-171 and its implications for colleges and universities, members should review An Introduction to NIST Special Publication 800-171 for Higher Education Institutions, which was developed earlier this year by the association’s Higher Education Information Security Council (HEISC).
Jarret Cummings is director of policy and government relations at EDUCAUSE.