It is unclear at this point whether a compliance supplement for FY18 will be published, or whether it will include the Safeguards Rule audit objective if it is.
Late last summer, EDUCAUSE posted information about the draft Gramm-Leach-Bliley Act (GLBA) Safeguards Rule audit objective that the Office of Federal Student Aid (FSA) and Office of Management and Budget (OMB) would likely include in the FY18 federal single audit process. For that to happen, the audit objective would have to be published in OMB's annual "compliance supplement," which is usually available by this point in the year but has yet to emerge.
It is unclear at this point whether a compliance supplement for FY18 will be published, or whether it will include the Safeguards Rule audit objective if it is. The draft text of the objective is no longer available from the FSA Cybersecurity Compliance webpage [https://fsapartners.ed.gov/knowledge-center/topics/fsa-cybersecurity-compliance], although the blog post identified above presents the text as it appeared on FSA's site through the end of 2017. Meanwhile, the Government Accountability Office (GAO) issued a report late last year on FSA data security and related institutional oversight that states:
According to Education's Assistant Inspector General for Audit, the Office of Inspector General, along with the Office of the Chief Financial Officer and the Office of the Chief Information Officer, are working with OMB to develop audit steps that would include evaluating schools' adherence to the Federal Trade Commission information security program requirements. According to an FSA official, the anticipated update to the OMB Compliance Supplement is planned for 2019. (p. 55; emphasis added)
Since neither OMB nor FSA have publicly stated this themselves, EDUCAUSE members should not consider it confirmed. An FY18 compliance supplement that would introduce the Safeguards Rule audit objective into the federal single audit process is still possible. Therefore, members would be well-advised to continue working with their business offices and institutional auditors as if they will have to meet the requirements during the FY18 audit cycle. This means clearly establishing with their institutional auditors what documentation the auditors will need to see, and in what form, to confirm institutional compliance with the Safeguards Rule audit objective as it is currently understood.
Again, the good news is that institutions may have more time to prepare for an eventual audit of their GLBA Safeguards Rule compliance along the lines indicated in FSA's draft objective. But until FSA and/or OMB provide final confirmation, EDUCAUSE members should take this opportunity to conduct a compliance "dry run" to ensure they are ready regardless of whether the objective emerges in the FY18 or FY19 federal single audit.
Jarret Cummings is Director of Policy and Government Relations at EDUCAUSE.
© 2018 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.