FSA Notice on Handling Safeguards Rule Audit Findings

At the end of February, the Office of Federal Student Aid (FSA) posted a notice on how it would address institutional audit findings indicating Safeguards Rule compliance problems. EDUCAUSE asked FSA to reconsider the notice given the numerous compliance questions it leaves unanswered.

Just before the COVID-19 pandemic and the nationwide responses to it came to dominate institutional concerns and operations, the Office of Federal Student Aid (FSA) at the US Department of Education (ED) released a notice explaining how FSA would handle compliance enforcement related to Safeguards Rule audit findings. With institutions facing a Safeguards Rule audit objective for the first time during the FY19 federal single audit process, the possibility that institutions and their auditors may not see eye-to-eye on institutional compliance with the elements covered by the objective cannot be dismissed. This is especially the case given that a shared understanding of what an institution must produce to establish compliance has yet to emerge.

In reviewing the notice, EDUCAUSE staff and members found, however, that it raises more questions and concerns than it resolves, including the following:

  • FSA states that it will refer any Safeguards Rule audit findings to the Federal Trade Commission (FTC), which serves as higher education's regulator of record for the Safeguards Rule. The FTC will then have to determine what, if anything, it wants to do about the findings. Unfortunately, the notice leaves critical issues about this referral process unaddressed.
    • For example, an affected institution would have no idea which part of the FTC would receive the referral, what information the referral would contain, and what opportunity, if any, the institution would have to include a possible rebuttal to the finding within it.
    • In addition, the institution would remain in the dark about what response it might see from the FTC as well as what compliance steps the FTC might take based on the finding.
  • In terms of FSA compliance enforcement, the office indicates that its "Postsecondary Institution Cybersecurity Team" will receive the findings and "may request additional documentation from the institution in order to assess the level of risk to student data presented by the institution['s] . . . information security system."1
    • However, neither the notice nor the FSA provides information about the nature and composition of the team, the scope of its authority, the placement of the team within the structure of the FSA, points of contact for the team, or processes and procedures the team will use to address concerns with institutions.
    • In addition, institutions cannot currently access information about how the FSA cybersecurity team would define the relevant risk levels, what types of documentation institutions might be asked to provide, or how the FSA will maintain the confidentiality of the information it receives given Freedom of Information Act requirements.
  • The notice states that the FSA cybersecurity team can "temporarily or permanently disable the institution['s] . . . access to the Department's information systems" if the team "determines that the institution . . . poses substantial risk to the security of student information."2 Neither the notice nor the FSA provides information about how the team would reach such a determination, the extent to which the institution would be engaged in that process, or the appeals process, if any, that institutions would have available to them before a crippling loss of access to the FSA systems would take effect.
  • In addition, the team can refer cases it deems to exhibit "very serious internal control weaknesses" to an ED administrative enforcement unit for possible fines or other enforcement actions. Again, though, the process and criteria the enforcement unit would use to reach such decisions are not described, and the source of the enforcement unit's authority to levy fines or other penalties—much less the size and scope those penalties might take or how they might be appealed—is not identified.

In light of these issues, EDUCAUSE has asked ED and FSA to consider withdrawing the notice until they can provide a more comprehensive set of guidance, hopefully working in consultation with the higher education information security community. Fortunately, the federal agency that oversees the federal single audit process has extended the reporting deadline for any audits with a fiscal year-end date on or before June 30, 2020, by six months.3 With any luck, this will allow time for ED and FSA to rethink key aspects of the guidance provided and augment it with the detailed information that institutions need to ensure compliance. EDUCAUSE continues to engage with ED and FSA in pursuit of those interests, and we will update the community as new information becomes available.

For more information about policy issues impacting higher education IT, please visit the EDUCAUSE Review Policy Spotlight blog as well as the EDUCAUSE Policy web page.

Notes

  1. US Department of Education, Office of Federal Student Aid, "Enforcement of Cybersecurity Requirements under the Gramm-Leach-Bliley Act" (electronic announcement), February 28, 2020.
  2. Ibid.
  3. Margaret Weichert, "Memorandum to the Heads of Executive Departments and Agencies," official memorandum, Washington DC: Executive Office of the President Office of Management and Budget, M-20-17, March 19, 2020.

Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.

© 2020 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.