When the IRS and Information Security (Almost) Meet

Changes that gave the Office of Federal Student Aid access to IRS taxpayer information almost led to higher education institutions having to comply with strenuous IRS information security requirements. While the CARES Act appears to have solved that problem, the EDUCAUSE Policy team will continue to monitor the situation.

In December 2019—which seems almost like a lifetime ago in pandemic time—Congress passed the Fostering Undergraduate Talent by Unlocking Resources for Education (FUTURE) Act to reauthorize and make permanent federal funding for science, technology, engineering, and math (STEM) programs at historically black colleges and universities (HBCUs) and other minority-serving institutions (MSIs). At the same time, Congress incorporated into the bill authorization for the US Department of Education (ED) Office of Federal Student Aid (FSA) to directly access federal taxpayer information to support a variety of student financial aid purposes. This authorization also allows FSA to share taxpayer information with colleges and universities to facilitate their role in administering federal student aid, and this is where the plot thickens.

After the FUTURE Act passed, the reality started to set in that the relevant tax law requires organizations receiving federal taxpayer information to follow IRS information security guidelines in relation to storing and handling that data. Furthermore, a review of the requirements in IRS Publication 1075: Tax Information Security Guidelines for Federal, State, and Local Agencies made clear that colleges and universities would have to meet the NIST SP 800-53 federal agency information security standards at the "moderate" level. Feedback from members of the EDUCAUSE information security community led the EDUCAUSE Policy team and Cybersecurity Program staff to conclude that most colleges and universities simply wouldn't be able to comply.

Fortunately, the largest of the COVID-19 emergency funding bills to have passed to date, the Coronavirus Aid, Relief, and Economic Security (CARES) Act, included a set of technical amendments (see Section 3516) that spared higher education institutions from the no-win information security situation that was inadvertently created by the FUTURE Act. In essence, the CARES amendments specified which uses of federal taxpayer information authorized under the FUTURE Act would have to comply with the "safeguards" section of the tax law on which IRS 1075 is based. The redisclosure of taxpayer information by FSA to colleges and universities is conspicuously absent from those uses, and thus higher education institutions do not have to comply with IRS 1075 as a condition of receiving taxpayer information from FSA, thanks to the CARES Act.

The amendments left unanswered, however, the question of how higher education institutions would ensure appropriate security for taxpayer information received from FSA. Key policymakers identified this as an important consideration that they might seek to address in the next COVID-19 emergency relief bill, indicating they might possibly go so far as to reverse the CARES Act fix altogether. This would leave institutions and ED/FSA with a difficult information security problem to navigate.

The EDUCAUSE Policy team, with support from EDUCAUSE members and Cybersecurity Program staff, worked with congressional staff for several weeks to help them understand the higher education information security environment and how IRS 1075 would not fit within it. We also explained the ongoing, constructive dialogue between our community, ED, and FSA regarding information security for federal financial aid data and how that was likely a better avenue for resolving security concerns associated with federal taxpayer information that is used for FSA purposes. While the Policy team won't have full confirmation until we can review the text of the next pandemic relief bill—which will probably remain in limbo until at least after Labor Day—discussions with various stakeholders indicate that our efforts and those of other organizations have borne fruit, and we believe that Congress is unlikely to apply the information security framework outlined in IRS Publication 1075 to colleges and universities.

The EDUCAUSE Policy team continues to watch for definitive signs that the CARES Act "fix" will remain in place, and we will share the final news on that score once we have it. In the meantime, ED and FSA continue to indicate that they see federal financial aid data shared with or managed by colleges and universities as controlled unclassified information (CUI), which will fall under the provisions of the National Archives and Records Administration (NARA) CUI Program. This means that institutions will eventually have to apply the NIST SP 800-171 CUI security requirements to the student financial aid systems and data they manage.

At present, the lack of the uniform Federal Acquisition Regulation (FAR) clause that federal agencies need to integrate the NARA CUI Program (i.e., 800-171) requirements into their grants and contracts remains the primary source of delay. The clause could emerge at any time, though, starting the clock on ED and FSA implementation, and thus on the countdown for when colleges and universities will have to comply with federal CUI guidelines. ED and FSA could also explore other administrative mechanisms for mandating 800-171 compliance if the FAR clause continues to be delayed or doesn't fully encompass the security needs that ED and FSA consider significant. Higher education has seen this before in the context of the Federal Trade Commission (FTC) Safeguards Rule, which FSA pulled into federal financial aid compliance by making it part of the Title IV Program Participation Agreement (PPA). With that in mind, the EDUCAUSE Policy team will maintain a strong focus on policy developments impacting the security of federal financial aid data and work with other associations as well as policymakers and regulators to seek policies that will allow our members to viably secure the financial aid data with which they are charged.

For more information about policy issues impacting higher education IT, please visit the EDUCAUSE Review Policy Spotlight blog as well as the EDUCAUSE Policy page.


Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.

© 2020 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.