Last Updated on March 23, 2021
Cyber attacks against higher education institutions continue to escalate, and the reason is simple: these organizations remain vulnerable. Technology use on campus is evolving faster than corresponding data protections, exposing sensitive student financial and personal data.
Against this longstanding backdrop, the US Department of Education Federal Student Aid Office (FSA) on December 18, 2020 released an Electronic Announcement entitled, “Protecting Student Information – Compliance with CUI and GLBA.” Citing the need for universities to protect Controlled Unclassified Information (CUI) used to administer federal student aid programs authorized under Title IV of the Higher Education Act, the letter announces “a multi-year phased implementation” of the FSA’s new Campus Cybersecurity Program framework.
Who does the Campus Cybersecurity Program impact?
The Campus Cybersecurity Program will directly impact any institutions of higher education (IHEs) that participate in an FSA Title IV program. This includes all an IHE’s business units that handle CUI from an FSA program, such as the registrar and student aid office.
The program could also impact federal student aid partners (e.g., churches, community organizations) that “… collect, process and distribute information—including PII—in support of applications for and receipt of Title IV student assistance.”
Why was the Campus Cybersecurity Program created?
Mia Jordan, DoE CIO, stated in a virtual FSA training conference presentation that the mission of the Campus Cybersecurity Program is to:
“Monitor and reduce cybersecurity risks to enhance the protection of FSA student financial assistance program data, which are collected, received, processed, stored, transmitted, or destroyed by FSA, IHEs, and third-party servicers.”
In the same presentation, Ms. Jordan outlined goals for the program, including:
- Understanding risks, by offering visibility into IHE compliance with federal guidelines and their cyber maturity level
- Identifying trends that differentiate IHEs with more mature cybersecurity security postures versus those that need some support to enhance their programs
- Gaining a holistic view of the cybersecurity posture of IHEs to facilitate program aid decisions
What are the phases of the Campus Cybersecurity Program?
While the FSA’s announcement left many questions unanswered, it did cite these initial program steps:
- The first step will be “… a self-assessment of the National Institute of Standards and Technology Special Publication 800–171 Rev. 2, Controlled Unclassified Information in Nonfederal Systems (NIST 800-171 2).” The purpose of the self-assessment effort is to help the DoE gauge IHEs’ current cybersecurity postures in relation to NIST 800-171 and in general.
- The ultimate goal is to drive NIST 800-171 and GLBA compliance across all universities that handle FSA data. This could well entail a compliance audit.
Beyond that, Ms. Jordan has outlined an implementation plan for the program:
- Electronic Announcement (December 2020)
- Engage community stakeholders
- IHE self-assessment
- Educate IHEs
- Collect IHE cybersecurity data
- Implement IHE risk profiles
- Initiate pilot using risk profiles
- Fulfill ED and FSA CUI mandate
- Refine IHE support structure
The FSA has promised to provide additional information and guidance in 2021, “including the cybersecurity self-assessment.”
What can IHEs do now to prepare for the Campus Cybersecurity Program?
Despite all the unknowns, there are a number of pragmatic steps that higher ed organizations can take today to prepare for Campus Cybersecurity Program compliance. These include:
- Review the December 2020 announcement
- Make sure you’re GLBA compliant, since this will likely be part of any DoE audit process
- Evaluate your current security posture in relation to NIST 800-171 to identify the gaps and decide how best to close them
- Explore best practices for handling CUI, such as segregating it within “secure enclaves” (popular among forward-looking organizations in the US Department of Defense (DoD) supply chain) or other forms of physical/logical separation
- Identify any NIST 800-171 controls that are not “in scope” in your environment
if you need to protect student data and meet emerging compliance requirements, contact Pivot Point Security to discuss your current environment and how we can help.
For more information:
- Guidance from EDUCAUSE on NIST 800-171 for HEIs
- New GLBA compliance oversight from the Office of Management and Budget (OMB)
- A “coffee chat” with NIST Fellow Ron Ross on NIST 800-171 and CUI (from EDUCAUSE)
- A NIST 800-171 compliance template (also from EDUCAUSE)
- A 2016 FSA letter encouraging IHEs to comply with NIST 800-171