March 23, 2021

Last Updated on January 15, 2024

Cyber attacks against higher education institutions continue to escalate, and the reason is simple: these organizations remain vulnerable. Technology use on campus is evolving faster than corresponding data protections, exposing sensitive student financial and personal data.

Against this longstanding backdrop, the US Department of Education Federal Student Aid Office (FSA) on December 18, 2020 released an Electronic Announcement entitled, “Protecting Student Information – Compliance with CUI and GLBA.” Citing the need for universities to protect Controlled Unclassified Information (CUI) used to administer federal student aid programs authorized under Title IV of the Higher Education Act, the letter announces “a multi-year phased implementation” of the FSA’s new Campus Cybersecurity Program framework.

Who does the Campus Cybersecurity Program impact?

The Campus Cybersecurity Program will directly impact any institutions of higher education (IHEs) that participate in an FSA Title IV program. This includes all an IHE’s business units that handle CUI from an FSA program, such as the registrar and student aid office.

The program could also impact federal student aid partners (e.g., churches, community organizations) that “… collect, process and distribute information—including PII—in support of applications for and receipt of Title IV student assistance.”

Why was the Campus Cybersecurity Program created?

Mia Jordan, DoE CIO, stated in a virtual FSA training conference presentation that the mission of the Campus Cybersecurity Program is to:

“Monitor and reduce cybersecurity risks to enhance the protection of FSA student financial assistance program data, which are collected, received, processed, stored, transmitted, or destroyed by FSA, IHEs, and third-party servicers.”

In the same presentation, Ms. Jordan outlined goals for the program, including:

  • Understanding risks, by offering visibility into IHE compliance with federal guidelines and their cyber maturity level
  • Identifying trends that differentiate IHEs with more mature cybersecurity security postures versus those that need some support to enhance their programs
  • Gaining a holistic view of the cybersecurity posture of IHEs to facilitate program aid decisions

What are the phases of the Campus Cybersecurity Program?

While the FSA’s announcement left many questions unanswered, it did cite these initial program steps:

  • The first step will be “… a self-assessment of the National Institute of Standards and Technology Special Publication 800–171 Rev. 2, Controlled Unclassified Information in Nonfederal Systems (NIST 800-171 2).” The purpose of the self-assessment effort is to help the DoE gauge IHEs’ current cybersecurity postures in relation to NIST 800-171 and in general.
  • The ultimate goal is to drive NIST 800-171 and GLBA compliance across all universities that handle FSA data. This could well entail a compliance audit.

Beyond that, Ms. Jordan has outlined an implementation plan for the program:

Near-Term

  • Electronic Announcement (December 2020)
  • Engage community stakeholders
  • IHE self-assessment
  • Educate IHEs

Intermediate-Term

  • Collect IHE cybersecurity data
  • Implement IHE risk profiles
  • Initiate pilot using risk profiles

Long-Term

  • Fulfill ED and FSA CUI mandate
  • Refine IHE support structure

The FSA has promised to provide additional information and guidance in 2021, “including the cybersecurity self-assessment.”

What can IHEs do now to prepare for the Campus Cybersecurity Program?

Despite all the unknowns, there are a number of pragmatic steps that higher ed organizations can take today to prepare for Campus Cybersecurity Program compliance. These include:

  • Review the December 2020 announcement
  • Make sure you’re GLBA compliant, since this will likely be part of any DoE audit process
  • Evaluate your current security posture in relation to NIST 800-171 to identify the gaps and decide how best to close them
  • Explore best practices for handling CUI, such as segregating it within “secure enclaves” (popular among forward-looking organizations in the US Department of Defense (DoD) supply chain) or other forms of physical/logical separation
  • Identify any NIST 800-171 controls that are not “in scope” in your environment

if you need to protect student data and meet emerging compliance requirements, contact Pivot Point Security to discuss your current environment and how we can help.

For more information: