As instances of data and information breaches rise, it is vital that institutions of higher education (IHEs) protect Controlled Unclassified Information (CUI) used in the administration of federal student aid programs authorized under Title IV, of the Higher Education Act, as amended1. FSA is finalizing the Campus Cybersecurity Program framework. A multi-year phased implementation will begin with a self-assessment of the National Institute of Standards and Technology Special Publication 800–171 Rev. 2, Controlled Unclassified Information in Nonfederal Systems (NIST 800–171 Rev. 2) readiness and outreach activities. We are committed to fully advancing and encouraging all postsecondary institutions implementation of NIST 800-171 controls.
This Electronic Announcement is meant to inform IHEs and their third-party servicers about upcoming activities to ensure compliance with NIST 800–171 Rev. 2. Institutions’ compliance is in accordance with 32 C.F.R. Part 2002 and the federal government-wide requirement that institutions receiving CUI from the U.S. Department of Education (Department) comply with NIST 800–171 Rev. 22. FSA has previously encouraged IHEs to review and adopt NIST 800–171 Rev. 2 as a security standard and to support continuing obligations under the Gramm-Leach-Bliley Act (GLBA). Since 2018, many institutions have adopted some or all of the NIST 800–171 recommended requirements. We further encourage use of NIST 800–171 Rev. 2 to help mitigate risks related to CUI.
In 2021, FSA plans to initiate a self-assessment effort to understand the IHE community’s readiness to comply with NIST 800–171 Rev 2. The self-assessment effort will help the Department determine the cybersecurity posture, maturity, and future compliance of each IHE with NIST 800–171 and other cybersecurity requirements. Our intention is to partner and collaborate with IHEs, and other organizations, to enhance the resilience and maturity across IHEs by establishing a cybersecurity baseline, sharing information, and overseeing compliance with NIST 800–171 Rev. 2 and other cybersecurity requirements.
Instances of data breaches at organizations entrusted with personally identifiable information (PII) continue to proliferate and reinforce the need for the Department and IHEs to work together to combat cybersecurity threats and strengthen cybersecurity infrastructure at IHEs. Ensuring the confidentiality, security, and integrity of Title IV information depends on cooperation between the Department, IHEs, and other entities, including state grant agencies, lenders, contractors, and third-party servicers.
We expect federal student aid partners to develop, implement, and enhance information security programs with requisite controls and monitoring that supports all aspects of the administration of Title IV federal student aid programs. These security programs must encompass all systems, databases, and processes that collect, process, and distribute information—including PII—in support of applications for and receipt of Title IV student assistance.
Protecting Student Information – Next Steps
The Department looks forward to continued collaboration with IHEs to protect student data. We are committed to supporting IHEs and are working to provide additional guidelines and best practices to implement the government-wide CUI requirements, leveraging NIST security guidance. In 2021, we will post additional information to provide further information and guidance, including the cybersecurity self-assessment. In the meantime, institutions are strongly encouraged to learn more about NIST 800–171 Rev. 2 and sharing with your IT team to reduce risk surrounding CUI.
The Student Aid Internet Gateway (SAIG) Enrollment Agreement entered into by each Title IV-participating institution includes a provision that the institution “[m]ust ensure that all Federal Student Aid applicant information is protected from access by or disclosure to unauthorized personnel.” Institutions are reminded that under various federal and state laws and other authorities—including the HEA;3 the Family Educational Rights and Privacy Act (FERPA); the Privacy Act of 1974, as amended; the GLBA; and state data breach and privacy laws—institutions may be responsible for losses, fines, and penalties (including criminal penalties) as a result of data breaches.
CUI is government-created or -owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. National Archives and Records Administration’s CUI rule, effective Nov. 14, 2016, 32 C.F.R. Part 2002.16, establishes that agencies must enter into an agreement with a non-executive branch entity to share CUI and require compliance with the standards set forth in the NIST 800–171 Rev. 2. The CUI program standardizes the way the Executive branch agencies handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and federal government-wide policies. Most data sourced from the Department and information used in the administration of Title IV programs are considered CUI.
If you have questions about compliance with CUI and GLBA, please contact the Cybersecurity Team at FSA_IHECyberCompliance@ed.gov or by phone at 202-245-6550.
National Institute of Standards and Technology Special Publication 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft)
1 20 U.S.C. § 1070, et seq.
2 32 CFR § 2002.16 (5) (“Agencies should enter into agreements with any non-executive branch or foreign entity with which the agency shares or intends to share CUI.”).
3 See 20 U.S. Code § 1018b (“Any entity that maintains or transmits information under a transaction covered by this section shall maintain reasonable and appropriate administrative, technical, and physical safeguards.”).