The Federal Student Aid’s (FSA) senior advisor of cybersecurity recently updated the Cybersecurity Compliance Frequently Asked Questions (FAQ). The updates include reminders from the Department of Education (ED) about the following key points:
- Data breaches. The Student Aid Internet Gateway (SAIG) Agreement requires that institutions “report actual data breaches, as well as suspected data breaches ... on the day that a data breach is detected or even suspected.”
- Reporting breaches. To report a breach, institutions should email email@example.com and include the date, impact, and method of the breach, information security program point of contact, remediation status, and next steps.
- Violation fines. The ED can fine institutions “up to $54,789 per violation per 34 C.F.R. § 36.2” if they don’t comply with data breach self-reporting requirements.
The following insight explores ED’s guidance and additional changes to the Cybersecurity Compliance FAQ page. More resources are available on ED’s Cybersecurity Compliance webpage.
In 2016, the Department of Education FSA office issued a notification reminding institutions of their obligations and responsibilities to protect student financial aid data. The notification stated their intent to incorporate the Gramm-Leach-Bliley Act (GLBA) security controls into the Annual Audit Guide as well as require evidence examinations of GLBA compliance.
The current status appears to be that the ED is considering the procedures it may suggest an external auditor perform on cybersecurity measures with regards to student financial information. The actual audit requirements that’ll be included in the Annual Audit Guide and OMB Compliance supplement—as well as when compliance will be enforced—remains to be seen. Nonetheless, institutions should implement the necessary cybersecurity measures that align with the GLBA, if they haven't already.
Key Compliance Changes
To be in compliance with the GLBA, institutions must do the following:
Develop, implement, and maintain a written information security program.
An overarching information security policy should be a foundational part of an institution’s written policies and procedures. A strong security policy explains the importance of protecting student financial aid data—or any sensitive or confidential data—and provides data protection procedures for ensuring its confidentiality.
The institution’s data protection procedures may include many components—such as a vulnerability management plan, incident response plan, and disaster recovery plan, among others. For example, the institution can include a requirement to mandate the use of encryption when transmitting sensitive data across public networks. They can also introduce a documented governance process that considers the risk when implementing new technologies.
Designate the employee(s) responsible for coordinating the information security program.
Institutions should designate an individual or committee to spearhead the information security program. This individual may be from executive management—or be supported by executive management—and may serve in the role of chief information security officer or information security manager.
The committee could be an information security governance committee made up of members of executive management, department managers, and IT management. Their responsibilities include raising awareness of information security and instilling cybersecurity concepts into the institution’s culture.
Identify and assess risks to customer information.
This requirement states institutions should perform regular risk assessments. An institution should trace the lifecycle of student financial aid data, noting the systems and networks that touch the data and taking note of any potential threats.
Once each threat is identified, the institution should develop protections against each one. They should also assign a risk rating that considers the nature of the threat, its probability, and its impact. The institution can then document its understanding of each risk, the threat it presents, and its compensating controls.
Design and implement information safeguards.
The information safeguards requirement helps ensure appropriate systems are in place given the results of the risk assessment exercise. For example, to protect against the threat of software virus infection and propagation, an institution should have antivirus software implemented on endpoints and gateway devices. While this is one example of a plausible threat, there are many others that need to be considered and addressed with the appropriate controls and protections.
Select appropriate service providers that are capable of maintaining appropriate safeguards.
If an institution contracts a third-party service provider—such as a colocation facility or cloud-based application provider—to handle student financial data, the institution should conduct due diligence on the provider and include contract terms to help ensure they have safeguards in place to protect student financial aid data. The institution’s due-diligence process could include reviewing any third-party attestation report on the provider’s internal controls, such as a cybersecurity assessment or service organization controls (SOC) audit.
Periodically evaluate and update the security program.
An institution should continually monitor the operating effectiveness of its information security program, and update the program as needed. For example, an institution may want to update its security program as new technology platforms are introduced—such as migrating to cloud-based solutions for critical business systems.
These changes may result in the institution needing to update its policies, standard operating procedures, or disaster recovery and incident response plans, among other cybersecurity-related documentation.
Stay in Compliance
As institutions work to implement the GLBA’s requirements, they should also make sure they’re in compliance with technology framework NIST SP 800-171 Rev. 1. This is currently the best practice cybersecurity framework recommended by FSA upon which to base an information security program.
About the Framework
The National Institute of Standards and Technology (NIST) SP 800-171 Rev. 1 framework consists of 14 requirements for protecting controlled unclassified information (CUI). Institutions that receive federal grants for defense-related research activities need to have been compliant with NIST SP 800-171 Rev. 1 by December 31, 2017, or risk losing federal funding. The Department of Education hasn’t yet provided concrete compliance dates for other institutions.
To gauge your institution’s compliance with NIST SP 800-171 Rev. 1, you can perform a gap assessment to identify misalignments with the framework and begin addressing them.
We’re Here to Help
For more information on how to improve cybersecurity at your organization and help your business comply with GLBA security controls, contact your Moss Adams professional.