The Federal Student Aid (FSA) office of the U.S. Department of Education published a letter to institutions emphasizing their obligation to protect student financial aid information from unauthorized disclosure or access.
“Postsecondary educational institutions entrusted with student financial aid information are continuing to develop ways to address cybersecurity threats and to strengthen their cybersecurity infrastructure,” wrote Ted Mitchell, the under secretary of the Department of Education.
Institutions have already had to comply with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, but the Department of Education now requires compliance as part of its annual student aid audit for schools that want to continue to have financial aid available for students.
GLBA requires universities to:
- Develop, use, and maintain a written information security program.
- Determine employees responsible for coordinating the information security program.
- Identify and assess risks.
- Design and use an information safeguard program.
- Evaluate and update the security program as needed.
“It is imperative that organizations continue to enhance cybersecurity in order to meet evolving threats to Controlled Unclassified Information (CUI) and challenges to the security of such organizations,” wrote Mitchell.
The National Institute of Standards and Technology (NIST) released recommendations on appropriately securing CUI, which the FSA letter defines as “a subset of Federal data that includes unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Federal policies.”
Specific recommended requirements instruct institutions to limit information system access to authorized users, ensure users are properly trained, conduct risk assessments, and identify, report, and correct any information flaws in a timely manner.
“We strongly encourage those institutions that fall short of NIST standards to assess their current gaps and immediately begin to design and implement plans in order to close those gaps using the NIST standards as a model,” wrote Mitchell.