TL;DR:
The Department of Education announced the finalization of the CCP, which will be rolled out over the next few years and involve initiatives to improve cybersecurity maturity at Title IV EDUs by enforcing the GLBA and requiring compliance with NIST 800-171 to protect CUI.
On December 18, 2020, the Department of Education (ED) Federal Student Aid (FSA) Office released a letter titled, “Protecting Student Information – Compliance with CUI and GLBA.” The letter announced that FSA is finalizing its Campus Cybersecurity Program (CCP), which will be rolled out over the next few years.
The full extent of the CCP is still unclear. However, it will broadly involve initiatives to improve cybersecurity maturity at Title IV EDUs by continuing to enforce the Gramm-Leach-Bliley Act (GLBA) and requiring compliance with NIST 800-171 to protect Controlled Unclassified Information (CUI). FSA had previously encouraged EDUs to comply with NIST 800-171 in its 2016 “Dear Colleague” letter (GEN-16-12), strongly encouraging those falling short to assess their current gaps and to design and implement plans to close those gaps using the 110 NIST 800-171 requirements as a model.
TL;DR:
The FSA launched the CCP to monitor and reduce cybersecurity risks related to student financial assistance program data, with the goals of understanding risks, providing visibility into EDU compliance and maturity levels, identifying trends, and aiding program decisions.
The CCP is a new initiative by the FSA with a mission to “Monitor and reduce cybersecurity risks to enhance the protection of FSA student financial assistance program data, which are collected, received, processed, stored, transmitted, or destroyed by FSA, EDUs, and third-party servicers.” FSA hopes to achieve several goals with the CCP, including:
Like the GLBA, the CCP affects any EDU that participates in a Title IV FSA Program and its subsequent units that handle FSA data (e.g., registrar’s office, student aid office, bookstore, etc.). It also applies to institutions outside the US that administer FSA funds.
TL;DR:
The CCP will strengthen the FSA’s efforts to ensure GLBA compliance and protect CUI through the assessment of NIST 800-171, with a likely compliance audit in the future and a self-assessment in 2021, while also promoting education, support, and incentives for partners to enhance their cybersecurity postures, data breach capabilities and processes.
Although there are still many unknowns regarding the CCP, we know it will entail a few things:
More broadly, the CCP will educate, support, and incentivize partners to mature their cybersecurity postures and mature the FSA’s data breach capabilities and processes.
TL;DR:
The multi-year implementation plan consists of short-term goals such as an electronic announcement and an EDU self-assessment, intermediate goals including collecting EDU cybersecurity data and implementing risk profiles, and long-term goals such as fulfilling the ED and FSA CUI mandate and refining the EDU support structure.
Mia Jordan, Chief Information Officer (CIO) at the Department of Education, released a multi-year implementation plan that includes near-term, intermediate-term, and long-term goals.
TL;DR:
To prepare for a Department of Education audit, ensure GLBA compliance for covered units, begin understanding the NIST 800-171 controls and amending policies and processes accordingly, and leverage existing efforts toward NIST 800-171.
TL;DR:
Isora GRC from SaltyCloud is the powerfully simple CCP solution making regulatory compliance easier while helping organizations improve their cyber resilience.
The stakes have never been higher for organizations as they confront escalating cyberattacks and mounting regulations.
With business-critical data and privacy on the line, companies need a simple solution that helps them move beyond a ‘check-the-box’ mindset towards a risk-informed, data-driven, and proactive approach.
Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.
Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.
Discover how Isora GRC from SaltyCloud can streamline your CCP and GLBA compliance.
Learn everything you need to know to approach your audit with confidence. Get a FREE copy of our GLBA Definitive Step-by-Step Guidebook.