Table of Contents

Introduction
What is the purpose of the Campus Cybersecurity Program?
Who does the Campus Cybersecurity Program affect?
What does the Campus Cybersecurity Program entail?
How will the Campus Cybersecurity Program be rolled out?
How can I prepare for the Campus Cybersecurity Program?
I still have questions. Can SaltyCloud help?

Introduction

On December 18, 2020, the Department of Education (ED) Federal Student Aid (FSA) Office released a letter titled, “Protecting Student Information – Compliance with CUI and GLBA.” The letter announced that it is finalizing its Campus Cybersecurity Program (CCP) and will roll out over the next few years. It is still unclear the full extent of the CCP. However, it will broadly involve initiatives to improve cybersecurity maturity at Title IV EDUs by continuing to enforce the Gramm-Leach-Bliley Act (GLBA) and requiring compliance with NIST 800-171 to protect Controlled Unclassified Information (CUI). FSA had previously encouraged EDUs to comply with NIST 800-171 in its 2016 “Dear Colleague” letter (GEN-16-12), strongly encouraging those falling short to assess their current gaps and design and implement plans to close those gaps using the 110 NIST 800-171 standards as a model.

What is the purpose of the Campus Cybersecurity Program?

The CCP is a new initiative by the FSA with a mission to “Monitor and reduce cybersecurity risks to enhance the protection of FSA student financial assistance program data, which are collected, received, processed, stored, transmitted, or destroyed by FSA, EDUs, and third-party servicers.” FSA hopes to achieve several goals with the CCP, including:

• Understand Risks
  • Provide visibility into EDU compliance with Federal guidelines and their maturity level.
• Identify Trends
  • Identify trends that differentiate EDUs with more mature cybersecurity security postures vs. EDUs that need some support to enhance their program.
• Aid Decisions
  • Provide a holistic view of the cybersecurity posture of EDUs to facilitate program decisions.

Who does the Campus Cybersecurity Program affect?

Like the GLBA, the CCP affects any EDU that participates in a Title IV FSA Program and its subsequent units that handle FSA data (e.g., registrar’s office, student aid office, bookstore, etc.). It also applies to institutions outside the US that administer FSA funds.

What does the Campus Cybersecurity Program entail?

Although there are still many unknowns regarding the CCP, we know it will entail a few things:

• GLBA Compliance
  • The CCP will bolster the FSAs current efforts to ensure EDUs comply with the GLBA and introduce new resources to help EDUs comply.
• CUI Protection
  • The CCP will seek to protect CUI by requiring EDUs to assess against NIST 800-171.  This will probably take shape in the form of a compliance audit down the road and start with a self-assessment sometime in 2021 to understand the community’s readiness to comply. Currently, FSA has not released any additional details regarding NIST 800-171 or the self-assessment.

More broadly, the CCP will educate, support, and incentivize partners to mature their cybersecurity postures and mature the FSA’s data breach capabilities and processes.

How will the Campus Cybersecurity Program be rolled out?

Mia Jordan, Chief Information Officer (CIO) at the Department of Education, released a multi-year implementation plan that includes near-term, intermediate-term, and long-term goals.

• Short-Term
  • Electronic announcement – December 2020
  • Engage community stakeholders
  • EDU self-assessment
  • Educate EDUs
• Intermediate-Term
  • Collect EDU cybersecurity data
  • Implement EDU risk profiles
  • Initiate pilot using risk profiles
• Long-Term
  • Fulfill ED and FSA CUI mandate
  • Refine EDU support structure

How can I prepare for the Campus Cybersecurity Program?

• Ensure GLBA Compliance
  • Identify the GLBA covered units and ensure their compliance in preparation for a Department of Education audit. Read more on our comprehensive GLBA in Higher Education blog post.
• Start Preparing for NIST 800-171 Self-Assessment
  • Start understanding the NIST 800-171 controls and how you’ll need to amend your policies and processes to ensure compliance. EDUCAUSE created “An Introduction to NIST Special Publication 800-171 for Higher Education Institutions” which includes an overview of all 14 families of controls as well as other NIST 800-171 resources.
  • If your EDU is a research institution that conducts Department of Defense (DoD) sponsored research, you might already be working to ensure NIST 800-171 compliance as part of the DFARS Interim Rule and the Cybersecurity Maturity Model Certification (CMMC). Those efforts will mostly apply here and it would be wise to leverage the work you’ve done across your research labs and systems to your GLBA covered units.

I still have questions. Can SaltyCloud help?

We sure can. We work with dozens of top universities in the United States to help them ace their compliance audits and safeguard their organization. Learn more about our Governance, Risk, and Compliance (GRC) Assessment Platform, Isora GRC, or email us at info@saltycloud.com.