Understanding the Campus Cybersecurity Program by the Department of Education

Table of Contents

Introduction
What is the purpose of the Campus Cybersecurity Program?
Who does the Campus Cybersecurity Program affect?
What does the Campus Cybersecurity Program entail?
How will the Campus Cybersecurity Program be rolled out?
How can I prepare for the Campus Cybersecurity Program?
I still have questions. Can SaltyCloud help?

Introduction

On December 18, 2020, the Department of Education (ED) Federal Student Aid (FSA) Office released a letter titled “Protecting Student Information – Compliance with CUI and GLBA.” The letter announced that FSA is finalizing its Campus Cybersecurity Program (CCP) and will roll it out over the next few years. The full extent of the CCP is still unclear. However, it will broadly involve initiatives to improve cybersecurity maturity at Title IV EDUs by continuing to enforce the Gramm-Leach-Bliley Act (GLBA) and by requiring compliance with NIST 800-171 to protect Controlled Unclassified Information (CUI). FSA had previously encouraged EDUs to comply with NIST 800-171 in its 2016 “Dear Colleague” letter (GEN-16-12), strongly encouraging those falling short to assess their current gaps and to design and implement plans to close those gaps using the 110 NIST 800-171 controls as a model.

What is the purpose of the Campus Cybersecurity Program?

The CCP is a new initiative by the FSA with a mission to “Monitor and reduce cybersecurity risks to enhance the protection of FSA student financial assistance program data, which are collected, received, processed, stored, transmitted, or destroyed by FSA, EDUs, and third-party servicers.” FSA hopes to achieve several goals with the CCP, including:

  • Understand Risks
    • Provide visibility into EDU compliance with Federal guidelines and their maturity level.
  • Identify Trends
    • Identify trends that differentiate EDUs with more mature cybersecurity postures from EDUs that need support to enhance their program.
  • Aid Decisions
    • Provide a holistic view of the cybersecurity posture of EDUs to facilitate program decisions.

Who does the Campus Cybersecurity Program affect?

Like the GLBA, the CCP affects any EDU that participates in a Title IV FSA Program, along with any of its units that handle FSA data (e.g., registrar’s office, student aid office, bookstore, etc.). It also applies to institutions outside the US that administer FSA funds.

What does the Campus Cybersecurity Program entail?

Although there are still many unknowns regarding the CCP, we know it will entail a few things:

  • GLBA Compliance
    • The CCP will bolster the FSA’s current efforts to ensure EDUs comply with the GLBA and will introduce new resources to help EDUs comply.
  • CUI Protection
    • The CCP will seek to protect CUI by requiring EDUs to assess themselves against NIST 800-171. This will probably take the form of a compliance audit down the road, starting with a self-assessment sometime in 2021 to gauge the community’s readiness to comply. Currently, FSA has not released any additional details regarding NIST 800-171 or the self-assessment.

More broadly, the CCP will educate, support, and incentivize partners to mature their cybersecurity postures, and it will mature the FSA’s own data breach capabilities and processes.

How will the Campus Cybersecurity Program be rolled out?

Mia Jordan, Chief Information Officer (CIO) at the Department of Education, released a multi-year implementation plan that includes short-term, intermediate-term, and long-term goals.

  • Short-Term
    • Electronic announcement – December 2020
    • Engage community stakeholders
    • EDU self-assessment
    • Educate EDUs
  • Intermediate-Term
    • Collect EDU cybersecurity data
    • Implement EDU risk profiles
    • Initiate pilot using risk profiles
  • Long-Term
    • Fulfill ED and FSA CUI mandate
    • Refine EDU support structure

How can I prepare for the Campus Cybersecurity Program?

I still have questions. Can SaltyCloud help?

We sure can. We work with dozens of top universities in the United States to help them ace their compliance audits and safeguard their organization. Learn more about our Governance, Risk, and Compliance (GRC) Assessment Platform, Isora GRC, or email us at info@saltycloud.com.