TL;DR:

The Department of Education announced the finalization of the CCP, which will be rolled out over the next few years and involve initiatives to improve cybersecurity maturity at Title IV EDUs by enforcing the GLBA and requiring compliance with NIST 800-171 to protect CUI.

On December 18, 2020, the Department of Education (ED) Federal Student Aid (FSA) Office released a letter titled, “Protecting Student Information – Compliance with CUI and GLBA.” The letter announced that it is finalizing its Campus Cybersecurity Program (CCP) and will roll out over the next few years.

It is still unclear the full extent of the CCP. However, it will broadly involve initiatives to improve cybersecurity maturity at Title IV EDUs by continuing to enforce the Gramm-Leach-Bliley Act (GLBA) and requiring compliance with NIST 800-171 to protect Controlled Unclassified Information (CUI). FSA had previously encouraged EDUs to comply with NIST 800-171 in its 2016 “Dear Colleague” letter (GEN-16-12), strongly encouraging those falling short to assess their current gaps and design and implement plans to close those gaps using the 110 NIST 800-171 standards as a model.

What is the purpose of the Campus Cybersecurity Program?

TL;DR:

The FSA launched the CCP to monitor and reduce cybersecurity risks related to student financial assistance program data, with the goals of understanding risks, providing visibility into EDU compliance and maturity levels, identifying trends, and aiding program decisions.

The CCP is a new initiative by the FSA with a mission to “Monitor and reduce cybersecurity risks to enhance the protection of FSA student financial assistance program data, which are collected, received, processed, stored, transmitted, or destroyed by FSA, EDUs, and third-party servicers.” FSA hopes to achieve several goals with the CCP, including:

• Understand Risks
• • Provide visibility into EDU compliance with Federal guidelines and their maturity level.
• Identify Trends
  • Identify trends that differentiate EDUs with more mature cybersecurity security postures vs. EDUs that need some support to enhance their program.
• Aid Decisions
  • Provide a holistic view of the cybersecurity posture of EDUs to facilitate program decisions.

Who does the Campus Cybersecurity Program affect?

Like the GLBA, the CCP affects any EDU that participates in a Title IV FSA Program and its subsequent units that handle FSA data (e.g., registrar’s office, student aid office, bookstore, etc.). It also applies to institutions outside the US that administer FSA funds.

What does the Campus Cybersecurity Program entail?

TL;DR:

The CCP will strengthen the FSA’s efforts to ensure GLBA compliance and protect CUI through the assessment of NIST 800-171, with a likely compliance audit in the future and a self-assessment in 2021, while also promoting education, support, and incentives for partners to enhance their cybersecurity postures, data breach capabilities and processes.

Although there are still many unknowns regarding the CCP, we know it will entail a few things:

• GLBA Compliance
  • The CCP will bolster the FSAs current efforts to ensure EDUs comply with the GLBA and introduce new resources to help EDUs comply.
• CUI Protection
  • The CCP will seek to protect CUI by requiring EDUs to assess against NIST 800-171.  This will probably take shape in the form of a compliance audit down the road and start with a self-assessment sometime in 2021 to understand the community’s readiness to comply. Currently, FSA has not released any additional details regarding NIST 800-171 or the self-assessment.

More broadly, the CCP will educate, support, and incentivize partners to mature their cybersecurity postures and mature the FSA’s data breach capabilities and processes.

How will the Campus Cybersecurity Program be rolled out?

TL;DR:

The multi-year implementation plan consists of short-terms goals such as an electronic announcement and EDY self-assessment, intermediate goals including collecting EDU cybersecurity data and implementing risk profiles, and long-term goals such as fulfilling the ED and FSA CUI mandate and refining the EDU support structure.

Mia Jordan, Chief Information Officer (CIO) at the Department of Education, released a multi-year implementation plan that includes near-term, intermediate-term, and long-term goals.

• Short-Term
  • Electronic announcement – December 2020
  • Engage community stakeholders
  • EDU self-assessment
  • Educate EDUs
• Intermediate-Term
  • Collect EDU cybersecurity data
  • Implement EDU risk profiles
  • Initiate pilot using risk profiles
• Long-Term
  • Fulfill ED and FSA CUI mandate
  • Refine EDU support structure

How can I prepare for the Campus Cybersecurity Program?

TL;DR:

To prepare for a Department of Education audit, ensure GLBA compliance for covered units and begin understanding NIST 800-171 controls and amending policies and processes accordingly, and leveraging existing efforts towards NITS 800-171.

• Ensure GLBA Compliance
  • Identify the GLBA covered units and ensure their compliance in preparation for a Department of Education audit. Read more on our comprehensive GLBA in Higher Education blog post.
• Start Preparing for NIST 800-171 Self-Assessment
  • Start understanding the NIST 800-171 controls and how you’ll need to amend your policies and processes to ensure compliance. EDUCAUSE created “An Introduction to NIST Special Publication 800-171 for Higher Education Institutions” which includes an overview of all 14 families of controls as well as other NIST 800-171 resources.
  • If your EDU is a research institution that conducts Department of Defense (DoD) sponsored research, you might already be working to ensure NIST 800-171 compliance as part of the DFARS Interim Rule and the Cybersecurity Maturity Model Certification (CMMC). Those efforts will mostly apply here and it would be wise to leverage the work you’ve done across your research labs and systems to your GLBA covered units.

How Isora GRC from SaltyCloud can help

TL;DR:

Isora GRC from SaltyCloud is the powerfully simple CCP solution making regulatory compliance easier while helping organizations improve their cyber resilience.

The stakes have never been higher for organizations as they confront escalating cyberattacks and mounting regulations.

With business-critical data and privacy on the line, companies need a simple solution that helps them move beyond a ‘check-the-box’ mindset towards a risk-informed, data-driven, and proactive approach.

Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.

• Ace compliance audits with collaborative surveys, adaptable security frameworks, dynamic dashboards, and insightful reporting for key regulations.
• Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
• Protect critical data with comprehensive inventory management, seamless integration, continuous assessments, and insightful reporting.
• Minimize third-party risk with a complete vendor inventory, risk assessment surveys, and approval workflows.

Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.

Discover how Isora GRC from SaltyCloud can streamline your CCP and GLBA compliance.