FSA to Launch Campus Cybersecurity Program and New Cybersecurity Standards

By Michelle Donovan, Partner, Duane Morris LLP

The Department has announced that it is finalizing a Campus Cybersecurity Program framework. The new Program will be implemented over the next few years. As part of the plan, the Department will ensure that Title IV institutions of higher education (IHE) comply with the “CUI Rule,” which requires nongovernment agencies receiving controlled unclassified information (CUI) to comply with the National Institute of Standards and Technology Special Publication 800–171 Rev. 2, Controlled Unclassified Information in Nonfederal Systems (NIST 800–171). The Department previously encouraged compliance with this standard in its 2016 Dear Colleague Letter (GEN 16-12), and strongly encouraged institutions that fall short of NIST 800–171 standards to assess their current gaps and immediately begin to design and implement plans in order to close those gaps using the NIST standards as a model. The Department has outlined a multi-year implementation plan that includes near-term, intermediate-term and long-term goals, starting with a self-assessment program to understand the community’s readiness to comply with NIST 800–171.¹

Near-Term

• Electronic Announcement – Dec 2020
• Engage community stakeholders
• IHE self-assessment
• Education

Intermediate-Term

• • Collect IHE cybersecurity data

• Implement IHE risk profiles
• Initiate pilot using risk profiles

Long-Term

• Fulfill ED and FSA CUI mandate
• Refine IHE support structure

The Department will be publishing guidelines and best practices to implement the NIST 800–171 standard, as well as additional information regarding the upcoming cybersecurity self-assessment.

What is the CUI Rule

The “CUI Rule” standardizes the way the Executive branch agencies handle CUI that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and federal government-wide policies. The rule is set forth in National Archives and Records Administration’s regulation 32 C.F.R. Part 2002.16, which requires government agencies to enter into an agreement with a non-executive branch entity to share CUI, and requires compliance with the standards set forth in the NIST 800–171. Examples of CUI include: (i) privacy information, such as military personnel records, personnel records, student records, sensitive personally identifiable information; (ii) federal taxpayer information; and (iii) financial information such as electronic funds transfer, financial supervision information, general financial information. Most of the data received from the Department used in the administration of Title IV programs is considered CUI.

What Is NIST 800-171?

NIST Special Publication 800-171 defines the security requirements (controls) required to protect CUI in nonfederal information systems and organizations. The NIST standards are considered the “gold standard” of information security. The standards are comprised of 110 security controls that are grouped into the following fourteen security control families:

You should carefully review all 110 controls when developing your cybersecurity program. Below are a few key features.

• Develop an Information Security Program
  • Designate a program coordinator or team
  • Conduct risk assessment of each system component to identify risks
  • Establish a system security plan describing how safeguards are used to control the identified risks
  • Select service providers that will maintain safety standards

• Employee Management and Training
  • Background and reference checks
  • Confidentiality agreements
  • Limit access to authorized employees only
  • Complex passwords (changed at set intervals)
  • Screen savers
  • Limit unsuccessful logon attempts
  • Control remote access sessions (i.e., authentication, passwords)
  • Use and protection policies for all electronic devices
  • Encrypt communications containing sensitive data
  • Train employees to take steps to maintain security and confidentiality
  • Disciplinary measures

• Information Systems
  • Know where sensitive customer information is stored
  • Store the information securely
  • Encrypt stored data
  • Regularly update software and applications
  • Allow only authorized employees to have access
  • Dispose of customer data when no longer needed
  • Dispose of information securely

• Detecting and Managing System Failures
  • Maintain updated and appropriate programs and system controls
  • Oversight procedures to detect security breaches or theft
  • Develop self-auditing procedure to regularly test security
  • Monitor relevant industry materials to learn about emerging threats
  • Preserve security, confidentiality of information in the event of breach
  • Consider notifying law enforcement, consumers if a breach occurs

Depending on an IHE’s existing security posture, it can often take several months (and in some cases 1-2 years) to comply with the robust NIST 800–171 security controls. IHEs should start assessing any gaps in their information security program to identify any controls that are not addressed and immediately work toward closing those gaps. Consult with legal counsel to consider whether to conduct these assessments under attorney-client privilege.

Reference

1. https://fsaconferences.ed.gov/conferences/library/2020/2020FSAConfSessionBO15.pdf

MICHELLE DONOVAN is a Partner at Duane Morris, LLP. She serves on the firm’s Diversity and Inclusion committee and chairs the San Diego Diversity and Inclusion Initiative. Ms. Donovan’s practice is largely focused on the career college sector and the specialized legal issues that arise for schools in the sector, including issues related to the protection of student records, privacy, online marketing, lead generation, trademarks, copyrights, and domain names. Duane Morris serves all sectors of postsecondary education and the businesses that support postsecondary education, providing deep experience and guidance in all legal aspects of this complex industry, as well as strategy, operations, finance and policy.