NAICU Washington Update

Education Department Issues Cybersecurity Guidance

March 13, 2020

The Department of Education released new cybersecurity guidance to remind institutions of higher education of their obligation to safeguard the information of federal student aid applicants and recipients. Although the cybersecurity requirements have been in place for some time, the guidance notifies institutions that the Department plans to begin enforcing these requirements via annual compliance audits.
 
Under the Gramm-Leach-Bliley Act (GLBA), financial institutions are required to implement certain information security provisions. The Federal Trade Commission, which has enforcement authority for GLBA, considers institutions of higher education to be financial institutions subject to the statute’s requirements.
 
The Department has incorporated these GLBA requirements into the program participation agreement (PPA) for institutions that receive federal student aid. Under the PPA, institutions must ensure that federal student aid information is not accessed by or disclosed to unauthorized parties and must demonstrate administrative capability to oversee these internal controls.
 
The annual compliance audits conducted by the Department will examine whether institutions are complying with requirements to designate an information security coordinator, perform a risk assessment, and document a safeguard for each identified risk.
 
If an audit finds that an institution has failed to comply with GLBA requirements, the Department has the authority to disable an institution’s access to the Department’s information systems and to impose fines or other administrative enforcement actions. Additional information about applicable cybersecurity requirements is also available in guidance documents previously issued in 2015 and 2016.
 
At a previous meeting between the Department and multiple higher education stakeholders, the Department indicated that it is willing to collaborate with institutions of higher education to develop a reasonable information security compliance framework for them.
 