March 23, 2021

Posted by John Verry

Reading Time: 3 minute(s)

The FSA’s New Campus Cybersecurity Program – Here’s What It Means for Higher Ed

March 23, 2021

Table of Contents

Last Updated on January 15, 2024

Cyber attacks against higher education institutions continue to escalate, and the reason is simple: these organizations remain vulnerable. Technology use on campus is evolving faster than corresponding data protections, exposing sensitive student financial and personal data.

Against this longstanding backdrop, the US Department of Education Federal Student Aid Office (FSA) on December 18, 2020 released an Electronic Announcement entitled, “Protecting Student Information – Compliance with CUI and GLBA.” Citing the need for universities to protect Controlled Unclassified Information (CUI) used to administer federal student aid programs authorized under Title IV of the Higher Education Act, the letter announces “a multi-year phased implementation” of the FSA’s new Campus Cybersecurity Program framework.

Who does the Campus Cybersecurity Program impact?

The Campus Cybersecurity Program will directly impact any institutions of higher education (IHEs) that participate in an FSA Title IV program. This includes all an IHE’s business units that handle CUI from an FSA program, such as the registrar and student aid office.

The program could also impact federal student aid partners (e.g., churches, community organizations) that “… collect, process and distribute information—including PII—in support of applications for and receipt of Title IV student assistance.”

Why was the Campus Cybersecurity Program created?

Mia Jordan, DoE CIO, stated in a virtual FSA training conference presentation that the mission of the Campus Cybersecurity Program is to:

“Monitor and reduce cybersecurity risks to enhance the protection of FSA student financial assistance program data, which are collected, received, processed, stored, transmitted, or destroyed by FSA, IHEs, and third-party servicers.”

In the same presentation, Ms. Jordan outlined goals for the program, including:

Understanding risks, by offering visibility into IHE compliance with federal guidelines and their cyber maturity level
Identifying trends that differentiate IHEs with more mature cybersecurity security postures versus those that need some support to enhance their programs
Gaining a holistic view of the cybersecurity posture of IHEs to facilitate program aid decisions

What are the phases of the Campus Cybersecurity Program?

While the FSA’s announcement left many questions unanswered, it did cite these initial program steps:

The first step will be “… a self-assessment of the National Institute of Standards and Technology Special Publication 800–171 Rev. 2, Controlled Unclassified Information in Nonfederal Systems (NIST 800-171 2).” The purpose of the self-assessment effort is to help the DoE gauge IHEs’ current cybersecurity postures in relation to NIST 800-171 and in general.
The ultimate goal is to drive NIST 800-171 and GLBA compliance across all universities that handle FSA data. This could well entail a compliance audit.

Beyond that, Ms. Jordan has outlined an implementation plan for the program:

Near-Term

Electronic Announcement (December 2020)
Engage community stakeholders
IHE self-assessment
Educate IHEs

Intermediate-Term

Collect IHE cybersecurity data
Implement IHE risk profiles
Initiate pilot using risk profiles

Long-Term

Fulfill ED and FSA CUI mandate
Refine IHE support structure

The FSA has promised to provide additional information and guidance in 2021, “including the cybersecurity self-assessment.”

What can IHEs do now to prepare for the Campus Cybersecurity Program?

Despite all the unknowns, there are a number of pragmatic steps that higher ed organizations can take today to prepare for Campus Cybersecurity Program compliance. These include:

Review the December 2020 announcement
Make sure you’re GLBA compliant, since this will likely be part of any DoE audit process
Evaluate your current security posture in relation to NIST 800-171 to identify the gaps and decide how best to close them
Explore best practices for handling CUI, such as segregating it within “secure enclaves” (popular among forward-looking organizations in the US Department of Defense (DoD) supply chain) or other forms of physical/logical separation
Identify any NIST 800-171 controls that are not “in scope” in your environment

if you need to protect student data and meet emerging compliance requirements, contact Pivot Point Security to discuss your current environment and how we can help.

For more information:

Guidance from EDUCAUSE on NIST 800-171 for HEIs
New GLBA compliance oversight from the Office of Management and Budget (OMB)
A “coffee chat” with NIST Fellow Ron Ross on NIST 800-171 and CUI (from EDUCAUSE)
A NIST 800-171 compliance template (also from EDUCAUSE)
A 2016 FSA letter encouraging IHEs to comply with NIST 800-171

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Blog

The FSA’s New Campus Cybersecurity Program – Here’s What It Means for Higher Ed

Who does the Campus Cybersecurity Program impact?

Why was the Campus Cybersecurity Program created?

What are the phases of the Campus Cybersecurity Program?

What can IHEs do now to prepare for the Campus Cybersecurity Program?

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

What are the New CMMC 2.0 Flowdown Requirements to Manage Defense Supply Chain Cyber Risk?

What is Swarm AI and How Can It Advance Cybersecurity?

How CMMC Enhances Defense Supply Chain Security

Is Decentralized Cybersecurity Mesh the Future of Cybersecurity?

What is a Post-Quantum Strategy and Does Our Business Need One?

What is Kubernetes Security Posture Management (KSPM) and Why Should We (as Cloud-Native Developers) Care?

Registered Practitioners Versus Certified CMMC Professionals: What’s the Difference for DIB Orgs Seeking CMMC Compliance?

What is a Cloud Native Application Protection Platform (CNAPP) and What Can It Do for My Business?

What is Cloud Infrastructure Entitlement Management (CIEM) and Why Is It Becoming So Important?

What is the CMMC Assessment Process (CAP) Handbook and Why Should DIB Orgs Care?

ISO 27001 vs NIST 800-53: All You Need to Know

ISO 27001 vs NIST Cybersecurity Framework: What’s the Difference?

The Primary Importance of CUI Scoping for CMMC Certification

Know the Difference between ISO 27001 vs 27002 vs 27003

What is Content Disarm and Reconstruction and Why Should I (as a Recipient of Digital Documents) Care?

The Role of Leadership in ISO 27001 Compliance

Why File-Based Malware Dominates Cyberattacks

Data Detection and Response for Privacy and Compliance

DIB SMBs Rate Their Cybersecurity as Much Better than It Actually Is – Why?

Top 5 Insights from Radicl’s DIB Cybersecurity Maturity Report 2024

How can we help you?

Services

Compliance

Insights

Pivot Point Security