Educause Security Discussion mailing list archives

Re: Dept of Edu Letters


From: Jarret Cummings <jcummings () EDUCAUSE EDU>
Date: Thu, 7 Dec 2017 20:39:18 +0000

Hi, Ed – EDUCAUSE has initiated direct discussions with the Federal Student Aid senior advisor for cybersecurity about 
problems with the guidance that FSA both has and hasn’t provided on this topic, and how to expand the dialogue with our 
members to address both the way compliance obligations are being defined and interpreted as well as the lack of 
documented principles and processes for meeting them.

That, of course, is going to take some time to pull together. Given the need for institutional response in the near 
term, I would recommend asking university counsel to take a look at the single provision in the FSA Program 
Participation Agreement that speaks to the GLBA Safeguards Rule, as well as the two provisions in the Student Aid 
Internet Gateway Agreement that address breach issues. It is important that the institution review its copy of those 
agreements, since versions of the agreements vary across institutions depending on when they’ve been signed. What is 
actually in your version of each bears on your compliance obligations, although you can access generic versions of the 
docs, as well as other docs I'll mention, at: https://ifap.ed.gov/eannouncements/Cyber.html.

In addition to the PPA and SAIG Agreement, there are two “Dear Colleague Letters” relevant to FSA’s cybersecurity 
guidance: https://ifap.ed.gov/dpcletters/GEN1518.html and https://ifap.ed.gov/dpcletters/GEN1612.html. The most 
important for this discussion is the first one, because it’s the letter in which FSA asserts that the SAIG Agreement 
requires institutions to report “suspected” breaches. You will want your institutional/system legal counsel to compare 
the statement in GEN 15-18 with what the SAIG Agreement actually says; the provision that talks about institutions 
reporting a breach immediately is distinct from the provision that talks about what ED can do in sharing information 
with other federal agencies if it suspects an institution has had a breach. Thus far, we have yet to see formal 
documentation that connects the two in the way FSA appears to be asserting, or even formal documentation that 
establishes the definition of breach and related processes (i.e., “immediately”) that have been raised in presentations 
and the FAQs on the FSA Cybersecurity Compliance page (see link above).

Finally, as relates to the Safeguards Rule audit objective, which we expect will be included in the FY18 federal single 
audit process although that is not yet officially confirmed, the actual text of the objective 
(https://ifap.ed.gov/eannouncements/attachments/FY18DraftLanguageSecuringStudentInformation.pdf) limits the auditor to 
seeing if the institution has a few key elements of the Rule in place (information security coordinator, a risk 
assessment, documented safeguards for identified risks). The auditor is not charged with or empowered to evaluate the 
nature of what the institution has implemented in those areas, just that it has addressed them (and documented that).

We will have more to say as the engagement with FSA takes shape. In the meantime, I have also informed the presidential 
and other higher education leadership associations about the problems emerging in this space. As a result of those 
discussions, I have every expectation that we can count on their support in trying to get FSA and ED to work with us 
effectively in this area. - Jarret

_______________________________________________
Jarret S. Cummings
Director of Policy and Government Relations

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5372 | main: 202.872.4200 | educause.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hudson, 
Edward
Sent: Thursday, December 7, 2017 2:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Dept of Edu Letters

Interested in institutions' response to the DoE taking an increasingly broad interpretation of breach reporting 
obligations around any security breach of PII. At a recent conference the DoE lead presentation reportedly included 
insistence that:
1. ALL (broadly defined) “breaches” be reported “immediately” (i.e., within a day)
2. An announcement that GLBA audits of institutions will begin in 2018 with fines consistent with Clery fines (up to 
54,789) for each violation.

On a read of those Dear Colleague letters, the obligation (especially under GLBA, which regulates in the financial 
sector) is to ensure the security and confidentiality of student financial aid records/information only, and the data 
breach notification requirements relate to that subset of information only, not all PII. But it sounds like the DoE is 
now interpreting their mandate and authority much more broadly. A review of one of their recent letters was, in my 
view, very heavy-handed and threatening and stemmed from a random media post, not from an actual incident.
I would like to talk to anyone offline who has had to go through this process with DoE.

Best

Ed Hudson
Interim CISO
401 Golden Shore
Long Beach, CA 90802
Tel 562-951-8431
ehudson () calstate edu

I subscribe to e-mail classification: i=Information, a=Action, u=Urgent
