Educause Security Discussion mailing list archives

Re: Dept of Edu Letters


From: "Aube, Jane M." <jaube () MIDDLEBURY EDU>
Date: Sat, 9 Dec 2017 14:56:44 +0000

Hi Jarret,

Thank you for providing this information. It’s heartening to hear Educause is engaging with FSA and ED on this 
developing issue.

As an attendee of FSA, ED’s Tiina Rodrigue was successful with her self-proclaimed “Operation #InformTerrifyEntertain.”

Thank you.

Best regards,
Jane
Jane Aube | Loan Programs and Compliance Specialist | Student Financial Services | Middlebury College | 802.443.5790
Sent from my iPad
_____________________________
From: Jarret Cummings <jcummings () educause edu>
Sent: Thursday, December 7, 2017 3:39 PM
Subject: Re: [SECURITY] Dept of Edu Letters
To: <security () listserv educause edu>

Hi, Ed – EDUCAUSE has initiated direct discussions with the Federal Student Aid senior advisor for cybersecurity about 
problems with the guidance that FSA both has and hasn’t provided on this topic, and how to expand the dialogue with our 
members to address both the way compliance obligations are being defined and interpreted as well as the lack of 
documented principles and processes for meeting them.

That, of course, is going to take some time to pull together. Given the need for institutional response in the near 
term, I would recommend asking university counsel to take a look at the single provision in the FSA Program 
Participation Agreement that speaks to the GLBA Safeguards Rule, as well as the two provisions in the Student Aid 
Internet Gateway Agreement that address breach issues. It is important that the institution review its copy of those 
agreements, since versions of the agreements vary across institutions depending on when they’ve been signed. What is 
actually in your version of each bears on your compliance obligations, although you can access generic versions of the 
docs, as well as other docs I’ll mention, at: https://ifap.ed.gov/eannouncements/Cyber.html.

In addition to the PPA and SAIG Agreement, there are two “Dear Colleague Letters” relevant to FSA’s cybersecurity 
guidance: https://ifap.ed.gov/dpcletters/GEN1518.html and https://ifap.ed.gov/dpcletters/GEN1612.html. 
The most important for this discussion is the first one, because it’s the letter in which FSA asserts that the SAIG 
Agreement requires institutions to report “suspected” breaches. You will want your institutional/system legal counsel to 
compare the statement in GEN 15-18 with what the SAIG Agreement actually says; the provision that talks about 
institutions reporting a breach immediately is distinct from the provision that talks about what ED can do in sharing 
information with other federal agencies if it suspects an institution has had a breach. Thus far, we have yet to see 
formal documentation that connects the two in the way FSA appears to be asserting, or even formal documentation that 
establishes the definition of breach and related processes (i.e., “immediately”) that have been raised in presentations 
and the FAQs on the FSA Cybersecurity Compliance page (see link above).

Finally, as relates to the Safeguards Rule audit objective, which we expect will be included in the FY18 federal single 
audit process although that is not yet officially confirmed, the actual text of the objective 
(https://ifap.ed.gov/eannouncements/attachments/FY18DraftLanguageSecuringStudentInformation.pdf) 
limits the auditor to seeing if the institution has a few key elements of the Rule in place (information security 
coordinator, a risk assessment, documented safeguards for identified risks). The auditor is not charged with or 
empowered to evaluate the nature of what the institution has implemented in those areas, just that it has addressed 
them (and documented that).

We will have more to say as the engagement with FSA takes shape. In the meantime, I have also informed the presidential 
and other higher education leadership associations about the problems emerging in this space. As a result of those 
discussions, I have every expectation that we can count on their support in trying to get FSA and ED to work with us 
effectively in this area. - Jarret

_______________________________________________
Jarret S. Cummings
Director of Policy and Government Relations

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5372 | main: 202.872.4200 | educause.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hudson, 
Edward
Sent: Thursday, December 7, 2017 2:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Dept of Edu Letters

Interested in institutions’ response to the DoE taking an increasingly broad interpretation of breach reporting 
obligations around any security breach of PII. At a recent conference the DoE lead presentation reportedly includes 
insistence that
1 - ALL (broadly defined) “breaches” be reported “immediately” (i.e. within a day)
2 - an announcement that GLBA audits of institutions will begin in 2018 with fines consistent with Clery fines (up to 
54,789) for each violation.

From a read of those Dear Colleague letters, the obligation (especially under GLBA, which regulates in the financial sector) 
is to ensure the security and confidentiality of student financial aid records/information only, and that the data 
breach notification requirements relate to that subset of information only, not all PII. But it sounds like the DoE is 
now interpreting their mandate and authority much more broadly. A review of one of their recent letters was, in my 
view, very heavy-handed and threatening and stemmed from a random media post, not from an actual incident.
I would like to talk to anyone offline who has had to go through this process with DoE.

Best

Ed Hudson
Interim CISO
401 Golden Shore
Long Beach, CA 90802
Tel 562-951-8431
ehudson () calstate edu

I subscribe to e-mail classification: i=Information, a=Action, u=Urgent