Recent U.S. Department of Education Dear Colleague Letter Raises the Bar on Standards for Protecting Federal Financial Aid Data
July 12, 2016
On July 1, 2016, the U.S. Department of Education issued a follow-up Dear Colleague Letter to the Dear Colleague Letter of July 29, 2015. This most recent letter reminds institutions of their legal obligation to protect student data under Title IV and sets forth the new standards and methods the DOE will use when evaluating data security compliance. An institution’s Title IV Program Participation Agreement (PPA) requires that the institution protect all student financial aid data. The Student Aid Internet Gateway (SAIG) Enrollment Agreement, which governs the system educational institutions and third-party servicers use to exchange data electronically with the U.S. Department of Education, contains similar requirements. In addition, the letter reminds institutions that the specific requirements of the Gramm-Leach-Bliley Act (GLBA) governing data security at financial services organizations also apply to post-secondary institutions. These include implementing a written information security program, designating an individual to coordinate information security, performing ongoing risk assessments, and properly vetting third-party service providers. The letter also notes that compliance with the GLBA will be incorporated into the DOE’s annual student aid compliance audit requirements. Most significantly, the letter “strongly encourages institutions to review and understand the standards defined in NIST SP 800-171.” These standards were developed by the National Institute of Standards and Technology (NIST) to protect sensitive federal information that is used and stored in non-federal information systems and organizations. NIST SP 800-171 sets forth a significant expansion of the data security requirements and controls expected in the handling of student financial aid data and other types of federal data and information.
In citing these standards, the DOE acknowledges “the investment and effort by institutions to meet and maintain the standards set forth in NIST SP 800-171” but “strongly encourages those institutions that fall short of NIST standards to assess their current gaps and immediately begin to design and implement plans to close those gaps using NIST standards as a model.” The message from the U.S. DOE is clear – institutions of higher education that use student financial aid data and other forms of federal data are expected to “immediately” begin to integrate the specific requirements of NIST SP 800-171.