Cybersecurity NPRM Coming in October 2024

By Jed Brinton, Senior Vice President and General Counsel, CECU and former Deputy General Counsel at the Department of Education.

The most recent Unified Agenda published by the Department of Education (Department or ED) indicates that in October of 2024 Federal Student Aid plans to publish an NPRM entitled “Cybersecurity Standards for Institutions of Higher Education to Comply With EO 13556 and NIST 800-171.” Why is the Department planning a new regulation on cybersecurity? And what kind of new cybersecurity standards could be imposed?

Executive Order 13556

A uniform system for handling classified information across the Federal government has existed for quite some time now, which includes restrictive rules on the computer systems that hold such information and on sharing such information with persons outside the government. However, there had not been a similar uniform system across the Federal government for handling information subject to a level of control lower than a “classified” designation. In 2010 Executive Order (EO) 13556 was issued to address this lack of uniformity in Federal governance of controlled unclassified information (CUI). The EO designated the National Archives and Records Administration (NARA) as the agency responsible for gathering details on the different ways that such information was then being handled and protected across the Federal government and then for establishing a uniform Federal approach to handling CUI.

NARA Rule

After gathering information about existing practices and considering the best path forward, NARA eventually published a Final Rule in 2016 on Controlled Unclassified Information. The Final Rule broadly defines CUI as any unclassified information that requires safeguarding or dissemination control under laws, regulations, or government-wide policies. 32 CFR § 2002.4(h). It then requires Federal agencies to safeguard CUI in a number of ways, including by ensuring that when they share CUI with non-Federal entities the non-Federal information systems that store that information are compliant with the cybersecurity specifications of SP 800-171. 32 CFR § 2002.14(h)(2). The Rule specifies that agencies should effectuate this requirement by including it in whatever agreement governs the sharing of information with the non-Federal entity. 32 CFR § 2002.16(a)(5)(i).

NIST SP 800-171

In addition, the Final Rule incorporates by reference a set of substantive cybersecurity requirements set forth by the National Institute of Standards and Technology (NIST) in Special Publication (SP) 800-171, the initial version of which was published around the same time as the Final Rule. 32 CFR § 2002.14(h)(2). The standards in SP 800-171 are designed to ensure the protection of CUI that has been shared by a Federal entity with a non-Federal entity, and they are grouped into 14 different substantive categories or “families.” Some of the standards in SP 800-171 are derived from the moderate control baseline of NIST SP 800-53, which had previously set forth cybersecurity standards for the protection of information held in federal information systems.

Application of SP 800-171 Standards to Higher Education

Pursuant to the NARA Rule, some federal agencies like the Department of Defense (DoD) already require nonfederal entities to comply with SP 800-171 in protecting CUI received pursuant to a contract with those agencies. As a result, to the extent that institutions of higher education contract with those agencies (such as under DoD grants), their systems that house the information received under those contracts are already required to meet the cybersecurity standards in SP 800-171.

In contrast, ED has not yet required institutions to protect information received from ED in systems that comply with SP 800-171. Under the last administration, the Department began studying the application of SP 800-171 requirements to financial aid information held by institutions of higher education, and on December 18, 2020, Federal Student Aid published an Electronic Announcement entitled “Protecting Student Information – Compliance with CUI and GLBA.” The EA stated clearly that “Most data sourced from the Department and information used in the administration of Title IV programs are considered CUI.” However, while it cited the NARA Rule and encouraged institutions to comply with SP 800-171, it did not explicitly require such compliance.

October 2024 Cybersecurity NPRM

In December 2023 the current administration published its Fall 2023 Unified Agenda, and the ED section of the Agenda listed for the first time an NPRM scheduled to be promulgated in October of 2024 with the title “Cybersecurity Standards for Institutions of Higher Education to Comply With EO 13556 and NIST 800-171.” The abstract from the Agenda references the EO, the NARA Rule, and SP 800-171 but does not provide any other details on how the Department plans to implement these cybersecurity standards. The same information was repeated in the Spring 2024 Unified Agenda, including the same predicted publication date of October 2024.

Although it appears that the NPRM will require that institutions comply with SP 800-171 in their handling of student financial aid information received from the Department, there is no indication of the specific timeline or mechanism that the Department will adopt for such compliance. In light of the NARA Rule it is reasonable to anticipate that the Department will impose the requirement by including it in contracts between the Department and institutions. The Program Participation Agreement that institutions must sign in order to participate in Title IV programs and the Student Aid Internet Gateway enrollment agreement that institutions must sign in order to connect to and share information with FSA’s systems are two possibilities, especially since both of those agreements already reference the cybersecurity requirements institutions must follow under the Gramm-Leach-Bliley Act.

Next Steps

CECU will continue to actively engage the Department on this issue and keep our members abreast of the regulatory processes related to cybersecurity. In Part 2 of this blog post and through direct communications with member institutions, we will continue to provide resources to help schools prepare to comply with the Department’s soon-to-be-released cybersecurity requirements.

Jed Brinton

Jed Brinton is CECU’s Senior Vice President and General Counsel. In that capacity, he is responsible for all of CECU’s regulatory and legal affairs. He leads the association’s strategic planning and analysis of regulatory issues, as well as advising CECU members on legal and compliance matters.

Prior to joining CECU, Jed served as an attorney in private practice providing a range of legal services to institutions of higher education. He also has an accreditation background, having served as Vice President of Accreditation at another national association. Before that, he served as the Deputy General Counsel for Postsecondary Education in the Office of General Counsel at the U.S. Department of Education, providing oversight on litigation, risk management, regulatory compliance, and other issues. He clerked at the Federal Circuit Court level after receiving his JD from Yale Law School, where he served as Lead Editor for the Yale Law and Policy Review and Editor for the Yale Journal on Regulation.