What is the FTC Safeguards Rule and How Can Higher Education Institutions Comply?

The FTC Safeguards Rule will apply to Title IV institutions under an upcoming amendment that adds higher education institutions to its scope and imposes requirements on institutional cybersecurity programs.

The Federal Trade Commission (FTC) has been preparing to amend the GLBA Safeguards Rule, which governs the protection of customer data. The Safeguards Rule is one of three sections of the Gramm-Leach-Bliley Act (GLBA) of 1999; the other two are the Financial Privacy Rule and the Pretexting Provisions.

The Safeguards Rule requires financial institutions (and, with this amendment, higher education institutions) to implement administrative, physical, and technical safeguards that protect customer information against cyber-attacks, email spoofing, phishing schemes, and similar cybersecurity risks.

The amended rule applies to Title IV higher education institutions, with exceptions for institutions that handle fewer than 5,000 consumer records. Those exceptions cover only some of the requirements, specifically the written risk assessment, the incident response plan, and the annual report to the board of directors. Even if your institution is exempt, we still recommend conducting those activities.

Educause, an association for higher education IT leaders, has followed the topic closely: it published an analysis of the initial proposal and later joined the American Council on Education (ACE) and other associations in submitting industry comments on the proposed reporting requirements.


When does the amended FTC Safeguards Rule go into effect? 

While the rule originally applied only to financial institutions, the FTC has proposed changes to the Safeguards Rule that bring higher education institutions into scope through their financial aid processing. In response to the rising number of data breaches, including a growing number of ransomware attacks, the FTC is amending the rule to cover more entities and to prioritize the protection of consumer information. Throughout 2022 the FTC proposed changes and sought comments for inclusion in the final rule publication.

Deadline to be in compliance with the Safeguards Rule: June 9, 2023 


What are the FTC Safeguards Rule Requirements? 

Entities subject to the Safeguards Rule must include the nine elements defined in Section 314.4 of the Code of Federal Regulations (the "Elements" section of the broader Standards for Safeguarding Customer Information, Part 314) in their information security program and carry them out. The nine elements, summarized from the current version of Section 314.4, are:

  • 314.4(a) Designate someone (internal or service provider) to implement, enforce and oversee the information security program.  
  • 314.4(b)(1) Write and carry out a risk assessment plan. This includes identifying and managing the internal and external risks to the confidentiality, integrity and availability of student, staff and customer information that could lead to data breaches, alteration or misuse, and assessing the safeguards in place to control those risks. Periodically conduct additional risk assessments that reexamine those risks. 
  • 314.4(c)(1)-(8) Implement safeguards to control risks. These should address: 
    • Access management and least privilege access to student, staff and customer information 
    • Keep an asset inventory of all systems, devices, platforms, and employees 
    • Encrypt the data of student, staff and customers or secure it through other effective controls 
    • Assess the security of any in-house developed apps (including adoption of secure development practices) or third-party apps that are transmitting, storing or processing the student, staff and customer data.  
    • Implement multi-factor authentication (MFA) for anyone accessing student, staff or customer data on your system. 
    • Ensure secure disposal of student, staff and customer information. Review your data retention policies to minimize unnecessary retention 
    • Develop procedures and processes for change management 
    • Implement logging that records the activity of authorized users accessing the data, and detect unauthorized access  
  • 314.4(d)(2) Monitor and periodically test the effectiveness of the safeguards to include detection of actual and attempted attacks on or intrusions into the information systems 
    • For information systems this means continuous monitoring or periodic penetration testing and vulnerability assessments. If continuous monitoring is not in place, and there are no other systems that detect on an ongoing basis changes to the information systems that may create vulnerabilities, entities shall conduct: 
    • Annual penetration testing 
    • Vulnerability assessments to identify publicly known vulnerabilities in your systems, at least every six months, and whenever there are material changes to your operations or business, or when there are circumstances you know or have reason to know may have a material impact on your information security program 
  • 314.4(e) Security Awareness Training. Employees must be trained to take a proactive approach in identifying threats to the information systems through their daily activities. 
  • 314.4(f)(3) Monitor Service Providers (Third-party Risk Management). Select service providers that have the skills, experience, and capacity to maintain appropriate safeguards, and use the contracting process to ensure service providers implement and maintain those safeguards. 
    • Periodically assess your third-party service providers based on the risk they present and the effectiveness of their safeguards 
  • 314.4(g) Maintain and Optimize Your Security Plan. Adjust your security plan based on changes to personnel, technology, and the outcome of risk assessments.  
  • 314.4(h) Develop a Written Incident Response Plan. This should define the processes and procedures to respond and recover from a security event. 
    • This should cover the goals of the plan, internal response processes, role and responsibility definitions, communications plan for internal and external purposes, remediation processes, documentation of security events and the reevaluation of the plan. 
  • 314.4(i) Report to the Board of Directors. Regularly, and at least annually, report in writing on the program's activities and updates to the board of directors or equivalent governing body.  
    • This will include the status of the overall program and the compliance with the Safeguards Rule. 


How FortifyData Helps Higher Education Institutions Meet the Safeguards Rule 

FortifyData can assess, contextualize and prioritize the cybersecurity risk of a higher education institution, including its service providers (third parties).  

Our platform can conduct the risk assessments for institutions and their service providers (third parties) needed to meet the Safeguards Rule. The benefits are:

  • 314.4(b) Conducting assessments of the University, including all Colleges and Departments and present the findings on a continuous or scheduled interval basis. This includes external, internal and cloud configuration/posture.  
    • This meets the continuous monitoring requirement or every six month interval for vulnerability assessments 
    • This provides both a unified/centralized view of risk with the ability to manage it at the College and Department level. Understand which Colleges or Departments need more help than others in managing cyber risk. 
    • Continuous or semi-annual vulnerability assessments improve an annual penetration testing engagement by continuously managing the vulnerabilities the pentest team would otherwise have found and exploited. 
  • 314.4(d)(2) Monitor and periodically test the effectiveness of your safeguards 
    • Continuous or periodic vulnerability assessments meet the requirement to identify the vulnerabilities that could be used in "an actual or attempted attack or intrusion into information systems". 
    • For "material changes to operations" (personnel, technology or security events) a vulnerability assessment is required to identify the risks arising from those events. 
  • 314.4(f)(3) Monitor service providers (third parties). 
    • We can conduct assessments of service providers for "periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards". 
  • 314.4(g) Evaluate and adjust your security plan. 
    • Based on the findings of the vulnerability assessments, whether continuous, periodic or triggered by material changes, you can remediate the findings and adjust the information security program and the risk assessment where needed. 


Enforcement 

Expect that non-compliance can lead to temporary or permanent suspension from the Department's systems, as well as consideration of fines or other administrative actions.  

It is expected that the compliance check for the Safeguards Rule will be a part of the federal single audit process as part of the Title IV Program Participation Agreement (PPA).  

Non-compliance with the Safeguards Rule will be included in the institution's audit report, with the findings referred to the FTC as well as to Federal Student Aid's Postsecondary Institution Cybersecurity Team. From the Department of Education's Enforcement of Cybersecurity Requirements under the Gramm-Leach-Bliley Act: 

“Federal Student Aid’s Postsecondary Institution Cybersecurity Team (Cybersecurity Team) will also be informed of findings related to GLBA, and may request additional documentation from the institution in order to assess the level of risk to student data presented by the institution or servicer’s information security system. 

If the Cybersecurity Team determines that the institution or servicer poses substantial risk to the security of student information, the Cybersecurity Team may temporarily or permanently disable the institution or servicer’s access to the Department’s information systems. Additionally, if the Cybersecurity Team determines that as a result of very serious internal control weaknesses of the general controls over technology that the institution’s or servicer’s administrative capability is impaired or it has a history of non-compliance, it may refer the institution to the Department’s Administrative Actions and Appeals Service Group for consideration of a fine or other appropriate administrative action by the Department.” 

Additionally, the Department of Education's Office of Federal Student Aid (FSA) has published further guidance on how the definition of 'customer information' applies in a higher education setting. Educause has a good writeup on the FSA guidance and enforcement actions, and on the reiteration that NIST SP 800-171 requirements for controlled unclassified information (CUI) should be followed, if they are not already, and that institutional compliance with NIST SP 800-171 will eventually be required.
