In light of the Department of Justice filing suit against the Georgia Institute of Technology for allegedly failing to apply contractually required information security controls to Department of Defense data, higher education institutions should pay close attention to a proposed Department of Education rule. If finalized, the Controlled Unclassified Information Rule (the “ED CUI Rule”) may soon require universities and colleges to protect personal data and other categories of controlled unclassified information according to the same standards required by the Defense Department.
What information will be covered by the ED CUI Rule?
The Rule’s abstract focuses on controlled unclassified information (CUI), a broadly defined class of federal government-regulated data that includes many categories of information. The Rule specifically identifies personally identifiable information as a category of CUI the Department of Education wants to protect, but in practice CUI can include information ranging from financial or tax records to health information, law enforcement information and other sensitive data. For colleges and universities, this could include students’ or parents’ personal information, financial aid data and student health information, among other data categories commonly handled by schools.
What entities will be covered?
The first sentence of the Rule’s abstract suggests that “schools participating in the federal student financial assistance programs and other grant programs under the Higher Education Act” will be the Department’s primary concern in implementing the Rule. If the Rule is structured similarly to other executive agencies’ CUI programs, schools may also be required to ensure that their vendors and contractors apply appropriate cybersecurity safeguards if they handle CUI on the school’s behalf.
What will covered entities have to do to protect CUI data?
The abstract explains that the Department of Education intends to require covered entities to implement the requirements of National Institute of Standards and Technology Special Publication 800-171 (“NIST SP 800-171”) to protect CUI on school information systems. NIST SP 800-171, which contains over a hundred discrete technical and physical security requirements, is the same standard the Department of Defense requires its contractors to meet to safeguard CUI. NIST SP 800-171’s requirements are generally far more stringent than those imposed by the Family Educational Rights and Privacy Act of 1974 (“FERPA”) and other privacy regimes currently applicable to universities and colleges.
Some key requirements of NIST SP 800-171 include:
- Multi-factor authentication (MFA) for network and remote access by all users
- Encryption of data in transit and at rest per Federal Information Processing Standard 140-2 (FIPS 140-2)
- Physical and technical access controls
- Periodic vulnerability scans and compliance assessments
- Comprehensive incident response procedures
- Robust documentation of technical control implementation and related policies
When will these requirements be implemented?
The Department has not provided an implementation timeline. According to the federal Office of Management and Budget’s Unified Regulatory Agenda, a proposed version of the Rule could be published as soon as this fall. However, the Regulatory Agenda timetables are not set in stone, and it is possible that the Department of Education could push back the proposed Rule’s publication pending further review or revisions.
What can colleges and universities do to better protect data?
- Develop an enterprise-level compliance strategy: Because CUI is defined broadly and can capture many different subsets of sensitive data, institutions should engage with all cybersecurity compliance and management stakeholders (e.g. IT, legal, billing, financial aid, etc.) to determine what IT systems are in scope and then develop a compliance strategy focused on how schools will manage and safeguard CUI.
- Consider a dedicated CUI environment: Depending on the volume of CUI a school possesses and the difficulty of implementing security controls school-wide, a school may consider establishing a dedicated environment to house its regulated data. Segmenting regulated data into a dedicated environment can reduce legal risk by limiting the scope of the requirements and streamlining technical implementation, while also decreasing costs.
- Conduct privileged compliance assessments: Schools should consider conducting compliance assessments under attorney-client privilege in order to pressure test their ability to meet the requirements enumerated in the ED CUI Rule, once published. Engaging counsel with technical capabilities to direct a privileged assessment can help mitigate the risk of having to disclose assessment findings to third parties in litigation or during an investigation.
- Develop and refine cybersecurity policies: A school’s cybersecurity is only as effective as the policies it adopts governing the use of its technology and the regulated data traversing its networks. Schools should devise robust internal cybersecurity policies, develop incident response plans and other governance documents, and update all of them for currency and accuracy. If these processes are already in place, schools should consider initiating a policy review soon after the publication of any ED CUI Rule, ideally under privilege, to assess whether updates are needed.