
ED Reminds Schools About Protecting Student Information

July 11, 2016

The Department of Education has published a "Dear Colleague Letter" reminding institutions of their legal obligations to protect student information used in the administration of Title IV programs. Each institution's Program Participation Agreement includes a provision requiring the institution to comply with the Gramm-Leach-Bliley Act (GLBA).

The GLBA states that institutions are required to ensure the security and confidentiality of student financial aid records and information. GLBA requires institutions to, among other things:

  • Develop, implement, and maintain a written information security program.
  • Designate the employee(s) responsible for coordinating the program.
  • Identify and assess risks to student information.
  • Design and implement an information safeguards program.
  • Select appropriate service providers that are capable of maintaining appropriate safeguards.
  • Periodically evaluate and update the security program.

ED plans to incorporate the GLBA security controls into the Annual Audit Guide and will look at GLBA compliance as part of institutions' annual student aid compliance audits.

ED also encourages institutions to review and understand the standards defined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), which is the recognized information security publication for protecting controlled unclassified information (CUI). The standards apply to CUI when it is in the possession of non-federal entities, such as institutions of higher education. While ED recognizes that institutions may have to make a significant investment to meet the standards established under NIST SP 800-171, the agency still strongly encourages schools to enhance their cybersecurity to protect CUI. 

EDUCAUSE has prepared a document, An Introduction to NIST Special Publication 800-171 for Higher Education Institutions, which explains the standards and the 14 families of security requirements included in NIST SP 800-171. NACUBO encourages members to review the EDUCAUSE publication and speak with chief information and chief information security officers to examine their institution's existing information security program.


Bryan Dickson
Senior Policy Analyst