The Department of Education poised to implement new cybersecurity standards on higher education

The Department of Education recently announced plans to propose a new rule on higher education institutions in an effort to increase the efficacy of such institutions’ protection of the data in their stewardship. You can view the proposed rule here.

If issued, the new rule would require institutions that participate in federal student financial assistance programs and other grant programs under the Higher Education Act of 1965 to better protect the Controlled Unclassified Information (CUI) and other information that these institutions process and store in large quantities. The Department defines CUI to include personally identifiable information (PII) and sensitive personally identifiable information (SPII).

Though the rule has yet to be released, the Department has expressed a keen desire to enforce the provisions of Executive Order 13556 and the regulations housed in 32 CFR, part 2002. Executive Order 13556 establishes a uniform program for Federal entities to manage CUI in a manner that is infused with information safeguards and restrictions. The regulations found at 32 CFR, part 2002, meanwhile, require non-Federal entities that deal with CUI to implement the standards of NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

Both Executive Order 13556 and 32 CFR, part 2002, reflect a recognition on the part of the executive branch that homogeneity in best data practices is essential to protecting critical information of students. Absent a concerted effort, CUI is mainly left vulnerable. However, regulations are only as good as their implementation. The Department’s interest in proposing further regulation on information security requirements for academic institutions, to enhance compliance with already enacted orders and laws, demonstrates that a notable number of institutions are still falling short in their efforts to protect students and their valuable data.

Addressing these cyber deficits is more critical now than ever before. As academic institutions offer their students greater remote learning opportunities, they also expose themselves to a greater level of cyber risk and possibility of attack, a risk that has increased dramatically since the onset of the COVID-19 pandemic. In recognition of the increasing risks, the Department of Education’s desire to take compliance with existing cyber-protective measures a step further seems fitting.

If you have questions regarding the proposed rule or how to safeguard data, contact Hannah Babinski at 248.402.4074, hbabinski@mcdonaldhopkins.com or Spencer Pollock at 410.917.5189, spollock@mcdonaldhopkins.com
