Will Higher Education Institutions Face Enhanced Cybersecurity Requirements?
Publication | 01.28.25
U.S. colleges and universities watched closely this summer when the DOJ, in a novel move, scrutinized the cybersecurity compliance of a research lab at an academic institution.
The lab at the Georgia Institute of Technology held contracts with the DOD, and the DOJ alleged in a lawsuit that the lab failed to apply required information security controls to DOD data in its possession. As a result, institutions of higher education should consider paying close attention to a proposed Department of Education rule that, if finalized, may soon require universities and colleges to protect personal data and other categories of Controlled Unclassified Information (CUI) according to the same standards required by the DOD.
What Information Will the Education CUI Rule Apply To?
The Rule’s Abstract focuses on Controlled Unclassified Information, a broadly defined class of federal government-regulated data that includes many categories of information. The Rule specifically identifies personally identifiable information (PII) as a category of CUI the Department of Education wants to protect, but in practice, CUI can include information such as financial or tax records, health information, law enforcement information, and other unclassified, sensitive data. For colleges and universities, this could include students’ or parents’ personal information, financial aid data, and student health information, among other data categories commonly handled by schools.
What Entities Will the Education CUI Rule Apply To?
The first sentence of the Rule’s Abstract suggests that “schools participating in the federal student financial assistance programs and other grant programs under the Higher Education Act (HEA)” will be the Department of Education’s primary concern in implementing the Rule. If the Rule is structured similarly to other executive agencies’ CUI programs, schools may also be required to ensure that their vendors and contractors apply appropriate cybersecurity safeguards if they handle CUI on the school’s behalf.
What Will Covered Entities Have to Do to Protect CUI?
The Abstract explains that the Department of Education intends to require covered entities to implement the requirements from National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) to protect CUI on school information systems. NIST SP 800-171 contains over 100 discrete technical and physical security requirements and is the same standard the DOD requires of its contractors to safeguard CUI. NIST SP 800-171’s requirements are generally far more stringent than those imposed by the Family Educational Rights and Privacy Act of 1974 and other privacy obligations currently applicable to universities and colleges.
Some key requirements of NIST SP 800-171 include:
- Multi-factor authentication for network and remote access by all
- Encryption of data in transit and at rest per Federal Information Processing Standard 140-2.
- Sophisticated physical and technical access
- Periodic vulnerability scans and compliance
- Comprehensive incident response
- Robust documentation of technical control implementation and related
The Department of Education has not provided an implementation timeline for its CUI Rule. Schools should actively monitor Department communications for rulemaking updates, as the Department may not provide an extended ramp-up period for implementing NIST SP 800-171 controls once the Rule is published. Once the Rule has been published and its requirements are clear, schools should consider conducting readiness assessments to confirm their compliance, ideally under attorney-client privilege to protect assessment findings in the event of litigation or a government investigation.