Navigating the New Landscape of Data Security: The Implications of the ED CUI Rule for Higher Education Institutions
In a move that underscores the importance of data security, the Department of Justice has intervened in a False Claims Act lawsuit against the Georgia Institute of Technology, alleging that the school failed to implement the information security controls its Department of Defense contracts required. The case is a wake-up call for higher education institutions across the United States, especially in light of a proposed rule from the Department of Education that could reshape how universities and colleges handle sensitive information. The Controlled Unclassified Information Rule (the “ED CUI Rule”) aims to establish stringent requirements for protecting personal data and other categories of controlled unclassified information, aligning them with the standard the Defense Department already imposes on its contractors.
What Information Will Be Covered by the ED CUI Rule?
At the heart of the ED CUI Rule is the concept of controlled unclassified information (CUI), a broad category of federal government-regulated data. The Rule explicitly identifies personally identifiable information (PII) as a key category of CUI that the Department of Education seeks to protect. However, CUI encompasses a wide range of sensitive information, including financial records, health data, law enforcement information, and more. For colleges and universities, this could mean safeguarding students’ and parents’ personal information, financial aid data, and student health records, among other sensitive data commonly handled by educational institutions.
What Entities Will Be Covered?
The ED CUI Rule primarily targets “schools participating in the federal student financial assistance programs and other grant programs under the Higher Education Act.” This focus suggests that a significant number of colleges and universities will need to comply with the new requirements. Additionally, if the Rule mirrors the practices of other executive agencies’ CUI programs, institutions may also be responsible for ensuring that their vendors and contractors implement appropriate cybersecurity measures when handling CUI on behalf of the school.
What Will Covered Entities Have to Do to Protect CUI Data?
To comply with the ED CUI Rule, covered entities will be required to implement the standards outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). Revision 2 of that document contains 110 security requirements organized into 14 families; Revision 3, published in 2024, consolidates them to 97. The requirements span technical, physical, and administrative controls for protecting CUI on information systems. Notably, they are far more prescriptive than the Family Educational Rights and Privacy Act of 1974 (FERPA), which governs disclosure of education records but specifies no particular technical safeguards, and than the other privacy regulations that currently apply to educational institutions.
Some of the key requirements of NIST SP 800-171 include:
- Multi-factor authentication (MFA) for local and network access to privileged accounts and for network access to non-privileged accounts, which in practice means MFA for all remote access.
- Encryption of CUI in transit and at rest using FIPS-validated cryptography (a module validated under FIPS 140-2 or its successor, FIPS 140-3). Merely using an approved algorithm is not sufficient; the cryptographic module itself must hold a validation certificate.
- Physical and technical access controls to safeguard sensitive information, including limiting system access to authorized users and enforcing least privilege.
- Periodic vulnerability scans with remediation of findings, along with periodic assessments of the controls, a system security plan (SSP) describing how each requirement is met, and a plan of action and milestones (POA&M) for any requirement not yet satisfied.
- Comprehensive incident response procedures to detect, report, and respond to data breaches and other security incidents.
- Robust documentation of technical control implementation and related policies to ensure accountability and transparency.
When Will These Requirements Be Implemented?
As of now, the Department of Education has not provided a specific timeline for the implementation of the ED CUI Rule. According to the federal Office of Management and Budget’s Unified Regulatory Agenda, a proposed version of the Rule could be published as early as this fall. However, it is important to note that these timelines are not fixed and may be subject to change pending further review or revisions by the Department of Education.
What Can Colleges and Universities Do to Better Protect Data?
In anticipation of the ED CUI Rule, colleges and universities should take proactive steps to enhance their data protection strategies. Here are several recommendations:
1. Develop an Enterprise-Level Compliance Strategy
Given the broad definition of CUI, institutions should engage with all relevant stakeholders, including IT, legal, billing, registrar, research administration, and financial aid departments, to map where CUI is received, stored, processed, and transmitted and which IT systems are therefore in scope. Developing a comprehensive compliance strategy from that inventory will help schools manage and safeguard CUI effectively.
2. Consider a Dedicated CUI Environment
Depending on the volume of CUI an institution possesses, it may be beneficial to create a dedicated environment (an enclave) for regulated data. Segmenting sensitive information from the rest of the network can streamline technical implementation, reduce legal risk, and potentially lower costs by shrinking the set of systems that must meet NIST SP 800-171. The scope reduction only holds, however, if CUI actually stays in the enclave: email, shared drives, and departmental systems that receive copies of the data are pulled back into scope.
3. Conduct Privileged Compliance Assessments
Institutions should consider conducting compliance assessments under attorney-client privilege to evaluate their readiness to meet the requirements of the ED CUI Rule. Engaging legal counsel with technical expertise can help mitigate the risk that assessment findings become discoverable during litigation or investigations.
4. Develop and Refine Cybersecurity Policies
A school’s cybersecurity effectiveness hinges on the policies governing the use of technology and regulated data. Institutions should establish robust internal cybersecurity policies, incident response plans, and governance documents that map to the specific NIST SP 800-171 requirements they implement. Regular reviews and updates of these policies will ensure they remain current and effective.
Conclusion
The proposed ED CUI Rule represents a significant shift in how higher education institutions will be required to manage and protect sensitive information. Colleges and universities should take proactive measures now to prepare for compliance and safeguard the personal data of their students and stakeholders. By developing comprehensive compliance strategies, implementing the required security controls, and staying informed about regulatory changes, educational institutions can navigate this new landscape effectively and responsibly.