Highlights

What GAO Found

The Department of Education's (Education) Office of Federal Student Aid (FSA) and postsecondary schools collect, use, and share a variety of information—including personally identifiable information (PII)—from students, their families, and others to support the administration of student aid. This information is used to make decisions about the eligibility of schools to participate in federal student aid programs, the processing of student applications and students' eligibility to receive various types of aid, the disbursement of funds to aid recipients, and the repayment of loans and recovery of defaulted loan payments.

Education and FSA have established policies and procedures for managing and protecting student information that are aligned with applicable federal laws. However, shortcomings in key areas hinder the effectiveness of FSA's procedures. For example, FSA established procedures and tools for managing and organizing records and scheduling them for disposition, but did not fully establish such procedures for electronic data, ensure that employees regularly received training, or conduct a required internal assessment of its records management program. Regarding the protection of student information, FSA did not consistently analyze privacy risks for its electronic information systems, and policies and procedures for protecting information systems were not always up to date. FSA's shortcomings are consistent with the Education Inspector General's identification of persistent weaknesses in the department's information security policies, procedures, and controls. Recommendations to address these weaknesses are not yet fully implemented. Until FSA implements the recommendations, it increases the risk of improper disclosure of information contained in student aid records.

Based on a GAO survey of schools, an estimated 95 percent of schools participating in the federal student aid process reported having policies in place, including records retention and disposition policies. However, schools varied in the methods they used to store records, the retention periods for paper and electronic records, and the disposition control activities they employed (such as the authorization and approval process for destroying records).

FSA oversees schools' participation in student aid programs, but this oversight does not extend to schools' information security programs. To oversee schools' compliance, FSA conducts reviews of schools' student aid programs, based on a number of risk factors. However, it has not identified implementation of information security programs as a factor to consider in selecting schools for program reviews, even though schools have reported serious data breaches. GAO's review of selected schools' policies found that schools did not always include required information security elements, such as assessing risks or designing and implementing safeguards. Moreover, Education's implementing regulations do not require schools to demonstrate their ability to protect student information as a condition for participating in federal aid programs. This raises concerns about FSA's oversight and how effectively schools are protecting student aid information. Until Education ensures that information security requirements are considered in program reviews of schools, FSA will lack assurance that schools have effective information security programs.

Why GAO Did This Study

FSA oversees the award of billions of dollars in federal student aid to eligible students each year. The processing of student aid requires FSA, along with participating schools, to perform a range of functions across the student aid life cycle, including the management of PII on students and their families.

GAO was asked to examine how FSA and schools manage federal student aid records. The objectives of this study were to: (1) describe how FSA and schools use information they collect to manage the federal student aid program, (2) determine the extent to which FSA policies and procedures for managing and protecting this information align with federal requirements, (3) describe the extent to which schools have established policies and procedures for managing student aid information, and (4) determine the extent to which FSA ensures that schools protect this information. To do this, GAO reviewed Education and FSA policies and interviewed agency officials. GAO also administered a survey to a stratified random sample of 560 schools that is generalizable to the population of about 6,200 schools.

Reissued on December 15, 2017


Recommendations

GAO recommends that FSA take seven actions to strengthen its management and protection of federal student aid records and enhance its oversight of schools. FSA concurred or generally concurred with five of GAO's recommendations, partially concurred with a sixth, and did not concur with the seventh. GAO believes all of the recommendations, as discussed in the report, are warranted.

Recommendations for Executive Action

Agency Affected: Department of Education
Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to establish and document a procedure for the destruction of records contained in electronic systems in accordance with approved disposition schedules. (Recommendation 1)
Status: Closed - Implemented
Comments: In response to our recommendation, in January 2021 we verified that the Department of Education documented a procedure for the destruction of records contained in electronic systems in accordance with approved disposition schedules. The procedure is outlined in the agency's System Retirement and Disposal Guide, which explains how to properly sanitize, archive, dispose of (decommission), and retire information technology systems according to National Institute of Standards and Technology guidance and the agency's own guidelines, policies, standards, and procedures. The guide also outlines the activities necessary to accomplish the removal, repurposing, disposal, and destruction of agency property or services (physical and virtual system equipment or infrastructure). In addition, the agency developed a System Retirement and Disposal Plan Template that provides guidance for the development of specific retirement and disposal activities. By documenting a procedure for the destruction of records contained in electronic systems, FSA is better positioned not to retain data files containing student records longer than needed.

Agency Affected: Department of Education
Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to ensure staff receive records management training annually. (Recommendation 2)
Status: Closed - Implemented
Comments: In response to our recommendation, in March 2021 we verified that the Department of Education developed records management training to raise knowledge and awareness of the laws, regulations, and policies that protect records. The training included, among other things, records management guidance and regulations, the Managing Government Records Directive, employee records management responsibilities, the different types of electronic messages, and disposal of electronic federal records. According to the department's February 2021 training completion report, 99 percent of FSA employees completed the information management requirements training. By ensuring that its employees receive records management training, FSA has more assurance that employees are aware of their responsibilities and that federal student aid records are being effectively managed.

Agency Affected: Department of Education
Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to conduct the triennial assessment of the FSA records management program. (Recommendation 3)
Status: Closed - Implemented
Comments: In response to our recommendation, in March 2021 we verified that the Department of Education had conducted a required self-assessment of its records management program in 2017. The assessment included reviewing records management activities, such as guidance and training, program oversight, records creation and recordkeeping requirements for e-mail records, contractor records, general records, and paper records, as well as records disposition. Further, Education began revising all of its records management policies and procedures in 2019 to include annual self-assessments, which are scheduled to begin in 2022. By conducting a self-assessment and developing a plan to perform future annual self-assessments, FSA is better positioned to address any shortcomings in its records management processes and to manage student aid records in accordance with NARA and Education requirements.

Agency Affected: Department of Education
Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to ensure that privacy impact assessments address all required elements. (Recommendation 4)
Status: Closed - Implemented
Comments: In response to our recommendation, in March 2021 we verified that the Department of Education updated its Privacy Impact Assessment (PIA) template. The template includes areas for explaining the opportunities individuals have to (1) consent to uses, (2) decline to provide information, or (3) opt out of the project. The template also includes safeguard information, identifies the privacy risks associated with the system, and discusses how those risks will be mitigated. In March 2020 and April 2020, FSA used the new template to update the PIAs for its National Student Loan Data System and Central Processing System, respectively. By updating its existing PIAs and ensuring that they address the key elements included in the department's template and associated guidance, FSA has provided additional transparency regarding the risks associated with collecting personally identifiable information from students and greater assurance that those risks are adequately mitigated.

Agency Affected: Department of Education
Recommendation: The Secretary of Education should direct the Chief Operating Officer of FSA to ensure that information security-related policies and procedures are reviewed at least annually, in accordance with FSA policy; updated as needed; and approved by security officials. (Recommendation 5)
Status: Closed - Implemented
Comments: In response to our recommendation, in March 2021 we verified that the Department of Education had reviewed its information security-related policies and procedures and that they were updated and approved by security officials, as needed. Specifically, FSA developed a standard operating procedure document that defines a process for planning, creating, updating, reviewing, approving, publishing, maintaining, and retiring non-system-specific security and privacy documentation, which includes templates, guidance, and standards. This standard operating procedure document is to be updated annually. FSA has also developed a review process for security policy and procedure documentation to determine which documents are to be updated during the annual cycle and which should be retired. Further, FSA has recently updated information security-related documents, such as FSA's Ongoing Security Authorization Standard Operating Procedure for Maintaining Authority to Operate and Education's Cybersecurity Risk Management Framework. With updated policies and procedures, FSA is better positioned to apply current security standards to its systems, including those that support the federal financial assistance program process.

Agency Affected: Department of Education
Priority recommendation: Yes. Priority recommendations are those that GAO believes warrant priority attention from heads of key departments or agencies.
Recommendation: The Secretary of Education should incorporate into its program review process the review of postsecondary schools' information security program requirements. (Recommendation 6)
Status: Closed - Implemented
Comments: In November 2019, Education reported, and in January 2020 we verified, that the agency had included information security requirements in its program reviews of institutions of higher education. The department worked with the Office of Management and Budget (OMB) to include specific key Gramm-Leach-Bliley Act information security requirements as part of OMB's audit guidelines. Specifically, OMB's audit guidelines include determining whether the institution designated an individual to coordinate the information security program; performed a risk assessment that addresses, among other things, employee training and management, information systems (including network and software design), and detecting, preventing, and responding to attacks, intrusions, or other system failures; and documented safeguards for identified risks.

Agency Affected: Department of Education
Recommendation: The Secretary of Education should update its regulation to include protections of personal information as an element of a school's ability to demonstrate its administrative capability. (Recommendation 7)
Status: Closed - Implemented
Comments: In response to our recommendation, in January 2021 we verified that the Department of Education included protections of personal information as an element of a school's ability to demonstrate its administrative capability. The department worked with the Office of Management and Budget (OMB) to include specific key Gramm-Leach-Bliley Act compliance requirements as part of OMB's audit guidelines. Specifically, OMB's audit guidelines state that, under an institution's Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. By performing these steps, Education is better informed of schools' efforts to protect student information.
