Cybersecurity: Office of Federal Student Aid Should Take Additional Steps to Oversee Non-School Partners' Protection of Borrower Information
Highlights
What GAO Found
The Department of Education's Office of Federal Student Aid (FSA) partners with various entities (“non-school partners”) that are involved primarily in supporting the repayment and collection of student loans.
Federal loan servicers are responsible for collecting payments on loans and providing customer service to borrowers on behalf of the Department of Education through its Direct Loan program.
Private collection agencies collect on loans that are in default and work with borrowers to help them get out of default.
Guaranty agencies insure lenders against loss due to borrower default and carry out a variety of loan administration activities.
Federal Family Education Loan lenders are non-federal lenders, such as banks, credit unions, or other lending institutions, that made loans to students in the past and continue to service these loans.
FSA shares a variety of personally identifiable information (PII) on borrowers with its non-school partners. This includes names, addresses, phone numbers, email addresses, Social Security numbers, and financial information.
Key practices for overseeing the protection of PII shared with non-federal entities include requiring (1) risk-based security and privacy controls, (2) independent assessments to ensure controls are effectively implemented, (3) corrective actions to address identified weaknesses in controls, and (4) ongoing monitoring of control status. FSA established oversight policies and procedures for loan servicers and private collection agencies that generally address these key practices. However, FSA exercises minimal oversight of lenders' protection of student data (see table).
Extent to Which Federal Student Aid Processes Address Key Practices for Overseeing the Protection of Personally Identifiable Information
|
Non-school partner |
Security and privacy controls |
Independent assessments |
Corrective actions |
Ongoing monitoring |
|
Loan servicers |
● |
● |
● |
◐ |
|
Private collection agencies |
● |
● |
● |
◐ |
|
Guaranty agencies |
◐ |
● |
● |
○ |
|
Federal Family Education Loan Lenders |
◐ |
○ |
○ |
○ |
Key: ● = FSA provided evidence of processes and procedures that addressed all aspects of the key practice; ◑ = FSA provided evidence of processes and procedures that addressed some but not all aspects of the key practice; ○ = FSA did not provide evidence of processes and procedures that addressed the key practice
Source: GAO analysis of Federal Student Aid data. | GAO-18-518
FSA officials maintain that the lenders are subject to other legal and regulatory requirements for protecting customer data. However, FSA does not have a process for ensuring lenders are complying with these requirements, and thus lacks assurance that appropriate risk-based safeguards are being effectively implemented, tested, and monitored.
Why GAO Did This Study
FSA administers billions of dollars in student financial aid, including loans and grants, to eligible college students. The processing of student aid is complex, and FSA relies on non-school partners to carry out various activities supporting the student aid process, such as loan repayment and collection.
GAO was asked to review how FSA ensures the protection of PII by its non-school partners. The objectives of this review were to (1) describe the roles of non-school partners and the types of PII shared with them and (2) assess the extent to which FSA policies and procedures for overseeing the non-school partners' protection of student aid data adhere to federal requirements, guidance, and best practices.
To address these objectives, GAO collected and reviewed FSA documentation, reports, policies, and procedures and compared FSA policies and procedures to four key practices included in federal guidance for overseeing the protection of PII by non-federal entities. GAO also interviewed FSA officials with responsibility for the oversight of non-school partners.
Recommendations
GAO is making six recommendations to FSA to ensure that its oversight of non-school partners addresses the four key practices for ensuring the protection of PII. FSA concurred with three of the recommendations, partially concurred with two, and did not concur with one. It also described actions planned or under way to implement four of the recommendations. GAO maintains that all of its recommendations are warranted.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status Sort descending |
|---|---|---|
| Department of Education | The Secretary of Education should establish a process for continuous monitoring of guaranty agencies' implementation of security and privacy requirements between on-site assessments, to include testing all controls at an FSA-defined frequency and regularly reporting results. (Recommendation 4) |
Open
FSA partially concurred with this recommendation and described actions it planned to take in response. Specifically, FSA provided a standard operating procedure for continuous monitoring of guaranty agencies' implementation of security and privacy requirements between on-site assessments. However, the agency did not provide evidence that this process had been implemented. In June 2023, FSA officials stated that they planned to complete this action by the end of January 2024, but did not provide additional details or documentation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Education | The Secretary of Education should include specific security and privacy requirements in agreements with the Federal Family Education Loan (FFEL) Program lenders based on FSA's categorization of the information shared with the lenders. (Recommendation 5) |
Open
FSA stated that it partially agreed with this recommendation and provided an updated version of its Organization Participation Agreement (OPA) with FFEL lenders. This agreement contains a number of specific security requirements, but it is unclear whether these requirements were derived from a categorization of the information or other risk-based analysis. In June 2023, FSA officials stated that FSA continues to work with lenders on a viable compliance supplement and that the projected completion date for this action is the end of December 2023. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Education | The Secretary of Education should develop policies and procedures to gain assurance that FFEL lenders have appropriate security and privacy controls in place and that these controls are being regularly tested and monitored. (Recommendation 6) |
Open
FSA did not concur with this recommendation. In June 2023, FSA officials stated that they are still working to determine an action that that will address the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Education | The Secretary of Education should enroll private collection agencies in FSA's continuous monitoring program, and, in the interim, require these entities to test all controls at an FSA-defined frequency and regularly report the results. (Recommendation 2) |
Open
FSA stated that it concurred with this recommendation and that private collection agencies (PCA) were to be enrolled in the agency's Ongoing Security Authorization program. In June 2023, FSA officials stated that all PCAs are being decommissioned and projected completion of this action by the end of January 2024. When we confirm what actions, the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Education | The Secretary of Education should enroll loan servicers in FSA's continuous monitoring program and, in the interim, require these entities to report the results of security controls testing at an FSA-defined frequency. (Recommendation 1) |
Closed – Implemented
FSA concurred with this recommendation and has taken steps to implement it. Specifically, in response to our recommendation, in December 2019, May 2021, and July 2021, FSA provided evidence to show that it had enrolled loan servicers in its Ongoing Security Authorization (OSA) program. This program requires participation in quarterly security control assessments that provide information on the security posture of the system based upon the controls being assed for the quarter. To support this, systems are required to perform the scanning process on key system assets and provide them to FSA's OSA assessment team for independent review and analysis. By taking these steps, FSA has increased assurance that security controls implemented by loan servicers are effectively implemented and operating as intended, which will help ensure the protection of borrower information. Accordingly, we consider this recommendation to be implemented.
|
| Department of Education | The Secretary of Education should modify FSA's agreements with guaranty agencies to specify a required baseline of security controls based on the impact level of the information shared with these agencies, as determined by FSA. (Recommendation 3) |
Closed – Implemented
FSA concurred with this recommendation and stated that it will update the agreements with guaranty agencies (GA) to outline the requirement for security assessments to be conducted at the Federal Information Processing Standards (FIPS)-199 moderate security baseline level. In April 2021, in response to our recommendation, FSA provided amended agreements for 20 guaranty agencies. These agreements specify that the agencies must ensure that student and borrower information comply with a security and privacy controls at the moderate categorization level. By specifying these requirements in its agreements with GAs, FSA increases its ability to ensure that the personally identifiable information it shares with guaranty agencies will be adequately and consistently protected. Accordingly, we consider this recommendation to be implemented.
|