Are You Ready for the DOE Annual Audit? 6 Steps to Ensure Compliance

As the digital landscape evolves and transforms the way organizations run their operations, many experience unprecedented opportunities as well as new challenges. In recent years, universities and colleges have experienced a higher number of cyber-attacks and security breaches due to a lack of proper security infrastructure to protect student information, including financial aid data.

For example, the University of Maryland experienced a large security breach in 2014, leaking over 300,000 student records including names, birthdates, and even Social Security numbers, according to University Business. Other universities have fallen victim to security breaches as well, including Penn State University and Harvard University.

As security breaches and cyber-attacks continue to increase in the education industry, the Department of Education (DOE) has released guidance that will regulate data security practices at colleges and universities under the Gramm-Leach-Bliley Act (GLBA).


The Gramm-Leach-Bliley Act (GLBA) is a federal law primarily focused on protecting private and personal information within financial institutions. As mandated, these financial institutions are required to develop security programs and to openly communicate privacy practices to clients.

The DOE will use the GLBA to require universities and colleges to:

  • Develop, implement, and maintain a written information security program;
  • Designate the employee(s) responsible for coordinating the information security program;
  • Identify and assess risks to stored personal/confidential information;
  • Design and implement an information safeguards program;
  • Select appropriate service providers that are capable of maintaining appropriate safeguards; and
  • Periodically evaluate and update their security program.

The DOE plans to conduct an annual audit on universities and colleges to ensure compliance with the GLBA and assess financial aid information protection.

Additionally, the DOE highly encourages institutions to comply with the standards developed by the National Institute of Standards and Technology (NIST), specifically 800-171 Rev. 1, to further protect student financial-aid information.

NIST 800-171

The NIST 800-171 standard, originally released in June of 2015, provides holistic security standards for controlled unclassified information (CUI). Conducting an assessment against this standard includes:

  • Review of existing processes
  • Risk assessment of 14 control families
  • Development of a compliance roadmap
  • Evaluation of compliance through an audit

The main difference between the GLBA and NIST 800-171 is the framework the institutions will be tested against. Since NIST 800-171 is a more commonly used and comprehensive federal standard, it has more controls within its framework, which offers greater assurance not only to educational institutions but also to their student bodies.

Protect Your Institution

With the average cost of a U.S. educational record being $245, it’s more important than ever that universities and colleges enhance their information security to protect their institutions’ financial assets, as well as their students’ personal and financial information. To put it in greater perspective, the University of Maryland’s 2014 breach cost the institution around $40 million, at an average cost of $100 per record.

Reduce your exposure to evolving threats and protect student information today by enhancing your institution’s information security program using NIST 800-171.

To learn more about how A-LIGN can assist your institution in developing a security program to comply with the DOE Annual Audit Requirements, including GLBA and NIST 800-171 standards, please reach out to one of our experienced security professionals at [email protected] or 1-888-702-5446.