Abstract
The Office of Federal Student Aid (FSA) at the U.S. Department of Education (ED) recently invited public comments on its draft strategic plan for 2020 through 2024. In reviewing the plan, EDUCAUSE members and staff took note of FSA’s emphasis on bolstering information security related to FSA data, which the agency had made its fourth of five strategic goals. Unfortunately, EDUCAUSE felt compelled to comment on the problematic text in the plan that appears to cast doubt on the effectiveness and seriousness of higher education institutions in addressing information security. This included disputing in detail the limited evidence cited in the plan for FSA’s negative remarks concerning institutional information security and recommending more appropriate timelines for establishing baselines for the plan’s proposed compliance metrics. EDUCAUSE encouraged FSA to rewrite the relevant sections of its plan to focus on current and potential collaboration between the agency and higher education information security leaders on clarifying and publicly documenting compliance guidance as well as bolstering the dissemination of jointly sourced effective information security practices.