Audio version of this articles is attached below for your convenience. 

The U.S. Department of Education (ED) announced[1] on Wednesday, July 17, 2019, that some authorized users had been temporarily blocked from accessing ED’s Federal Student Aid (FSA) systems and websites.  ED states that the blocking occurred as a result of their recently implemented new cybersecurity measures “to further protect critical student data and ensure the security of FSA systems and websites.”
 
Access Issues Resolved
 
Most institutions that were impacted had resolution by ED when ED added the institution’s range of Internet Protocol (IP) addresses to a list of trusted IP addresses.  (Such a trusted list of IP addresses is commonly called a “whitelist.”)
 
ED indicates that most institutions’ issues related to access to the FSA systems and websites have been resolved.  But, if an institution is still having access issues, ED instructs institutions to report the incident immediately to ED at EDSOC@ed.gov andFSASchoolCyberSafety@ed.gov.  ED will respond to you from the EDSOC@ed.gov address confirming receipt of your notification of an issue.  Follow-up communications from the ED data security team will come from EDSOC@ed.gov or FSASchoolCyberSafety@ed.gov as they work to resolve the situation quickly.
 
Ensure Ongoing Access with Updated Information by August 1, 2019
 
ED is requesting institutions to provide it with a list of IP addresses used by the institution.  They will use this updated information to expand its whitelist of institutional IP addresses.  This will help ensure that authorized users are able to appropriately access FSA systems and websites, and hopefully prevent any inadvertent blocking in the future. 
 
ED requests that institutions provide its list of IP addresses by August 1, 2019, to FSASchoolCyberSafety@ed.gov.  The information to provide should include:

  • Name of institution
  • Address of institution
  • Office of Postsecondary Education Identifier (OPEID)
  • List or range of IP addresses used by your institution
  • Information Technology (IT) contact at your institution (Name, E-mail, Phone Number)

 
The information may be presented in a simple format as shown above.  It is likely best to use the name of the institution as shown on your Eligibility and Certification Approval Report (ECAR). 
 
For those unfamiliar with IP addresses, the IP address is unique to each individual device used to communicate via the Internet.  It gives the location of the device and allows other devices (e.g., ED’s systems and computers) to know where to send information via the Internet.  In simple terms, its purpose is similar to that of a “return address” on a physical piece of mail (i.e., postal mail).  Therefore, if your institution uses more than one computer or device to communicate with ED electronically, ED will need to know all IP addresses to include them on the “white list” of addresses that will not be blocked.
 
ED did not specify that the updated information being submitted has to be provided by or signed off on by your president or CEO, but likely you will want to ensure accuracy and concurrence of information with your main IT person, and have your president or CEO aware of the updated information being sent to ED.
 
ED encourages institutions that have questions about its request for updated IP addresses or who have access issues to contact FSASchoolCyberSafety@ed.gov.
 
We would remind institutions of the importance of ongoing information and data security protocols at the institutional and individual user levels.  This would be a good time to also ensure that all authorized users with institutional and ED access to systems are still current and valid.  Any formerly authorized individuals who no longer need access to systems should have such authorization removed to prevent unauthorized access.
 
Should you have any questions regarding the information in this edition of our DYK, please feel free to contact FAME Customer Service through the Client Solution Center.
Publication Date:  July 19, 2019



[1] Electronic Announcement, July 17, 2019, U.S. Department of Education, at https://ifap.ed.gov/eannouncements/071719InforReqtoEnsureAccesstoFSASysWebsites.html.  Accessed on July 18, 2019.

__________________________________________________
This material is presented for informational and educational purposes only and should not be considered to be giving legal advice.

Did You Know Some Authorized Users Were Temporarily Blocked from Accessing FSA Systems and Websites.wma