Third-Party Access to the Department's Information Technology Systems and Notice of Criminal Penalties for Misuse of Access Devices, 50707-50709 [2021-19536]
Federal Register / Vol. 86, No. 173 / Friday, September 10, 2021 / Notices
DEPARTMENT OF EDUCATION
Third-Party Access to the
Department’s Information Technology
Systems and Notice of Criminal
Penalties for Misuse of Access
Devices
AGENCY: Federal Student Aid,
Department of Education.
ACTION: Notice.
SUMMARY: The U.S. Department of
Education (Department) outlines the
requirements for third-party access to
the Department’s Information
Technology (IT) systems and establishes
criminal penalties for misuse of access
devices. Specifically, this notice sets
forth the definition of an access device,
the terms of service, the Code of
Conduct, and information security
standards, and provides notice of
related criminal penalties.
DATES: This notice is applicable
September 10, 2021.
FOR FURTHER INFORMATION CONTACT:
Michael Ruggless, Federal Student Aid,
830 First Street NE, Union Center Plaza,
Room 114B4, Washington, DC 20202–
5345. Telephone: (202) 377–4098.
Email: Michael.Ruggless@ed.gov.
Tamy Abernathy, Office of
Postsecondary Education, 400 Maryland
Avenue SW, 2C–129, Washington, DC
20202. Telephone: (202) 453–5970.
Email: Tamy.Abernathy@ed.gov.
If you use a telecommunications
device for the deaf (TDD) or a text
telephone (TTY), call the Federal Relay
Service, toll free, at 1–800–877–8339.
SUPPLEMENTARY INFORMATION: The Stop
Student Debt Relief Scams Act of 2019
(STOP Act) amended sections 141,
485B, and 490 of the Higher Education
Act of 1965, as amended (HEA), on
December 22, 2020, to prevent and
address the improper use of access
devices issued by the Department and
establish criminal penalties for
improper use. (Pub. L. 116–251; 134
Stat. 1129–1132). Section 485B(e) of
these HEA amendments includes
provisions for the prevention of
improper access to the Department’s
systems. Section 490(e) of these HEA
amendments explicitly makes
unauthorized access to the Department’s
IT systems and the misuse of
identification devices issued by the
Department a criminal act. Criminal
penalties associated with the STOP Act
are applicable one day after the date of
publication of this notice. All other
actions and information pursuant to
these HEA amendments contained in
this notice are applicable upon
publication.
The Department establishes, pursuant
to section 2(b) of the STOP Act, the
following definition of an access device,
terms of service, information security
standards, and Code of Conduct.
Definition of Access Device
An access device, as defined in 18
U.S.C. 1029(e)(1), means any—
(a) Card;
(b) Plate;
(c) Code;
(d) Account number;
(e) Electronic serial number;
(f) Mobile identification number;
(g) Personal identification number;
(h) Other telecommunications service,
equipment, or instrument identifier; or
(i) Other means of account access that
can be used alone or in conjunction
with another access device—
(1) To obtain money, goods, services,
or any other thing of value; or
(2) To initiate a transfer of funds
(other than a transfer originated solely
by paper instrument).
Terms of Service
An authorized user must abide by the
Code of Conduct and Information
Security Standards for Department
systems.
Acceptable Use of Systems
(a) A person or entity may be granted
access to, and use and share, the
Department’s assets, data, information
resources, and information systems
(collectively, the Department’s
information systems) only if the person
or entity is an “authorized user” under
paragraph (b) and only to the extent
otherwise authorized pursuant to this
section.
(b) A person or entity may be granted
access to the Department’s information
systems as an authorized user if the
person or entity has a bona fide “need
to know” the information or data
contained in the Department’s
information systems and they are—
(1) A student, borrower, or parent;
(2) A guaranty agency, eligible lender,
eligible institution, or a third-party
organization acting on behalf of a
guaranty agency, eligible lender, or
eligible institution that complies with
Federal law and requirements
applicable to the Department’s
information systems; or
(3) A licensed attorney representing a
student, borrower, or parent, or another
individual who works for a Federal,
State, local, or Tribal government or
agency, or for a nonprofit organization,
providing financial or student loan
repayment counseling to a student,
borrower, or parent, if—
(i) The attorney or other individual
has never engaged in unfair, deceptive,
or abusive practices, as determined by
the Department;
(ii) The attorney or other individual
does not work for an entity that has
engaged in unfair, deceptive, or abusive
practices (including an entity that is
owned or operated by a person or entity
that engaged in such practices), as
determined by the Department;
(iii) System access is provided only
through a separate point of entry issued
to the attorney or other individual; and
(iv) The attorney or other individual
has written consent from the relevant
student, borrower, or parent to access
the system.
(c) To access the Department’s
information systems, an authorized user
must—
(1) Read, understand, and sign the
information system-specific Rules of
Behavior;
(2) Have valid and current access
authorization issued by the Department;
(3) Access the Department’s
information systems using an access
device issued by the Department to the
authorized user, and may not use an
access device issued by the Department
to a student, borrower, or parent. A
student, borrower, or parent, including
through a power of attorney, may not
authorize a third party to use their
access device; and
(4) Comply with the terms of service,
information security standards, and
Code of Conduct.
(d) No person or entity may access the
Department’s information systems for
the purpose of assisting a student in
managing loan repayment or applying
for any repayment plan, consolidation
loan, or other benefit authorized under
title IV of the HEA, except as permitted
under this “Acceptable Use of
Systems.”
Criminal Penalties
Section 2 of the STOP Act, Public
Law 116–251, amended section 490 of
the HEA (20 U.S.C. 1097), by adding
paragraph (e), which makes it a crime to
knowingly use an access device that was
issued to another person or obtained by
fraud or false statement to access
Department information technology
systems for commercial advantage,
private financial gain, criminal activity,
or wrongful act violating United States
or State law. A violator is subject to
criminal penalties that include a fine of
not more than $20,000, imprisonment
for not more than five years, or both,
beginning one day after the date of
publication of this notice.
Code of Conduct
This Code of Conduct identifies the
acceptable rules of behavior for
accessing the Department’s information
systems. Upon accessing the
Department’s information systems, all
users will receive a notification warning
banner similar to the following that
requires them to acknowledge and agree
to the Code of Conduct prior to being
allowed further access:
“You are accessing a U.S. Federal
Government computer system intended
to be solely accessed by individual users
expressly authorized to access the
system by the U.S. Department of
Education. Usage may be monitored,
recorded, and/or subject to audit. For
security purposes, and in order to
ensure that the system remains available
to all expressly authorized users, the
U.S. Department of Education monitors
the system to identify unauthorized
users. Anyone using this system
expressly consents to such monitoring
and recording. Unauthorized use of this
information system is prohibited and
subject to criminal and civil penalties.
Except as expressly authorized by the
U.S. Department of Education,
unauthorized attempts to access, obtain,
upload, modify, change, and/or delete
information on this system are strictly
prohibited and are subject to criminal
prosecution under 18 U.S.C. 1030, and
other applicable statutes, which may
result in fines and imprisonment. This
system may contain Personally
Identifiable Information (PII), as defined
by the Privacy Act of 1974, or other
Controlled Unclassified Information as
defined by 32 CFR 2002.
For purposes of this system,
unauthorized access includes, but is not
limited to—
(a) Any access by an employee or
agent of a commercial entity, or other
third party, who is not the individual
user, for purposes of commercial
advantage or private financial gain
(regardless of whether the commercial
entity or third party is providing a
service to an authorized user of the
system); and
(b) Any access in furtherance of any
criminal or tortious act in violation of
the Constitution or laws of the United
States or any State.
If system monitoring reveals
information indicating possible criminal
activity, such evidence may be provided
to law enforcement personnel. These
Rules of Behavior identify
responsibilities and expectations for all
individuals accessing Federal Student
Aid (FSA) systems. By accepting, you
confirm that you have reviewed,
acknowledge, and agree to the following
Rules of Behavior:
(a) You must protect all of the
Department’s information systems,
including the Department’s data and
information in your possession, from
access by, or disclosure to, unauthorized
individuals or entities.
(b) Your User ID, password, and other
credentials are unique and only
assigned to the specified authorized
user.
(1) Your User ID, password, and other
credentials serve as an electronic
signature for signing fiduciary
documents committing you to financial
obligations.
(2) Your User ID, password, and other
credentials are for official Department
business only.
(c) You must never give your User ID,
password, or other credentials to
another person, including your
supervisor(s). Any information retrieved
from the Department’s information
systems may be shared only with
individuals expressly authorized to
receive this information.
(d) You must access only systems,
networks, data, control information, and
software for which you have been
authorized by the U.S. Department of
Education.
(e) If you are a third party
representing an authorized user under
paragraph (b) of the “Acceptable Use of
Systems,” you must be issued your own
unique User ID, password, or
credentials; at no time is a third party
authorized to use another individual’s
unique User ID, password, or
credentials. A user may not authorize a
third party to use their User ID,
password, or credentials, including
through a power of attorney.
(f) You are individually responsible
for ensuring that data/information
obtained from the Department’s
information systems is not used
improperly. A legitimate reason must be
present to view data/information
contained within the Department’s
information systems.
(g) You must change your password
immediately and notify the appropriate
security personnel if your password is
compromised, or someone else knows
your password.
(h) You must properly encrypt (or
password protect) all electronic files
when transmitting data via email.
Passwords must be sent separately (not
in the same transmission or
transmission channel).
(i) All paper documents containing PII
or Controlled Unclassified Information
must be labeled and stored in a secure
environment, to which only authorized
personnel have access.
(j) You must inform or contact the
organization that granted initial access
when access to an FSA system is no
longer required or access changes
because of changes in job
responsibilities or termination of
employment.
(k) You must remain current on all
required training, including security
training (at least annually).
(l) You must not download or store
the Department’s information systems
information or data on unsecure/public
computers or portable devices.
(m) If you have Title IV loans, they
must be in good standing. If you have
a loan that goes into default, your access
to the Department’s information systems
will be revoked.”
Information Security Standards
In addition to requirements identified
in the Terms of Service and Code of
Conduct, individuals accessing
Department of Education information
systems must comply with the following
requirements:
(a) A third party accessing the
Department’s information systems, on
behalf of an authorized user, must
ensure proper control and handling of
Controlled Unclassified Information
(CUI), which includes data commonly
known as PII, Sensitive Personally
Identifiable Information (SPII) and CUI,
residing on their computer, on
removable media, and on paper
documents.
(b) A third party that handles CUI
must do so in accordance with
Executive Order 13556, 32 CFR 2002—
Controlled Unclassified Information,
and the CUI Registry.
(c) The third party must ensure data
at rest that contains CUI is encrypted
using validated FIPS 140–2 encryption
in any and all third-party computing
environments where data is housed
and/or stored.
(d) The third party must consider data
at rest to include data that reside in
databases, file systems, information
technology systems, applications,
personal computers (desktops and
laptops and portable electronic devices
[PEDs] and mobile electronic devices
and personal data assistants [PDAs]) and
other structured storage devices (USB
flash drives, memory cards, external
hard drives, writeable CDs, and DVDs)
that are not in transit.
(e) The third party must ensure the
integrity and confidentiality of the
information and protect against any
reasonably anticipated security threats
or unauthorized uses or disclosures of
the information.
If, at any time, CUI is provided to or
viewed by unauthorized individual(s), a
breach report is required by the third
party. A breach report must be
submitted to the Department of
Education Security Operations Center
(EDSOC), email to EDSOC@ed.gov.
EDSOC may also be contacted by phone
at (202) 245–6550.
A Breach or Data Breach is an
incident that includes the loss of
control, compromise, unauthorized
disclosure, unauthorized acquisition, or
any similar occurrence where (1) a
person other than an authorized user
accesses or potentially accesses PII or
(2) an authorized user accesses or
potentially accesses PII for an
unauthorized purpose (OMB M–17–12,
p. 9). An occurrence may be first
identified as an incident, but later
identified as a breach once it is
determined that the incident involves
PII. Breaches include cyber incidents, as
well as the loss or theft of physical
documents or portable electronic storage
media, inadvertent disclosure of PII on
a public website, an oral disclosure to
a person not authorized to receive that
information, or an authorized user
accessing PII for an unauthorized
purpose, etc.
Accessible Format: On request to one
of the program contact persons listed
under FOR FURTHER INFORMATION
CONTACT, individuals with disabilities
can obtain this document in an
accessible format. The Department will
provide the requestor with an accessible
format that may include Rich Text
Format (RTF) or text format (txt), a
thumb drive, an MP3 file, braille, large
print, audiotape, or compact disc, or
other accessible format.
Electronic Access to This Document:
The official version of this document is
the document published in the Federal
Register. You may access the official
edition of the Federal Register and the
Code of Federal Regulations at
www.govinfo.gov. At this site you can
view this document, as well as all other
documents of this Department
published in the Federal Register, in
text or Portable Document Format
(PDF). To use PDF you must have
Adobe Acrobat Reader, which is
available free at the site.
You may also access documents of the
Department published in the Federal
Register by using the article search
feature at www.federalregister.gov.
Specifically, through the advanced
search feature at this site, you can limit
your search to documents published by
the Department.
Program Authority: 20 U.S.C. 1001; 20
U.S.C. 1018; 20 U.S.C. 1092b; and 20
U.S.C. 1097.
Richard Cordray,
Chief Operating Officer, Federal Student Aid.
[FR Doc. 2021–19536 Filed 9–9–21; 8:45 am]
BILLING CODE 4000–01–P
data commonly known as PII, Sensitive Personally Identifiable
Information (SPII) and CUI, residing on their computer, on removable
media, and on paper documents.
(b) A third party that handles CUI must do so in accordance with
Executive Order 13556, 32 CFR 2002--Controlled Unclassified
Information, and the CUI Registry.
(c) The third party must ensure data at rest that contains CUI is
encrypted using validated FIPS 140-2 encryption in any and all third-
party computing environments where data is housed and/or stored.
(d) The third party must consider data at rest to include data that
reside in databases, file systems, information technology systems,
applications, personal computers (desktops and laptops and portable
electronic devices [PEDs] and mobile electronic devices and personal
data assistants [PDAs]) and other structured storage devices (USB flash
drives, memory cards, external hard drives, writeable CDs, and DVDs)
that are not in transit.
(e) The third party must ensure the integrity and confidentiality
of the information and protect against any reasonably anticipated
security threats or unauthorized uses or disclosures of the
information.
If, at any time, CUI is provided to or viewed by unauthorized
individual(s), a breach report is required by the third party. A breach
report must be submitted to the Department of Education Security
Operations Center (EDSOC), email to [email protected]. EDSOC may also be
contacted by phone at (202) 245-6550.
A Breach or Data Breach is an incident that includes the loss of
control, compromise, unauthorized disclosure, unauthorized acquisition,
or any similar occurrence where (1) a person other than an authorized
user accesses or potentially accesses PII or (2) an authorized user
accesses or potentially accesses PII for an unauthorized purpose (OMB
M-17-12, p. 9). An occurrence may be first identified as an incident, but
later identified as a breach once it is determined that the incident
involves PII. Breaches include cyber incidents, as well as the loss or
theft of physical documents or portable electronic storage media,
inadvertent disclosure of PII on a public website, an oral disclosure
to a person not authorized to receive that information, or an
authorized user accessing PII for an unauthorized purpose, etc.
Accessible Format: On request to one of the program contact persons
listed under FOR FURTHER INFORMATION CONTACT, individuals with
disabilities can obtain this document in an accessible format. The
Department will provide the requestor with an accessible format that
may include Rich Text Format (RTF) or text format (txt), a thumb drive,
an MP3 file, braille, large print, audiotape, or compact disc, or other
accessible format.
Electronic Access to This Document: The official version of this
document is the document published in the Federal Register. You may
access the official edition of the Federal Register and the Code of
Federal Regulations at www.govinfo.gov. At this site you can view this
document, as well as all other documents of this Department published
in the Federal Register, in text or Portable Document Format (PDF). To
use PDF you must have Adobe Acrobat Reader, which is available free at
the site.
You may also access documents of the Department published in the
Federal Register by using the article search feature at
www.federalregister.gov. Specifically, through the advanced search
feature at this site, you can limit your search to documents published
by the Department.
Program Authority: 20 U.S.C. 1001; 20 U.S.C. 1018; 20 U.S.C. 1092b;
and 20 U.S.C. 1097.
Richard Cordray,
Chief Operating Officer, Federal Student Aid.
[FR Doc. 2021-19536 Filed 9-9-21; 8:45 am]
BILLING CODE 4000-01-P