Posted Date:January 13, 2012
Author: | Pamela Eliadis, Service Director, System Operations & Aid Delivery Management, Federal Student Aid William Leith, Service Director, Program Management, Federal Student Aid |
Subject: High-Level Overview — New Technology Security Initiatives for Federal Student Aid Systems 2012
As we begin calendar year 2012, we want to provide a high-level summary of the new technology security initiatives that are currently underway at Federal Student Aid. The planned initiatives comply with mandated government-wide security requirements and are part of our ongoing effort to ensure the security of the Federal Student Aid data systems. Some of our planned initiatives were introduced to schools in earlier announcements on the Information for Financial Aid Professionals (IFAP) Web site or at the 2011 Federal Student Aid Conference .
As we progress with implementation plans for the 2012 technology security initiatives, we will continue to communicate through Electronic Announcements on the IFAP Web site and targeted e-mails to schools' Primary Destination Point Administrators (PDPAs), Common Origination and Disbursement (COD) Security Administrators, and other system users as appropriate.
We present high-level information about the 2012 technology security initiatives as follows:
Two Factor Authentication (TFA)
Active Confirmation for COD Web Site Users
EDconnect/SAIG Upgrade
AIMS Security-Related Screens and Annual Training
Further Information
We appreciate your cooperation and assistance as we implement the 2012 technology security initiatives.
Two Factor Authentication (TFA)
We are implementing a security process through which all authorized users will be required to enter two forms of "authentication" to access Federal Student Aid systems.
The security process is an established technology referred to as Two Factor Authentication (TFA).
The first factor is something that an individual knows—his or her User ID and Password.
The second factor is something that an individual has—a token that generates a One-Time Password (OTP).
Through TFA, when logging in to certain Federal Student Aid systems, an authorized user will be required to use a traditional User ID and Password as well as provide an OTP. The OTP will be generated by a registered token device that is in the physical possession of the user.
TFA Token Information
The TFA token is a small electronic device that looks like a "key fob" with a "power" button and a display screen on its front. To generate an OTP, the user will press the button on the front of the token. A different OTP will be generated each time the button is pressed and will display for 30 seconds.
We will soon begin a phased distribution of tokens and token information to schools. Working with PDPAs and COD Security Administrators, we will distribute the tokens to one group of schools at a time. Each group will be comprised of the schools located in a particular set of states. Prior to distributing tokens to each group of schools, we will post an Electronic Announcement that informs the community of the states that will be covered in that particular distribution group. Following the Electronic Announcement notice to the community, we will communicate via e-mail directly with the PDPA and/or COD Security Administrator at each school that is in the states listed in the announcement. The e-mail will explain how we will send the tokens to the PDPAs and COD Security Administrators and how the tokens should be distributed to authorized users.
Once an authorized user receives a token from his or her PDPA or COD Security Administrator, the user will use that one token to access all Federal Student Aid systems accommodated for TFA. Each user will register the token up to two times depending on the systems the user accesses. Registration must be completed one time for the COD System and one time for the systems behind Federal Student Aid's Access and Identity Management System (AIMS).
Note: The AIMS enables authorized users to log in once to access multiple Federal Student Aid systems rather than needing to log in multiple times using various identification methods. The systems/Web sites that are currently behind AIMS are e-Campus-Based (eCB), eCDR Appeals, FAA Access to CPS Online, Financial Partners Datamart (used only by guaranty agencies), National Student Loan Data System (NSLDS), and Student Aid Internet Gateway (SAIG) Enrollment.
TFA Implementation - System Information
TFA will be implemented over the 2012 calendar year and will apply to the AIMS, COD System, and SAIG for users who access the SAIG via EDconnect. We are in the process of completing the appropriate system changes to accommodate TFA and expect to have all necessary system modifications in place by spring 2012.
Note: G5, the Department of Education's payment system, is not affected by the TFA rollout. Authorized users who are only responsible for accessing and completing payment transactions via G5 will not receive TFA tokens.
As authorized users at schools receive and register their tokens, they will begin to use the tokens to access all of the systems noted above.
Active Confirmation for COD Web Site Users
We plan to implement an active confirmation process for COD Web site users at both foreign and domestic schools. The new process will require COD Security Administrators to review and confirm a list of authorized COD Web site users at their schools. COD Security Administrators will also be required to review and confirm third party servicer users who access the COD Web site on their school's behalf. The COD Web site active confirmation process will be similar to the active confirmation process performed each year to confirm user information for FAA Access to CPS Online and other systems.
If a user is not confirmed by a COD Security Administrator or is identified as no longer needing access to the COD Web site, the COD Security Administrator will be required to deactivate the user's COD Web site account and the user will no longer have access to the COD Web site.
EDconnect/SAIG Upgrade
As explained in a November 18, 2011 Electronic Announcement on the IFAP Web site, we will implement an upgrade to all components of the SAIG, including TDNgine, TDClient, TDCommunity Manager (SAIG Portal), and EDconnect. There will be several steps domestic and foreign schools will need to perform in order to complete the upgrade, including a new requirement that all EDconnect users be enrolled via the SAIG Enrollment Web site and that they obtain an FSA User ID and Password.
Implementation of the SAIG upgrade is planned for February and March 2012. After the March implementation, schools will be required to complete all steps related to the SAIG upgrade within 90 days. If the upgrade is not completed within 90 days, a school will no longer be able to connect to its SAIG mailbox(es).
More information about the EDconnect/SAIG upgrade and required steps a school must take will be provided in forthcoming guidance posted to the IFAP Web site.
AIMS Security-Related Screens and Annual Training
We plan to implement security screens and a training package for all Federal Student Aid systems behind the AIMS. The AIMS security screens will require that each authorized user read and acknowledge Privacy Act and Rules of Behavior screens each time the user logs in through AIMS to access a system or Web site that is behind AIMS. The user will also be required to complete a security training module upon our implementation of the training package and on an annual basis thereafter.
Further Information
We appreciate your cooperation in providing safe and secure access to Federal Student Aid systems and look forward to working with the school community to implement the 2012 technology security initiatives. Please continue to monitor the IFAP Web site for additional information about these initiatives.
For general questions about the technology security initiatives, contact us at TFA_Communications@ed.gov (TFA_Communications@ed.gov).