Posted Date: February 6, 2013
Author: Pamela Eliadis, Service Director, System Operations & Aid Delivery Management, Federal Student Aid
Subject: Change to Login Process for All Federal Student Aid Systems Behind AIMS
Over the last year, we have implemented several new technology security initiatives at Federal Student Aid. As described to the community in a January 13, 2012 electronic announcement posted to the Information for Financial Aid Professionals (IFAP) Web site, these initiatives were designed to comply with mandated government-wide security requirements and are part of an ongoing effort to ensure the security of the Federal Student Aid data systems.
One of these initiatives will result in a change in early March 2013 to the login process for all systems that are behind Federal Student Aid's Access and Identity Management System (AIMS). AIMS enables authorized users to log in once to access multiple Federal Student Aid systems rather than needing to log in multiple times using various identification methods.
Beginning Monday, March 11, 2013, any user of a system behind AIMS will be required to read and accept the Federal Student Aid Privacy Act Acknowledgement and Rules of Behavior, as well as be required to take Security Training on an annual basis.
The systems/Web sites that are currently behind AIMS and which will be affected by this change are eCampus-Based (eCB), eCDR Appeals, Experimental Sites, FAA Access to CPS Online, Financial Partners Datamart, National Student Loan Data System (NSLDS) Professional Access, and Student Aid Internet Gateway (SAIG) Enrollment.
As a result of this change, users of NSLDS will no longer be required to accept the NSLDS-specific Privacy Act Acknowledgement and Rules of Behavior, or complete the NSLDS Security Training. In addition, users of eCDR Appeals will no longer need to accept the eCDR Appeals-specific Rules of Behavior as part of the initial enrollment process. These system-specific processes will be replaced by the new AIMS security process.
Note: As described in a January 25, 2013 electronic announcement, we are also preparing to implement a change in how authorized users access the Common Origination and Disbursement (COD) System via the Web. Upon implementation of that change in May 2013, COD Web site users will follow an updated AIMS login process similar to the one described in this communication. Additional information about the COD Web site access change will be included in forthcoming electronic announcements posted to the IFAP Web site.
In the following sections, we describe each step in the new process, and provide important detail about what the user will see upon login to a system behind AIMS. We present this information in the following order:
Privacy Act Acknowledgement
Rules of Behavior
Annual Security Training
Privacy Act Acknowledgement
After implementation of this change on March 11, 2013, a user logging in to any system that is behind AIMS will first be presented with the new Privacy Act Acknowledgment. The Privacy Act Acknowledgment reminds the user that Federal Student Aid systems contain personal information protected by the Privacy Act of 1974 (as amended). By logging in, the user is personally confirming that they are an authorized user of the Federal Student Aid system, will adhere to the requirements of the Privacy Act, and understand the consequences for violating the Privacy Act.
The new Privacy Act Acknowledgment page will appear each time a user logs in to a system behind AIMS, regardless of how many times the user logs in that day.
Rules of Behavior
After the user reads and navigates past the Privacy Act Acknowledgment page, they will be presented with the new Rules of Behavior page. The Rules of Behavior identify responsibilities and expectations for all individuals accessing Federal Student Aid systems and include information about authorized use of the systems, password security, properly storing Personally Identifiable Information (PII), and training requirements. By checking the box at the end of the page, the user is confirming that they understand and agree to the Rules of Behavior.
Unlike the Privacy Act Acknowledgment, which will be presented to the user upon every login, the Rules of Behavior will appear only the first time a user logs in to a system behind AIMS each day. After that first login, the user will not see the Rules of Behavior again that day, even if they log out and then log back in to a system behind AIMS.
Annual Security Training
Following the Privacy Act Acknowledgment and Rules of Behavior, a user who is required to take the new Security Training will be presented with the training module. The Security Training consists of a series of Web pages that provide important information about the acceptable uses of Federal Student Aid systems, data protection, creating a secure password, and other reminders critical to maintaining system security. A mandatory checkbox is presented at the conclusion of the training, for the user to acknowledge they have completed the training.
The Security Training will be required on an annual basis, one year from the date the user completes the training. Users who are required to take the training will be presented with a reminder, which will appear after the Privacy Act Acknowledgment and Rules of Behavior pages ten days prior to the training due date. After receiving the reminder, the user may complete the training at that time, and the reminder will cease to be presented. Alternatively, the user may choose to skip the training, and the reminder will continue to be presented to the user upon every login for the remainder of the ten-day period. Once the ten days have passed, the user will be required to complete the training before accessing any system behind AIMS.
Upon implementation of this change on March 11, 2013, the new annual Security Training requirement for users accessing systems behind AIMS will be applied as follows:
NSLDS Users: We will populate the AIMS database with the last NSLDS annual training date of all users who are currently authorized to use NSLDS. This date will be used by AIMS to identify when training is due for each current NSLDS user (the AIMS due date will be one year from the NSLDS completed date). The user will be prompted when training is due.
Non-NSLDS Users: All other users will be prompted to complete the new Security Training the first time they log in to AIMS after implementation of this change. Due to the critical nature of this requirement, we will not provide the ten-day warning for these users during this initial implementation.
We appreciate your cooperation in providing secure access to Federal Student Aid systems.
If you have any questions regarding this message, contact FSA Security Architecture at email@example.com.