GLBA Compliance – Protecting Controlled Unclassified Information (CUI) 

Posted May 8, 2023 | Written by Randy Waterman, Solution Engineer, GreyCastle Security
>> Download our GLBA checklist guide to make sure you’re prepared for the new deadline this year

Many institutions do not believe they have Controlled Unclassified Information (CUI) in their environment, primarily because they do not conduct government research or apply for government grant funding. However, that is very often not true.

CUI in Higher Education 

Controlled Unclassified Information is defined by the National Archives and Records Administration (NARA) as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies….” While the first part of this definition may leave you with more questions than answers, CUI is required to have some level of protection from unauthorized access or release because it would be detrimental to the U.S. government and/or its citizens.  

It is important to understand that CUI Categories are very wide ranging. Even though ammonium nitrate deposits, nuclear reactor information, and student records are all considered CUI, the security controls required to protect each of these data elements depend on its CUI Category and, more importantly, on the law or regulation that governs that data.

At a minimum, Institutions of Higher Education (IHEs) are collecting CUI in the form of General Financial Information and Student Records and should comply with the Gramm-Leach-Bliley Act (GLBA) and the Family Educational Rights and Privacy Act (FERPA) to ensure that the appropriate controls and safeguards are being implemented.

GLBA Safeguards Rule  

While GLBA is enforced by the Federal Trade Commission (FTC), the Department of Education Office of Federal Student Aid (FSA) has issued succinct guidance for IHEs to comply with GLBA. The most recent FSA Announcement continues to point to the NIST (National Institute of Standards and Technology) Special Publication (SP) 800-171 framework to ensure GLBA [and FERPA] compliance. It only makes sense that this standard, titled Protecting Controlled Unclassified Information in Nonfederal Systems, is effective at ensuring appropriate controls are implemented to protect student financial records and student PII (Personally Identifiable Information).

In addition, this announcement from the FSA called out enforcement and ramifications of noncompliance: “repeated non-compliance by an institution or a servicer may result in an administrative action taken by the Department, which could impact the institution’s or servicer’s participation in the Title IV programs.”  The impact associated with loss of Title IV funding would be catastrophic for any institution and Institutions of Higher Education (IHEs) should act to ensure continued participation in these programs. 

Minimum GLBA Compliance Activities 

At a minimum, IHEs should: 

Designate qualified individual
It is a GLBA requirement that Financial Institutions designate a qualified individual to oversee the program and ensure cybersecurity policies are being implemented by the institution. While GLBA does not specify a role or position (e.g., Chief Information Security Officer, CIO, Director of IT), this individual must understand the GLBA Safeguards Rule requirements and the spirit and intent of NIST SP 800-171, and must be able to communicate mitigation or remediation priorities to all levels of the institution. [For supplemental information, please see our blog GLBA Compliance Action Plan]

Scope the GLBA Cybersecurity Program
Identify the departments and systems that are storing, processing, and transmitting CUI applicable to GLBA and FERPA. 

Assess scope against NIST SP 800-171
Per guidance from the Department of Education Office of Federal Student Aid (FSA), institutions should assess against NIST SP 800-171 to comply with GLBA and FERPA.

Remediate gaps
Develop and execute a corrective action plan to remediate any gaps in relation to procedures for handling, storing, transmitting, and disposing of CUI in compliance with the regulations.

While there are many pointed requirements associated with GLBA, assessing the program against NIST SP 800-171 and ensuring clarity of program scope will identify gaps in compliance with the GLBA Safeguards Rule. Prioritizing those gaps based on risk to the institution, via a well-defined risk management process, will provide clarity on the top risks and inform remediation plans that can be communicated to senior leadership and the board.


Want to make sure you’re up-to-date on the newest compliance requirements? Grab our newest GLBA checklist guide to make sure you’re prepared for the new deadline this year.
