Department of Education Update

National Council of Higher Education Resources (NCHER)

2015 Knowledge Symposium

Annmarie WeismanU. S. Department of Education

November 4, 2015

Revised Pay As You Earn (“REPAYE”)

Negotiated Rulemaking - REPAYE

• FY 2015 REPAYE “Neg Reg” Feb. 24 – 26, 2015: Session 1 March 31 – April 2, 2015: Session 2 April 28 – 30, 2015: Session 3 (consensus)

July 9, 2015: NPRM published Aug. 10, 2015: Public comment period ended

(nearly 3,000 received) Oct. 30, 2015: Regulations published December 2015: early implementation July 2016: Other issues effective

REPAYE

REPAYE Goal: Targeting neediest borrowers

President Obama’s 2016 budget proposal:“…reform and streamline income-driven

repayment to ensure that program benefits are targeted to the neediest borrowers and to safeguard the program for the future.”

REPAYE

REPAYE Goal: Targeting neediest borrowers

June 9, 2014 Presidential Memorandum:Directs the Secretary to, within one year, propose

new regulations for PAYE to expand PAYE to all borrowers and directs ED to implement this by December 2015….

…ensure that student loans remain affordable for all who borrowed federal direct loans as students by allowing them cap their payments at 10% of their monthly incomes.

REPAYE – Who is eligible?

1. Nearly all Direct Loan (DL) Borrowers

2. Many FFEL Borrowers Can Consolidate into DL

3. Eligible loan types: Subsidized DL, Unsubsidized DL, Grad PLUS

REPAYE – What’s Revised?

1. No Partial Financial Hardship

2. Interest Subsidy

3. Annual Certification

4. No Payment Cap

5. Married Borrowers Filing Separately

6. Undergraduate vs. Graduate Loan Debt

7. Loan Forgiveness

REPAYE – Other Issues

1. Servicemembers Civil Relief Act (SCRA)

2. ‘Warm Transfer’

3. Participation Rate Index (PRI) Appeals

4. DoD Lump Sum Payments and PSLF

5. Technical Correction to 682.405

REPAYE –Common Questions

Q: Why Another Plan?

A: REPAYE provides key protections to all borrowers while ensuring the benefits are not accruing predominantly to the most affluent

Q: Is there an income requirement to be eligible for REPAYE?

A: No, borrowers of all incomes may select the REPAYE repayment plan.

REPAYE –Common Questions

Q: What outreach is planned?

A: Incorporating REPAYE info into various servicer and Department communications

· Written correspondence· Servicer and StudentAid.gov webpage updates· FSA email campaign to borrowers (early 2016)

Cash Management

12

Cash Management, etc. Feb. 19–21, 2014 Session 1

March 26–28, 2-14 Session 2

April 23–25, 2014 Session 3

May 19–20, 2014 Session 4

May 18, 2015: NPRM published

July 2, 2015: public comment period closed (over 200 received)

Oct. 30: final regulations published

Effective July 1, 2016

13

Cash Management

Tougher standards and greater transparency around agreements between colleges and companies providing prepaid/debit cards to students Meaningful choice of products Clear and neutral information Fees charged to students

14

Other Issues Negotiated

Clock to credit hour conversion removed provisions under which a State or

Federal approval or licensure action required a program to be measured in clock hours

Retaking coursework Allow an institution offering term-based

programs to count, for enrollment purposes, courses a student is retaking that the student previously passed, up to one repetition per course

Questions

Contact Information

Annmarie Weismanannmarie.weisman@ed.gov

202-502-7784

Andy Newton, CISSP, PMP

Overview of OMB Cyber Security Sprint Initiative

November 4, 2015

Agenda Background

Sprint Actions

Why Should we Care About the Sprint Actions

Network Scans/Configurations

Patch Management

Security Policies

Multi-Factor Authentication

Hardware/Software Asset Mgt

Privileged User Definition

Resources18

Background

In June 2015, the United States Chief Information Officer (CIO) Tony Scott responded to a data breach at a federal agency by launching a 30-day Cyber Security Sprint to improve federal cybersecurity and protect IT systems against evolving threats. As part of this effort, the Federal CIO instructed federal agencies to immediately take a number of steps to further protect information and assets and improve the resilience of federal networks.

19

20

Cyber Security Sprint Actions• Scan Networks for Indicators of Compromise• Patch Critical Vulnerabilities Without Delay• Tighten Policies and practices for Privileged Users• Implement Personal Identify Verification (PIV) Cards for

Network Access, Especially for Privileged Users• Identify High Value Assets and Review Corresponding

Security Protections

21

Why Should we Care About the Sprint Actions?

• These are high priority items for FSA and will likely be reviewed during future sites visits at your locations

• Best practices in your toolbox to help protect student information

• Help to safeguard against potential student information breaches

• Provides a baseline for implementing critical security controls

22

Network Scans/Configuration• Perform scans on a frequent basis to detect

vulnerabilities and to maintain good situational awareness• Use Authenticated Scans whenever possible• Categorized and remediate identified vulnerabilities ASAP• Create Plan of Action and Milestones (POA&Ms) to track

vulnerabilities that cannot be remediated in the near term• Use a risk based method for POA&M management, with

emphasis on remediating high and medium risk vulnerabilities

• Use a server configuration standard such as Center for Information Security (CIS) or DISA Security Technical Information Guidelines (STIGS)

23

Patch Management

• Apply critical patches for vulnerabilities without delay, the vast majority of cyber incidents exploit well known vulnerabilities that are easy to remediate

• Evaluate, test and apply other patches within reasonable timeframes (Waiting more than 30 days maybe too long)

• Automate and push patches to users so they do not have to perform patch management functions

• Don’t forget third party products such as Adobe, these should be automated and patched in a timely manner

• Plan for assets and operating system end-of-life (e.g. Windows XP)

24

Security Policies

• Implement policies consistent with emerging technologies such as disablement and wiping data from lost or stolen mobile devices

• Limit functions that can be performed when using privileged accounts

• Minimize the number of privileged users and limit the privileged functions that can be performed remotely

• Log privileged users activities and review logs on a regular basis

• Encrypt data at rest and in transit using strong encryption

25

Multi Factor Authentication• Implement Personal Identify Verification (PIV-I) Cards for

network access, especially for privileged users• Intruders can easily steal or guess usernames and

passwords and use them to gain access to your networks and stored information

26

Hardware/Software Asset Mgt

• Inventory, track and monitor hardware and software assets

• Investigate unusual activity levels or unknown hardware connection to your networks

• Identify high value assets and review corresponding security protections

• Consider isolating high value assets in network enclaves or use network segmentation to reduce risk to these assets

27

Privileged User Definition

• A Privileged User is defined as a user of an Information System with more authority and access than a general user.

• Example: users with root access, Database Administrators, Application Administrators, Network Administrator, System Administrator, Information Assurance Manager/Information Assurance Officer.

Resources: Helpful Information• Department of Homeland Security Handbook for Safeguarding Sensitive Personally

Identifiable Information• http://www.dhs.gov/sites/default/files/publications/privacy/Guidance/handb

ookforsafeguardingsensitivePII_march_2012_webversion.pdf• Cyber Resiliency Reviews

• https://www.us-cert.gov/ccubedvp/self-servicecrr• Critical Infrastructure Cyber Community Voluntary Program

• https://www.uscert.gov/ccubedvp• Cybersecurity Information Sharing and Collaboration Program

• https://www.uscert.gov/sites/default/files/c3vp/CISCP_20140523.pdf• GEN-15-18: Protecting Student Information

• http://www.ifap.ed.gov/dpcletters/attachments/GEN1518.pdf• NIST National Vulnerability Database & National Checklist Program

• https://nvd.nist.gov• https://web.nvd.nist.gov/view/ncp/repository

28

29

Questions

Ombudsman GroupSummary of Activities – FY 2015

November 4, 2015NCHER Knowledge Symposium

Customer ExperienceU.S. Department of Education

Highlights of FY 2015

31

• Received total of 38,008 contacts

• Implemented new case management system• Improves tracking of pending actions & data analytics

• New customer survey uses ACSI Index• Conducted via email following case closure

NCHER Knowledge Symposium – November 2015

FY 2015 Contact Volumes

32

• Top 5 Overall:• FSA Assistance – 5645• Account Balance – 3863• Loan Cancellation/Discharge – 3128• Repayment Plans/Amounts – 2780• Default -- 2309

• Other of note: Consolidation – influenced by prevalence of 3rd party debt relief

NCHER Knowledge Symposium – November 2015

FY 2015 Case Outcomes

33

• Outcomes vary significantly between General Assistance and Research• General Assistance cases most frequently are initial

inquiries with referral to another party • Research cases have more variable results as we facilitate

options for resolution

NCHER Knowledge Symposium – November 2015

Action Confirmation Information Referral Other Total

Research 27.3% 35.2% 19.5% 10.2% 7.7% 5,997General Assistance 0.5% 0.8% 5.1% 80.9% 12.7% 27,503

34

More on Case Outcomes

• The Ombudsman Group provided confirmation on 54% of Account Balance complaints

• Hosted four conference calls with student loan borrower interest groups

• Implemented a new customer survey using American Customer Satisfaction Institute (ACSI) methodology (September)

NCHER Knowledge Symposium – November 2014

35

Thank you!

Joyce DeMoss, Ombudsman Joyce.DeMoss@ed.gov 202-377-3992

Questions?

NCHER Knowledge Symposium – November 2014