Finding Text
CFDA Number: Various – SFA Cluster
Criteria: Per 16 CFR 314.4(c)(5), the College is required to implement multi-factor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Per the FSA Electronic Announcement GENERAL-23-09, institutions were required to implement this rule by June 9, 2023.
Condition: The College did not fully implement multi-factor authentication by June 9, 2023, which was the effective deadline.
Cause: The College is currently still in the process of implementing multi-factor authentication on the WIReD system.
Effect: The College is not in compliance with the requirement set by the Safeguards Rule under the Gramm-Leach-Bliley Act.
Prevalence: Implementing multi-factor authentication proved to be more complicated and time-consuming for the student information system WIReD. Multi-factor authentication or equivalent access controls are in place for all other systems containing student information, and all other elements of the Safeguards Rule appear to be in place as required.
Recommendation: The College should implement multi-factor authentication for all systems as soon as possible and reference MFA in the written Information Security Program. The College should also enhance its training and procedures to ensure that any future adjustments to the Gramm-Leach-Bliley Act continue to be met in a timely manner.
Management’s Response and Planned Corrective Action: Management acknowledged that implementation of multi-factor authentication for the WIReD system has taken more time due to the complexity of the systems in place. The multi-factor authentication on the WIReD system was implemented and went into effect on March 26, 2024.