Two Factor Authentication & PII Security Updates

1. Two Factor Authentication & PII Security Updates June 20th, 2012 Steven Burke

2. Two-Factor Authentication – Overview To comply with the White House through the United States Office of Management and Budget (OMB) mandate, Memorandum M07-16 attachment 1, and as part of our ongoing efforts to ensure the security of Federal Student Aid data systems, the U.S. Department of Education, is required to implement a security protocol through which all authorized users will enter two forms of “authentication” to access Federal Student Aid systems via the Internet. This process is referred to as Two Factor Authentication (TFA).

3. Scope: Two-Factor Authentication • Provide safe and secure access to FSA network services • Primary systems impacted across the enterprise • NLSDS, CPS, COD, AIMS, PM, FMS and SAIG • This project encompasses approximately 96K users • FSA employees, Dept. of ED employees • Partners • Postsecondary Schools Destination Point Administrators (DPA) • Guaranty Agencies • Servicers/PCA’s/NFPs • Call Centers • Developers/Contractors and Sub-Contractors • TFA project is focused on privileged users • A privileged user is anyone who can see more than just their own personal data

4. What is Two-Factor Authentication? • Something that you know is the First Factor: • User ID and Password • Something that you have is the Second Factor:Token with a One Time Password • The One Time Password (OTP) will be generated by a small electronic device, known as the TFA Token, that is in the physical possession of the user • To generate the OTP, a user will press the • “power” button on the front of the token • A different OTP will be generated each time the • button is pressed • Alternative Methods of obtaining OTP without TFA Token: • A) Answer 3 Challenge Questions online • B) Have the OTP sent to your Smart Phone

5. Two - Factor Authentication Key Deliverables: • Phase 1 To ensure the successful deployment of two-factor tokens for FSA – Citrix users 1,300 completed 5/1/2011 • Phase 2 To ensure the successful deployment of two-factor tokens for Dept. of ED Staff, approximately 5,200 users. As of 7/1/2011, FSA Contractors have been added for TFA. In production as of 10/28/2011 • Phase 3 International users, Foreign Schools (FS) and Domestic Schools, when logging into FSA systems across 35 countries completed12/31/2011 Domestic users, to ensure the successful deployment of two-factor tokens for users when logging into FSA systems: 88,600 users by12/31/2012 • Phase 4 Guaranty Agencies, TIVAS, Third Party Servicers, Not-for-Profits, Payment Collection Agencies (PCA), and VPN users connecting through VDC

6. Two - Factor Authentication Project Status • Total TFA Tokens Deployed: 32,176 to 35 Countries • Tokens Deployed to Phase III & IV for Partners: 25,594 • System Update: 90% Complete • NSLDS moved behind AIMS, completed on 12/18/11 • COD TFA enabled on 1/28/12 • SAIG Enrollment TFA enabled 2/12/12 • EDconnect TFA enabled 3/4/12

7. TFA -Token Deployment Forecast As of 6/20/2012

8. Two-Factor Authentication - Attestation/Confirmation Process Action Items: • For each school, the PDPA and COD Security Administrator need to work together to ensure all users have been identified and receive tokens. • Step 1: Confirmation/Attestation • Confirm/Attest to the individuals (unique users) at your school who are authorized users of one or more of the identified Federal Student Aid systems. This confirmation will only be used to determine the TOTAL NUMBER of tokens you will receive. • Identify any Third Party Servicer(s) supporting your school. • Confirm the physical street address to which tokens should be shipped, and provide a telephone number where we can contact you. NOTE: We cannot ship to PO Boxes. • Step 2: Federal Student Aid Ships Tokens to School • The tokens will be sent to the attention of the PDPA via UPS • Step 3: Token Receipt, Distribution, and Registration • After the tokens are shipped, FSA will send a follow-on e-mail with more information about token distribution and registration. • The tokens are to be registered within7days of receipt.

9. Two - Authentication - Frequently Asked Questions Will I be locked out of FSA systems if I don’t have a token? Once your school has been TFA enabled (locked) a token will be required to access FSA systems. The TFA Deployment Schedule identifies the scheduled lock dates by state. Tokens are distributed through the Primary Destination Point Administrator (PDPA) at each institution. If you have not received your token please contact your PDPA. I received more tokens than I have authorized users. What do I do with the extra tokens? Each token shipment will include at least one (1) extra TFA token, for use as a replacement for a lost or broken token, or for issue to a new authorized user. The PDPA should secure and safeguard the extra tokens for use in these situations. I need more tokens. How do I get them? For additional tokens please send an email to [TFA_Communications@ed.gov] with the following information: (We can only send tokens to the Primary DPA.) • School Name and OPEID • Full Name and FSA User ID of the additional users • The name of the PDPA and the physical address where the tokens are to be shipped

10. Two - Factor Authentication - Frequently Asked Questions Do I need to provide tokens to my third party servicer? No, However please indicate the name and point of contact if you use a Third Party Servicer. Do I need a token to use EDconnect 8.1? I need to install and use EDconnect 8.1, but I don’t have my token yet. A TFA token is not required to use the EDconnect software until your school has been TFA enabled (locked). If you are an EDconnect /SAIG user and have not already done so, you will need to download and install version 8.1 of the EDconnect software. On Sunday, June 24, 2012 EDconnect 8.1 will be required to access EDconnect/SAIG. All previous versions of EDconnect will be disabled. (See SAIG Upgrade - System and Software Product Enhancements Available March 5, 2012 (Updated March 15, 2012)) On the EDconnect login screen, enter your TG number, including the letters “TG” (example: TG12345). In the Security Code field, enter the 6-digit code displayed on your TFA token, if you have one.

11. Employee Enterprise Business Collaboration (EEBC) Support Hours: Monday-Friday, 8 AM – 5 PM Phone: 1-866-441-6633 Email:eebcservicerequest@ed.gov eCampus-Based (eCB) Support Hours: Monday-Friday, 8 AM – 8 PM Phone: 1-877-801-7168 Email: cbfob@ed.gov Email: secarch@ed.gov Website: The eCampus-Based System (https://cbfisap.ed.gov/ecb/CBSWebApp/welcome.jsp) electronic Cohort Default Rate Appeals (eCDR Appeals) Mainly from the email request from FSA SSO Donna Bellflower (Donna.Bellflower@ed.gov) Email: secarch@ed.gov Website: eCDR Appeals System (https://ecdrappeals.ed.gov/ecdra/index.html) Support Contacts for External Customers(Postsecondary Schools and Financial Partners) TFA Questions : For general questions about TFA Email: TFA_Communications@ed.gov Central Processing System – Financial Aid Administrators (CPS-FAA) Student Aid Internet Gateway (SAIG) Phone: 1-800-330-5947 / TTY 1-800-511-5806 Email: CPSSAIG@ed.gov Website: FAA Access CPS Online (https://faaaccess.ed.gov/FOTWWebApp/faa/faa.jsp) National Student Loan Data System (NSLDS) Phone: 1-800-999-8219 Email:nslds@ed.gov Website: Common Origination and Disbursement (COD) Phone: COD School Relations Center 1-800-474-7268(for Grants) Phone: COD Direct Loans 1-800-848-0978 Email: CODSupport@acs-inc.com