SA-10

• Developer Configuration Management

• Developer Testing and Evaluation

• Developer Testing and Evaluation | Static Code Analysis

• Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses

• Development Process, Standards, and Tools

• Development Process, Standards, and Tools | Criticality Analysis

• Developer-provided Training

• Developer Security and Privacy Architecture and Design

• Developer Screening

• Unsupported System Components

SC-1

• Process Isolation

• System Time Synchronization

• System Time Synchronization | Synchronization with Authoritative Time Source

• Boundary Protection | Deny by Default — Allow by Exception

• Boundary Protection | Split Tunneling for Remote Devices

• Boundary Protection | Route Traffic to Authenticated Proxy Servers

• Boundary Protection | Prevent Exfiltration

• Boundary Protection | Host-based Protection

• Boundary Protection | Fail Secure

• Boundary Protection | Dynamic Isolation and Segregation

• Boundary Protection | Isolation of System Components

• Transmission Confidentiality and Integrity

• Transmission Confidentiality and Integrity | Cryptographic Protection

• Network Disconnect

• Cryptographic Key Establishment and Management

• Cryptographic Key Establishment and Management | Availability

• Cryptographic Protection

• Collaborative Computing Devices and Applications

• Public Key Infrastructure Certificates

• Mobile Code

• Secure Name/address Resolution Service (authoritative Source)

• Secure Name/address Resolution Service (recursive or Caching Resolver)

• Architecture and Provisioning for Name/address Resolution Service

• Session Authenticity

• Fail in Known State

• Protection of Information at Rest

• Protection of Information at Rest | Cryptographic Protection

• Policy and Procedures

• Separation of System and User Functionality

• Security Function Isolation

• Information in Shared System Resources

• Denial-of-service Protection

• Boundary Protection

• Boundary Protection | Access Points

• Boundary Protection | External Telecommunications Services

SI-1

• Security Alerts, Advisories, and Directives

• Security Alerts, Advisories, and Directives | Automated Alerts and Advisories

• Security and Privacy Function Verification

• Software, Firmware, and Information Integrity

• Software, Firmware, and Information Integrity | Integrity Checks

• Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations

• Software, Firmware, and Information Integrity | Automated Response to Integrity Violations

• Software, Firmware, and Information Integrity | Integration of Detection and Response

• Software, Firmware, and Information Integrity | Code Authentication

• Spam Protection

• Spam Protection | Automatic Updates

• Information Input Validation

• Error Handling

• Information Management and Retention

• Memory Protection

• Policy and Procedures

• Flaw Remediation

• Flaw Remediation | Automated Flaw Remediation Status

• Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions

• Malicious Code Protection

• System Monitoring

• System Monitoring | System-wide Intrusion Detection System

• System Monitoring | Automated Tools and Mechanisms for Real-time Analysis

• System Monitoring | Inbound and Outbound Communications Traffic

• System Monitoring | System-generated Alerts

• System Monitoring | Visibility of Encrypted Communications

• System Monitoring | Analyze Communications Traffic Anomalies

• System Monitoring | Automated Organization-generated Alerts

• System Monitoring | Wireless Intrusion Detection

• System Monitoring | Correlate Monitoring Information

• System Monitoring | Analyze Traffic and Covert Exfiltration

• System Monitoring | Risk for Individuals

• System Monitoring | Privileged Users

• System Monitoring | Unauthorized Network Services

• System Monitoring | Host-based Devices

SR-1

• Component Authenticity

• Component Authenticity | Anti-counterfeit Training

• Component Authenticity | Configuration Control for Component Service and Repair

• Component Disposal

• Policy and Procedures

• Supply Chain Risk Management Plan

• Supply Chain Risk Management Plan | Establish SCRM Team

• Supply Chain Controls and Processes

• Acquisition Strategies, Tools, and Methods

• Supplier Assessments and Reviews

• Notification Agreements

• Tamper Resistance and Detection

• Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle

• Inspection of Systems or Components

Procedures and contract terms to ensure third-party vendors comply with FERPA regulations when accessing student data.

• Organizational Contract

  Contracts with vendors who handle student data must specify FERPA compliance requirements to ensure the protection of student privacy.

Designated individual responsible for overseeing the institution’s FERPA compliance program.

• Organizational Role

  Designated role responsible for overseeing FERPA compliance and ensuring all organizational processes meet FERPA requirements.

Technology and procedures for logging and reviewing access to student records to monitor compliance with FERPA.

• Operational Technology

  Technology and procedures for maintaining and reviewing logs of access to student records.

Organizational plan for responding to data breaches involving FERPA-protected student data, including notifications.

• Organizational Plan

  Plan for responding to data breaches affecting FERPA-protected information, including containment, notification, and resolution procedures.

Regular audits to assess compliance with FERPA policies and procedures, identifying gaps and ensuring corrective actions.

• Compliance Audit

  Audits to assess FERPA compliance across organizational processes and policies.

Documentation and tracking of all FERPA training activities and employee participation to ensure compliance.

• Organizational Document

  Documentation of all FERPA training sessions and employee participation records.

Procedures to ensure proper tracking and documentation of consent forms for FERPA disclosures.

• Operational Process

  Procedures for tracking signed consent forms authorizing disclosure of FERPA-protected information.

Procedures for managing legal requests for student records, including subpoenas and court orders, under FERPA.

• Legal Procedure

  Procedures for managing legal requests for student records.

Procedures for handling complaints or investigations of FERPA violations.

• Legal Procedure

  Procedures for managing complaints or investigations related to FERPA violations.

Procedures and technologies to manage and limit access to student data based on roles and responsibilities.

• Operational Procedure

  Procedures to ensure only authorized users access student records.

Policy and procedures for retaining and disposing of student records as required by FERPA and other regulations.

• Operational Policy

  Policy defining the retention period for student records and the secure disposal of records after the retention period.

Measures to protect FERPA-protected data from unauthorized access or breaches through encryption, authentication, and monitoring.

• Operational Procedure

  Security measures to protect FERPA-protected data from unauthorized access or breaches.

Standardized forms to obtain consent from students or guardians for sharing personal information.

• Operational Form

  Standardized form to obtain consent from students or guardians for information sharing.

Policy governing the disclosure of student directory information and the process for opting out of such disclosures.

• Operational Policy

  Policy defining what constitutes directory information and how it is shared, with an opt-out process.

A policy to identify, assess, and mitigate risks to FERPA-protected data and ensure data protection across the institution.

• Organizational Policy

  A policy to systematically identify, assess, and mitigate risks to FERPA-regulated student information.

Training program to educate staff on FERPA compliance and best practices for protecting student records.

• Organizational Training

  Regular training program to educate staff on FERPA requirements and best practices.

Procedures for securely handling, storing, and managing student records to comply with FERPA.

• Operational Process

  Procedures for securely handling, storing, and managing student records.