Designation of Authorizing Official

Current Designee:

If you as the President or CEO wish to designate someone other than yourself to sign SAIG enrollment applications, you may do so by completing the designation statement below and signing Box 1. Have your designee complete and sign Box 2.

I hereby designate with the title , to be my

(Name of New Designee - Required) (Position Title of New Designee - Required)

responsible authorizing official for all future Federal Student Aid System enrollment applications. All related responsibilities of the President/ CEO shall be carried out by this designee. As President/CEO, I agree to assume the responsibility on behalf of the organization for such actions associated with this and future enrollment agreements. This designation is effective as of the date signed below.

Note: Authorized Official name and signature must match information on file with ED.

Responsibilities of the President/CEO or Designee

As the President/CEO or Designee, I certify that:

• I or my designee will notify CPS/SAIG Technical Support within one business day, by e-mail at [email protected] or call
  1-800-330-5947 when any person designated as a designated authorizing official, Primary DPA, or Non-Primary DPA is no longer authorized to perform that role by the institution or organization. (For more information, refer to the SAIG Enrollment Form for roles/ responsibilities of the primary and non-primary DPA).

• My organization will not permit unauthorized use or sharing of SAIG passwords or codes that have been issued to anyone at my organization and will take immediate action to remedy any such unauthorized use or sharing that is identified.

• Each person who is a SAIG DPA for my organization has read and signed a copy of “Step Three: Responsibilities of the Primary and Non-Primary Destination Point Administrator.”

• Each person who is a SAIG DPA for my organization has a copy of the signed Step Three document for his or her own files and a copy is maintained at my organization.

• My organization has provided for the security and confidentiality of student information, protected against any anticipated threats or hazards to the security or integrity of such information; and protected against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student (16 C.F.R. 314.3(b)). My organization further verifies that administrative, operational, and technical security controls are in place and are operating as intended pursuant to the Federal Trade Commission’s (FTC) Final Rule on Standards for Safeguarding Customer Information (i.e., the Safeguards Rule). Additionally, my organization verifies that it has performed appropriate due diligence to ensure that, at a minimum, any employee who has access to Federal Student Aid (FSA) ISIR data, including FTI, meets applicable federal and state security requirements for personnel handling controlled unclassified information (CUI) and sensitive personally identifiable information (SPII), including but not limited to meeting the requirements under 26 U.S.C. §6103(l)(13) and 20 U.S.C.§1098h.

• I have ensured my organization has implemented steps to meet the standards for protecting federal tax information (FTI) in accordance the 26 U.S.C. §6103 and pursuant to 20 U.S.C.§1090 . I further acknowledge that violations of 26 U.S.C. §6103 may lead to criminal and/or civil penalties pursuant to 26 U.S.C. 7213; 7213A; and §7431. Additionally, I further acknowledge that a taxpayer may bring civil action for damages against an officer or employee who has inspected or disclosed, knowingly or by reason of negligence, such taxpayer's tax return or return information in violation of any provision of IRC §6103.

• I understand the Secretary may consider any unauthorized disclosure or breach of student records and student applicant information as a demonstration of a potential lack of administrative capability on the part of an institution of higher education under 34 C.F.R. § 668.16. I further understand that in the event of an unauthorized disclosure or breach of student applicant information or other sensitive information (such as personally identifiable information), the DPA or the Qualified Individual identified under 16 C.F.R. Part 314 must notify Federal Student Aid at [email protected] within 24 hours after the incident is known or identified. I am responsible for ensuring that any unauthorized disclosure or breach of student applicant information or other sensitive information (such as personally identifiable information) is reported to Federal Student Aid as required.

• I have ensured that the Standards for Safeguarding Customer Information (as the term customer information applies to my institution – See Glossary of SAIG Enrollment Form), 16 C.F.R. Part 314, issued by the Federal Trade Commission (FTC), as required by the Gramm-Leach-Bliley (GLB) Act, P.L. 106-102 have been implemented and understand that these Standards provide, among other things, that I implement the following and I understand that failure to implement the requirements of the GLB Act may be considered a lack of administrative capability under 34 C.F.R. § 668.16 by the Secretary. I further acknowledge that my responsibility to safeguard customer information extends beyond Title Ⅳ, HEA program recipients:

• Develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts that meets the requirements for an information security program in 16 C.F.R. Part 314.

• Designate a qualified individual responsible for overseeing an implementing my institution’s information security program and enforcing my institution’s information security program in compliance with 16 C.F.R. 314.4(a).

• Base my institution’s information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to my institution – See Glossary) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks as required under 16 C.F.R. 314.4(b).

• Design and implement safeguards to control the risks my institution identifies through risk assessment that meet the requirements of 16 C.F.R. 314.4(c)(1) through (8).

• Regularly test or otherwise monitor the effectiveness of the safeguards my institution has implemented that meet the requirements of 16 C.F.R. 314.4(d).

• Implement policies and procedures to ensure that personnel are able to enact my institution’s information security program and meet the requirements of 16 C.F.R. 314.4(e)(1) through (4).

• Oversee my institution’s service providers (See Glossary) by meeting the requirements of 16 C.F.R. 314.4(f)(1) through (3).

• Evaluate and adjust my institution’s information security program in light of the results of the required testing and monitoring required by 16 C.F.R. 314.4(d); any material changes to my institution’s operations or business arrangements; the results of the required risk assessments under 16 C.F.R. 314.4(b)(2); or any other circumstances that I know or have reason to know may have a material impact on my institution’s information security program as required by 16 C.F.R. 314.4(g).

• Establish an incident response plan that meets the requirements of 16 C.F.R. 314.4(h).

• Require my institution’s Qualified Individual to report regularly and least annually to those with control over my institution on my institution’s information security program as required by 16 C.F.R. 314.4(i).

By Signing below, I, the Designee, have read the foregoing responsibilities and agree to abide by them including the rules and responsibilities outlined in the SAIG Enrollment Form for my organization. I further understand that I must submit this designation form with signatures to the Department and I have retained a copy of this certification at the organization.

Office Use Only

Customer Number_________________________________________________________________

TG Number______________________________________________________________________