Student aid office banks on trust

Student aid office banks on trust

Boots oversees protections for a system that delivers $50 billion a year

By Richard W. Walker

GCN Staff

Around the Education Department's Office of Student Financial Assistance, it's known as 'the hairball.'

It's a flow chart of the department's student financial aid system. It depicts a dense tangle of routes and destinations.

'Jay Leno once used it in his monologue,' said Andrew Boots, champion for information privacy and security for OSFA. 'He said, 'Look at this. Believe it or not, this is the simplified view of a federal agency program.' '


"Holding on to people's information is really an awesome responsibility." ' Andrew Boots


But it's no joke.

'It is enormously complicated, but we're talking about a program that delivers $50 billion a year,' he said. 'So not only does it need to be complicated because there are all these different ways we do it, but it also needs to be complicated to make sure we've got the right controls to prevent fraud as best as we can.'

OSFA facilitates loans to students at 6,000 institutions, from Harvard University to Tony's Trucking Academy. In all, the agency deals with about 30 million people: applicants, current borrowers and borrowers who have finished school and are repaying their loans.

Under a three-year network modernization plan, OSFA wants to let those 30 million customers review their records via the Web.

Boots' job is to make sure that technicians follow proper security and privacy policies as they revamp the automated system that supports the student aid process.

'The vision is for a more Web-based, commercial, off-the-shelf system for more commercial practices,' he said. He's planning 'for people to do the entire process in a paperless way.'

OSFA saves $38 for every application that's submitted online.

'And when you're getting 10 million applications a year, saving $38 a pop really pays off,' Boots said. 'In terms of lowering unit cost, the more money we save, the more money we've got to help kids.'

Students can file applications online, but they can't sign them. They have to print the signature page, sign it and mail it to OSFA.

Once student information is in the system, it moves over leased lines. That's about to change.

'We've got about 15,000 places where we move lots and lots of data about loans and students, particularly at the application stage, when we may move 50G or 60G of data a day,' Boots said. 'When we start moving things over the Internet, the risk that the pathways will get clogged goes down, but the risk of losing data goes up a little bit.'

The volume and sensitive nature of the information creates formidable hurdles to the system's security and privacy.

'We get information from about 10 million strangers a year,' Boots said. 'Holding on to people's information is really an awesome responsibility.'

Applicants for student loans must submit detailed information about personal and family income, assets, home ownership and similar data.

'Many, if not all, Americans would view information about their income and assets as pretty sensitive stuff,' he said. 'They have to give it to us to apply for aid, and we have to protect it.'

OSFA's biggest security challenge will be in providing remote access via the Web to the system's data center in Meriden, Conn.

Planning strategy

The modernization plan calls for a combined Internet, extranet and intranet strategy, eliminating the landscape of stovepipes in the current system.

Under the plan, applicants and borrowers will use a Web browser, personal identification numbers and passwords to access information protected by Secure Sockets Layer encryption.

Contractors, employees and auditors will access data via an intranet using token-based digital certificates.

An extranet will support batch file transfers to 15,000 destination points, including schools, state agencies and guarantee agencies, using a virtual private network and digital certificates.

Eventually, Boots said, 'We're probably going to be issuing smart cards and encryption tokens to everybody who has access and begin to do a much better job of tracking what they do and when they do it.'

Boots wasn't always a security sage. When he was a systems technician at the Justice Department from 1983 to 1997 he dismissed computer security as a nuisance.

'I was an operations guy,' Boots said. 'My job was to get people computers so they could do stuff. I viewed security as annoying. Yeah, we had to have good security, and Justice was very serious about it. But I wasn't an enthusiast, I wasn't a specialist and I certainly wasn't an expert.'

His transformation into a security and privacy specialist began at Vice President Gore's National Partnership for Reinventing Government, where he arrived in 1997 with a bad case of burnout after 13 years in the systems trenches at Justice.

In a sense, Boots reinvented himself at NPR.

'People told me NPR would be a great place to work, but nobody told me I was going to be inspired,' he said.

At NPR, computer security was integral to Gore's Access America plan for online government.

'The vice president's idea is that we want to give the American people an opportunity to get government services without standing in line, going from office to office or filling out paper forms,' Boots said. 'In order to realize that vision, we have to promise security and privacy, or people aren't going to do it. They'll say, 'I'll do the paper, thank you very much.''

Boots, an information systems design graduate of Georgia Tech, enjoyed the cerebral world of NPR. 'It was very abstract,' he said. 'I got into that.'

Hitting the road

Early last year, Greg Woods, OSFA's chief operating officer and former deputy director for information technology, customer service and regulatory reform at NPR, offered Boots the security champion's job at OSFA.

Boots balked at the offer.

'My initial reaction was, why would I want to do that? I'm just having a wonderful time,' he said.

But when he realized that working with the student financial aid system would give him a chance to turn the ideas he developed at NPR into reality''the place where the rubber really meets the road''he was on his way to the Education Department.

These days, after about a year on the job, Boots spends part of his time on low-tech bureaucratic obligations such as paper-pushing and memo writing and part of his time on high-tech matters such as meeting vendors and keeping up with the latest security technology.

But most of his time is focused on 'the sweet spot in the middle'cheerleading and telling everybody we can do it,' he said.

Right now, Boots and OSFA are bracing for big challenges ahead.

'We're facing this tsunami of college-age students. The baby boom echo is coming. We're going to have more and more and more people wanting to get financial aid, and this is an organization that has to get ready for that,' he said.

But that's no cause for anxiety'Boots loves what he does.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above