

Ask HN: Laws to comply with when storing FAFSA data? - conorgil145

Background:

I am volunteering development time to a local non-profit in my home town by advising a group of high school computer science students as they develop a website for the organization. The non-profit grants student loans with 0% interest to help local students pay for college. The first milestone is a simple static site, which is going very well. The second step is to create the typical user/admin login paradigm where students can submit applications and admins of the org can process those applications.

Question:

The application that a student would submit will include information (or a copy of) the FAFSA [1]. Obviously, the information contained in the FAFSA is very sensitive and needs to be protected appropriately. Is anyone aware of any specific regulations which specify how to protect FAFSA data? I was thinking something like PCI compliance for CC info, HIPAA for health information, etc. I am not familiar with the educational space and was wondering if someone might point me in the right direction.

At a minimum, I was planning to use a robust TLS configuration with PFS to protect the uploaded FAFSA data (likely in PDF format or similar) in transit and a private S3 bucket with SSE [2] to store the data at rest. Then, once the information is no longer needed it could also be deleted so that the data doesn't persist unnecessarily (likely, several months to a year or more).

Any pointers to related regulations? Any other suggestions on the technical approach/solution?

Any and all advice is appreciated!

[1]: https://en.wikipedia.org/wiki/FAFSA
[2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
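The at-rest part of the approach described in the post (a private S3 bucket with server-side encryption, plus deletion once the data is no longer needed) can be expressed as infrastructure-as-code so that the students' deployment cannot drift away from it. The Terraform fragment below is an added example for this thread, not code from the poster or the non-profit. It assumes the AWS provider (v4 or later resource names), a placeholder bucket name, and a retention period of 365 days, which is an assumed value standing in for the "several months to a year or more" mentioned above. It adds three controls the post does not spell out: public access is blocked at the bucket level, objects are encrypted by default with a rotated KMS key instead of S3-managed keys, and a bucket policy refuses any request that is not made over TLS, so the in-transit requirement is enforced on the storage side as well as on the web server.

```hcl
# Bucket that receives uploaded FAFSA PDFs. Bucket name is a placeholder.
resource "aws_s3_bucket" "fafsa_uploads" {
  bucket = "example-nonprofit-fafsa-uploads"
}

# Refuse public ACLs and public bucket policies outright, regardless of
# what an application bug or a later console click tries to set.
resource "aws_s3_bucket_public_access_block" "fafsa_uploads" {
  bucket                  = aws_s3_bucket.fafsa_uploads.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Customer-managed KMS key with automatic annual rotation; access to the
# key is a second gate on top of bucket permissions.
resource "aws_kms_key" "fafsa" {
  description             = "Key for FAFSA application uploads (example)"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Default server-side encryption: every object written without an explicit
# encryption header is still encrypted with the key above.
resource "aws_s3_bucket_server_side_encryption_configuration" "fafsa_uploads" {
  bucket = aws_s3_bucket.fafsa_uploads.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.fafsa.arn
    }
    bucket_key_enabled = true
  }
}

# Versioning protects against accidental overwrite/deletion while an
# application is still being processed; old versions are expired below.
resource "aws_s3_bucket_versioning" "fafsa_uploads" {
  bucket = aws_s3_bucket.fafsa_uploads.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Retention: delete applications after the assumed 365-day period and purge
# superseded versions 30 days after they become non-current.
resource "aws_s3_bucket_lifecycle_configuration" "fafsa_uploads" {
  bucket     = aws_s3_bucket.fafsa_uploads.id
  depends_on = [aws_s3_bucket_versioning.fafsa_uploads]

  rule {
    id     = "expire-fafsa-applications"
    status = "Enabled"
    filter {
      prefix = "applications/"   # assumed key prefix for uploaded applications
    }
    expiration {
      days = 365                 # assumed retention period
    }
    noncurrent_version_expiration {
      noncurrent_days = 30
    }
  }
}

# Deny every request that does not arrive over TLS, for all principals.
data "aws_iam_policy_document" "fafsa_uploads" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    resources = [
      aws_s3_bucket.fafsa_uploads.arn,
      "${aws_s3_bucket.fafsa_uploads.arn}/*",
    ]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "fafsa_uploads" {
  bucket = aws_s3_bucket.fafsa_uploads.id
  policy = data.aws_iam_policy_document.fafsa_uploads.json
}
```

Two things to check after `terraform apply`: that the web application's IAM role is the only principal granted `s3:GetObject`/`s3:PutObject` on the bucket and `kms:Decrypt`/`kms:GenerateDataKey` on the key (grant those in the role policy, not in this bucket policy), and that the lifecycle rule's prefix matches the key layout the upload handler actually uses, otherwise nothing will ever be expired and the retention promise in the post goes unmet.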
======
anigbrowl
Read up on FIPS, Federal Information Processing Standards. They're a sort of
baseline for everything else in this space.

