I am volunteering development time to a local non-profit in my home town by advising a group of high school computer science students as they develop a website for the organization. The non-profit grants student loans with 0% interest to help local students pay for college. The first milestone is a simple static site, which is going very well. The second step is to create the typical user/admin login paradigm where students can submit applications and admins of the org can process those applications.
Question:
The application that a student would submit will include information from (or a copy of) the FAFSA [1]. Obviously, the information contained in the FAFSA is very sensitive and needs to be protected appropriately. Is anyone aware of any specific regulations which specify how to protect FAFSA data? I was thinking something like PCI compliance for CC info, HIPAA for health information, etc. I am not familiar with the educational space and was wondering if someone might point me in the right direction.
At a minimum, I was planning to use a robust TLS configuration with PFS to protect the uploaded FAFSA data (likely in PDF format or similar) in transit and a private S3 bucket with SSE [2] to store the data at rest. Then, once the information is no longer needed it could also be deleted so that the data doesn't persist unnecessarily (likely, several months to a year or more).
Any pointers to related regulations? Any other suggestions on the technical approach/solution?
Any and all advice is appreciated!
[1]: https://en.wikipedia.org/wiki/FAFSA
[2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
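
Added example, not part of the original post: one way to check the S3 side of the plan described above (private bucket, SSE at rest, TLS-only access, expiry once the data is no longer needed) is to audit the bucket's configuration. The function name, the 365-day window and the sample configurations are assumptions constructed for illustration; the inputs are shaped like the boto3 S3 responses named in the docstring, so the script runs offline.

```python
import json

MAX_RETENTION_DAYS = 365  # assumption based on the post's "a year or more" estimate
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(pab, enc, lifecycle, policy_json):
    """Return findings for one bucket; an empty list means all four controls are set.

    Inputs are shaped like the boto3 S3 responses of get_public_access_block,
    get_bucket_encryption, get_bucket_lifecycle_configuration and the 'Policy'
    string of get_bucket_policy.
    """
    findings = []
    # 1. Private bucket: every public-access-block flag must be true.
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    findings += [f"public access: {f} is off" for f in PAB_FLAGS if not cfg.get(f)]
    # 2. At rest: a default SSE rule (SSE-S3 or SSE-KMS) must exist.
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append("encryption: no default SSE rule")
    # 3. Retention: an enabled rule must expire objects within the window.
    #    (Rule filters/prefixes are not evaluated in this sketch.)
    if not any(r.get("Status") == "Enabled"
               and 0 < r.get("Expiration", {}).get("Days", 0) <= MAX_RETENTION_DAYS
               for r in lifecycle.get("Rules", [])):
        findings.append("retention: no enabled expiration rule within window")
    # 4. In transit: the policy must deny requests made without TLS.
    stmts = json.loads(policy_json or "{}").get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    if not any(s.get("Effect") == "Deny" and s.get("Principal") in ("*", {"AWS": "*"})
               and str(s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")).lower() == "false"
               for s in stmts):
        findings.append("transport: no Deny on aws:SecureTransport=false")
    return findings

# Constructed sample configurations (not taken from a real account).
HARDENED = (
    {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},
    {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    {"Rules": [{"ID": "expire-applications", "Status": "Enabled",
                "Filter": {"Prefix": ""}, "Expiration": {"Days": 365}}]},
    json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
)
WEAK = ({}, {}, {"Rules": []}, None)  # nothing configured

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_bucket(*cfg))
```

This covers only the bucket; the TLS configuration of the website that receives the upload has to be checked separately.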