What FERPA is
FERPA is the Family Educational Rights and Privacy Act, the federal law that protects the privacy of student education records. It lives in the United States Code at 20 U.S.C. § 1232g and is implemented through regulations at 34 CFR Part 99. It is administered by the U.S. Department of Education — specifically the Student Privacy Policy Office, which publishes much of its practical guidance through the Privacy Technical Assistance Center (PTAC).
It helps to be clear about what kind of law this is. FERPA is a privacy law, not a security checklist. Unlike the prescriptive security regimes some organizations face, it does not enumerate a list of required technical controls. There is no FERPA mandate to deploy a particular product, no required encryption standard, and no statutory breach-notification clock. What FERPA does is govern who may see and who may share the personally identifiable information (PII) in a student's education records. That distinction shapes everything else on this page: the work is mostly about controlling access and disclosure, and only then about the technical means you use to do it.
Who has to comply, and the rights it creates
FERPA applies to educational agencies and institutions that receive funds under a program administered by the U.S. Department of Education. In practice that reaches essentially every public K-12 district and most colleges and universities. Many private K-12 schools do not receive those funds and are not directly bound, though plenty follow FERPA-style practices by choice or under state student-privacy law. If your district takes federal education money, assume you are in scope.
The rights FERPA creates belong to parents while a student is a minor, and they transfer to the student — an “eligible student” — once the student turns 18 or enrolls in a postsecondary institution. Those parties have the right to inspect and review the student's education records, to request amendment of records they believe are inaccurate or misleading, and to control the disclosure of PII from those records. As a general rule, a school needs written consent before it discloses PII from education records, subject to a set of exceptions the regulations spell out. Getting consent and disclosure right is the core of FERPA compliance.
What FERPA expects for data security
This is where many schools over-read the law. FERPA does not prescribe specific technical controls. The U.S. Department of Education says so plainly: FERPA “does not require educational institutions to adopt specific security controls.” There is also no FERPA breach-notification requirement — the law does not obligate a school to notify parents, students, or the Department when records are exposed, though the Department treats notification as a best practice.
What FERPA does require is captured in one phrase that runs through the regulations: reasonable methods. A school must use reasonable methods to ensure that school officials “obtain access to only those education records in which they have legitimate educational interests,” and to authenticate the identity of the parties to whom it discloses PII. The Department's PTAC guidance frames the security side as applying “appropriate technical, physical, and administrative safeguards” to protect PII. So security under FERPA is a means to an end: you control access and disclosure, and you choose the safeguards that reasonably accomplish that. And note the flip side — because a breach can be an unauthorized disclosure, a data breach can still implicate FERPA even though the law sets no notice clock.
A FERPA compliance checklist
Here is a scannable FERPA compliance checklist a district can self-assess against. Each line is a reasonable method that supports FERPA's access-control and disclosure obligations — not a fixed federal control requirement.
- Access to education records follows least privilege, and that access is reviewed periodically.
- The student information system and any records store use authentication strong enough to limit access to authorized staff.
- A written data-sharing agreement is in place with every vendor that touches education records.
- The annual FERPA notification reaches parents and eligible students, stating their rights and the school's disclosure practices.
- A record of disclosures is maintained, as the rule requires, including who received PII and why.
- Directory information, if used, is defined, and opt-outs are honored.
- Data retention and secure disposal are defined, so records are not kept or discarded carelessly.
- Staff are trained on what FERPA allows, what needs consent, and how to handle records requests.
- An incident response plan is ready, even though FERPA itself sets no breach-notification deadline.
- Backups of records systems exist and are restore-tested.
None of these lines is FERPA “requiring” a product. They are the practical ways a school demonstrates it is using reasonable methods to protect education records and to control who sees and shares them.
FERPA and edtech/IT vendors: the school-official exception
Schools share student data with outside parties all the time — the student information system vendor, the learning platform, the managed IT provider. FERPA permits that without separate parental consent under the “school official” exception at 34 CFR 99.31(a)(1). An outside party can be treated as a school official if it performs an institutional service or function the school would otherwise use employees for, is under the direct control of the school with respect to the use and maintenance of education records, and is subject to the rule's limits on using and re-disclosing PII. In plain terms: the vendor uses the data only for the authorized purpose, on the school's terms, and does not re-share it.
That is exactly how an MSP or an edtech provider fits FERPA. The mechanism that makes it work is a written data-sharing agreement — the contract that establishes the school's direct control, defines authorized use, restricts re-disclosure, and sets expectations for safeguards and for what happens if PII is ever lost. PTAC publishes written-agreement checklists for exactly this reason. If a vendor cannot or will not sign one, that is a signal worth taking seriously.
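The school-official test in the two paragraphs above, together with the checklist items on least privilege, directory-information opt-outs and the record of disclosures, can be written down as policy code. This is an added example for this page, not Micro-IT's or the Department's code; the roles, the per-official student list standing in for "legitimate educational interest", and logging every decision (more than the rule's minimum) are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Official:
    user_id: str
    role: str                       # "teacher", "counselor", "vendor", ...
    students: frozenset             # students this official has a legitimate educational interest in
    written_agreement: bool = True  # a vendor counts as a school official only under one

@dataclass(frozen=True)
class Record:
    student_id: str
    field_name: str
    directory_info: bool = False    # True only for designated directory information

@dataclass
class DisclosurePolicy:
    directory_opt_outs: set = field(default_factory=set)  # students who opted out
    consents: set = field(default_factory=set)            # (student_id, recipient_id) pairs with written consent
    log: list = field(default_factory=list)               # the record of disclosures: who, what, why

    def basis_for(self, who: Official, rec: Record) -> "str | None":
        """Return the basis that permits this disclosure, or None to deny it."""
        is_school_official = who.role != "vendor" or who.written_agreement
        if is_school_official and rec.student_id in who.students:
            return "school_official"        # legitimate educational interest, 99.31(a)(1)
        if rec.directory_info and rec.student_id not in self.directory_opt_outs:
            return "directory_information"  # opt-outs are honored
        if (rec.student_id, who.user_id) in self.consents:
            return "written_consent"
        return None                         # everything else needs consent first

    def disclose(self, who: Official, rec: Record, purpose: str) -> bool:
        basis = self.basis_for(who, rec)
        # Log every decision (denials too) so the district can show who received PII and why.
        self.log.append({"recipient": who.user_id, "student": rec.student_id,
                         "field": rec.field_name, "purpose": purpose, "basis": basis})
        return basis is not None

def demo() -> list:
    # Constructed sample data that exercises each branch of the policy.
    p = DisclosurePolicy(directory_opt_outs={"S2"}, consents={("S3", "tutor-7")})
    teacher = Official("t-1", "teacher", frozenset({"S1"}))
    sis = Official("sis-vendor", "vendor", frozenset({"S1", "S2"}))             # has a written agreement
    app = Official("app-x", "vendor", frozenset({"S1"}), written_agreement=False)
    tutor = Official("tutor-7", "tutor", frozenset())                           # no assigned students
    return [p.disclose(teacher, Record("S1", "grades"), "grading"),                 # True
            p.disclose(teacher, Record("S2", "grades"), "curiosity"),               # False
            p.disclose(sis, Record("S2", "schedule"), "rostering"),                 # True
            p.disclose(app, Record("S1", "grades"), "analytics"),                   # False
            p.disclose(tutor, Record("S2", "name", directory_info=True), "mailer"), # False: opt-out
            p.disclose(tutor, Record("S3", "grades"), "tutoring")]                  # True: consent
```

In a real deployment the `students` assignment would come from the SIS roster and the log would be written to tamper-evident storage, but the decision order stays the same.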
What an MSP owns, and what stays with the district
An MSP serving a FERPA-scoped district owns the technical work that makes the reasonable-methods standard real: the MFA deployment, the access controls and least-privilege design on the systems that hold education records, the encryption configuration, the segmented network, the logging and monitoring infrastructure, the patching cadence, the EDR, the SOC, the backups, and the security awareness platform. The MSP can also help maintain the evidence files and coordinate the written agreements with other vendors.
The district owns the parts the law places on the institution. Issuing the annual notification, deciding what counts as directory information, granting and revoking who has a legitimate educational interest, handling inspection and amendment requests, maintaining the record of disclosures, and signing the data-sharing agreements are the school's responsibilities. The MSP supplies the controls and the proof; the district owns the privacy program and the relationship with parents and the Department of Education.
How a Micro-IT engagement helps a district meet FERPA
A district on the Micro-IT managed stack gets the reasonable methods of FERPA deployed and documented — not because FERPA names these tools, but because they are how a school keeps education records seen and shared only by authorized parties. Managed Endpoint ($79/device) brings EDR, patching, and 24/7 SOC monitoring and logging of device activity. Managed Inbox ($20/mailbox) adds enforced MFA and anti-phishing on the staff accounts where student data moves. Managed Site ($149+/site) covers the segmented, monitored network and encryption in transit. On top of that: encryption at rest, immutable backups that are restore-tested, least-privilege access on the student information system, vendor coordination around written agreements, and security awareness training.
That gives a district a defensible answer to the reasonable-methods and access-control questions, with evidence behind it. The annual notification, the consent decisions, and the records of disclosure stay with your leadership. We do not sell a fixed “compliance package” price, because the right scope depends on your size and systems. Start with the free risk assessment, see plans to build an estimate, or call 270.816.5726.
