EDUCAUSE community members offer federal policy perspectives on the 2023 Top 10 IT Issues.
The EDUCAUSE Policy Advisory Committee (EPAC) serves the broader association by ensuring that EDUCAUSE federal policy and government relations efforts are informed by members' knowledge and expertise. The EPAC works with EDUCAUSE staff and consultants to help them understand what U.S. legislative and regulatory issues mean for colleges and universities in practical terms. As a result, EDUCAUSE is better able to engage with its members and other relevant groups to analyze and respond to policy developments that may impact the ability of technology to advance higher education.
With the release of the EDUCAUSE 2023 Top 10 IT Issues, members of the EPAC were asked to review the list and reflect on how it connects with the policy issues that the committee has been following over the course of the year. Committee members generally agreed that all of the Top 10 IT Issues could conceivably have federal policy implications. However, Issue #2, Privacy and Cybersecurity 101, had the greatest resonance for the committee overall, especially given the extent to which privacy and cybersecurity concerns permeate other issues on the list, including Issue #4, Smooth Sailing for the Student Experience, and Issue #7, Moving from Data Insight to Data Action. Comments from several EPAC members help to illustrate this view:
- "Privacy and cybersecurity are definitely major areas of concern for the EDUCAUSE community when it comes to federal policy, but they have major implications for the data analytics issues on the Top 10 list as well. . . . Data analytics comes down to ensuring data security and providing for continuous consent when it comes to data privacy." —Leo Howell, Chief Information Security Officer, Georgia Tech
- "Much of the list is about access and measuring student success, but for the policy committee specifically, the privacy and cybersecurity lens pervades everything." —Todd Britton, Chief Information Officer, University of La Verne
- "For us, and I'm sure that many other institutions are in the same bucket, we're trying to decide what is the best way to handle all of the data we have, particularly in the research space. We have a lot of data distributed across the university, and we're trying to figure out how to deal with it more effectively, and how to protect it more effectively." —Michele Norin, Senior Vice President and Chief Information Officer, Rutgers, The State University of New Jersey
Considering this perspective on the Top 10 IT Issues list, EPAC members tackled the question of what they would most want federal policy makers to understand about the challenges that colleges and universities face in relation to privacy and cybersecurity. The points they raised focused on the need for legislators and regulators to recognize the uniquely diverse and complex environment for privacy and cybersecurity in higher education; to put that recognition into action by tailoring requirements to higher education where possible while allowing for flexibility and discretion in implementation; and to drive toward much greater standardization across agencies so that higher education institutions can more efficiently and effectively fulfill their compliance responsibilities:
- "If Congress or federal agencies aim for a policy or procedure that directly addresses higher education, it seems to me that there's a better chance of producing policy requirements that we could actually manage. . . . It's when we're lumped in with other entities, such as banks or nonprofits in general, that the law of unintended consequences starts to loom larger and larger and larger. That's a concern—the unintended consequences of being pulled into a regulatory environment, a policy environment, that is designed for one type of industry but that pulls in higher education, because our institutions include aspects of many, many different kinds of industries." —Bret Ingerman, Vice President for Information Technology, Tallahassee Community College
- "When it comes to cybersecurity, there are too many different sets of regulations at the federal level that all say basically the same thing. Everything seems to come back to [NIST SP] 800-171, but different agencies are approaching those guidelines based on their separate compliance interests. Policy makers need to drive federal agencies to harmonize their requirements and to work with CISA [the Cybersecurity and Infrastructure Security Agency] to support compliance by providing standardized resources for financially challenged organizations." —Howell, Georgia Tech
- "When you're putting together a policy, if you're thinking about flagship universities and their ability to do something, please also keep in mind the small rural community college or the small private liberal arts institution that isn't located in a high-population area with a concentration of technology and cybersecurity professionals. These institutions often rely on staff to wear many hats, and increasing the volume or complexity of requirements very much adds to or, in many cases, multiplies the impact on staff of trying to stay in compliance." —Keith "Mac" McIntosh, Vice President and Chief Information Officer, University of Richmond
The discussion of key messages for policy makers has parallels in the answers that EPAC members provided on the question of where federal policy may already be off the rails in relation to privacy and cybersecurity in higher education—and what Congress and federal agencies could do to get it back on track. Members stressed that federal policy makers need to stop individual agencies from mandating distinct variations of essentially common policies and standards. This practice clearly risks driving higher education institutions toward compliance for compliance's sake, not for better privacy and cybersecurity:
- "The proliferation of cybersecurity requirements from federal agencies has become like water torture. Each agency sees its own piece of the cybersecurity puzzle and imposes requirements based on that, not realizing that they're all doing the same thing and we have too many requirements building up over time. We're seeing the same thing happening with privacy, such as with FERPA and HIPAA. We need the federal government to dispense with sector-specific laws and take a comprehensive legal approach." —Steve Fabiani, Vice President for Digital Innovation and Technology, Hofstra University
- "The federal government can't seem to gel on one direction to head for cybersecurity requirements, which means we're still having to meet the shotgun requirements of everyone. We're getting requirements from the U.S. Department of Education, from granting organizations, from all different groups. . . . We still haven't gotten to a point where privacy and cybersecurity policies are being consolidated so that we can have a smaller footprint or target to hit. We're seeing everything just continue to grow." —Mark Cather, Chief Information Security Officer, Chief Privacy Officer, and Assistant General Counsel, University of Maryland, Baltimore County
- "All too often, we get these blanket rules that apply everything to everyone uniformly because that's the easiest approach for agencies to maintain and support. However, the reality is that colleges and universities are not using data in the same way that many—or I would even hazard to say, most—other entities or industries are. So again, it's not that we're special, but higher education institutions are our own unique entities, and policy makers need to account for that difference if policies are going to work in higher education." —Britton, University of La Verne
- "What higher education could use the most from the federal government is a regulatory compliance reduction act. It's not that we're unwilling to do the right thing or to comply. It's the difficulty of every rule from every agency requiring a different level of compliance, sometimes for the same thing. It would be better for the government to take a holistic look and try to harmonize compliance requirements." —Ingerman, Tallahassee Community College
Finally, the committee members were asked to identify developments that have a significant federal policy component and that may become increasingly important in the years ahead. All of these again relate to Issue #2, Privacy and Cybersecurity 101. Members raised concerns about the lack of alignment between the federal and state governments on privacy and cybersecurity, the need for those who offer technology and services for higher education to better incorporate cybersecurity and privacy into their offerings, and the ways in which the drive to recruit more international students further complicates the privacy and cybersecurity picture:
- "Federal and state officials need to consider the ambiguity and difficulty for public institutions in possibly having to reconcile federal rules with state rules. When a federal law or regulation requires something in addition or opposition to what the institution's state does, what exactly the institution is supposed to do becomes an interesting question. This could become an increasingly significant issue because states are not consistent in many areas of data security and data privacy." —Ingerman, Tallahassee Community College
- "Since I've been in higher education, I've seen a problem begin to develop in addition to the issue at the federal level about harmonizing policies and practices. State requirements on cybersecurity and privacy are starting to grow, and if the state and federal requirements are distinct, that's just a double whammy. It would be fantastic if we could get some harmonization between the federal government and the states so we could better comply with both." —McIntosh, University of Richmond
- "Higher education faces some trickiness in finding ways to get real partnerships with the vendors that we have to rely on to do our work every day. What can we do to get large technology companies to design cybersecurity into their technology and services? It's a constant struggle. Should anyone expect that it's the college's job to make sure that large technology companies are secure?" —Holly Drake, Chief Privacy Officer, The Ohio State University
- "As a country, we really need to figure out a way to hold the providers of the tools that consumers and institutions rely on accountable for protecting information. We need to hold them accountable for building tools and services that are secure and protect privacy. At the same time, we can't have the federal government impose rules that are so restrictive and have so many requirements that providers and institutions can't make effective use of data analytics tools, for example. There has to be some flexibility and discretion built into the rules as well." —Norin, Rutgers
- "I know many universities are looking toward international students to fill in some of the gaps in enrollment as the pool of domestic students declines, and that is starting to pose even more challenges. . . . U.S. law has always taken this perspective that the United States is going to do its own thing, . . . so we're not going to have to harmonize. Well, that's now leaving colleges and universities in a position where we have to follow U.S. law but we also have to follow GDPR [the EU General Data Protection Regulation], and now China's privacy law applies, and Korea's laws, India's laws, and Brazil's laws, and they're not harmonizing. So, it's just making our environment that much more complex." —Cather, University of Maryland, Baltimore County
As the priorities of the U.S. federal government shift, the relationship between the Top 10 IT Issues and the federal policy developments of greatest significance for EDUCAUSE members can change at any time. For the year ahead, though, desires for federal policy action most clearly align around the issue of cybersecurity and privacy, as well as how federal policy in this area affects the use of data in higher education. The importance of these topics at both the institutional and the federal level (and increasingly at the state level) also indicates that their significance will not disappear anytime soon. With that in mind, the members of the EDUCAUSE Policy Advisory Committee look forward to continuing to contribute to the community's understanding of the issues and topics from a federal policy perspective in the years ahead.
Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.
© 2022 Jarret Cummings and the EDUCAUSE Policy Advisory Committee (EPAC). The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.