Fall 2023 Regulatory Agenda Highlights


The Biden administration released its Fall 2023 Unified Agenda of Regulatory and Deregulatory Actions in December 2023. The Regulatory Agenda provides insights on the regulatory activities under development across federal departments and agencies and includes updates to several regulations EDUCAUSE has been following.

The Biden administration released its Fall 2023 Unified Agenda of Regulatory and Deregulatory Actions (Regulatory Agenda) in December 2023. Each year, nearly all federal departments, agencies, and commissions update the public on the regulatory activities that are in progress and list a target date for when each regulation or regulatory action will be issued. EDUCAUSE analyzes these updates to better understand federal agencies' priorities as they relate to higher education information technology.

While it's helpful to note the target dates identified in the Fall Regulatory Agenda, EDUCAUSE members should keep in mind that there is no guarantee that the federal agencies will release the regulations by the target date. Instead, members should consider these dates as rough timelines for when these regulations might emerge.

Department of Education

Cybersecurity Standards for Institutions of Higher Education to Comply with EO13556 and NIST SP 800-171

The U.S. Department of Education (ED) Office of Federal Student Aid (FSA) anticipates releasing a Notice of Proposed Rulemaking (NPRM) on cybersecurity standards for processing, storing, and transmitting controlled unclassified information (CUI) in October.[1] This is the first time this proposed rule has been included in the Regulatory Agenda. The EDUCAUSE Policy team anticipated this regulatory item, given the recent changes to how FSA receives and handles federal tax information (FTI).[2] Considering that FTI is designated as CUI and the cybersecurity requirements that follow CUI pursuant to the National Archives and Records Administration (NARA) CUI program, it is not surprising that FSA is seeking to incorporate National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) information security requirements into its regulations.

While little information is available regarding what specific form these regulations will take, the Regulatory Agenda notes that "schools routinely process, store, and transmit Controlled Unclassified Information (CUI)" and that protecting such sensitive data in school information systems is of "paramount importance" to ED. As such, FSA "plans to propose to regulate on information security requirements" to "assure schools properly protect CUI" and "require non-Federal entities handling CUI to implement NIST 800-171."[3]

Nondiscrimination on the Basis of Disability in Programs or Activities Receiving Federal Financial Assistance from ED

The ED Office for Civil Rights (OCR) indicated it would release an NPRM in November 2023 to amend the regulations that implement Section 504 of the Rehabilitation Act of 1973.[4] The proposed rule had not been issued for public review at the time this article was published.

According to the OCR, the new proposed rule will align with the priorities of the Biden administration, which include "advancing equity for persons with disabilities as required by Executive Order 13985, addressing persistent barriers to access for students with disabilities in education, updating outdated language, and aligning the current regulations with intervening laws protecting the rights of people with disabilities, including the Americans with Disabilities Act and the Americans with Disabilities Act Amendments Act."[5]

The Policy team believes that the OCR will largely model this regulation on the anticipated final rule from the Department of Justice (DOJ) regarding web accessibility regulations for state and local government entities (including public higher education institutions) as required under Title II of the Americans with Disabilities Act (ADA). To that end, we expect that the rule from the OCR will be further delayed pending the release of the final rule from the DOJ later this spring (see below for more information).

Third-Party Servicers and Related Issues

As part of a negotiated rulemaking, the ED Office of Postsecondary Education plans to issue an NPRM in October to amend regulations on third-party servicers (TPSs) under the Higher Education Act (HEA) of 1965.[6] The regulations will focus on updating existing guidance for TPSs and the reporting, financial, compliance, and past performance requirements for TPSs related to an institution's ongoing eligibility to participate in federal student financial aid.

ED released a guidance letter in February 2023. This guidance would have substantially changed how HEA regulations are interpreted concerning the definition of a TPS. The guidance letter expanded the definition of a TPS to include providers of "functions or services necessary . . . to provide Title IV-eligible educational programs"—a departure from the statutory definition that covers entities that contract with institutions to administer an institution's Title IV federal student financial aid programs.[7] EDUCAUSE expressed significant concern with the overly broad definition of TPS in the guidance letter, stating that the unclear scope of the guidance may force member institutions to conclude that virtually all digital content, software, systems, and services providers they have entered into contracts with would now be considered TPSs.[8]

After hearing widespread concern about the substance of the February 2023 guidance letter, Under Secretary of Education James Kvaal notified the community that ED would revise the guidance and delay the effective date until at least six months after the revised guidance is issued.[9] It is unclear when the revised guidance will be issued or whether this proposed regulatory item will touch on the same elements the original guidance letter addressed regarding TPSs.

Department of Justice

Nondiscrimination on the Basis of Disability: Accessibility of Web Information and Services of State and Local Government Entities

The DOJ plans to issue a final rule addressing web and mobile app accessibility for public entities in April.[10]

Last August, DOJ published a proposed rule setting forth web and mobile app accessibility requirements under Title II of the ADA, which applies to state or local government entities, including public higher education institutions.[11] EDUCAUSE submitted comments in response to the proposed rule from the DOJ, focusing on how DOJ can ensure that the final regulations allow institutions to adapt to new accessibility standards within the confines of their unique operational characteristics.[12] This is the first set of formal regulations that DOJ has issued under the ADA concerning web accessibility.

Federal Acquisition Regulation

Controlled Unclassified Information

The U.S. Department of Defense (DOD), General Services Administration, and National Aeronautics and Space Administration anticipate releasing a proposed rule this month to update the Federal Acquisition Regulation (FAR) to apply the CUI program requirements in Federal contracts. The goal of the rulemaking is to better protect CUI by uniformly applying the program requirements.[13]

The rule will be issued in accordance with the NARA regulations implementing the CUI program. The NARA CUI regulations, which reference NIST SP 800-171 and other safeguarding standards, went into effect in 2016.[14]

While the agenda notes a target date of February 2024, the Policy team is skeptical about whether this date will be met. This regulatory item has been delayed repeatedly over the last several years. At this point, we are more likely to see SP 800-171 implications in the ED regulations mentioned above before we see a proposed FAR clause for incorporation across federal contracts.

Department of Homeland Security

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) plans to issue a proposed rule in March to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022.[15] The law directs CISA to implement CIRCIA regulations requiring covered entities to submit reports on covered cyber incidents and ransom payments.

While the details of the proposed rule remain unseen, the CIRCIA text includes some guidance and limitations for CISA to follow when implementing the regulations. Examples include the requirements for covered entities to report covered cyber incidents to CISA within 72 hours after an entity "reasonably believes" an incident has occurred and to report all ransom payments made in response to attacks within 24 hours after making a payment.[16] CISA will likely provide details regarding what constitutes a covered cyber incident in the implementing regulations.

CIRCIA requirements will only apply to DHS's long-established list of "critical infrastructure" sectors. The language in CIRCIA does not directly include higher education, despite efforts from lawmakers to include it in earlier iterations of cyber incident reporting legislation.[17] With that in mind, EDUCAUSE will closely watch for and review an eventual NPRM and keep members apprised of any implications for the higher education community.

Department of Defense

Cybersecurity Maturity Model Certification Program

On December 26, 2023, the DOD issued a proposed rule to implement security requirements for defense contractors and subcontractors with respect to Federal Contract Information (FCI) and CUI under the CMMC Program.[18] While the Policy team plans to work with EDUCAUSE members on specific feedback, our current read of the NPRM indicates that DOD ultimately agreed with our prior comments in response to the CMMC 2.0 proposed rule that fundamental research isn't subject to CMMC requirements.[19] Comments are due on February 26.

Notes

  1. U.S. Department of Education, Office of Federal Student Aid, "Cybersecurity Standards for Institutions of Higher Education to Comply with EO 13556 and NIST 800-171," The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, December 2023.
  2. Kathryn Branson, "FSA Federal Tax Information Announcement: Is NIST 800-171 Compliance on the Horizon?" EDUCAUSE Review, June 28, 2023.
  3. U.S. Department of Education, "Cybersecurity Standards," December 2023.
  4. U.S. Department of Education, Office for Civil Rights, "Nondiscrimination on the Basis of Disability in Programs or Activities Receiving Federal Financial Assistance from the Department of Education," The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, December 2023.
  5. Ibid.
  6. U.S. Department of Education, "Third-Party Servicers and Related Issues," The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, December 2023.
  7. Jarret Cummings, "EDUCAUSE and Third-Party Servicer Guidance," EDUCAUSE Review, March 16, 2023; Annmarie Weisman, "Requirements and Responsibilities for Third-Party Servicers and Institutions (GEN-23-03)," U.S. Department of Education, Office of Federal Student Aid, updated May 16, 2023.
  8. EDUCAUSE letter to Miguel Cardona, Secretary, U.S. Department of Education, "Re: Docket ID ED-2022-OPE-0103," March 7, 2023.
  9. James Kvaal, "Update on the Department of Education's Third-Party Servicer Guidance," Homeroom (blog), U.S. Department of Education, April 11, 2023.
  10. U.S. Department of Justice, Civil Rights Division, "Nondiscrimination on the Basis of Disability: Accessibility of Web Information and Services of State and Local Government Entities," The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, December 2023.
  11. Kathryn Branson, "DOJ's Proposed Web and Mobile App Accessibility Regulations: An Overview," EDUCAUSE Review, November 27, 2023.
  12. EDUCAUSE letter to Rebecca Bond, Disability Rights Section, U.S. Department of Education, Civil Rights Division, "Re: Notice of Proposed Rulemaking, Nondiscrimination on the Basis of Disability; Accessibility of Web Information and Services of State and Local Government Entities RIN 1190-AA79 (CRT Docket No. 144)," October 3, 2023.
  13. U.S. Department of Defense, General Services Administration, and National Aeronautics and Space Administration, "Federal Acquisition Regulation (FAR); FAR Case 2017-016, Controlled Unclassified Information (CUI)," The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, December 2023.
  14. Jennifer Ortega, "NARA Final Rule," EDUCAUSE Review, October 19, 2016.
  15. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, "Cyber Incident Reporting for Critical Infrastructure Act Regulations," The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, December 2023.
  16. Cyber Incident Reporting for Critical Infrastructure Act of 2022 Publication, Cybersecurity & Infrastructure Security Agency (website), accessed January 24, 2024.
  17. Jarret Cummings, "FY23 NDAA Omits Incident Reporting Amendment," EDUCAUSE Review, January 3, 2023.
  18. U.S. Department of Defense, "Cybersecurity Maturity Model Certification (CMMC) Program," The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, December 2023.
  19. Exception in cases where federal contract information or CUI is part of the actual research project; Jarret Cummings, "EDUCAUSE Raises Concerns About DOD CMMC/800-171 Assessment Rule," EDUCAUSE Review, December 15, 2020.

Bailey Graves is a Senior Associate at Ulman Public Policy.

© 2024 Bailey Graves. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.