Spring 2024 Regulatory Agenda Highlights


The Biden administration released the Spring 2024 Unified Agenda of Regulatory and Deregulatory Actions on July 5. The Regulatory Agenda provides insights on the regulatory activities under development across federal departments and agencies and includes updates on several regulations that EDUCAUSE has been monitoring.

Picture of a book of regulations.
Credit: Maxx-Studio / Shutterstock.com © 2024

The Biden administration released its Spring 2024 Unified Agenda of Regulatory and Deregulatory Actions (Regulatory Agenda) in July 2024. The Spring Regulatory Agenda is the first report of the calendar year in which nearly all federal departments, agencies, and commissions update the public on the regulatory activities that are in progress and provide target dates for when each regulation will be issued.[1] EDUCAUSE analyzes the updates to help explain federal agencies' priorities as they relate to higher education information technology.

The target dates identified in the Regulatory Agenda are targets only. Federal agencies are not guaranteed to release the identified regulations by those dates. Instead, consider the target dates as rough timelines for when these regulations might emerge.

Department of Education

Cybersecurity Standards for Institutions of Higher Education to Comply with EO13556 and NIST SP 800-171

The U.S. Department of Education (ED) Office of Federal Student Aid (FSA) anticipates releasing a Notice of Proposed Rulemaking (NPRM) on cybersecurity standards for processing, storing, and transmitting controlled unclassified information (CUI) in October.[2]

These standards were first introduced in the Fall 2023 Regulatory Agenda. The EDUCAUSE Policy team has been expecting FSA to take regulatory action in this space, given the recent changes to how FSA receives and handles federal tax information (FTI).[3] Since FTI is designated as CUI and is therefore subject to the cybersecurity requirements that accompany CUI under the National Archives and Records Administration (NARA) CUI program, it is not surprising that FSA is seeking to incorporate the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) information security requirements into its regulations.

EDUCAUSE does not yet have much insight into the form these regulations will take once released; however, the Regulatory Agenda notes that "schools routinely process, store, and transmit Controlled Unclassified Information (CUI)," and protecting such sensitive data in school information systems is of "paramount importance" to ED. Accordingly, FSA "plans to propose to regulate on information security requirements" to "assure schools properly protect CUI" and "require non-Federal entities handling CUI to implement NIST 800-171."[4]

Nondiscrimination on the Basis of Disability in Programs or Activities Receiving Federal Financial Assistance from ED

The ED Office for Civil Rights (OCR) expects to release an NPRM in November to amend the regulations implementing Section 504 of the Rehabilitation Act of 1973.[5]

According to OCR, the proposed rule will align with the priorities of the Biden administration. These priorities include "advancing equity for persons with disabilities as required by Executive Order 13985, addressing persistent barriers to access for students with disabilities in education, aligning the current regulations with intervening laws protecting the rights of people with disabilities, including the Americans with Disabilities Act and the Americans with Disabilities Act Amendments Act, and updating outdated language."[6]

The Policy team believes that OCR will model this regulation on the final rule from the Department of Justice (DOJ) regarding web accessibility regulations for state and local government entities (including public higher education institutions), as required under Title II of the Americans with Disabilities Act (ADA).[7] The final rule was published on April 24, 2024, but it does not take effect until April 2026 for most affected colleges and universities. Therefore, the Section 504 NPRM could be delayed beyond the November 2024 target date.

Third-Party Servicers and Related Issues

In June 2025, the ED Office of Postsecondary Education plans to issue an NPRM to amend regulations on third-party servicers (TPSs) under the Higher Education Act (HEA) of 1965.[8] The regulations will focus on updating existing guidance for TPSs and the reporting, financial, compliance, and past performance requirements for TPSs related to the ongoing eligibility of an institution to participate in federal student financial aid.

ED released a guidance letter in February 2023 concerning third-party servicers. The letter would have substantially changed how HEA regulations are interpreted concerning the definition of a TPS. It expanded the definition to include providers of "functions or services necessary . . . to provide Title IV-eligible educational programs." This change constitutes a departure from the statutory definition that covers entities contracting with institutions to administer their Title IV federal student financial aid programs.[9] EDUCAUSE expressed significant concern with the overly broad definition of TPS in the guidance letter. Specifically, we stated that the unclear scope of the guidance would likely force member institutions to conclude that virtually all contracted providers of digital content, software, systems, and services would be considered TPSs.[10]

After receiving widespread negative feedback about the substance of the February 2023 guidance letter, Under Secretary of Education James Kvaal notified the higher education community in April 2023 that ED would revise the guidance and delay the effective date until at least six months after ED issued the revised guidance.[11] ED has released no additional TPS-related information since this announcement. Moreover, whether and when the revised guidance will be issued, and whether this proposed regulatory item will address the same elements as the original guidance letter, is unclear.

Federal Acquisition Regulation

Controlled Unclassified Information

The U.S. Department of Defense (DOD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) anticipate releasing a proposed rule in October to update the Federal Acquisition Regulation (FAR) to apply the CUI program requirements to federal contracts. This rulemaking aims to better protect CUI by uniformly applying the program requirements.[12]

The rule will be issued in accordance with the NARA regulations implementing the CUI program. The NARA CUI regulations, which reference NIST SP 800-171 and other safeguarding standards, were enacted in 2016.[13]

While the Unified Agenda notes a December target date, this regulatory item has been delayed repeatedly.[14] However, the FAR agencies sent this proposed rule to the White House Office of Information and Regulatory Affairs (OIRA) for final review on May 21. OIRA review typically takes 60–90 days, so the CUI proposed rule could finally be issued around—or even before—its December target date.

Cyber Threat and Incident Reporting and Information Sharing

In December, the FAR agencies also anticipate releasing a final rule to increase information sharing about cyber threats and incidents between the federal government and federal contractors.

The agencies released an NPRM in October 2023 that proposed to impose cyber incident reporting and software bill of materials (SBOM) requirements on federal contractors.[15] Two higher education associations joined EDUCAUSE in submitting comments on the NPRM. In our comments, we expressed concern about applying cyber incident and SBOM requirements to all federal contractors rather than only to those that provide IT and operational technology products and services to federal agencies. We argued that higher education researchers and their graduate assistants may be pulled into reporting compliance, which could lead to significant overreporting and obscure real cybersecurity threats to the federal government.[16]

Department of Homeland Security

Cyber Incident Reporting for Critical Infrastructure Act Regulations

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) expects to release its final rule on cyber incident reporting for designated critical infrastructure entities in October 2025.[17] The final rule aims to implement the requirements established under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 in regulations concerning the obligations of covered entities to submit reports on covered cyber incidents and ransom payments.

CISA published an NPRM on CIRCIA regulations in April, designating higher education institutions as "covered entities" that would need to comply with the reporting requirements outlined in the regulations. EDUCAUSE and others in the higher education community were surprised to learn that CISA included colleges and universities receiving Title IV funding as covered entities. This designation was especially surprising given that CIRCIA, as enacted by Congress, was intended to apply only to the long-established list of "critical infrastructure" sectors identified by DHS and did not include higher education directly.

EDUCAUSE and five other higher education associations submitted comments in response to the NPRM, raising concerns about the sudden inclusion of higher education on the covered entities list.[18] In addition to questioning the lack of outreach to the higher education community prior to this inclusion, we also conveyed the need for CISA to shield covered entities from redundant reporting requirements. Additionally, we asked CISA to clarify and narrow the scope of the information that covered entities must report. EDUCAUSE hopes CISA will consider our concerns and change the final rule accordingly.

Department of Defense

Cybersecurity Maturity Model Certification (CMMC) Program

The DOD aims to release a final rule in November to implement security requirements for defense contractors and subcontractors with respect to Federal Contract Information (FCI) and CUI under the Cybersecurity Maturity Model Certification (CMMC) Program.

In December 2023, DOD issued an NPRM to update regulations for the CMMC Program. In February 2024, EDUCAUSE and four other higher education associations submitted joint comments.[19] In the NPRM, DOD acknowledged prior comments on fundamental research related to CMMC and agreed that fundamental research projects don't generally involve FCI or CUI and therefore would not be covered by the CMMC Program. EDUCAUSE and its partners welcomed this acknowledgment. However, we raised concerns over the possibility of edge cases emerging in the fundamental research space that might necessitate the application of CMMC requirements. Our comment letter urged DOD to clarify edge cases that might fall under CMMC to ensure they are identified in relevant project solicitations. EDUCAUSE and the other associations further disputed the regulations because of the possible treatment of Security Protection Data (SPD) as CUI, the ability of covered entities to include a broad array of CMMC assessment objectives in a plan of action and milestones (POA&M), and the mandate for lead assessors of CMMC assessments to have knowledge of and experience in the industry of the organization being assessed, among other issues.

The CMMC Program final rule was sent to OIRA for final review on June 27, 2024. As explained above, OIRA reviews typically take 60–90 days, so DOD could be on track to release the final rule by the November target date. EDUCAUSE will be monitoring this issue closely.

Notes

  1. The Fall 2023 Regulatory Agenda was the last regulatory update published by the Biden administration. See Bailey Graves, "Fall 2023 Regulatory Agenda Highlights," EDUCAUSE Review, February 1, 2024.
  2. U.S. Department of Education, Office of Federal Student Aid, "Cybersecurity Standards for Institutions of Higher Education to Comply with EO 13556 and NIST 800-171," The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, July 2024.
  3. Katie Branson, "FSA Federal Tax Information Announcement: Is NIST 800-171 Compliance on the Horizon?" EDUCAUSE Review, June 28, 2023.
  4. U.S. Department of Education, "Cybersecurity Standards for Institutions of Higher Education to Comply With EO 13556 and NIST 800-171," December 2023.
  5. U.S. Department of Education, Office for Civil Rights, "Nondiscrimination on the Basis of Disability in Programs or Activities Receiving Federal Financial Assistance from the Department of Education," The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, July 2024.
  6. Ibid.
  7. Katie Branson, "Web and Mobile App Accessibility Regulations," EDUCAUSE Review, June 10, 2024.
  8. U.S. Department of Education, Office of Postsecondary Education, "Third-Party Servicers and Related Issues," The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, July 2024.
  9. Jarret Cummings, "EDUCAUSE and Third-Party Servicer Guidance," EDUCAUSE Review, March 16, 2023; Annmarie Weisman, "(GEN-23-03) Requirements and Responsibilities for Third-Party Servicers and Institutions," Dear Colleague Letter, U.S. Department of Education, Office of Federal Student Aid, updated May 16, 2023.
  10. EDUCAUSE letter to Miguel Cardona, Secretary, U.S. Department of Education, "Re: Docket ID ED-2022-OPE-0103," March 7, 2023.
  11. James Kvaal, "Update on the Department of Education's Third-Party Servicer Guidance," Homeroom (blog), U.S. Department of Education, April 11, 2023.
  12. U.S. Department of Defense, General Services Administration, and National Aeronautics and Space Administration, "Federal Acquisition Regulation (FAR); FAR Case 2017-016, Controlled Unclassified Information (CUI)," The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, July 2024.
  13. Jen Ortega, "NARA Final Rule," EDUCAUSE Review, October 19, 2016.
  14. For example, the Fall 2023 Regulatory Agenda targeted February 2024 as a possible release date, but the agencies did not meet this target.
  15. U.S. Department of Defense, General Services Administration, and National Aeronautics and Space Administration, "Federal Acquisition Regulation: Cyber Threat and Incident Reporting and Information Sharing," Federal Register, October 3, 2023.
  16. EDUCAUSE, Council on Governmental Relations, and the Association of American Universities, "Comments in Response to FAR Case 2021-017, 'Federal Acquisition Regulation: Cyber Threat and Incident Reporting and Information Sharing,'" February 2, 2024.
  17. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, "Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements," The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, July 2024.
  18. EDUCAUSE, American Association of Collegiate Registrars and Admissions Officers, Association of American Universities, Association of Governing Boards of Universities and Colleges, Association of Public and Land-grant Universities, and National Association of Independent Colleges and Universities, "Comments Concerning Docket Number CISA-2022-0010, 'Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements,'" July 1, 2024.
  19. American Council on Education, Association of American Universities, Association of Public and Land-grant Universities, Council on Governmental Relations, and EDUCAUSE letter to Chief Information Officer, U.S. Department of Defense, "RE: Comments in Response to Docket Number DoD–2023–OS–0063 / Regulatory Identifier Number (RIN) 0790–AL49, 'Cybersecurity Maturity Model Certification (CMMC) Program,'" February 26, 2024.

Bailey Graves is a Senior Associate at Ulman Public Policy.

© 2024 EDUCAUSE. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.