What the Election Results Mean for Higher Education IT Policy

Change is ahead in Washington, DC, as Republicans prepare to control both Congressional chambers and the White House. President-Elect Donald Trump will be sworn in for his second term on January 20, 2025. This overview examines the 119th Congress, the second Trump U.S. Department of Education (ED), recent regulatory policies relevant to EDUCAUSE members, and the potential implications of a Trump administration on those policies.

Congressional and Legislative Landscape

Republicans will remain in control of the U.S. House of Representatives, albeit by a slim margin of 220 to 215. However, over the next few months, that margin will shrink even more when several members leave Congress for the Trump administration. Until their replacements are selected, Republicans will control the House by a 217 to 215 margin. In the Senate, Republicans enjoy a larger majority, controlling fifty-three seats to the Democrats' forty-seven.

A legislative agenda for the 119th Congress is beginning to take shape. The Senate will likely spend much of 2025 focusing on many of President Trump's nominations for key cabinet and administration posts. Additionally, leadership in the Senate and House have indicated that lawmakers will take up a variety of Trump administration priorities—including taxes, immigration, defense, and energy—via a legislative procedure known as "budget reconciliation." That said, the overall legislative strategy for this process remains relatively unclear, given that lawmakers appear split on the timing and the order in which they should tackle the abovementioned priorities.

The U.S. Department of Education

Meanwhile, President-Elect Trump has announced several nominees for cabinet-level and other key administration positions, including Linda McMahon as his pick to lead the U.S. Department of Education. In addition to co-founding World Wrestling Entertainment (WWE) with her husband, McMahon served in the first Trump administration as head of the Small Business Administration. McMahon is a staunch advocate for state and local control of education policy, and she has signaled support for expanding the Pell Grant program to short-term workforce education programs. Other key appointments throughout ED, including the Under Secretary of Education and Assistant Secretary for Postsecondary Education, have yet to be announced. These appointments will also influence the types of policies that ED is poised to pursue over the next four years.

EDUCAUSE Policy Priorities

In the absence of a specific Trump administration agenda for higher education IT and cybersecurity policy, the EDUCAUSE Policy team has compiled a list of the top policy areas EDUCAUSE engaged in during the Biden administration, including the status of each area and insights gleaned from the first Trump administration that may inform future developments.

Web Accessibility

• DOJ Title II Final Rule: On April 24, the U.S. Department of Justice (DOJ) issued its final regulation on web and mobile application accessibility under Title II of the Americans with Disabilities Act (ADA). The regulation applies only to public higher education institutions and has an effective date of either April 26, 2026, or April 26, 2027, depending on the population size of an institution's governing jurisdiction.^Footnote1 This regulation is DOJ's first-ever formal rule on web accessibility. It adopts WCAG 2.1 AA requirements as the technical standard to which public entities must conform their digital content. EDUCAUSE raised concerns about how the final rule distinguishes between large and small postsecondary institutions, the compliance timeline requirements, and the decision to omit a previously proposed exception for password-protected course content.^Footnote2
  • What's Next? Given the change in administration, the future of the final rule is uncertain. Under the first Trump administration, DOJ formally withdrew plans for rulemakings for web accessibility under Title II and Title III of the ADA.^Footnote3 Whether the incoming administration will withdraw this rule remains to be seen.
• DOJ Title III Regulations: Interested stakeholders speculated that the second Biden administration would include DOJ's pursuit of web and mobile app accessibility regulations pursuant to Title III of the ADA—which would extend requirements to the private sector and, accordingly, to private nonprofit colleges and universities.
  • What's Next? The Biden administration never included a Title III regulation on its planned regulatory agenda. The likelihood that DOJ pursues a Title III web and mobile app accessibility rule over the next four years, however, seems relatively slim. During Trump's first term, DOJ removed an Obama-administration-planned Title III regulation from its regulatory agenda.^Footnote4
• ED Section 504: In 2022, the ED Office of Civil Rights (OCR) announced that it would pursue web accessibility regulations under Section 504 of the Rehabilitation Act, which would ultimately extend to all higher education institutions that receive federal funds. The Biden administration had planned to release this proposed regulation in December 2024. As of this writing, though, it has not been released.^Footnote5
  • What's Next? It is unknown what the incoming administration will do with this agenda item. However, given the withdrawal of accessibility rulemakings early in the first Trump administration, it seems unlikely that ED will update its Section 504 regulations to address web accessibility during the second Trump administration.

Cyber Incident Reporting

• CISA Cyber Incident Reporting Proposed Rule: In 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued a proposed cyber incident reporting regulation as required under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).^Footnote6 The CISA proposal includes higher education institutions participating in Title IV federal student aid programs among the entities designated as critical infrastructure and, therefore, subject to the proposed regulation. This contrasts with the long-standing position of the Department of Homeland Security (DHS) that excludes higher education from the sectors considered to be critical infrastructure. EDUCAUSE joined with several other higher education associations in raising concerns about various aspects of the proposed rule, including CISA's decision to include higher education as a critical infrastructure sector and its failure to engage with the higher education community before issuing the rule as required by CIRCIA's stakeholder engagement directives.^Footnote7
  • What's Next? CISA is currently in the comment review phase of its rulemaking. CIRCIA requires that a final regulation be issued by October 2025—meaning that a Trump-controlled CISA will be responsible for finalizing the regulation. Project 2025 (the document widely regarded as outlining potential policy priorities for a second Trump term) argues that CISA has "rapidly expanded its scope into lanes where it does not belong . . . [particularly with respect to] censorship of so-called misinformation."^Footnote8 Whether or not that point of view also extends to CISA's expansive view of what constitutes critical infrastructure remains to be seen.

FSA Cybersecurity Issues

• 800-171 Notice of Proposed Rulemaking (NPRM): In the fall of 2023, FSA formally announced that it would pursue a rulemaking on cybersecurity standards for processing, storing, and transmitting controlled unclassified information (CUI) pursuant to the National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171). The EDUCAUSE Policy team had anticipated that FSA would take regulatory action in this space, particularly given the recent changes to how FSA receives and handles federal tax information (FTI).^Footnote9 FTI is designated as CUI under the National Archives and Records Administration (NARA) CUI program; as such, it carries NIST 800-171 cybersecurity requirements. FSA has indicated that it will issue an NPRM in January 2025.^Footnote10
  • What's Next? Given the change in administration and inevitable personnel shifts, it is unclear when FSA will ultimately release a proposed rule, but it seems likely that we will not see one until sometime later in 2025.

Third-Party Servicers

• Dear Colleague Letter GEN 23-03: In early 2023, FSA published Dear Colleague Letter (DCL) GEN-23-03, "Requirements and Responsibilities for Third-Party Servicers and Institutions."^Footnote11 The DCL adopted a new definition for "third-party servicers" (TPS). The new definition greatly expanded the universe of entities subject to the TPS-related regulations that ED enforces. This development was notable, given that TPS-related regulations carry reporting mandates for institutions and compliance and audit mandates for providers. The new definition could have encompassed any contractual relationship an institution has with a digital content, software/system, or services provider; it also would have extended a ban on any foreign-owned or located firm serving as a TPS.^Footnote12 EDUCAUSE submitted comments urging ED to withdraw the DCL, given the significant disruption it would bring to the higher education IT community. In April 2023, citing concerns from many individuals across the higher education and vendor community, Under Secretary of Education James Kvaal announced that ED would withdraw the effective date of the DCL and issue revised guidance.^Footnote13 However, it looks as though that guidance will not be coming. Through negotiations to settle a lawsuit that challenged the DCL on the grounds that ED lacked the authority to implement the guidance without following procedural rulemaking requirements under the Administrative Procedures Act (APA), ED announced that it would formally rescind the DCL by November 18, 2024.^Footnote14
  • What's Next? Although the TPS issue raised by the DCL appears to be off the table for now, ED may still decide to pursue new regulations modifying the TPS definition through a negotiated rulemaking. Indeed, ED indicated it would pursue a TPS-related rulemaking beginning in June 2025.^Footnote15 It is unclear whether the incoming administration will pursue this regulation.

Research Cybersecurity

• CMMC 2.0: EDUCAUSE submitted comments in response to regulations proposed by the U.S. Department of Defense (DOD) for the Cybersecurity Maturity Model Certification (CMMC) 2.0 Program. The proposed rules establish cybersecurity certification requirements in DOD contracts.^Footnote16 Our comments supported DOD's proposed acknowledgment that fundamental research does not fall under CMMC requirements but raised several other suggestions for DOD to consider in producing a final rule. The final rule was issued on October 15, 2024, and, most importantly, it affirms that fundamental research will not fall under CMMC requirements.^Footnote17
  • What's Next? The rule is effective as of December 16, 2024, but the phase-in of CMMC requirements into DOD contracts will not begin until the relevant DOD contracting regulations take effect in late spring or early summer 2025.
• OSTP Research Security Requirements: In July 2024, the White House of Office of Science and Technology Policy (OSTP) issued its final requirements for research program security—mandates called for in National Security Presidential Memorandum – 33 (NSPM-33), "Supported Research and Development National Security Policy." All federal agencies will need to apply the requirements to colleges and universities receiving more than $50 million per year in federal research funding. Importantly, OSTP heeded the concerns of EDUCAUSE and others and withdrew its proposal that higher education institutions base their research cybersecurity program requirements on federal contract information (FCI) safeguards. OSTP's final version stipulates that federal agencies must require institutions to certify they will implement a cybersecurity program consistent with a pending report on higher education research cybersecurity from the National Institute of Standards and Technology (NIST).^Footnote18 The NIST report is currently available in initial public draft form.
  • What's Next? Based on the implementation timelines included in the OSTP memo, we expect to see agency implementation plans by early January 2025. However, it is unclear whether the incoming administration will sustain the OSTP effort as is, although the underlying memorandum was issued at the end of President Trump's first term.

Net Neutrality

• FCC Final Rule on Safeguarding and Securing the Open Internet: Restoring Internet Freedom: In May 2024, the FCC issued its final rule that reclassified internet service providers as telecommunications service providers and restored net neutrality rules that prohibit blocking, throttling, or creating paid or affiliated prioritization arrangements for internet traffic.^Footnote19 The regulation largely restores the 2015 net neutrality rules adopted under the Obama administration, and EDUCAUSE expressed its support for the final rule via comments submitted to the FCC in December 2023.^Footnote20 However, in August, the U.S. Sixth Circuit Court of Appeals placed a stay on the FCC's rule and is currently reviewing the validity of the regulation.
  • What's Next? Even if the rule survives the legal challenge, the new Trump FCC will likely move quickly to repeal the regulation. President-Elect Trump has selected current Commissioner Brendan Carr as the next FCC Chairman, and Carr was a vocal critic of the final rule.

Notes

1. Civil Rights Division, Department of Justice, "Nondiscrimination on the Basis of Disability; Accessibility of Web Information and Services of State and Local Government Entitles," final rule, Federal Register 89, no. 80 (April 24, 2024): 31320–31396; Large public institutions (in a governing jurisdiction with a population of 50,000 or more) must be in compliance by the 2026 date; small public institutions (in a governing jurisdiction with a population of less than 50,000) must be in compliance by the 2027 date. Jump back to footnote 1 in the text.↩
2. EDUCAUSE letter to Rebecca Bond, Disability Rights Section, U.S. Department of Justice, "Re: Notice of Proposed Rulemaking, Nondiscrimination on the Basis of Disability; Accessibility of Web Information and Services of State and Local Government Entities RIN 1190-AA79 (CRT Docket No. 144)," October 3, 2023; Katie Branson, "Web and Mobile App Accessibility Regulations," EDUCAUSE Review, June 10, 2024. Jump back to footnote 2 in the text.↩
3. Department of Justice, Civil Rights Division, "Nondiscrimination on the Basis of Disability; Notice of Withdrawal of Four Previously Announced Rulemaking Actions," Federal Register 82, no. 246 (December 26, 2017): 60932. Jump back to footnote 3 in the text.↩
4. Ibid. Jump back to footnote 4 in the text.↩
5. U.S. Department of Education, "U.S. Department of Education Announces Intent to Strengthen and Protect Rights for Students with Disabilities by Amending Regulations Implementing Section 504," press release, May 6, 2022; U.S. Department of Education, "Nondiscrimination on the Basis of Disability in Programs or Activities Receiving Federal Financial Assistance from the Department of Education," Fall 2024. Jump back to footnote 5 in the text.↩
6. Cybersecurity and Infrastructure Security Agency, Department of Homeland Security, "Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements," Federal Register 89, no. 66 (April 4, 2024): 23644–23776. Jump back to footnote 6 in the text.↩
7. EDUCAUSE et al., letter to Jennie M. Easterly, Director, Cybersecurity and Infrastructure Security Agency, "RE: Comments Concerning Docket Number CISA-2022-0010, 'Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements,'" July 1, 2024. Jump back to footnote 7 in the text.↩
8. Ken Cuccinelli, "Department of Homeland Security," in Mandate for Leadership 2025: The Conservative Promise, eds. Paul Dans and Steven Groves, (The Heritage Foundation, 2023), 155. Jump back to footnote 8 in the text.↩
9. U.S. Department of Education, Office of Federal Student Aid, "Cybersecurity Standards for Institutions of Higher Education to Comply with EO 13556 and NIST 800-171," The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, Fall 2023; Jarret Cummings, "No 800-171 in the New SAIG Agreement," EDUCAUSE Review, November 21, 2023. Jump back to footnote 9 in the text.↩
10. Office of Federal Student Aid, "Cybersecurity Standards for Institutions of Higher Education," Fall 2023. Jump back to footnote 10 in the text.↩
11. Annmarie Weisman, "(GEN-23-03) Requirements and Responsibilities for Third-Party Servicers and Institutions," U.S. Department of Education, Office of Federal Student Aid, updated November 14, 2024. Jump back to footnote 11 in the text.↩
12. For more information, see Jarret Cummings, "EDUCAUSE and Third-Party Servicer Guidance," EDUCAUSE Review, March 16, 2023. Jump back to footnote 12 in the text.↩
13. John O'Brien, EDUCAUSE letter to Miguel Cardona, Secretary, U.S. Department of Education, "Re: Docket ID ED-2022-OPE-0103," March 7, 2023; James Kvaal, "Update on the Department of Education's Third-Party Servicer Guidance," Homeroom (blog), U.S. Department of Education, April 11, 2023. Jump back to footnote 13 in the text.↩
14. 2U, Inc. et al. v. Cardona et al., (U.S. District Court for the District of Columbia, April 4, 2023); "Joint Status Report," 2U, LLC et al. v. Cardona, et al. Jump back to footnote 14 in the text.↩
15. U.S. Department of Education, Office of Postsecondary Education, "Third-Party Servicers and Related Issues," The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions, Fall 2024. Jump back to footnote 15 in the text.↩
16. American Council on Education et al., letter to the Office of the Department of Defense Chief Information Officer, "Comments in Response to Docket Number DoD–2023–OS–0063 / Regulatory Identifier, Number (RIN) 0790–AL49, 'Cybersecurity Maturity Model Certification (CMMC) Program,'" February 26, 2024. Jump back to footnote 16 in the text.↩
17. U.S. Department of Defense, Office of the CIO, "Cybersecurity Maturity Model Certification (CMMC) Program" (final rule), Federal Register 89, no. 199 (October 15, 2024): 83092–83236; Jarret Cummings, "CMMC Program Rule Finalized," EDUCAUSE Review, December 11, 2024. Jump back to footnote 17 in the text.↩
18. Arati Prabhakar, memorandum, "Guidelines for Research Security Programs at Covered Institutions," Executive Office of the President, Office of Science and Technology Policy, July 9, 2024; National Security Presidential Memorandum – 33, "United States Government-Supported Research and Development National Security Policy," January 14, 2021; For more information, see Jarret Cummings, "Cautious Optimism on OSTP Research Cybersecurity Requirements," EDUCAUSE Review, September 11, 2024. Jump back to footnote 18 in the text.↩
19. Federal Communications Commission, "Safeguarding and Securing the Open Internet; Restoring Internet Freedom," Federal Register 89, no. 100 (May 22, 2024): 45404–45556; Bailey Graves, "FCC Issues Net Neutrality Final Rule," EDUCAUSE Review, June 5, 2024. Jump back to footnote 19 in the text.↩
20. EDUCAUSE and the Association of Research Libraries letter to the Commissioners of the Federal Communications Commission, "Safeguarding and Securing the Open Internet, WC Docket 23–320," December 14, 2023. Jump back to footnote 20 in the text.↩

Kathryn Branson is a Partner at Ulman Public Policy.