The Trump administration released the Spring 2025 Unified Agenda of Regulatory and Deregulatory Actions in September. The Regulatory Agenda outlines regulatory activities under development across federal departments and agencies and includes updates on several regulations that EDUCAUSE has been monitoring.
The Trump administration released its Spring 2025 Unified Agenda of Regulatory and Deregulatory Actions (Regulatory Agenda) in September 2025. Each year, nearly all federal agencies update the public on the regulatory activities that are in progress and provide a target date for when each regulation or regulatory action will be issued.[1] The Spring 2025 Agenda is the first regulatory update published by the Trump administration. EDUCAUSE analyzes the information included in the regulatory agenda to help explain federal agencies' priorities as they relate to the higher education IT community.
Below are descriptions of key regulatory items, along with context on their relevance to EDUCAUSE members.
Federal Acquisition Regulation
Controlled Unclassified Information
The Department of Defense (DOD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) have targeted December 2025 for releasing a final rule that updates the Federal Acquisition Regulation (FAR) to uniformly apply the Controlled Unclassified Information (CUI) Program requirements to federal contracts.[2]
The FAR Council published a notice of proposed rulemaking (NPRM) for the 2024 proposed rule in January 2025. The NPRM proposed incorporating National Archives and Records Administration (NARA) CUI Program requirements into federal contracting, but it contained a few contentious provisions that deviated from the original standards that NARA modeled.[3] EDUCAUSE, along with other associations, submitted comments on the NPRM recommending changes to these provisions.[4] For instance, the NPRM proposed a definition of CUI that differs from the definition in the existing CUI Program rule. The definition in the NPRM would allow a small set of exceptions in the FAR version of the definition. EDUCAUSE and the partnering associations argued that this change would undermine the uniformity that the CUI Program rule was designed to establish across the federal government, and that the FAR Council should use the CUI Program definition of CUI in the final rule for consistency—while incorporating the exceptions to the definition in a separate provision. Similarly, the NPRM included an eight-hour deadline for institutions to report cyber incidents involving CUI, compared to the seventy-two-hour deadline that already exists in federal contracting regulations. Our comments urged the FAR Council to adopt the seventy-two-hour deadline included in the existing regulations.
The rule will be issued in accordance with the NARA regulations implementing the CUI Program; those regulations incorporate National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) and additional safeguarding standards that apply to all systems that maintain CUI.
Cyberthreat and Incident Reporting and Information Sharing
The release of a final rule to increase information sharing about cyberthreats and cyber incidents between the federal government and its contractors by establishing requirements for cyber incident reporting is targeted for February 2026.[5]
The NPRM published in October 2023 includes requirements for cyber incident reporting and software bill of materials (SBOM) for all federal contractors. EDUCAUSE submitted comments on the NPRM expressing concern about the requirement that all federal contractors (rather than only IT and technology services–related contractors) be held to cyber incident and SBOM requirements, given the likelihood that such a broad scope would lead to significant overreporting.[6]
Department of Education
Family Educational Rights and Privacy Act
The Department of Education (ED) aims to amend regulations enforcing the Family Educational Rights and Privacy Act (FERPA). An NPRM is targeted for release in January 2026.[7] According to the regulatory agenda, ED will seek to clarify the definition of an education record, update provisions governing nonconsensual disclosure of personally identifiable information (PII) in education records and disclosures in response to warrants or subpoenas, and improve complaint and investigation procedures related to ED's enforcement of FERPA.
Department of Homeland Security
Cyber Incident Reporting for Critical Infrastructure Act Reporting Requirements
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) expects to release its final rule on cyber incident reporting for designated critical infrastructure entities in May 2026. This is several months past the statutorily required deadline of early October 2025.[8] The final rule will implement certain aspects of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Specifically, it would establish regulations requiring covered entities to submit reports to CISA concerning cyber incidents and ransom payments.
CISA published the NPRM for this rule in April 2024. EDUCAUSE expressed concern in our formal comments about the NPRM—specifically about the inclusion of higher education writ large among the set of covered critical infrastructure sectors for the first time.[9] We recently reiterated these concerns with the Trump administration because, although the Biden administration developed and issued the proposed rules, the Trump administration—which has issued executive orders that appear to reinforce our arguments against the proposed regulations—is now tasked with finalizing them.[10]
Department of Justice
Nondiscrimination on the Basis of Disability; Accessibility of Web Information and Services of State and Local Government Entities
On April 24, 2024, the Department of Justice (DOJ) released its final rule on web and mobile application accessibility pursuant to Title II of the Americans with Disabilities Act (ADA). Title II covers state and local government entities for persons with disabilities.[11] All web content and mobile apps created or made available by such entities must comply with the outlined requirements, including content and applications provided by third-party providers. Specifically, the rule adopts the Web Content Accessibility Guidelines (WCAG) 2.1, Level AA, as the compliance standard.[12]
The effective date of the final rule varies by institutional size. Institutions associated with a governing jurisdiction having a U.S. census–defined population of 50,000 or more must be in compliance by April 24, 2026. Institutions associated with a governing jurisdiction with a census-defined population size of fewer than 50,000 people must achieve compliance by April 26, 2027.
Although DOJ has not announced an intent to delay those effective dates, the agency did include a new regulatory item on the agenda stating that it plans to publish an NPRM to reconsider whether some of the regulatory provisions imposed by the April 24, 2024, rule could be made less costly.[13] The NPRM publication date is currently "to be determined," so it is unclear when the DOJ intends to move forward with a new rulemaking on this topic.
Department of Defense
NIST SP 800-171 DOD Assessment Requirements
The Department of Defense (DOD) intends to issue a final rule on NIST SP 800-171 assessment requirements in January 2026, finalizing an interim rule from 2020.[14]
Implementation of the rule would formalize the DOD standard methodology for validating contractor implementation of the NIST SP 800-171 cybersecurity requirements as stipulated by the Defense Federal Acquisition Regulation Supplement (DFARS).[15] Contractors will have to review their system security plans, provide an implementation self-assessment to the department, and, under some circumstances, be subject to on-site validation assessments. The certification process will fall under the Cybersecurity Maturity Model Certification (CMMC) Program, and companies that pass assessments will be awarded certification.
Updates to the Safeguarding Covered Defense Information and Cyber Incident Reporting Clause
The DOD is proposing to amend DFARS clauses on safeguarding covered defense information and cyber incident reporting. The rule would incorporate references to NIST SP 800-172 requirements, create uniformity for certain terminology, address international agreements, and streamline the vendor identification process. The department plans to publish an NPRM in July 2026.[16] The same rule proposal was listed in the Fall 2024 Unified Regulatory Agenda from the Biden administration, and the NPRM in that agenda was targeted for April 2025.[17]
Previous Rules No Longer on the Agenda
Cybersecurity Standards for Institutions of Higher Education to Comply with EO 13556 and NIST SP 800-171
Under the Biden administration, Federal Student Aid (FSA) had previously announced a planned regulatory action to issue an NPRM on cybersecurity standards incorporating NIST SP 800-171 requirements for processing, storing, and transmitting CUI. The Policy team anticipated that FSA would take such action given the direct incorporation of Federal Tax Information (FTI) into the federal student financial aid process, since FTI is considered CUI and should therefore be subject to NIST SP 800-171 standards. However, this item is no longer listed on the regulatory agenda, so for the time being, we can only assume that it has been removed. In recent guidance on the use of FTI by institutions and other stakeholders, FSA reiterated its intention to eventually establish institutional compliance requirements for NIST SP 800-171 regarding FTI but provided no details on when or how it might take this action.[18]
Third-Party Servicers and Related Issues
The ED Office of Postsecondary Education will no longer publish an NPRM to amend regulations on third-party servicers (TPSs) under the Higher Education Act (HEA) of 1965. The NPRM, scheduled for June 2025 in the previous Unified Agenda, would have focused on amending existing guidance on TPSs; reporting, financial, or other compliance requirements; and past performance requirements for TPSs as a component of ongoing institutional eligibility to participate in federal student financial aid.[19]
In February 2023, ED released a guidance letter expanding the definition of TPSs to include providers of "functions or services necessary . . . to provide Title IV-eligible educational programs," which deviates significantly from the comparable statutory definition.[20] EDUCAUSE, along with many other associations, expressed significant concern over the excessively broad definition of TPS in the letter.[21] As a result, in April 2023, Under Secretary of Education James Kvaal announced to the higher education community that the guidance would be revised and its implementation delayed. ED had never issued such guidance prior to the end of President Biden's term, and it was unclear whether this regulatory item would address the same elements as the original guidance letter if the rulemaking had moved forward.
Nondiscrimination on the Basis of Disability in Programs or Activities Receiving Federal Financial Assistance from the Department of Education
The ED Office for Civil Rights (OCR) will no longer pursue a proposed rule, titled "Nondiscrimination on the Basis of Disability in Programs or Activities Receiving Federal Financial Assistance from the Department of Education," to amend regulations implementing Section 504 of the Rehabilitation Act of 1973.[22] The Policy team anticipated that this NPRM would likely incorporate requirements from the DOJ ADA Title II final rule on web and mobile app accessibility, which would have extended those requirements to all entities receiving federal funding from ED. The ADA Title II regulations discussed previously apply to state and local government entities, but DOJ has not yet moved to establish similar regulations under Title III, which applies the ADA to "places of public accommodation." Private colleges and universities fall under Title III of the ADA, so the pending web and mobile app accessibility regulations would not apply to them. Section 504, on the other hand, applies to all entities receiving funds from ED; therefore, web and mobile app regulations established under Section 504 would apply to private and public institutions alike.
The EDUCAUSE Policy team recently hosted a Member QuickTalk on the regulatory agenda; a recording is available on the EDUCAUSE website (login required).
For more information about policy issues impacting higher education IT, please visit the EDUCAUSE Policy page.
Notes
1. Please note that although target dates identified in the Regulatory Agenda are useful for gauging general timing, there is no guarantee that federal agencies will adhere to those time frames.
2. U.S. Department of Defense, General Services Administration, and National Aeronautics and Space Administration, "Federal Acquisition Regulation (FAR); FAR Case 2017-016, Controlled Unclassified Information (CUI)," The Regulatory Plan and Unified Agenda of Federal Regulatory and Deregulatory Actions, September 2025.
3. Jarret Cummings, "EDUCAUSE Recommends Changes to Proposed FAR CUI Rules," EDUCAUSE Review, April 23, 2025; Jen Ortega, "NARA Final Rule," EDUCAUSE Review, October 19, 2016.
4. American Council on Education, Association of American Universities, Association of Public and Land-grant Universities, Council on Government Relations, and EDUCAUSE letter to William F. Clark, Director, Office of Government-wide Acquisition Policy, Office of Government-wide Policy, General Services Administration, "Comments regarding FAR Case 2017-016, 'Federal Acquisition Regulation: Controlled Unclassified Information,'" March 17, 2025.
5. U.S. Department of Defense, General Services Administration, and National Aeronautics and Space Administration, "Federal Acquisition Regulation (FAR); FAR Case 2021-017, Cyber Threat and Incident Reporting and Information Sharing," The Regulatory Plan and Unified Agenda of Federal Regulatory and Deregulatory Actions, September 2025.
6. EDUCAUSE, Council on Government Relations, and the Association of American Universities, "Comments in response to FAR Case 2021-017, 'Federal Acquisition Regulation: Cyber Threat and Incident Reporting and Information Sharing,'" February 2, 2024.
7. U.S. Department of Education, Office of Planning, Evaluation, Policy and Development, "Family Educational Rights and Privacy Act," The Regulatory Plan and Unified Agenda of Federal Regulatory and Deregulatory Actions, September 2025.
8. U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, "Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements," The Regulatory Plan and Unified Agenda of Federal Regulatory and Deregulatory Actions, September 2025.
9. EDUCAUSE, the American Association of Collegiate Registrars and Admissions Officers, the Association of American Universities, the Association of Governing Boards of Universities and Colleges, the Association of Public and Land-grant Universities, the National Association of Independent Colleges and Universities, "Comments concerning Docket Number CISA-2022-0010, 'Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements,'" July 1, 2024.
10. Kathryn Branson, "EDUCAUSE Reiterates Concerns over CISA's Cyber Incident Reporting Proposed Rule," EDUCAUSE Review, August 14, 2025.
11. Kathryn Branson, "Web and Mobile App Accessibility Regulations," EDUCAUSE Review, June 10, 2024.
12. World Wide Web Consortium, "Web Content Accessibility Guidelines (WCAG) 2.1," W3C Recommendation, May 6, 2025.
13. U.S. Department of Justice, Civil Rights Division, "Nondiscrimination on the Basis of Disability; Accessibility of Web Information and Services of State and Local Government Entities," The Regulatory Plan and Unified Agenda of Federal Regulatory and Deregulatory Actions, September 2025.
14. U.S. Department of Defense, Office of the Under Secretary of Defense for Acquisition and Sustainment, "NIST SP 800-171 DoD Assessment Requirements (DFARS Case 2022-D017)," The Regulatory Plan and Unified Agenda of Federal Regulatory and Deregulatory Actions, September 2025.
15. U.S. Department of Defense, "Strategic Assessment and Cybersecurity Certification Requirements (DFARS Case 2019-D041)," The Regulatory Plan and Unified Agenda of Federal Regulatory and Deregulatory Actions, August 2020.
16. U.S. Department of Defense, Office of the Under Secretary of Defense for Acquisition and Sustainment, "Updates to the Safeguarding Covered Defense Information and Cyber Incident Reporting Clause (DFARS Case 2023-D024)," The Regulatory Plan and Unified Agenda of Federal Regulatory and Deregulatory Actions, September 2025.
17. U.S. Department of Defense, Office of the Under Secretary of Defense for Acquisition and Sustainment, "Updates to the Safeguarding Covered Defense Information and Cyber Incident Reporting Clause (DFARS Case 2023-D024)," The Regulatory Plan and Unified Agenda of Federal Regulatory and Deregulatory Actions, December 2024.
18. U.S. Department of Education, Office of Federal Student Aid, "(GEN-25-08) Guidance on the Use of Federal Tax Information (FTI), Free Application for Federal Student Aid (FAFSA) Data, and Non-FAFSA Data," Dear Colleague Letter, September 30, 2025.
19. U.S. Department of Education, Office of Postsecondary Education, "Third-Party Servicers and Related Issues," The Regulatory Plan and Unified Agenda of Federal Regulatory and Deregulatory Actions, December 2024.
20. U.S. Department of Education, Office of Federal Student Aid, "(GEN-23-03) Requirements and Responsibilities for Third-Party Servicers and Institutions," Federal Student Aid, February 15, 2023 (updated November 14, 2024).
21. EDUCAUSE letter to Miguel Cardona, Secretary, U.S. Department of Education, "Re: Docket ID ED-2022-OPE-0103," March 7, 2023.
22. U.S. Department of Education, "Nondiscrimination on the Basis of Disability in Programs or Activities Receiving Federal Financial Assistance from the Department of Education," The Regulatory Plan and Unified Agenda of Federal Regulatory and Deregulatory Actions, December 2024.
Kathryn Branson is a Partner with Ulman Public Policy.
© 2025 EDUCAUSE. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License