Spring 2019 Regulatory Agenda Includes State Authorization, FERPA, and FAR PII Breach Response/CUI Proposal Projections

On May 22, the Trump administration released its Spring 2019 Regulatory Agenda, which is a comprehensive list of the regulatory actions executive agencies plan to pursue over the coming 12 months. The Regulatory Agenda is released semiannually and is aimed at informing the general public and interested stakeholders of targeted release dates for potential rulemakings. The spring 2019 agenda includes several updates to items EDUCAUSE is tracking for the higher education IT community, including state authorization rules, updated Family Educational Rights and Privacy Act (FERPA) regulations, and personally identifiable information (PII) and controlled unclassified information (CUI) requirements for federal contractors.

State Authorization

In June 2018, we described the ongoing saga around the state authorization of distance education regulation initially promulgated by the Obama Administration.¹ Under the Higher Education Act, institutions are required to obtain authorization from the state(s) in which they are physically located in order to be eligible for federal student aid. The Obama-era state authorization rule,² finalized in 2016, extended this authorization requirement to institutions offering distance education programs. This rule stipulated that an institution offering distance education programs must obtain authorization from each state in which it operates regardless of whether the institution has a physical location in said jurisdiction(s). The 2016 rule prompted concern from many stakeholders, and EDUCAUSE filed comments in conjunction with several other higher education associations expressing discontent with the regulation's ambiguity and its impact on existing state authorization reciprocity agreements.³

The rule was originally slated to go into effect in 2018. The Trump administration delayed the rule's effective date by two years. That was followed by an August 2018 announcement indicating that the U.S. Department of Education (ED) would embark on a negotiated rulemaking session spanning many subject areas, including state authorization rules.⁴ The negotiated rulemaking concluded in April 2019. There was relative consensus around the provisions that should be included in an updated state authorization regulation, such as clarity around the ED's support for reciprocity agreements as vehicles for states to resolve authorization issues. More information on the topic can be found in a recent WCET Frontiers blog post.⁵

The Spring Regulatory Agenda lists June 2019 as the target date for issuing the updated notice of proposed rulemaking specific to state authorization of distance education regulations that will incorporate the recommendations from the negotiated rulemaking session. If you are interested in learning about the other topics considered during the rulemaking process, WCET Frontiers published several blog posts reviewing the issues covered. The final post includes details regarding accreditation, student identity verification, and student disclosures, as well as links to previous posts on topics such as regular and substantive interaction.⁶

Family Educational Rights and Privacy Act Regulations

FERPA is the federal statute governing the privacy of student education records in K-12 schools and higher education institutions. The Spring Regulatory agenda indicates that ED intends to amend FERPA regulations (34 CFR part 99) by addressing "outstanding policy issues." The agenda is silent on what the outstanding policy issues entail, so stakeholders will likely need to await the release of the notice of proposed rulemaking, which has an anticipated February 2020 publication date. EDUCAUSE will closely monitor activity on this issue and keep members apprised accordingly.

Federal Acquisition Regulation: Personally Identifiable Information Breaches and Controlled Unclassified Information

The Federal Acquisition Regulation (FAR) is the preeminent set of rules contractors must adhere to when entering into agreements with or providing goods and services to the government. Institutions of higher education with federal contracting activity are among those that generally pay close attention to the FAR provisions, rules, and requirements. EDUCAUSE is carefully following two rules the Trump administration plans to propose in the coming months. The first is specific to directing contractor response to breaches of personally identifiable information (PII), and the other would amend controlled unclassified information (CUI) requirements.

The Spring Regulatory Agenda includes a proposed rulemaking that would establish a FAR provision on how federal contractors should respond to breaches of PII, including the creation and implementation of contract clauses and regulatory coverage. The notice of proposed rulemaking is targeted for October 2019. It is worth noting, however, that the government has previously delayed this regulatory action; the Spring 2018 Regulatory Agenda projected a targeted release date of November 2018.⁷ The anticipated FAR PII update stems from a January 2017 memorandum from the Office of Management and Budget that established an updated PII breach response policy for federal agencies.⁸ As the current regulatory agenda item is sparse on details, it may make sense for institutions with significant federal contracting activity to review this directive.

The agenda also includes a FAR amendment to implement requirements of the National Archives and Records Administration (NARA) CUI program; the notice of proposed rulemaking for this effort is similarly targeted for October 2019. The item was previously included in past regulatory agendas.⁹ The NARA CUI Program published a final rule in the fall of 2016 establishing uniform requirements for non-defense federal agencies regarding designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI; this action essentially incorporated the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 guidelines for the handling of CUI in nonfederal systems and organizations into requirements for federal agencies. The anticipated FAR amendment will thus integrate NARA CUI requirements into federal procurement contracts across non-defense agencies. As the standard this FAR amendment proposes to incorporate is broadly applicable, the substance of the rule could influence and shed light on how federal agencies may, in the future, frame similar requirements in agreements with colleges and universities, such as the Federal Student Aid Program Participation Agreement and the Student Aid Internet Gateway Agreement. EDUCAUSE members should expect that these agreements will eventually include CUI requirements based on NIST SP 800-171, and that the implementation text will be similar to what is expected in the FAR CUI provision. While there is no indication that ED is ready to begin integrating such requirements into their agreements with colleges and universities, any attempt to do so will have far-reaching implications for EDUCAUSE members. As such, EDUCAUSE will monitor these developments closely.

Notes

1. Jennifer Ortega, "State Authorization Regulations Officially Delayed in Spring 2018 Regulatory Agenda," Policy Spotlight (blog), June 1, 2018. ↩
2. State Authorization Final Regulations. 81 Fed. Reg. 243 (December 16, 2016). Federal Register: The Daily Journal of the United States. ↩
3. EDUCAUSE Comments: Distance Education State Authorization Regulations (Washington DC: EDUCAUSE Policy Office, August 29, 2016). ↩
4. Kathryn Branson, "Department of Education Initiates Wide-Ranging Negotiated Rulemaking; Targets Distance Education, Competency-Based Education Regulations," Policy Spotlight (blog), September 13, 2018. ↩
5. Cheryl Dowd and Russ Poulin, "Negotiated Rulemaking: What Happened with State Authorization and Licensure Notifications?" WCET Frontiers (blog), April 17, 2019. ↩
6. Cheryl Dowd and Russ Poulin, "Negotiated Rulemaking: Accreditation, Student Identify Verification, Student Disclosures, and Other Proposed Regulations," WCET Frontiers (blog), May 10, 2019. ↩
7. Jarret Cummings, "PII Breach Response Requirements for Contractors on the 2018 Federal Regulatory Agenda," Policy Spotlight (blog), May 24, 2018. ↩
8. U.S. Office of Management and Budget Office Memorandum M-17-12, "Preparing for and Responding to a Breach of Personally Identifiable Information" by Shaun Donovan, January 3, 2017. ↩
9. Jarret Cummings, "CUI Requirements In Federal Contracts Aren't FAR Away," Policy Spotlight (blog), May 25, 2018). ↩

---

Kathryn Branson is an associate with Ulman Public Policy.