Continuity and Change in Higher Education IT Policy

The transition to a new president and Democratic Senate in 2021 opens the door for dramatic changes across the federal policy landscape. In higher education IT policy, though, many issues will carry over from 2020. Some will move in a decidedly different direction, but others may stay on more or less the same path.

"Unprecedented" barely describes 2020, and the nation has already seen some of that unprecedented character continue into 2021. With the Trump Administration giving way to the Biden Administration, many aspects of federal policy in the current year will reflect a radical departure from how they developed last year. For higher education IT policy, however, the catalog of issues looks remarkably consistent for now. How these issues will evolve remains the key point of discussion.

Coronavirus emergency relief funding dominated the first half of last year, while the question of whether and when Congress would pass more relief funding hung over the second half of 2020, before finally being answered in late December. The largest and last of the relief bills passed in the spring, the over $2 trillion Coronavirus Aid, Relief, and Economic Security (CARES) Act, had special importance for EDUCAUSE members because of the broader willingness among the higher education community to make a nearly $8 billion technology fund a major pillar of its request for college and university funding in the bill.[1] As negotiations continued on the final package, we had to settle for IT being one of the major areas on which institutions could spend their CARES Act dollars. Having higher education associations in general support the technology fund proposal, though, was a major advance in the recognition of the importance of information technology to the present and future of higher education. EDUCAUSE was happy to work with its members and related groups to inform the development of that request.

The CARES Act model has carried over into the latest relief bill that was signed into law just before the end of 2020.[2] Once again, the amount provided (approximately $21 billion) is considerably lower than the need demonstrated by colleges and universities (roughly $120 billion), and once again, technology costs to support the institutional response to the pandemic are specifically identified as among the major areas of expense to which institutions can apply their allocations. In the meantime, the Biden Administration has released a nearly $2 trillion pandemic relief bill to start 2021, which includes a proposed $35 billion in funding for higher education.[3] Perhaps even more important for many public institutions, the first Biden bill for pandemic relief includes $350 billion in emergency funding for state and local governments, money which may be essential in preventing crippling budget cuts for public colleges and universities across the nation.

Access to broadband internet service for students living in unserved and underserved communities, whether rural or urban, emerged as a major concern of EDUCAUSE and the higher education community in general. Institutional networks and computer labs, as well as similar resources in public libraries or Wi-Fi access in coffee shops, helped to fill the gap in students' access to broadband internet and computers before the pandemic. However, campus closures and physical-distancing requirements exposed how broad the digital divide is for those who don't have access to or can't afford personal broadband service or personal devices with which to take advantage of it. As EDUCAUSE members worked to supply students in need with mobile Wi-Fi hotspots and Chromebooks, the association led the higher education community in submitting comments to Congress calling for action to address this critical issue now while supporting research and education networking capacity in any future infrastructure bill.[4] One of our major requests concerned incorporating the Supporting Connectivity for Higher Education Students in Need Act into the next round of pandemic relief funding Congress might pass starting in the summer of 2020. If passed, the bill would have created a $1 billion fund for grants to colleges and universities to help their students in need get online and stay online through the pandemic from wherever they happened to be.[5]

Congress ultimately wouldn't pass its next major emergency funding bill until late December, at which point pandemic response needs in relation to unemployment benefits, public health, and so forth took center stage. However, elements of the Supporting Connectivity for Higher Education Students in Need Act did make it into the latest relief package along with a range of broadband access and infrastructure provisions. The Connecting Minority Communities Pilot Program included in the package provides $285 million for grants to historically black colleges and universities (HBCUs) and a range of minority-serving institutions (MSIs), so they can provide the kind of student broadband access envisioned by the Supporting Connectivity proposal in addition to facilitating greater broadband availability in the institutions' surrounding communities.[6] Another key development for higher education comes in the form of the Emergency Broadband Benefit Program, which provides subsidized service and devices for unserved and underserved households along similar lines as the Lifeline program—except it has much higher subsidy levels and Pell Grant recipients are eligible to participate.

Democratic control of the Senate makes the use of the Senate's "budget reconciliation" process a viable way of pursuing the spending priorities of the Biden Administration and Congressional Democrats. That, in turn, makes much more likely the possibility of a major effort to close the digital divide from both a broadband infrastructure perspective (e.g., extending connections into rural areas) and a broadband affordability perspective (e.g., making much more substantial service/device subsidies permanent). The recently passed relief bill shows that those issues as they pertain to higher education institutions and students are clearly on Congress's radar, which raises hope for continued progress on student broadband access over the next few years. Even as students eventually get to return to campus and access institutional networks and computer labs, the pandemic has established the importance of personal broadband service and device access moving forward, as online and hybrid learning options are likely to become even more prominent as a result.

Cybersecurity remains a perennial issue at all levels of government and society, but it gained momentum at the federal level in 2020, and the SolarWinds hack is likely to accelerate it even further in 2021. Early last year, EDUCAUSE worked with members and associations representing research university presidents and research administration leaders to highlight concerns about the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program. Through CMMC, DoD established a framework with criteria for determining—and ultimately certifying—different levels of cybersecurity maturity achieved by defense contractors and other organizations that participate in defense contracts, such as colleges and universities. DoD officials stated that the goal of the program was for all organizations that receive DoD contracts to be certified by independent, third-party assessors at least at the lowest CMMC level, Level 1.

EDUCAUSE and its partners, however, sent a letter last summer to the DoD under secretary for the office ultimately responsible for the program to highlight the inherent problems that CMMC presents for fundamental research in higher education. In particular, we noted that even the Level 1 requirements may not make sense in the fundamental research context given the focus of such research on publicly sharing the data and the findings generated from it. We included a request for the DoD to initiate a direct dialogue with the associations and their member communities to explore the validity of excluding fundamental research from the certification process.[7] Unfortunately, the DoD did not respond.

Instead, the DoD released last fall an interim rule formally incorporating compliance with the CMMC framework into its contracting regulations along with a requirement for contractors to conduct self-assessments of their compliance with the NIST SP 800-171 controlled unclassified information (CUI) guidelines, with the results to be posted to the DoD contractor information database.[8] (The 800-171 self-assessments are meant to fill the gap in motivating cybersecurity progress across defense contractors as CMMC assessment processes and third-party assessors come online over the next few years.) EDUCAUSE again worked with research university and administrator groups to submit comments on the regulations in question. Expanding on the points raised in our earlier letter, EDUCAUSE and its partners stressed that fundamental research projects rarely involve the federal contract information that forms the basis for CMMC Level 1 requirements, thus adding weight to the argument that fundamental research should be excluded from CMMC requirements. We also asked the DoD to clarify in the final version of the regulations that the 800-171 assessment requirement does not apply to fundamental research.[9] By definition, such research does not include CUI, and the DoD confirms this by not requiring projects that it has designated as fundamental research to comply with the 800-171 guidelines. Thus, it stands to reason that fundamental research projects should not have to worry about assessing compliance with guidelines they are not required to meet. We argued for making this understanding explicit, however, to greatly minimize the potential for unnecessary confusion.

The timeline for the DoD to release the final rule remains unknown, but EDUCAUSE and related groups continue to engage with DoD officials and related parties to ensure that fundamental research is appropriately addressed by (or, more appropriately, overtly excluded from) CMMC. EDUCAUSE also spent much of 2020 working with other major higher education associations to engage with the US Department of Education (ED) and its Federal Student Aid (FSA) office on their concerns about and potential plans for ensuring the security of FSA data that is shared with institutions as part of administering federal student loans. These efforts included requesting that FSA rescind a notice on institutional compliance with the FTC Safeguards Rule so that it could include a number of policy and process clarifications.[10] EDUCAUSE also raised several concerns about how FSA's latest five-year strategic plan misrepresents the state of cybersecurity in higher education to the detriment of the cybersecurity goals that FSA and our member institutions share.[11] Despite a number of positive conversations in which EDUCAUSE members and other association and institutional representatives sought to inform ED and FSA about institutional cybersecurity operations and commitments, FSA closed 2020 by issuing a cryptic notice about possibly developing a cybersecurity agreement requiring 800-171 compliance that all colleges and universities participating in federal financial aid programs would have to sign. The notice also alluded to a possible call by FSA for institutions to conduct 800-171 self-assessments in relation to FSA data to help inform the development of a possible cybersecurity agreement and related processes.[12]

If and when FSA will follow through on its proposed cybersecurity requirements remains to be seen, but its December 2020 notice will clearly keep the issue on the association's radar for the foreseeable future. CMMC and the other issues previously mentioned will also be on our radar. Meanwhile, EDUCAUSE will watch for possible developments in federal privacy policy, potential changes in Section 230 liability protections regarding content posted by users on third-party websites, efforts by a soon-to-be Democratic majority of the Federal Communications Commission to "repeal the repeal" of net neutrality rules, and surprises in areas of member interest that have yet to arise. Given a new presidential administration and unified control of Congress by razor-thin majorities, those surprises are sure to come, and EDUCAUSE looks forward to working with its members and other higher education associations to rise to those challenges just as we did in 2020.

For more information about policy issues impacting higher education IT, please visit the EDUCAUSE Review Policy Spotlight blog as well as the EDUCAUSE Policy web page.

Notes

  1. Jarret Cummings, "Higher Ed IT Funding Request for Federal Emergency Relief Bill," Policy Spotlight (blog), EDUCAUSE Review, April 10, 2020.
  2. Ibid.
  3. Rachel Siegel, "What’s in Biden’s $1.9 Trillion Emergency Coronavirus Plan," The Washington Post, January 14, 2021.
  4. Jarret Cummings, "EDUCAUSE, Higher Ed Groups Push for Broadband Access and Infrastructure," Policy Spotlight (blog), EDUCAUSE Review, June 10, 2020.
  5. Katie Branson, "EDUCAUSE Supports Bill to Provide Broadband Access for Unserved and Underserved College Students," Policy Spotlight (blog), EDUCAUSE Review, June 12, 2020.
  6. Casey Lide and Jason P. Chun, "Overview of Broadband Funding Opportunities in the COVID-19 Relief Act," Keller and Heckman LLP (website), January 19, 2021.
  7. Jarret Cummings, "CMMC and Fundamental Research: EDUCAUSE Joins Groups in Raising Concerns," Policy Spotlight (blog), EDUCAUSE Review, September 24, 2020.
  8. Defense Acquisition Regulations System, Department of Defense, Interim Rule, "Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements" (DFARS Case 2019-D041), September 29, 2020.
  9. Jarret Cummings, "EDUCAUSE Raises Concerns About DOD CMMC/800-171 Assessment Rule," Policy Spotlight (blog), EDUCAUSE Review, December 15, 2020.
  10. Jarret Cummings, "FSA Notice on Handling Safeguards Rule Audit Findings," Policy Spotlight (blog), EDUCAUSE Review, May 7, 2020.
  11. Jarret Cummings, "EDUCAUSE Provides Feedback on the FSA Strategic Plan," Policy Spotlight (blog), EDUCAUSE Review, October 30, 2020.
  12. Federal Student Aid, "Protecting Student Information – Compliance with CUI and GLBA," December 18, 2020.

Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.

© 2021 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.