Policy - EDUCAUSE Reviewhttps://er.educause.edu/channels/policyThe RSS feed for blogs and articles contributed to the Policy channel in EDUCAUSE Reviewen{02C8AC7E-57A6-4792-8606-BCD392CB3671}https://er.educause.edu/articles/2024/2/educause-submits-comments-on-proposed-net-neutrality-ruleEDUCAUSE Submits Comments on Proposed Net Neutrality RuleIn November 2023, the Federal Communications Commission issued a proposed rule to reclassify broadband internet access as a telecommunications service under Title II of the Communications Act, thus reestablishing its 2015 net neutrality regulations. EDUCAUSE and the Association for Research Libraries submitted joint comments in December 2023 expressing the associations' support for an open internet.{A58E2081-4BAC-4A44-BCCC-B5F9CCA9A6C9}https://er.educause.edu/articles/2024/2/fall-2023-regulatory-agenda-highlightsFall 2023 Regulatory Agenda HighlightsThe Biden administration released its Fall 2023 Unified Agenda of Regulatory and Deregulatory Actions in December 2023. The Regulatory Agenda provides insights on the regulatory activities under development across federal departments and agencies and includes updates to several regulations EDUCAUSE has been following.{F7899389-5DA1-4C88-80D9-3A439E2BA484}https://er.educause.edu/articles/2023/12/ftc-publishes-final-breach-reporting-requirements-under-the-safeguards-ruleFTC Publishes Final Breach Reporting Requirements Under the Safeguards RuleThe Federal Trade Commission released its final breach reporting requirements under the latest revision of the Safeguards Rule. The reporting requirements take effect on May 13, 2024.{D5CB08CB-497D-463C-9F90-2652D4B85034}https://er.educause.edu/articles/2023/11/dojs-proposed-web-and-mobile-app-accessibility-regulations-an-overviewDOJ's Proposed Web and Mobile App Accessibility Regulations: An OverviewThe U.S. Department of Justice released its long-anticipated proposed regulation outlining web accessibility requirements under Title II of the Americans with Disabilities Act. EDUCAUSE submitted comments to DOJ on October 3, 2023.{816912B7-5C8B-48AE-AA22-E5D3E7B19942}https://er.educause.edu/articles/2023/11/no-800-171-in-the-new-saig-agreementNo 800-171 in the New SAIG AgreementFederal Student Aid (FSA) has released a new version of its Student Aid Internet Gateway Agreement. The new version omits a NIST SP 800-171 compliance requirement, but FSA cites a provision of the agreement as the basis for its controlled unclassified information marking guidance regarding Federal Tax Information. FSA is urging institutions to sign the new agreement as soon as possible to avoid a delay in receiving 2024-25 FAFSA data from students and their families.{3C636920-C447-4DE0-B4B8-ABD1A0123C4C}https://er.educause.edu/articles/2023/9/expanding-access-to-high-speed-internetExpanding Access to High-Speed InternetThe Biden-Harris Administration has announced funding for the Broadband Equity Access and Deployment (BEAD) program, a major broadband access program originally introduced in the 2022 Infrastructure Investment and Jobs Act. States have been tasked with outlining how they plan to use their funding to ensure equitable access to high-speed internet.{5BA97ED3-225D-44D7-B5F8-A99173E82B88}https://er.educause.edu/articles/2023/9/the-supreme-court-rules-on-the-scope-of-section-230-protectionsThe Supreme Court Rules on the Scope of Section 230 ProtectionsOn May 18, the U.S. Supreme Court issued decisions in two cases related to Section 230 of the Communications Decency Act. The decisions leave Section 230 protections unchanged for now, but they also allow for potential future litigation.{02584559-2F18-4D5D-A33A-C647128EB66A}https://er.educause.edu/articles/2023/8/nsf-requests-input-on-the-development-of-an-rsi-isaoNSF Requests Input on the Development of an RSI-ISAOEDUCAUSE responded to the National Science Foundation (NSF) request for comment on the formation of a research security and integrity information sharing and analysis organization. Among other recommendations, EDUCAUSE called for NSF to collaborate fully with REN-ISAC.{1B221A66-BEFB-47E7-A137-C95CC8B49B5C}https://er.educause.edu/articles/2023/8/nist-explores-developing-research-cybersecurity-resources-for-higher-edNIST Explores Developing Research Cybersecurity Resources for Higher EdThe National Institute of Standards and Technology (NIST) requested public input on the research cybersecurity resources it might develop for colleges and universities. EDUCAUSE submitted comments that encouraged NIST to curate existing resources and develop new ones to support the research cybersecurity profession.{92E24009-AB29-45DF-8089-4A0DB70A201A}https://er.educause.edu/articles/2023/7/educause-responds-to-draft-ostp-research-cybersecurity-provisionsEDUCAUSE Responds to Draft OSTP Research Cybersecurity ProvisionsEDUCAUSE submitted comments to the Office of Science and Technology Policy concerning the research cybersecurity provisions of its draft requirements for institutional research security programs.{435B4B03-50A1-40AC-B260-2F46AB4F3E13}https://er.educause.edu/articles/2023/6/new-and-potential-saig-agreement-revisions-include-safeguards-rule-federal-tax-informationNew and Potential SAIG Agreement Revisions Include Safeguards Rule, Federal Tax InformationThe current Student Aid Internet Gateway (SAIG) Agreement requires higher education institutions to attest to full compliance with new Safeguards Rule provisions. A new version of the SAIG Agreement coming this fall may include new cybersecurity obligations related to the redisclosure of federal tax information to institutions.{B4AFDFF3-9192-407D-9B95-603E6DB9D423}https://er.educause.edu/articles/2023/6/fsa-federal-tax-information-announcement-is-nist-800-171-compliance-on-the-horizonFSA Federal Tax Information Announcement: Is NIST 800-171 Compliance on the Horizon?The U.S. Department of Education Office of Federal Student Aid issued an electronic announcement in May regarding changes to the treatment of federal tax information (FTI) that will take effect for the 2024–2025 financial aid award year. In particular, the designation of FTI as controlled unclassified information may hold implications for institutional compliance with NIST SP 800-171.{3F4F32BE-E5FC-406A-8894-9A3C104331E4}https://er.educause.edu/articles/2023/6/fy23-federal-single-audit-includes-a-new-safeguards-rule-audit-objectiveFY23 Federal Single Audit Includes a New Safeguards Rule Audit ObjectiveThe federal single audit includes a new Safeguards Rule audit objective for FY23 that incorporates new compliance elements associated with the Federal Trade Commission's updated Safeguards Rule.{6D2B64DD-1C3E-466C-A503-724BCD5F0CDD}https://er.educause.edu/articles/2023/6/doj-and-ed-issue-joint-dear-colleague-letter-regarding-online-accessibilityDOJ and ED Issue Joint "Dear Colleague Letter" Regarding Online AccessibilityThe U.S. Departments of Justice and Education issued a joint "Dear Colleague Letter" regarding online accessibility. The letter shares the departments' efforts to address online accessibility issues at colleges, universities, and other institutions of higher education and comes amid forthcoming regulations that would update web accessibility rules pursuant to Title II of the Americans with Disabilities Act and Section 504 of the Rehabilitation Act.{4FA76944-F887-47C5-835B-4D545788D0B4}https://er.educause.edu/articles/2023/6/ed-removes-effective-date-for-previously-released-third-party-servicer-guidanceED Removes Effective Date for Previously Released Third-Party Servicer GuidanceThe U.S. Department of Education issued a "Dear Colleague Letter" (GEN-23-08) that formally removed the effective date of third-party servicer guidance published in GEN-23-03, which was issued in February.{2E470D08-1395-4462-9195-355366B7BFF6}https://er.educause.edu/articles/2023/5/ed-delays-effective-date-of-third-party-servicer-guidanceED Delays Effective Date of Third-Party Servicer GuidanceThe U.S. Department of Education has announced its intention to issue revised guidance concerning the Dear Colleague guidance letter on Third-Party Servicer requirements and delay the effective date until at least six months after the revision is published.{16791D6A-A798-4359-B10E-8A311A2823A7}https://er.educause.edu/articles/2023/4/the-biden-administration-issues-a-national-cybersecurity-strategyThe Biden Administration Issues a National Cybersecurity StrategyThe Biden Administration has released a National Cybersecurity Strategy, a comprehensive plan to address the most pressing cybersecurity issues. The National Cybersecurity Strategy does not explicitly include policies for higher education, but some policies may open or strengthen opportunities for institutions to participate in federally funded cybersecurity programs.{B990D3B6-18DC-4DCA-824E-0C89D1FDC043}https://er.educause.edu/articles/2023/4/tiktok-crackdown-and-higher-educationTikTok Crackdown and Higher EducationCiting national security concerns, federal and state public officials continue to pursue policies that would ban or serve to ban TikTok, the popular video-sharing app. Congressional Republicans recently introduced legislation that would effectively ban TikTok on institutional devices.{7FEE2121-5289-4558-B0D6-D4B7FC8F5E62}https://er.educause.edu/articles/2023/4/educause-and-arl-members-highlight-tps-problemsEDUCAUSE and ARL Members Highlight TPS ProblemsEDUCAUSE and the Association of Research Libraries submitted a joint response to the U.S. Department of Education that includes examples from their members of the problems posed by the recent third-party servicer guidance.{81D78437-DA82-40C4-A04C-905389B0E695}https://er.educause.edu/articles/2023/4/doj-web-accessibility-regulations-are-imminentDOJ Web Accessibility Regulations Are ImminentThe U.S. Department of Justice has sent its proposed rule on web accessibility for state and local government entities to the Office of Information and Regulatory Affairs. This is one of the final steps an agency must take before publishing a proposed regulation.{828188B9-A270-467C-8AC9-6B3B6D701A0D}https://er.educause.edu/articles/2023/3/educause-and-third-party-servicer-guidanceEDUCAUSE and Third-Party Servicer GuidanceA recent guidance letter from the U.S. Department of Education applies “Third-Party Servicer” regulations to higher education institutions and to their content, software, systems, and services providers. Given the disruption this would cause, EDUCAUSE has asked the department to rescind the letter, fully consult with institutions and their stakeholders, and revise its guidance.{CB1A53AE-85FF-49B2-A131-D03ECD37F255}https://er.educause.edu/articles/2023/2/fsa-issues-guidance-on-safeguards-rule-complianceFSA Issues Guidance on Safeguards Rule ComplianceA recent notice from the office of Federal Student Aid (FSA) provides a brief review of the pending changes to the Safeguards Rule and explains how FSA plans to ensure institutional compliance with the new requirements.{A63FB609-A40B-4AD6-956A-1CF77A6C08A3}https://er.educause.edu/articles/2023/1/fy23-ndaa-omits-incident-reporting-amendmentFY23 NDAA Omits Incident Reporting AmendmentThe final version of the National Defense Authorization Act for Fiscal Year 2023 excludes a proposed Senate amendment that would have required federal contractors and grant recipients to report cyber incidents involving their contracting/granting agency's data or systems to the agency.{9E231B35-85A0-4373-8579-B8FA35A85E0F}https://er.educause.edu/articles/2022/12/web-accessibility-regulations-are-poised-to-be-a-focal-point-in-spring-2023Web Accessibility Regulations Are Poised to Be a Focal Point in Spring 2023The U.S. Department of Justice intends to issue a notice of proposed rulemaking in 2023 around web accessibility regulations for state and local government entities pursuant to Title II of the Americans with Disability Act. At the same time, The U.S. Department of Education is considering updating regulations implementing Section 504 of the Rehabilitation Act.{FDB00ABB-5930-4BB0-96EA-6E4ECC81CEE8}https://er.educause.edu/articles/2022/11/the-copyright-claims-board-worrying-implications-for-scholarshipThe Copyright Claims Board: Worrying Implications for ScholarshipThe Copyright Claims Board helps rights holders but may expose researchers and students to litigation. Higher education institutions and research libraries can position themselves to support students and prevent possible risks to scholarship.{1FDA7DF1-B9DE-4C57-85FE-06DEE706B027}https://er.educause.edu/articles/2022/10/cisa-issues-request-for-information-for-cyber-incident-reporting-rulemakingCISA Issues Request for Information for Cyber Incident Reporting RulemakingColleges and universities are not subject to the law requiring cyber incident reporting to the Cybersecurity and Infrastructure Security Agency (CISA). However, details of the agency's regulatory process, starting with its recent request for information, are worth noting, given their general implications for federal policy on cyber incident reporting.{F9811E8B-50D9-4A4F-BC0F-D000CB3EA88E}https://er.educause.edu/articles/2022/10/federal-policy-perspectives-on-the-educause-2023-top-10-it-issuesFederal Policy Perspectives on the EDUCAUSE 2023 Top 10 IT IssuesEDUCAUSE community members offer federal policy perspectives on the 2023 Top 10 IT Issues.{7B88C6B1-2C66-417B-8316-E962D5AC680C}https://er.educause.edu/articles/2022/9/cisa-cyber-incident-reporting-rulemaking-is-on-the-horizonCISA Cyber Incident Reporting Rulemaking Is on the HorizonWhile higher education is not covered by a pending rulemaking on cyber incident reporting, EDUCAUSE is monitoring the process given the possibility that colleges and universities could face a similar requirement in the future.{BDCF0A6F-96C4-490B-93BA-748F99B4A512}https://er.educause.edu/articles/2022/9/funding-opportunities-for-federal-broadband-programsFunding Opportunities for Federal Broadband ProgramsThe National Telecommunications and Information Administration has taken the first steps in implementing the broadband programs of the Infrastructure Investment and Jobs Act.{FA950F05-1CF3-48C2-8A24-F32D4541BBB7}https://er.educause.edu/articles/2022/8/a-possible-move-toward-comprehensive-federal-privacy-legislationA Possible Move Toward Comprehensive Federal Privacy LegislationA comprehensive privacy bill has cleared a House committee for the first time, but its flaws on federal preemption and a private right of action may limit its prospects. The way the bill handles exceptions for existing laws is also concerning for higher education.{3877B612-C7D1-4006-8D62-0E3E19DB3AA3}https://er.educause.edu/articles/2022/8/fy22-federal-single-audit-safeguards-rule-objective-unchangedFY22 Federal Single Audit: Safeguards Rule Objective UnchangedThe Safeguards Rule audit objective for the federal single audit remains unchanged for the FY22 audit process. It will likely change in future years, however, to align with the new Safeguards Rule requirements that take effect in December.{65F2C76A-6043-44AB-8801-1AFC9ADAF7BB}https://er.educause.edu/articles/2022/6/educause-board-chair-testifies-to-senate-on-cybersecurityEDUCAUSE Board Chair Testifies to Senate on CybersecurityHelen Norris, EDUCAUSE board chairperson and Chapman University CIO, testified to a Senate committee about higher education cybersecurity challenges and what the federal government could do to help.{873FF67A-57AF-4656-A787-C324AB6AC765}https://er.educause.edu/articles/2022/5/problems-with-national-research-cybersecurity-requirementsProblems with National Research Cybersecurity RequirementsEDUCAUSE is working with its members and partners to engage the White House on the problematic approach to research cybersecurity included in its recent research security guidance.{A7C50A90-ED2A-4446-A660-381AC283F866}https://er.educause.edu/articles/2022/3/good-news-on-cyber-incident-reporting-billGood News on Cyber Incident Reporting BillCongress included cyber incident reporting legislation in its FY22 appropriations bill that recently became law. However, the legislation focuses solely on entities in the well-established "critical infrastructure" sectors, which exclude higher education.{486A8A2B-09A9-430E-B732-486E1D865E04}https://er.educause.edu/articles/2022/3/higher-ed-responds-to-proposed-safeguards-rule-reporting-requirementHigher Ed Responds to Proposed Safeguards Rule Reporting RequirementThe Federal Trade Commission (FTC) has proposed adding a reporting requirement to its Safeguards Rule. EDUCAUSE and its partners recommend that the FTC adopt a few revisions (e.g., delaying the public release of any Safeguards Rule security event report for one year from the submission date).{A7A63883-7376-40E6-9C83-DBCED436404E}https://er.educause.edu/articles/2021/12/cyber-incident-reporting-under-the-safeguards-ruleCyber Incident Reporting Under the Safeguards Rule?The Federal Trade Commission (FTC) is seeking public comments on whether to require institutions that are subject to its Safeguards Rule, which includes colleges and universities, to report certain security events to it.{085D9328-5ABA-4E74-9D5A-9FF7D028C297}https://er.educause.edu/articles/2021/12/policy-analysis-revised-highly-prescriptive-ftc-safeguards-rulePolicy Analysis: Revised, Highly Prescriptive FTC Safeguards RuleThe Federal Trade Commission (FTC) has released a revised version of the Safeguards Rule. The revised Rule will impose many new requirements on institutional cybersecurity operations in relation to student financial aid and other "customer" information.{40F61864-F207-4DA3-9A35-DD2AF41BAC18}https://er.educause.edu/articles/2021/10/congress-and-cyber-incident-reportingCongress and Cyber-Incident ReportingLegislation that would mandate cyber-incident reporting to the federal government is circulating through Congress. The bills that are likely to pass do not cover higher education, but all of the proposals provide clues about what EDUCAUSE members may see in the future.{E84B70A1-7E79-4F57-95A3-4C11D7899FAB}https://er.educause.edu/multimedia/2021/9/special-report-fighting-the-innovation-killer-whats-in-your-ip-policySpecial Report: Fighting the Innovation Killer—What's in Your IP Policy? [video]Who owns all of the content that instructors created in response to the urgent need to move from face-to-face to remote instruction starting in March 2020?{C260F3F2-0C58-4E4A-9D16-C40FCA29BD18}https://er.educause.edu/articles/2021/8/beyond-social-media-the-full-context-of-section-230Beyond Social Media: The Full Context of Section 230Policymakers must begin to understand that Section 230 liability protection is much more foundational to the effective functioning of the internet than they realize.{A29398CD-315B-4E3C-A5A6-A4A78E8B66CA}https://er.educause.edu/articles/2021/8/bipartisan-infrastructure-bill-offers-some-opportunities-for-higher-edBipartisan Infrastructure Bill Offers Some Opportunities for Higher EdA bipartisan Senate infrastructure bill has the United States set to make an unprecedented investment in broadband infrastructure and service affordability.{F434C8CD-865E-4C58-9F0B-BD52694CDD93}https://er.educause.edu/articles/2021/7/biden-administration-promotes-net-neutralityBiden Administration Promotes Net NeutralityPresident Biden's recent executive order to promote economic competition reaffirmed his commitment to restoring net neutrality protections. For that to happen, however, he must first determine the composition of a new Democratic majority on the Federal Communications Commission (FCC).{4086B35B-A621-4CEB-8719-7CAE19E2E22F}https://er.educause.edu/articles/2021/7/closing-the-institutional-digital-divide-the-ren-infrastructure-proposalClosing the Institutional Digital Divide: The REN Infrastructure ProposalEDUCAUSE joined more than twenty higher education associations in a letter to Congress encouraging policymakers to invest $5 billion in research and education networks as part of the $65 billion in broadband infrastructure funding that Congress is currently considering.{BD1CB299-D30A-405F-A34A-530E64C78A1B}https://er.educause.edu/articles/2021/7/the-hecvat-a-5-year-anniversary-updateThe HECVAT: A 5-Year Anniversary Update As the Higher Education Community Vendor Assessment Toolkit (HECVAT) celebrates its five-year anniversary in 2021, it is undergoing a major makeover.{A73BE392-8B3A-4E3B-BAC9-03B6A92EA807}https://er.educause.edu/articles/2021/6/interesting-policy-reads-june-10-2021Interesting Policy Reads: Research and Education Network Infrastructure, Federal Agency Website Accessibility, Broadband Access and Affordability, Higher Education Cybersecurity, and MoreThis article includes information about a proposal for national investment in research and education network infrastructure, continuing problems with the accessibility of federal agency websites, current trends in the access and affordability of consumer broadband and mobile technologies, and key post-pandemic considerations for higher education cybersecurity.{F3695092-11AE-4CAD-A4AD-5DA9EE0971FE}https://er.educause.edu/articles/2021/5/higher-education-the-latest-focus-of-biometrics-class-action-lawsuitsHigher Education: The Latest Focus of Biometrics Class Action LawsuitsCompliance with Illinois Biometric Information Privacy Act—which imposes strict consent requirements on entities that collect, use, and store biometric information—is straightforward, but the cost of running afoul of its requirements can be potentially catastrophic.{E1AD5008-ACD6-44DC-977F-F4ADEDD28C19}https://er.educause.edu/articles/2021/5/the-biden-administrations-first-100-days-a-milestone-for-higher-educationThe Biden Administration’s First 100 Days: A Milestone for Higher Education?What have we seen in President Joe Biden's first 100 days in office, and what does that suggest for colleges and universities moving forward?{F0F268A6-11AC-4726-85D8-DB42463DB4B8}https://er.educause.edu/articles/2021/3/800-171-compliance-on-the-horizon800-171 Compliance on the HorizonThe office of Federal Student Aid posted a high-level overview of its cybersecurity compliance plans. The notice makes clear that the NIST SP 800-171 controlled unclassified information guidelines will form the foundation of the Campus Cybersecurity Program.{F75499FB-7AC8-4D21-A4CE-93A4E15DDD1C}https://er.educause.edu/blogs/2021/2/continuity-and-change-in-higher-education-it-policyContinuity and Change in Higher Education IT PolicyThe transition to a new president and Democratic Senate in 2021 open the door for dramatic changes across the federal policy landscape. In higher education IT policy, though, many issues will carry over from 2020. Some will move in a decidedly different direction, but others may stay on more or less the same path.{0ED2EAE5-0DBE-49FA-9381-56FF15FB3C23}https://er.educause.edu/blogs/2020/12/educause-raises-concerns-about-dod-cmmc-800-171-assessment-ruleEDUCAUSE Raises Concerns About DOD CMMC/800-171 Assessment RuleFollowing an earlier letter to the US Department of Defense (DOD), EDUCAUSE joined other groups in highlighting problems with an interim DOD regulation that could impose unnecessary cybersecurity requirements on university fundamental research.