Policy - EDUCAUSE Review

DOJ and HHS Extend Web Accessibility Deadlines to 2027–2028

The Department of Justice and the Department of Health and Human Services have extended web accessibility compliance deadlines by one year to provide additional time for implementation.

White House Unveils National AI Legislative Framework

The White House has proposed a national artificial intelligence framework that seeks to establish a uniform federal standard, prioritizing the preemption of state regulations while focusing on child safety, energy cost protections, and American technological competitiveness.

Trump Administration Releases Cyber Strategy

The Trump administration has released a new cyber strategy outlining a more assertive federal approach to cybersecurity, emphasizing coordination, deterrence, and enforcement. The president also issued a companion executive order that elevates the federal response to cybercrime and fraud through stronger coordination of government efforts, private-sector partnerships, and expanded support for state and local governments.

CISA Announces Town Hall Meetings on CIRCIA Regulations

The Cybersecurity and Infrastructure Security Agency has announced a series of virtual town hall meetings to seek additional input on proposed regulations under the Cyber Incident Reporting for Critical Infrastructure Act.

Trump Signs AI Executive Order as States Implement AI Laws

In December 2025, President Trump issued an executive order establishing a national artificial intelligence (AI) policy framework, challenging stricter state AI laws, and tying certain federal funding to state compliance.

New Agency Head Appointed at FSA While Policy Activity Remains Uncertain

Richard Lucas has been appointed as the chief operating officer of the U.S. Department of Education Office of Federal Student Aid. However, specific details on the agency's plans to establish cybersecurity compliance obligations have yet to emerge.

Follow-Up: What Tech Leaders Need to Know About Federal Policy and Higher Ed

Sophie talks with John O'Brien and Jarret Cummings to respond to audience questions submitted at the 2025 EDUCAUSE Annual Conference live podcast recording.

Spring 2025 Regulatory Agenda Highlights

The Trump administration released the Spring 2025 Unified Agenda of Regulatory and Deregulatory Actions in September. The Regulatory Agenda outlines regulatory activities under development across federal departments and agencies and includes updates on several regulations that EDUCAUSE has been monitoring.

What Tech Leaders Need to Know About Federal Policy and Higher Ed

Sophie and Jenay discuss U.S. federal policy updates and higher education with John O'Brien and Jarret Cummings live at the 2025 EDUCAUSE Annual Conference in Nashville.

DFARS Changes to Integrate CMMC Requirements Effective November 10

The final version of changes to defense contracting regulations implementing the Cybersecurity Maturity Model Certification Program has been released, beginning a three-year phase-in period for incorporating contractor self-assessment or third-party certification requirements in all Department of Defense contracts involving Federal Contract Information or Controlled Unclassified Information.

Senate Reintroduces Kids Online Safety Act

The Kids Online Safety Act was reintroduced in the 119th Congress with a key revision aimed at preventing government enforcement of the duty of care provision based on users' First Amendment-protected speech.

Trump AI Action Plan: Short on Action

The Trump administration released its national AI Action Plan on July 23, 2025. Despite its title, most of the substantive measures it calls for focus on eliminating federal regulations, leveraging federal funding to limit state regulation of artificial intelligence, and leaning on existing agencies and resources to accomplish new goals and objectives.

EDUCAUSE Reiterates Concerns Over CISA's Cyber Incident Reporting Proposed Rule

EDUCAUSE recently sent a letter to the Cybersecurity and Infrastructure Agency (CISA) to reemphasize concerns about CISA's proposed rule regarding cyber-incident reporting under the Cyber Incident Reporting for Critical Infrastructure Act.

EDUCAUSE Joins Comments to Inform Trump Administration's AI Action Plan

EDUCAUSE joined the American Council on Education and other higher education associations in commenting on the Request for Information from the Trump administration regarding the development of a proposed Artificial Intelligence Action Plan for the United States.

EDUCAUSE Recommends Changes to Proposed FAR CUI Rules

EDUCAUSE and other higher education associations recently highlighted problems with proposed changes to federal contracting regulations to incorporate uniform controlled unclassified information (CUI) marking and handling requirements. Those problems include definitions of CUI and covered federal information that might expose federally funded fundamental research projects to inappropriate data security requirements.

Senate Reintroduces Children and Teens' Online Privacy Protection Act

The Children and Teens' Online Privacy Protection Acts was recently reintroduced in the Senate. The proposed legislation is aimed at improving online privacy protections for children and teens.

Trump 2.0 Regulatory Executive Orders

Since his inauguration, President Trump has issued several executive orders that could indicate what regulations federal agencies will focus on in the coming months.

ED Issues Guidance on Misrepresentations by Third-Party Servicers

In the final days of the Biden administration, the U.S. Department of Education issued a notice of interpretation regarding third-party servicer misrepresentations. The notice concludes the Biden administration's multiyear attempt to regulate online program managers through third-party servicer regulations and guidance.

DOJ Finalizes Rule Prohibiting and Restricting Foreign Transfer of Personal Sensitive Data

In the final days of the Biden administration, the U.S. Department of Justice published a final rule that establishes prohibitions and restrictions around certain data transfers to countries of concern. The final rule is set to go into effect April 8, 2025.

What the Election Results Mean for Higher Education IT Policy

The 2024 election has come and gone, and Washington awaits a second Trump administration and a Republican-controlled Congress. Meanwhile, the outcomes of several regulatory policies that are important to the higher education IT community remain uncertain.

CMMC Program Rule Finalized

The U.S. Department of Defense released the final regulations for its Cybersecurity Maturity Model Certification (CMMC) Program on October 15, 2024. The DOD reconfirmed the exclusion of fundamental research from CMMC program requirements and added concepts to help institutions meet the requirements.

ED Formally Rescinds 2023 Guidance Letter on Third-Party Servicers

After over a year in limbo, the U.S. Department of Education is taking steps to formally rescind its "Dear Colleague Letter" that attempted to apply its third-party servicer regulations to higher education institutions and their content, software, systems, and services providers.

A Policy Update from the 2024 EDUCAUSE Annual Conference

Host Jenay Robert talks legislative updates with Jarret Cummings, EDUCAUSE Senior Advisor for Policy and Government Relations. They dive into the new web and mobile app accessibility regulations, proposed cyber incident reporting rules, research cybersecurity issues, and what to expect in 2025.

Kids Online Safety and Privacy Act Passes Senate, House Committee Passes New Version

In July and September, the U.S. Senate and House of Representatives moved the Kids Online Safety and Privacy Act through each chamber. Although the bill passed in the Senate and advanced out of the House Energy and Commerce Committee, its future remains uncertain, especially given that Congress will be in session for only a few more days this year.

Cautious Optimism on OSTP Research Cybersecurity Requirements

The Office of Science and Technology Policy has released its final requirements for research security programs, which federal research funding agencies will have to apply to colleges and universities that average $50 million or more per year in federal research grants. The requirements include potentially positive guidelines for research cybersecurity at covered institutions.

Spring 2024 Regulatory Agenda Highlights

The Biden administration released the Spring 2024 Unified Agenda of Regulatory and Deregulatory Actions on July 5. The Regulatory Agenda provides insights on the regulatory activities under development across federal departments and agencies and includes updates on several regulations that EDUCAUSE has been monitoring.

EDUCAUSE Pushes Back on Proposed Cyber Incident Reporting Regulations

Several higher education associations joined EDUCAUSE in responding to proposed federal regulations mandating cyber incident reporting. Among other key points, the associations argued that the issuing agency, CISA, intends to apply vague requirements to higher education without consulting the higher education community or considering the impacts of the requirements.

Web and Mobile App Accessibility Regulations

The U.S. Department of Justice published its final regulation on web and mobile application accessibility under Title II of the Americans with Disabilities Act in the Federal Register on April 24. The regulation goes into effect for large public entities on April 26, 2026, and for small public entities on April 26, 2027.

FCC Issues Net Neutrality Final Rule

Last month, the Federal Communications Commission (FCC) issued the anticipated final rule to reclassify broadband internet access as a telecommunications service under Title II of the Communications Act, thus reestablishing the FCC's 2015 net neutrality regulations. The rule goes into effect on July 22, 2024.

The Kids Online Safety Act Faces an Unclear Future

In early 2024, the Senate garnered enough support to potentially pass the Kids Online Safety Act—a major privacy law focused on content moderation for minors. Though the bill does not seem to cover higher education institutions, the EDUCAUSE Policy team will be asking for clarification about whether certain scenarios would create compliance concerns for colleges and universities.

EDUCAUSE Responds to Research Cybersecurity Regulations in Q1 2024

EDUCAUSE responded to three major comment processes in the first quarter of 2024, all of which have significant implications for research cybersecurity.

EDUCAUSE Submits Comments on Proposed Net Neutrality Rule

In November 2023, the Federal Communications Commission issued a proposed rule to reclassify broadband internet access as a telecommunications service under Title II of the Communications Act, thus reestablishing its 2015 net neutrality regulations. EDUCAUSE and the Association for Research Libraries submitted joint comments in December 2023 expressing the associations' support for an open internet.

Fall 2023 Regulatory Agenda Highlights

The Biden administration released its Fall 2023 Unified Agenda of Regulatory and Deregulatory Actions in December 2023. The Regulatory Agenda provides insights on the regulatory activities under development across federal departments and agencies and includes updates to several regulations EDUCAUSE has been following.

FTC Publishes Final Breach Reporting Requirements Under the Safeguards Rule

The Federal Trade Commission released its final breach reporting requirements under the latest revision of the Safeguards Rule. The reporting requirements take effect on May 13, 2024.

DOJ's Proposed Web and Mobile App Accessibility Regulations: An Overview

The U.S. Department of Justice released its long-anticipated proposed regulation outlining web accessibility requirements under Title II of the Americans with Disabilities Act. EDUCAUSE submitted comments to DOJ on October 3, 2023.

No 800-171 in the New SAIG Agreement

Federal Student Aid (FSA) has released a new version of its Student Aid Internet Gateway Agreement. The new version omits a NIST SP 800-171 compliance requirement, but FSA cites a provision of the agreement as the basis for its controlled unclassified information marking guidance regarding Federal Tax Information. FSA is urging institutions to sign the new agreement as soon as possible to avoid a delay in receiving 2024-25 FAFSA data from students and their families.

Expanding Access to High-Speed Internet

The Biden-Harris Administration has announced funding for the Broadband Equity Access and Deployment (BEAD) program, a major broadband access program originally introduced in the 2022 Infrastructure Investment and Jobs Act. States have been tasked with outlining how they plan to use their funding to ensure equitable access to high-speed internet.

The Supreme Court Rules on the Scope of Section 230 Protections

On May 18, the U.S. Supreme Court issued decisions in two cases related to Section 230 of the Communications Decency Act. The decisions leave Section 230 protections unchanged for now, but they also allow for potential future litigation.

NSF Requests Input on the Development of an RSI-ISAO

EDUCAUSE responded to the National Science Foundation (NSF) request for comment on the formation of a research security and integrity information sharing and analysis organization. Among other recommendations, EDUCAUSE called for NSF to collaborate fully with REN-ISAC.

NIST Explores Developing Research Cybersecurity Resources for Higher Ed

The National Institute of Standards and Technology (NIST) requested public input on the research cybersecurity resources it might develop for colleges and universities. EDUCAUSE submitted comments that encouraged NIST to curate existing resources and develop new ones to support the research cybersecurity profession.

EDUCAUSE Responds to Draft OSTP Research Cybersecurity Provisions

EDUCAUSE submitted comments to the Office of Science and Technology Policy concerning the research cybersecurity provisions of its draft requirements for institutional research security programs.

New and Potential SAIG Agreement Revisions Include Safeguards Rule, Federal Tax Information

The current Student Aid Internet Gateway (SAIG) Agreement requires higher education institutions to attest to full compliance with new Safeguards Rule provisions. A new version of the SAIG Agreement coming this fall may include new cybersecurity obligations related to the redisclosure of federal tax information to institutions.

FSA Federal Tax Information Announcement: Is NIST 800-171 Compliance on the Horizon?

The U.S. Department of Education Office of Federal Student Aid issued an electronic announcement in May regarding changes to the treatment of federal tax information (FTI) that will take effect for the 2024–2025 financial aid award year. In particular, the designation of FTI as controlled unclassified information may hold implications for institutional compliance with NIST SP 800-171.

FY23 Federal Single Audit Includes a New Safeguards Rule Audit Objective

The federal single audit includes a new Safeguards Rule audit objective for FY23 that incorporates new compliance elements associated with the Federal Trade Commission's updated Safeguards Rule.

DOJ and ED Issue Joint "Dear Colleague Letter" Regarding Online Accessibility

The U.S. Departments of Justice and Education issued a joint "Dear Colleague Letter" regarding online accessibility. The letter shares the departments' efforts to address online accessibility issues at colleges, universities, and other institutions of higher education and comes amid forthcoming regulations that would update web accessibility rules pursuant to Title II of the Americans with Disabilities Act and Section 504 of the Rehabilitation Act.

ED Removes Effective Date for Previously Released Third-Party Servicer Guidance

The U.S. Department of Education issued a "Dear Colleague Letter" (GEN-23-08) that formally removed the effective date of third-party servicer guidance published in GEN-23-03, which was issued in February.

ED Delays Effective Date of Third-Party Servicer Guidance

The U.S. Department of Education has announced its intention to issue revised guidance concerning the Dear Colleague guidance letter on Third-Party Servicer requirements and delay the effective date until at least six months after the revision is published.

The Biden Administration Issues a National Cybersecurity Strategy

The Biden Administration has released a National Cybersecurity Strategy, a comprehensive plan to address the most pressing cybersecurity issues. The National Cybersecurity Strategy does not explicitly include policies for higher education, but some policies may open or strengthen opportunities for institutions to participate in federally funded cybersecurity programs.

TikTok Crackdown and Higher Education

Citing national security concerns, federal and state public officials continue to pursue policies that would ban or serve to ban TikTok, the popular video-sharing app. Congressional Republicans recently introduced legislation that would effectively ban TikTok on institutional devices.

EDUCAUSE and ARL Members Highlight TPS Problems

EDUCAUSE and the Association of Research Libraries submitted a joint response to the U.S. Department of Education that includes examples from their members of the problems posed by the recent third-party servicer guidance.