Host Jenay Robert talks legislative updates with Jarret Cummings, EDUCAUSE Senior Advisor for Policy and Government Relations. They dive into the new web and mobile app accessibility regulations, proposed cyber incident reporting rules, research cybersecurity issues, and what to expect in 2025.
Jenay Robert: Thank you to all of you for being here for the first time that we recorded Shop Talk Live. If you're not familiar with Shop Talk, it's a series that you can find from EDUCAUSE on YouTube and on Spotify. So whatever way you like to consume your media. I am Jenay Robert. I'm a senior researcher at EDUCAUSE, and I am joined by one of my favorite colleagues that's sitting with me today.
Jarret Cummings: Very small population.
Jenay Robert: Jarret Cummings. We used to only have a friendship over Twitter, and then now we get to see each other more often, so . . .
Jarret Cummings: Exactly. We will find out if we really still like each other live and in person. So it's high-risk video.
Jenay Robert: Yeah, yeah. But yeah, thank you all for taking the time to be here and Jarret is brilliant. I always say I wish I could download his brain into mine. He is our policy expert. It's probably not your right title. What's your real title?
Jarret Cummings: Senior Advisor for Policy and Government Relations.
Jenay Robert: There you go. All thanks. Policy. And this is a little policy update, right? Absolutely. It's very informal. We're just having a chat. I think we may have some time for audience questions at the end if we can figure that out. But in the meantime, I think we just want to get some little updates and pick your brain about what's going on in the policy world and what's interesting.
Jarret Cummings: Well, I think probably the most impactful development this year has been around the web and mobile app accessibility regulations that the Department of Justice released under Title II of the Americans with Disabilities Act. So that's the portion of the ADA that covers state and local government entities, which of course covers all public colleges and universities. And it's the first time that the DOJ has set an actual standard for web and mobile app accessibility under the ADA. So that is, get ready for the acronym, WCAG 2.1 AA, and if you'd like that read out, it's the Web Content Accessibility Guidelines 2.1 Level AA.
Jenay Robert: How many times did you have to practice that? That's a lot.
Jarret Cummings: I've lived with that long enough that I can almost get it out without tripping, but it's a very significant development because in the final version of the regulation, the department made some changes from its proposed rules, which have really, I think greatly increased the potential impact on higher education. Probably the most relevant change is they dropped the proposed exception for password protected post-secondary course content from the proposed regulation to the final regulation. So that means that all of the digital content in all of our courses and programs that might appear on the web in some form or fashion would have to be compliant with the WCAG 2.1 AA standard, and that also includes the delivery systems, how that content is accessed. So it's a very expansive level of compliance and the proposed regulations in the final regulations. Another significant change that amplifies that, the importance of that change is that DOJ, rather than going with compliance based upon a robust set of policy and process to identify and remediate compliance issues, in the final rule, they ultimately said no.
Compliance means do you meet the standard or not? And the only real time in which it doesn't matter is when it genuinely doesn't matter. If you have a deviation from the standard that doesn't impact the delivery of the program activity or service to someone with a disability, then DOJ is willing to let that slide. But that's a very narrow space. Now, the final regulations do include a series of exceptions for things such as preexisting electronic documents, archived materials and so forth. But even in those exceptions, if any of the content is actually used for the delivery of a program activity or service, then it has to be made compliant anyway. So there's a very broad scope of compliance involved in this final regulation. And for the overwhelming majority of colleges and universities, the deadline to achieve compliance is April 26th, 2026. So we're roughly 18 months from all digital course content essentially needing to be compliant with these regulations. And that's going to be a huge challenge for institutions.
Jenay Robert: So something that stands out to me about this conversation, and I heard it multiple times and what you just said, was this vocabulary of compliant where sometimes I hear people talk about this and I'm guessing it's not quite accurate, so I want to hear your take on this. Some people say, all course content has to be accessible by a certain date. And I feel like this title, this label accessible is not, at least as a researcher, I've always learned that it's not that something is or is not accessible. There are accessibility features, there's different levels of accessibility. And so I hear you saying compliant. Is that a correct difference? It's not that we're saying accessible black and white, but compliant with some regulations and standards.
Jarret Cummings: Well, in this context, the regulation by identifying WCAG 2.1 AA as the standard for compliance, that is the level of accessibility for that content or relevant technology. So it basically is the content or the technology accessible to this level. And an interesting wrinkle with the new regulations is that the, sorry, momentary blank. It's in past application of the ADA. The focus would be on remediating something, fixing something that wasn't accessible to the level necessary to serve the individual involved. And in this context, now, the regulation is if you have to make the content WCAG 2.1 AA accessible, it has to meet the full standard. It's not just having to meet for someone with a visual disability, for example. You're not just talking about remediating the content to address visual disability issues. You have to elevate the content so that it fully meets all of the WCAG 2.1 AA requirements.
Jenay Robert: So would it be fair to say that we're shifting away from this approach where we say, well, we can accommodate as needed and more towards, we need to not have to accommodate as much as possible. Is that a fair representation?
Jarret Cummings: Absolutely. The final regulation essentially takes the issue of reasonable accommodation off the table. From a regulatory standpoint, we're going to be assessed in terms of compliance, whether the content is WCAG 2.1 AA accessible or not across the full scope of WCAG 2.1 AA. And it's not an issue if someone with particular disability needs content remediated to a certain level, you have to remediate it to the full standard or it's not compliant under the regulation.
Jenay Robert: Does that mean that the way we understand accommodation now goes away completely or does it change? Is there still going to be some process input?
Jarret Cummings: Well, I mean, I think there still are always issues where institutions may run into content or technology that can't be elevated to that standard for a given person with their disability. So I don't know that reasonable accommodation comes off the table completely, but just as a focus of addressing accessibility compliance, now what's the standard? Not how do we accommodate this individual?
Jenay Robert: Yeah, I've been feeling very hopeful hearing about some of these changes because I know in our own research with students at EDUCAUSE if you follow some of the annual students and technology studies, we see that students oftentimes don't even pursue accommodation requests for various reasons, whether it's because of the paperwork being too overwhelming or they just don't know that they have to do that or can do that. So we know that students who really need these services maybe just aren't getting them or most likely just aren't getting them. So it's really exciting to hear that there's some progress in this space. I mean, are you hearing from the community that they feel like that is progress or do you think it's my hopeful kind of take on the matter?
Jarret Cummings: Well, there's progress and then there are challenges associated with attaining that progress. And I think that for many institutions, given the scope of the content that's going to have to be addressed, it's going to be a very significant issue whether our provider community, our content providers, our service providers and so forth are able to adapt and make their offerings compliant because there's just going to be a limit, I think, to what any individual institution can do to address all of the content and services that will have to be made compliant. And so I think my concern would be, and we said this in our comments on the proposed regulation, that a two year timeframe for large public organizations and a three year timeframe for small organizations where the distinction isn't whether your organization is large or small, but really whether you're talking about a large, small state or local government. So you could have a small state college, but it's a state college, so it's associated with its state. And that state's population far exceeds what the definition of a large entity under, excuse me. Well, a large entity under the regulation is, so within the scope of two years, and in the absence of the password protected course content exception, many institutions, you're talking about tremendous volume of course content that has to be elevated to the standard, and that's going to be a greater or lesser challenge even within institutions depending upon the course, the program, the faculty were involved and so forth.
Jenay Robert: Do you have advice, and I mean I have an opinion on this so I can chime in as well. Do you have advice for institutions you feel, okay, this is a lot of work. This is really overwhelming. I don't even know where to start. I know this was part of some conversations I had yesterday I was at, actually, ed had our first annual partner summit where we had folks from ed tech, folks who are IT leaders at institutions, other associations, all chatting about some of these really big issues that we need to all work together on. And this came up as a huge piece of that conversation. So what is some of your advice for institutions who are saying this is a really big challenge to take on very quickly? Where do I start?
Jarret Cummings: Well, I think our IT accessibility community group is a really great collection of leaders and professionals in the technology accessibility space. They share a lot of knowledge and really work to support each other and help each other support their institutions. So in terms of getting ideas, background information on how to try to address these challenges institutionally, I think starting with our community group is a great way to go and past that. In the near term, I think you're going to see many state university systems, community college districts trying to work together within states and across states to try to address the scope of the regulation.
Jenay Robert: And I've heard some CIOs saying that this might be a lever to pull. If you're in a position where you've been trying to get more staff that focus on accessibility, this might be a way just to kind of make the case not we've always needed these folks to be on our teams. But if you're in a position where you've had a hard time making the argument to get those staff, this might be a good opportunity to say, look, this is coming. We need to do this now.
Jarret Cummings: Well, yes, I think as I said, given the compliance deadline that most colleges, universities are likely to face in this space, we're just short of 18 months before that deadline has to be met. And I think for a large number of institutions, they will need outside support to make that happen. And particularly not just in financial resources, but outside expertise, even with our accessibility community group members, to your point, many of them may be a one person team at their institution, and there's just a level and volume of work that's going to have to be done that I don't know that institutions individually or at least their existing staff on their own are going to be able to handle.
Jenay Robert: Are you seeing in the community group that there are some folks who are kind of ahead of this curve a little bit and they're helping out other people? You can find people who maybe have some best practices and advice for getting up to speed on these things?
Jarret Cummings: Well, one, and I don't want to shortchange any of our member institutions. This is just the one that comes to mind off the top of my head. The University of Washington I think has been a leader in this space for a considerable period of time. And so I believe they have a good collection of policy and planning resources. But there are a number of institutions, our accessibility community group leaders, Kyle Shachmut comes from Harvard, Eudora Struble comes from Wake Forest. They have many members at all levels of higher education that do tremendous work. And so I think there are great resources available for any given institutional context. It's a matter of plugging in and flashing the bat signal.
Jenay Robert: And another plug for those folks. They've got some great sessions happening at the conference. So if you haven't checked that out, I think even just the keyword search for accessibility will point you to a lot of those really nice sessions. So something I would recommend,
Jarret Cummings: And they have multiple poster sessions as well, so if you can't get to a live session, I know they've scheduled I think at least three poster sessions.
Jenay Robert: Yeah, yeah. We could come back to this topic. Were there any other policy updates that you wanted to touch on?
Jarret Cummings: Well, another, in the range of highly impactful when it happens earlier this year, the Office of Federal Student Aid at the US Department of Education added to what's called the Unified Federal Regulatory Agenda that they are going to pursue a rulemaking to finally implement compliance with. And here's another fun acronym, NIST SP 800-171 Controlled Unclassified Information cybersecurity guides, and we will abbreviate Controlled Unclassified Information to CUI. Some people call it CUI. I'm never comfortable with that. I just say CUI.
Jenay Robert: It sounds like a dessert your grandmother makes at Thanksgiving,
Jarret Cummings: CUI. It doesn't have that feel through it. So I always go with CUI, but to each his own. So in any case, within the Department of Defense and some other federal areas, CUI compliance is already a much more active issue per the executive order that established the uniform rules and requirements for CUI. The Department of Education was ultimately going to have to do something around imposing CUI compliance onto colleges, universities in relation to federal student aid. There's a CUI category in the CUI, the official CUI registry that provides the guidance and the parameters on how basically student financial aid data is considered CUI. And so eventually the Department of Education and FSA, were going to have to move in this direction in any case. But I think the necessity of moving that direction increased significantly with the direct introduction of federal tax information into the FAFSA process.
Because by law, well, let me start in a different place. Traditionally, if you take the IRS's data, you have to accept their cybersecurity requirements for that data in any case. And it just so happens that the IRS's cybersecurity standards for federal tax information are at a level that very few colleges and universities could meet. And so Congress actually through the CARES Act, introduced an exception for the use of federal tax information in the FAFSA process. It's an exception from those IRS requirements. So even though FTI is now directly applied within FAFSA processing, colleges and universities do not have to apply the IRS's cybersecurity controls to that data when it flows down to them from the department. However, there's still a need to have some uniform standards for the protection of this data because obviously federal tax information is considered relatively sensitive. And so the Department of Education was going to have to ultimately impose 800-171 compliance on colleges and universities.
Anyway, it provides a uniform standard that would help in this process. And so the need to move forward in applying that standard to the student financial aid data that colleges and universities receive, I think is just, as I said earlier, accelerated. The question is when are they actually going to get this rulemaking off the ground and the provision and the unified federal regulatory agenda, they said October, 2024, well, we're running out of time. That doesn't mean they can't get it out next week or later this week. But my view has been that the department's resources have been so tapped by trying to address the FAFSA transition and the continuing work that's necessary in that from the previous FAFSA year to current FAFSA year, that my sense is they just don't have the horses to get that off the ground in the original timeframe that they proposed.
So it could happen at any time between now and the end of the year. But my suspicion is we'll probably see the rulemaking process start at some point in 2025, excuse me. But also unlike the accessibility space, I don't think the outcome of the presidential election is going to change whether or not that rulemaking happens or not. I think it may just delay it depending on the extent of the transition that's involved. If we have a Democratic administration in January, I don't think you see as dramatic of a transition at the Department of Education, and therefore they have more capacity to move more quickly. If we have a Republican administration in January, the virtual complete turnover of the senior leadership of the department is likely to slow that process down. But I would be very surprised if the department and FSA don't get that rulemaking off the ground in 2025.
Jenay Robert: I want to check the time here. So one thing I've always wanted to ask you, I'm going to take a left turn here, is that okay? One thing I always wanted to ask you is when I used to work at an institution and I've worked at a few, I was never able to really follow education policy at the level. Certainly not the level you do, but really, I mean, I'm so busy with my day-to-day work, right? And I imagine a lot of people here today and people watching feel that way too. So do you have advice for someone who says, I have enough on my plate. I know that these things impact me sometimes. Not always. I don't know when they impact me. How does the average person stay up to date?
Jarret Cummings: What, you mean not everybody wants to get daily curated searches from the Federal Register in their inbox?
Jenay Robert: That's why we have you. I thought we all.
Jarret Cummings: Did that. You burst my bubble. We're going to have to rethink. . .
Jenay Robert: Your whole world changes now. Yes, exactly.
Jarret Cummings: Well, I think it starts with associations like EDUCAUSE and our sister associations across higher education, all of the major higher education associations have some degree of government relations and policy tracking involved. And also the associations in higher education are very collaborative, like higher education professionals and leaders are generally. So I think a great deal starts with understanding which association's tracking what and how does that matter to you in your space and what you're interested in. Obviously the IT space is where EDUCAUSE leans in, but our friends at NASFAA, which is the Student Financial Aid Association, their coverage of all things student financial aid from a regulatory perspective is incredible.
Jenay Robert: WCET does some,
Jarret Cummings: Well, WCET does great work around distance learning and state authorization reciprocity. That's a real strength of that organization. Our friends at AACRAO, they really keep track of all of the fun and exciting things that can happen with FERPA. And because EDUCAUSE has a significant privacy community, we also stay in contact with AACRAO around developments in the privacy space and add our perspective on different issues where maybe there's some privacy developments outside FERPA, but they're still relevant to that community and to the broader higher education community. So there's a lot of collaboration across associations around policy issues and just recognizing that different associations cover different spaces. If you're not sure then which one you want to follow on any particular topic, then follow Jarret. Well that's one. And I was also going to say within our community, you can ask me and I will do my best to point you in the right direction. Or sometimes people will surprise me. I'm like, well, I don't know. I'm going to have to go find out myself.
Jenay Robert: Good. So try to stump Jarret after this. Well, I think that's really the value of these types of conversations is that these are such vital conversations to have. And yet, like I said before, we know this from our workforce research, we're all burned out so we don't have time to keep up with these things. And so we really appreciate the work you do. Was there anything else you wanted to talk about before we closed?
Jarret Cummings: Well, how much time do we have?
Jenay Robert: Time? Do we have five to 10 minutes?
Jarret Cummings: I think I can do a decent shot at this one.
Jenay Robert: Alright, 10 minutes or less because this has also been a very significant year for research cybersecurity.
Jarret Cummings: And that's of significant importance to a great many of our members. The year started off with a flurry of miscellaneous research cybersecurity comment processes. So I will walk you through all of those, but it was a very fun January through early March, just one right after the other. But in the meantime, since that's calmed down, we've had I think two really significant developments over the last couple of months. The first being that the Office of Science and Technology Policy out of the White House released its final guidelines to funding agencies about the requirements for institutional research security programs that they have to impose upon their grantees at a certain level in order for those grantees to be able to compete for federal grants. And as part of that, there's a research cybersecurity component that changed significantly and I think in a positive way, but I have to say that tentatively because we're going to have to see how some developments take place.
In the original proposal for the research cybersecurity component of the research security program guidelines, OSTP was essentially going to take the federal contract information safeguards and make those the basis for research cybersecurity programs at institutions. And that was something of an odd choice from our members' perspective because those safeguards are for contract information and therefore administrative environments. And those don't translate necessarily to higher education research environments, particularly higher education fundamental research environments where ultimately the results of that research are going to be publicly available. So with our members' input, we submitted comments to OSTP, to the effect that they really should shift from that approach to allowing institutions to develop and implement a risk management approach to addressing research cybersecurity. Because institutions need the ability to calibrate the application of their resources and time and effort to areas of research cybersecurity that pose the most significant risk.
And we feel like OSTP heard us and really rethought the space, but they ultimately went in the final regulation in a direction we hadn't anticipated. So rather than sticking with the basic safeguards for federal contract information, they instead said, okay, well NIST is developing this report based on the CHIPS and Science Act, which is intended to identify the resources that NIST could develop to support cybersecurity in higher education research contexts. So institutions, in order to meet these research security guidelines, you'll have to have research cybersecurity programs that are consistent with this report. And that's pretty much all they said. Now, the plus side of that is that our members had really significant input into that NIST process. And even though the final version of that report's not out, the interim version of the report's been posted for some time. And it really highlights many of the organizations and resources that our community would encourage each other as well as federal agencies to look to in the research cybersecurity space.
So the basic foundation that they've selected is a net positive, but they don't explain what consistent with means in the guidelines. And the funding agencies themselves actually have to take this OSTP guidance and implement it within their grant programs. And so by not giving the funding agencies any guidance on what it means to require institutions to have research cybersecurity programs that are consistent with this report, which is not yet final, there's a wide range of potential outcomes across the various federal funding agencies that could come into play. And so the good news is that OSTP gave the agencies until January to present their implementation plans to OSTP as well as the Office of Management and Budget. And so we should start to get some sense for whether or not the agencies understood the mandate that OSTP was giving them or not, and whether or not there are any problems with how they interpreted that guidance in the relatively near future. In the meantime, the Department of Defense just released its final regulations for the Cybersecurity Maturity Model Certification program.
Jenay Robert: You're killing me.
Jarret Cummings: Yeah, it's DC. Acronyms are our world, our abbreviation.
Jenay Robert: I thought getting a PhD in education was bad enough with the acronyms, but you have a speech.
Jarret Cummings: Oh no, this is a way of life. Yeah, no, it's like, so we're still processing that final set of regulations. The unofficial official final draft is a 470 page PDF, so it's got to take some time. But fortunately, we have some members who are much smarter and more capable than I am who've already done a fairly significant dig through the document and identified some positives and some not so positives. On the positive side, the department once again has reaffirmed that fundamental research is essentially not covered by CMMC because it doesn't involve the controlled unclassified information or the federal contract information that CMMC was intended to protect. However, we recommended on the proposed regulation that they establish an objective stakeholder driven process to address edge cases because there are these situations in which what is fundamentally a fundamental research project. I'm making my English teacher cringe right now. I know that sometimes CUI or FCI federal contract information will somehow become part of that project. And ostensibly that would mean that the CMMC certification requirements would apply to that project, and that would be fairly problematic if that comes into play after the grant has been awarded. The institution's ability to adjust and suddenly apply security requirements and certification requirements to a project on that basis could be extremely limited or limited to the point of non-existence.
So unfortunately, in the final regulation, DOD said, well, thank you very much, but we're just going to continue to handle this on an ad hoc basis. So it really places a premium on institutions working with their researchers, the DOD program officer that's involved and the DOD contracting officer that's involved to try to work out in advance any situation in which they think there's a possibility that FCI or CUI could be introduced into this project so that the requirements are ironed out in advance. Another area where we asked for some change, where I think we got a modest degree of response was around the phasing periods for the program. So now that the final rule is out, DOD is over the next four or so years, going to slowly add these requirements to their contracts to try to build up to eventually having all of their contracts to CMMC requirements where it's relevant.
And our members said, gee, we don't think there are going to be enough assessment professionals available to do these certifications in the timeframe necessary. So perhaps you could extend the self-assessment period for meeting the requirements further, further out, or you could extend it through all four phases. And so that was what we proposed to the Department of Defense. What they came back with was we're going to extend the phase in period for phase one for six months, and that will reset the start of each subsequent phase by six months. So somewhat helpful, but not really, I think what our institutions need to see. And so now it's really going to come down to a fact-based analysis. We're going to find out whether there are going to be enough assessment professionals out in the ether to do all of the assessments necessary in time to reach the Department of Defense's timeframe.
Jenay Robert: It sounds like a good reason to stay tuned to your work as this unfolds. Can you tell people where to follow you or where to find your work besides EDUCAUSE website?
Jarret Cummings: Absolutely. Well, so we push most of our information through our policy channel on the EDUCAUSE Review site, so that's where our most active material is. And then periodically I port links over to my policy webpage. Ones I think are particularly relevant over time, but the overwhelming majority of our work is through the policy channel on EDUCAUSE Review.
Jenay Robert: EDUCAUSE Review. Well, thank you. Thanks again for joining us. Thanks again to everybody here on site and for anyone watching on YouTube or listening, we miss you here at the annual conference. But we hope to see you here next year.
You can also watch the episode on YouTube
This episode features:
Jarret Cummings
Senior Advisor for Policy and Government Relations
EDUCAUSE
Jenay Robert
Senior Researcher
EDUCAUSE