The successful contractor must comply with Department of Education cyber, privacy, and personnel (i.e., contractor vetting) security policy requirements:

• Department Information Security and Privacy Requirements (January 30, 2024) (530k)
• Contractor Vetting Security Requirements (February 1, 2024) (204k)

Effective March 25, 2024, the following controls and documents are provided for contractors to comply with Department of Education standards referenced within “Department Information Security and Privacy Requirements”:

• AC - Access Control
• AT - Awareness Training
• AU - Audit and Accountability
• CA - Assessment, Authorization, and Monitoring
• CM - Configuration Management
• CP - Contingency Planning Standard
• IA - Identification and Authentication
• IR - Incident Response
• MA - Maintenance
• MP - Media Protection
• PE - Physical and Environmental Protection
• PL - Planning
• PM - Program Management
• PS - Personnel Security
• PT - PII Processing and Transparency
• RA - Risk Assessment
• SA - System and Services Acquisition
• SC - System and Communication Protection
• SI - System and Information Integrity
• SR - Supply Chain Risk Management
• Other - Protection of Federal Tax Information

Click here for Legacy documentation