Security Requirements for Contractors Doing Business with the Department of Education

The successful contractor must comply with Department of Education cyber, privacy, and personnel (i.e., contractor vetting) security policy requirements:

  • Security and Privacy Requirements for IT Procurements (September 29, 2020) PDF (499K)
  • Contractor Vetting Security Requirements (November 1, 2019) PDF (200K)

Security Requirements for Contractors Doing Business with the Department of Education (Legacy - Updated May 2017)

Cybersecurity and Privacy Requirements (Updated)

  • Federal government information technology (IT) contracts must include requirements and clauses that address the cybersecurity and privacy controls specified in a number of publicly available guidance documents, standards, and laws. These include the Federal Information Security Modernization Act (FISMA), the special publications and standards posted at the computer security website maintained by the National Institute of Standards and Technology (NIST), cybersecurity guidance publicly distributed via memoranda issued by the Office of Management and Budget (OMB), OMB Circular A-130, and various other related cybersecurity and privacy guidance posted on the Internet. Prospective bidders are encouraged to review the guidance listed in order to best prepare for bidding on government IT contract work. The specific requirements for each contract may vary, and will be included in each solicitation. Internal staff at the Department should contact the Information Assurance Services (IAS) group at the Department’s Office of the Chief Information Officer (OCIO) for assistance in determining what specific cybersecurity and privacy requirements and clauses are required for the Department’s IT contracts.

Administrative Communications System Departmental Directive (Current)

  • Contractor Employee Personnel Security Screenings (OM: 5-101 - Internal Document)

Security Requirements for Contractors Doing Business with the Department of Education (Legacy)

For existing/current ED contracts, the legacy guidance is posted immediately below. For all new/future solicitations, the legacy guidance should not be used. The updated guidance posted further below should be used.

Administrative Communications System Handbook (Legacy)

  • Information Assurance Security Policy (OCIO-01) PDF (446K)
  • Information Security Incident Response and Reporting Procedures (OCIO-14) MS WORD (841K)
  • Protection of Sensitive But Unclassified Information (OCIO-15) MS WORD (259K)

Administrative Communications System Departmental Directive (Legacy)

  • Personal Use of Government Equipment (OCIO: 1-104) MS WORD (124K)
  • Lifecycle Management (LCM) Framework (OCIO: 1-106) PDF (652K)
  • Procuring Electronic and Information Technology (EIT) in Conformance with Section 508 of the Rehabilitation Act of 1973 (OCIO: 3-105) MS WORD (983K)

IT Security Awareness (Legacy)

  • Department of Education IT Security Awareness Training 2011 MS WORD (688K)

Privacy Safeguards (Legacy)

  • External Breach Notification Policy and Plan (OM:6-107) PDF (496K)

Last Modified: 09/29/2020