The successful contractor must comply with Department of Education cyber, privacy, and personnel (i.e., contractor vetting) security policy requirements:
- Security and Privacy Requirements for IT Procurements (September 29, 2020)
PDF (499K)
- Contractor Vetting Security Requirements (November 1, 2019)
PDF (200K)
Cybersecurity and Privacy Requirements (Updated)
- Federal government information technology (IT) contracts must include requirements and clauses that address the cybersecurity and privacy controls specified in a number of publicly available guidance documents, standards, and laws. These include the Federal Information Security Modernization Act (FISMA), the special publications and standards posted at the computer security website maintained by the National Institute of Standards and Technology (NIST), cybersecurity guidance publicly distributed via memoranda issued by the Office of Management and Budget (OMB), OMB Circular A-130, and various other related cybersecurity and privacy guidance posted on the Internet. Prospective bidders are encouraged to review the guidance listed in order to best prepare for bidding on government IT contract work. The specific requirements for each contract may vary and will be included in each solicitation. Internal staff at the Department should contact the Information Assurance Services (IAS) group at the Department’s Office of the Chief Information Officer (OCIO) for assistance in determining what specific cybersecurity and privacy requirements and clauses are required for the Department’s IT contracts.
Administrative Communications System Departmental Directive (Current)
- Contractor Employee Personnel Security Screenings (OM: 5-101 - Internal Document)
For existing/current ED contracts, the legacy guidance is posted immediately below. For all new/future solicitations, the legacy guidance should not be used. The updated guidance posted further below should be used.
Administrative Communications System Handbook (Legacy)
- Information Assurance Security Policy (OCIO-01)
PDF (446K)
- Information Security Incident Response and Reporting Procedures (OCIO-14)
MS WORD (841K)
- Protection of Sensitive But Unclassified Information (OCIO-15)
MS WORD (259K)
Administrative Communications System Departmental Directive (Legacy)
- Personal Use of Government Equipment (OCIO: 1-104)
MS WORD (124K)
- Lifecycle Management (LCM) Framework (OCIO: 1-106)
PDF (652K)
- Procuring Electronic and Information Technology (EIT) in Conformance with Section 508 of the Rehabilitation Act of 1973 (OCIO: 3-105)
MS WORD (983K)
IT Security Awareness (Legacy)
- Department of Education IT Security Awareness Training 2011
MS WORD (688K)
Privacy Safeguards (Legacy)
- External Breach Notification Policy and Plan (OM: 6-107)
PDF (496K)