The successful contractor must comply with Department of Education cyber, privacy, and personnel (i.e., contractor vetting) security policy requirements:

• Department Information Security and Privacy Requirements (May 4, 2023) (525k)
• Contractor Vetting Security Requirements (January 19, 2021) (142k)

The following controls and documents are provided for contractors to comply with Department of Education standards referenced within “Department Information Security and Privacy Requirements”:

• AC - Access Control Standard – Updated February 10, 2023
• AT - Awareness and Training Standard – Updated January 27, 2023
• AU - Audit and Accountability Standard – Updated January 26, 2023
• CA - Security Assessment and Authorization Standard – Updated January 31, 2023
• CM - Configuration Management Standard – Updated February 10, 2023
• CP - Contingency Planning Standard – Updated December 5, 2022
• IA - Identification and Authentication Standard – Updated October 11, 2022
• IR - Incident Response Standard – Updated February 10, 2023
• MA - Maintenance Standard – Updated January 27, 2023
• MP - Media Protection Standard – Updated January 27, 2023
• PE - Physical and Environmental Protection Standard – Updated January 31, 2023
• PL - Planning Standard – Updated December 5, 2022
• PM - Program Management Standard – Updated January 31, 2023
• PS - Personnel Security Standard – Updated January 31, 2023
• PT - PII Processing and Transparency Standard – Updated January 27, 2023
• RA - Risk Assessment Standard – January 31, 2023
• SA - System and Services Acquisition – Updated January 31, 2023
• SC - System and Communications Protection Standard – Updated February 10, 2023
• SI - System and Information Integrity Standard – Updated January 31, 2023
• SR - Supply Chain Risk Management Standard – Updated March 10, 2023
• Standard PR.DS: Protection of Federal Tax Information – Updated January 26, 2023
• Departmental Directive ACSD-OCIO-004 Cybersecurity Policy – Updated January 12, 2023

Click here for Legacy documentation