The following were the posted requirements from February 1, 2024 through March 24, 2024:

The successful contractor must comply with Department of Education cyber, privacy, and personnel (i.e., contractor vetting) security policy requirements:

• Department Information Security and Privacy Requirements (January 30, 2024) (530k)
• Contractor Vetting Security Requirements (February 1, 2024) (204k)

The following controls and documents are provided for contractors to comply with Department of Education standards referenced within “Department Information Security and Privacy Requirements”:

• AC - Access Control Standard – Updated February 10, 2023
• AT - Awareness and Training Standard – Updated January 27, 2023
• AU - Audit and Accountability Standard – Updated January 26, 2023
• CA - Security Assessment and Authorization Standard – Updated January 31, 2023
• CM - Configuration Management Standard – Updated February 10, 2023
• CP - Contingency Planning Standard – Updated December 5, 2022
• IA - Identification and Authentication Standard – Updated October 11, 2022
• IR - Incident Response Standard – Updated February 10, 2023
• MA - Maintenance Standard – Updated January 27, 2023
• MP - Media Protection Standard – Updated January 27, 2023
• PE - Physical and Environmental Protection Standard – Updated January 31, 2023
• PL - Planning Standard – Updated December 5, 2022
• PM - Program Management Standard – Updated January 31, 2023
• PS - Personnel Security Standard – Updated January 31, 2023
• PT - PII Processing and Transparency Standard – Updated January 27, 2023
• RA - Risk Assessment Standard – January 31, 2023
• SA - System and Services Acquisition – Updated January 31, 2023
• SC - System and Communications Protection Standard – Updated February 10, 2023
• SI - System and Information Integrity Standard – Updated January 31, 2023
• SR - Supply Chain Risk Management Standard – Updated February 23, 2024
• Standard PR.DS: Protection of Federal Tax Information – Updated January 26, 2023
• Departmental Directive ACSD-OCIO-004 Cybersecurity Policy – Updated January 12, 2023

The following were the posted requirements from May 4, 2023 through January 30, 2024:

The successful contractor must comply with Department of Education cyber, privacy, and personnel (i.e., contractor vetting) security policy requirements:

• Department Information Security and Privacy Requirements (May 4, 2023) PDF (525K)
• Contractor Vetting Security Requirements (January 19, 2021) PDF (142K)

The following controls are provided for contractors to comply with Department of Education standards referenced within “Security and Privacy Requirements for IT Procurements:

• AC - Access Control Standard (February 11, 2022)
• AT - Awareness and Training Standard (January 31, 2022)
• AU - Audit and Accountability Standard (January 31, 2022)
• CA - Security Assessment and Authorization Standard (January 31, 2022)
• CM - Configuration Management Standard (February 11, 2022)
• CP - Contingency Planning Standard (February 11, 2022)
• IA - Identification and Authentication Standard (February 1, 2022)
• IR - Incident Response Standard (January 31, 2022)
• MA - Maintenance Standard (January 31, 2022)
• MP - Media Protection Standard (January 31, 2022)
• PE - Physical and Environmental Protection Standard (January 31, 2022)
• PL - Planning Standard (February 11, 2022)
• PM - Program Management Standard (January 31, 2022)
• PS - Personnel Security Standard (January 31, 2022)
• PT - PII Processing and Transparency Standard (January 31, 2022)
• RA - Risk Assessment Standard (January 31, 2022)
• SA - System and Services Acquisition (January 31, 2022)
• SC - System and Communications Protection Standard (January 31, 2022)
• SI - System Information and Integrity Standard (January 31, 2022)
• SR - Supply Chain Risk Management (January 31, 2022)

Security Requirements for Contractors Doing Business with the Department of Education (Legacy - Updated September 2021)

The successful contractor must comply with Department of Education cyber, privacy, and personnel (i.e., contractor vetting) security policy requirements:

• Security and Privacy Requirements for IT Procurements (September 23, 2021) PDF (525K)
• Contractor Vetting Security Requirements (January 19, 2021) PDF (142K)

The following controls are provided for contractors to comply with Department of Education standards referenced within “Security and Privacy Requirements for IT Procurements:

• Baseline Standards PDF (525K)
• Systems Inventory PDF (390K)
• Required Authorization PDF (400K)
• System Security Plan (SSP) Review Checklist PDF (397K)
• Authorizing Officials (AO) PDF (340K)
• Cybersecurity Risk Management Framework (CRMF) PDF (405K)
• Information and Communications (ICT) Supply Chain Risk Management (SCRM) PDF (1.1M)
• Encryption of Computing Devices PDF (450K)
• Password Parameters PDF (440K)
• User-Notification Warning Banner PDF (380K)
• Digital Identity PDF (1.4M)
• Separation of Duties PDF (425K)
• User Account Re-certification PDF (375K)
• Emergency PIV Alternate PDF (370K)
• Identity, Credential, and Access Management (ICAM) PDF (385K)
• Cybersecurity Awareness Training  PDF (320K)
• Data Loss Prevention – Microsoft 365 PDF (570K)
• International Travel and Use of Education IT Services PDF (365K)
• Cyber Hygiene PDF (415K)
• Ongoing Assessment & Authorization PDF (345K)
• Vulnerability Management  PDF (400K)
• Computer Crime Incident Reporting PDF (275K)

Security Requirements for Contractors Doing Business with the Department of Education (Legacy - Updated September 2020)

• Security and Privacy Requirements for IT Procurements (September 29, 2020) PDF (499K)

Cybersecurity and Privacy Requirements (Updated)

• Federal government information technology (IT) contracts must include requirements and clauses that address the cybersecurity and privacy controls that are specified in a number of publicly available guidance documents, standards, and laws. This includes the Federal Information Security Modernization Act (FISMA), the special publications and standards posted at the computer security website maintained by the National Institute of Standards and Technology (NIST), cybersecurity guidance publicly distributed via memoranda issued by the Office of Management and Budget (OMB), OMB Circular A-130, and various other related cybersecurity and privacy guidance that are posted on the Internet. Prospective bidders are encouraged to review the guidance listed in order to best prepare for bidding on government IT contracts work. The specific requirements for each contract may vary, and will be included in each solicitation. Internal staff at the Department should contact the Information Assurance Services (IAS) group at the Department’s Office of the Chief Information Officer (OCIO) for assistance in determining what specific cybersecurity and privacy requirements and clauses are required for the Department’s IT contracts.

Administrative Communications System Departmental Directive (Current)

• Contractor Employee Personnel Security Screenings (OM: 5-101 - Internal Document)

For existing/current ED contracts, the legacy guidance is posted immediately below. For all new/future solicitations, the legacy guidance should not be used. The updated guidance posted further below should be used.

Administrative Communications System Handbook (Legacy)

• Information Assurance Security Policy (OCIO-01) PDF (446K)
• Information Security Incident Response and Reporting Procedures (OCIO-14) MS WORD (841K)
• Protection of Sensitive But Unclassified Information (OCIO-15) MS WORD (259K)

Administrative Communications System Departmental Directive (Legacy)

• Personal Use of Government Equipment (OCIO: 1-104) MS WORD (124K)
• Lifecycle Management (LCM) Framework (OCIO: 1-106) PDF (652K)
• Procuring Electronic and Information Technology (EIT) in Conformance with Section 508 of the Rehabilitation Act of 1973 (OCIO: 3-105) MS WORD (983K)

IT Security Awareness (Legacy)

• Department of Education IT Security Awareness Training 2011 MS WORD (688K)

Privacy Safeguards (Legacy)

• External Breach Notification Policy and Plan (OM:6-107) PDF (496K)