The successful contractor must comply with Department of Education cyber, privacy, and personnel (i.e., contractor vetting) security policy requirements:
- Department Information Security and Privacy Requirements (January 30, 2024) (530k)
- Contractor Vetting Security Requirements (February 1, 2024) (204k)
Effective April 7, 2025, the following controls and documents are provided for contractors to comply with Department of Education standards referenced within "Department Information Security and Privacy Requirements":
- AC - Access Control
- AT - Awareness Training
- AU - Audit and Accountability
- CA - Assessment, Authorization, and Monitoring
- CM - Configuration Management
- CP - Contingency Planning Standard
- IA - Identification and Authentication
- IR - Incident Response
- MA - Maintenance
- MP - Media Protection
- PE - Physical and Environmental Protection
- PL - Planning
- PM - Program Management
- PR.DS - Protection of Federal Tax Information
- PT - Personally Identifiable Information Standards
- RA - Risk Assessment
- SA - System and Services Acquisition
- SC - System and Communication Protection
- SI - System and Information Integrity
- SR - Supply Chain Risk Management
Click here for Legacy documentation