Effective January 1, 2024
The effective date for full implementation has been shifted from August 1, 2023 to January 1, 2024. This extension gives vendors and PSUs some additional flexibility with initial implementation. While the effective date has been moved, we strongly encourage all PSUs to continue working towards implementation. PSUs retain the discretion and authority to implement as soon as they are ready to do so and to increase the security requirements as local policy informs.
Protecting the privacy and security of our student data is a challenging, yet critical task. The Department of Public Instruction (DPI) and Public School Units (PSUs) are required, under Article 29 of NC General Statute 115C, to protect student data. Over the last two years, the number of digital resources provided to students has increased dramatically. The vendors of these digital resources are asking PSUs to send them student data or to integrate their products directly with statewide applications, such as the Student Information System. These integrations may be implemented either through an Application Programming Interface (API) or through flat-file data exports provided to the vendors.
While these integrations are necessary for many of these tools to be useful in the classroom, a significant increase in cybersecurity threats against education technology vendors, schools, and student data is occurring nationally. To strengthen security and privacy protections, DPI will implement a new process for PSU third-party vendor integration. The new process aligns with the NC Department of Information Technology (DIT) data security standards for third-party integrations with state systems. This new process is designed to ensure that PSUs have the resources they need to adequately evaluate the security readiness of vendor partners, provide alignment with the State of North Carolina Information Security Manual and the NIST 800-53 framework, as well as provide a more streamlined process that allows PSUs to implement a third-party application more quickly.
- The Vendor and PSU must both sign the DPI (Department of Public Instruction) Data Confidentiality and Security Agreement, in whole with no modifications.
- The vendor must clearly articulate the following items in the Third Party Data Collection Reporting Worksheet:
  - The statewide systems they will be connecting to (PowerSchool SIS, ECATS, Amplify mClass, or any state system containing student information);
  - The method of integration (API, AutoComm, SFTP, etc.);
  - Specific data fields requested and the rationale for their inclusion in the request, including how the data will be used in the target system;
  - A description of how data will be restricted to the users who have a legitimate business need to see the data;
  - A description of any data written back to the statewide system.
- The Vendor must submit the following security documentation:
  - An approved Vendor Assessment Tool:
    - The NCDIT Vendor Readiness Assessment Report
    - Educause Higher Education Community Vendor Assessment Toolkit (HECVAT) Lite
    - CoSN K-12 Community Vendor Assessment Toolkit (K-12CVAT)
    - 1EdTech Security Assessment Rubric (when released for public use)
  - A third-party conducted assessment report, such as the Federal Risk and Authorization Management Program (FedRAMP) authorization, SOC (Security Operations Center) 2 Type 2 audit, ISO 27001 certification, or HITRUST certification. This report must be no more than 12 months old.
  - Depending on the results of the Vendor Assessment Tool or the third-party audit, additional documentation may be required, including:
    - An engagement letter with a third-party auditor indicating that a third-party audit is planned or in progress.
    - A third-party conducted penetration test, dated within the last 12 months, with all medium and above findings remediated in accordance with state security requirements.
    - A credentialed vulnerability scan of the environment with all medium and above vulnerabilities remediated in accordance with state security requirements. This scan must be current within the last 30 days.
Once all the required documentation has been obtained, the PSU shall review it to ensure that it meets all applicable security standards. The PSU shall upload a copy of the signed Data Confidentiality and Security Agreement and the Third Party Data Collection Reporting Worksheet into the PSU Third Party Data Integration Reporting form. Once this is complete, the PSU may begin exchanging data. If a vendor is unable or unwilling to provide the requested information at any time during the contract period, the integration is unauthorized and may not proceed. If the PSU or DPI becomes aware of a data breach involving the vendor, authorization of the integration is suspended pending investigation.