NIST Special Publication 800-171 for higher education
Higher education has always enjoyed a culture of openness. But cybersecurity experts are increasingly wary of unrestricted information sharing, and new federal requirements demand that colleges and universities with federal contracts tighten their cybersecurity practices and safeguard the government information they hold.
To address increasing cyber risk and comply with these requirements, colleges and universities that enter into contracts with federal agencies must give heightened attention to their cybersecurity measures. The last decade has seen a significant rise in the number of cyber incidents affecting federal agencies: Between fiscal years 2006 and 2015, the number of incidents reported by agencies rose more than 1,300 percent, from about 5,500 annually to more than 77,000.1
And given the volume of sensitive federal information that agencies share with third parties—including colleges and universities—the government has strengthened its requirements for safeguarding a broad set of controlled unclassified information (CUI).
In July 2017, Deloitte and EDUCAUSE convened an expert panel to discuss the implications for higher education institutions in protecting CUI received from the federal government in institutional information technology systems. Members of the panel shared their insights about CUI data protection requirements and their approaches to achieving compliance with those requirements. This article provides a high-level summary of their discussion as well as a road map for compliance activities.
For many leaders in institutions of higher learning, getting information security under control is about to become critical to funding and more. Whether a college or university has many large government research contracts or one small contract, it will need to comply with the requirements laid out in National Institute of Standards and Technology (NIST) Special Publication 800-171. These requirements are designed to protect the confidentiality of CUI residing in nonfederal systems. (See sidebar, “The legal basis for protecting controlled unclassified information.”)
CUI can be any data received from the federal government that is not designated as classified; this can include but is not limited to:
Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 establishes NIST 800-171 as the minimum security standard for protecting CUI, including covered defense information (CDI), associated with defense-related contracts. A Federal Acquisition Regulation (FAR) clause, expected to be published in late 2017, is anticipated to apply the NIST 800-171 standard to CUI associated with a broader set of civilian contracts.2 Higher education institutions will face contractual requirements—most likely associated with federal grants, research contracts, and other transactions in which the institution receives data from the federal government—that will mandate compliance. In 2016, the US Department of Education communicated its intention to make student financial aid data subject to NIST 800-171 controls in the future and encouraged institutions to conduct a gap analysis between their current security measures and the NIST 800-171 requirements.3
"The protection of controlled unclassified information while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations." (NIST Special Publication 800-171)
Institutions receiving defense contracts with provisions for CUI must comply by December 31, 2017. Institutions are already seeing provisions about the new standards inserted into defense contracts, and defense agencies are adding no-cost change orders to existing defense contracts, requiring NIST 800-171 compliance. For all others, the FAR clause may publish as soon as December 2017.
Given these changes, traditional approaches to cybersecurity in higher education are no longer adequate. While colleges and universities must already deal with a great many government regulations and reporting requirements, NIST 800-171 demands special attention. Institutions that do not comply risk losing federal funding for research and, potentially, financial aid, while those that take a proactive stance stand to gain a competitive advantage. Deadlines for developing a plan of action are rapidly approaching, with the first compliance attestations for defense contracts due at the end of 2017.
To get started down the path to compliance, institutions will first need to understand the challenges that the new standard presents and then chart a course for achieving and sustaining compliance. By drawing on the experiences of institutions further down the NIST 800-171 path, we aim to offer a road map to help institutions comply with the new requirements.
In 2010, the White House issued Executive Order 13556, defining CUI. The purpose of the executive order was to gather various information categories—those that required additional protection from disclosure but were not otherwise considered classified information—into a single definition of protected information for all federal agencies. The executive order placed the National Archives and Records Administration in the role of creating a registry of information categories and handling requirements for the newly defined CUI designation.
Because CUI is often shared among federal agencies and with nonfederal organizations, data handling requirements were needed for the newly defined data type. Charged with creating that guidance, the National Institute of Standards and Technology published Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in June 2015 (and updated it in January 2016). The requirements outlined in NIST 800-171 apply to CUI that the federal government shares with a nonfederal entity.
The requirement to protect CUI according to a prescribed set of rules is contractual in nature, meaning that nonfederal organizations must scrutinize their contracts with federal agencies and must understand whether any data they receive from a federal agency is designated as CUI. In most instances, federal procurement rules will incorporate the contractual clauses requiring CUI protection. For instance, US defense agencies moved quickly to create a procurement rule specifying that NIST 800-171 is the minimum security standard for protecting any CUI received from defense agencies.
Federal civilian agencies have moved more slowly. While a Federal Acquisition Regulation clause on basic safeguarding of contractor information systems came out in 2016 (FAR 52.204-21), the federal government has not yet released a rule mandating that nonfederal organizations protect CUI received from the government to NIST 800-171 levels. However, a Notice of Proposed Rulemaking was issued in July 2017 stating that a CUI FAR rule would be released in December 2017 and would be open for comment until February 2018, with a final FAR rule to be released shortly thereafter.4 Until that FAR rule is promulgated, a contract with a non-defense federal agency must specifically reference NIST 800-171 for its requirements to apply to the underlying contract (and the associated CUI).
Institutions have made varying degrees of progress on NIST 800-171 compliance. While college and university CIOs and CISOs are generally aware of the standard, this awareness hasn’t necessarily translated into progress. Many institutions are still working out how to get started and get everyone on board. Other institutions, notably those that receive significant defense research funding, are much further down the path.
In addition, institutions are not beginning from a common starting point. Institutions that previously built their information security program to a more comprehensive standard such as NIST 800-53 have a head start on compliance, whereas 800-171 can represent a much more significant lift for those that haven’t built to any standard. For institutions in the latter group, the process ahead will include taking stock of what’s already in place and what the new requirements demand, and then filling in the gaps.
Colleges and universities are also working through how NIST 800-171 will impact their institutional research strategies. Some institutions, for example, view achieving compliance as a potential source of competitive advantage that will help bring in more federal research funding, which, in turn, can help them attract top researchers.5 Others are stepping back and charting a more conservative path forward, weighing the impact of NIST 800-171 and its associated costs against their institution’s desire to build up its research capacity and classification.6
Compliance with the spirit of NIST 800-171 goes well beyond technological solutions. To achieve and sustain compliance, it’s necessary to take a programmatic approach that encompasses, among other things, organizational change management, training, end user adoption, and process controls. The challenges that institutions face in progressing toward compliance include a lack of executive and board-level attention, significant cultural barriers, and governance coordination.
Lack of executive and board-level attention: While most CIOs and CISOs are aware of NIST 800-171, it is not yet on the radar of many institutional leaders or boards of trustees, largely because the issue has been cast as one of merely implementing a set of technical information security controls. To gain traction with institutional leaders, the conversation must be reframed in terms of enterprise risk management, with the business impact to the institution clearly spelled out. To the extent this is done effectively, resources should follow.
Cultural barriers: Colleges and universities have always enjoyed a culture of openness and sharing. If an American researcher is building on research done by a colleague in another country, it’s normal for the two to talk, share information, and even collaborate. Institutional leaders, many of whom rose through the ranks of academia, understand and value this time-honored practice. Outside of defense-related research, the cultural tradition of openness is antithetical to the spirit of protection that NIST 800-171 calls for, and the principal investigator community and others may therefore resist the changes that the standard requires. To pave the way forward, leaders should stress the need for enhanced security while maintaining a federated model for data sharing and access. Institutions should also develop an effective organizational change-management strategy.
Governance coordination: In many institutional settings, responsibility for ensuring contractual compliance lies with the research division. However, as demands grow to comply with International Traffic in Arms Regulations, the Health Insurance Portability and Accountability Act, and other standards, as well as with NIST 800-171, it is no longer effective or economical to do this work in a decentralized manner when there are many research entities that lack the internal capacity to perform compliance. An institutional, enterprise-level solution is needed, as is a central authority to assess and certify data and access compliance.
Institutions approach NIST 800-171 from vastly different circumstances, including the current maturity of their information security programs, the makeup of their research funding portfolio, the structure of their IT programs, and the complexity of their governance processes. As a result, what it takes to achieve compliance will vary widely from institution to institution. That said, there is a common set of activities that all institutions will need to undertake on their path to compliance.
To begin, a college or university should form a working group with representatives from academics, administration, and research; the group should have top-down support and the sustained engagement of leadership. Take Virginia Tech’s NIST 800-171 working group, for example: The institution’s working group includes senior-level representatives from across the university’s IT departments, as well as the university’s bursar and registrar, and is jointly sponsored by the university’s VP for research and innovation and the VP for information technology.7
Once formed, the working group should undertake the following five phases of work to manage compliance requirements (see figure 1):
Up to now, many institutions have struggled to understand how to right-size their institution’s security posture, asking, “Are we too strict?” or, “Are we at risk?” While compliance with NIST 800-171 is not without its challenges, the standard sets a common bar for the industry and helps institutions determine whether their security measures are appropriate.
EDUCAUSE is a higher education technology association and the largest community of IT leaders and professionals committed to advancing higher education. The EDUCAUSE Cybersecurity Program offers a number of resources to help colleges and universities develop and mature their information security and privacy programs. Recommended readings pertaining to the topic of this report include: