Viewing offline content

Limited functionality available

Dismiss
United States
  • Services

    What's New

    • Register for Dbriefs webcasts

    • Unlimited Reality™

      Metaverse solutions that drive value

    • Sustainability, Climate & Equity

      Cultivating a sustainable and prosperous future

    • Tax

      • Tax Operate
      • Tax Legislation
      • Tax Technology Consulting
      • Mobility and Payroll
      • Legal Business Services
      • Tax Services
    • Consulting

      • Core Business Operations
      • Customer & Marketing
      • Enterprise Technology & Performance
      • Human Capital
      • Strategy & Analytics
    • Audit & Assurance

      • Audit Innovation
      • Accounting Standards
      • Accounting Events & Transactions
    • Deloitte Private

    • M&A and Restructuring

    • Risk & Financial Advisory

      • Accounting & Internal Controls
      • Cyber & Strategic Risk
      • Regulatory & Legal
      • Transactions and M&A
    • AI & Analytics

    • Cloud

    • Diversity, Equity & Inclusion

  • Industries

    What's New

    • The Ripple Effect

      Real-world client stories of purpose and impact

    • Register for Dbriefs webcasts

    • Industry Outlooks

      Key opportunities, trends, and challenges

    • Consumer

      • Automotive
      • Consumer Products
      • Retail, Wholesale & Distribution
      • Transportation, Hospitality & Services
    • Energy, Resources & Industrials

      • Industrial Products & Construction
      • Power, Utilities & Renewables
      • Energy & Chemicals
      • Mining & Metals
    • Financial Services

      • Banking & Capital Markets
      • Insurance
      • Investment Management
      • Real Estate
    • Government & Public Services

      • Defense, Security & Justice
      • Federal health
      • Civil
      • State & Local
      • Higher Education
    • Life Sciences & Health Care

      • Health Care
      • Life Sciences
    • Technology, Media & Telecommunications

      • Technology
      • Telecommunications, Media & Entertainment
  • Insights

    Deloitte Insights

    What's New

    • Deloitte Insights Magazine

      Explore the latest issue now

    • Deloitte Insights app

      Go straight to smart with daily updates on your mobile device

    • Weekly economic update

      See what's happening this week and the impact on your business

    • Strategy

      • Business Strategy & Growth
      • Digital Transformation
      • Governance & Board
      • Innovation
      • Marketing & Sales
      • Private Enterprise
    • Economy & Society

      • Economy
      • Environmental, Social, & Governance
      • Health Equity
      • Trust
      • Mobility
    • Organization

      • Operations
      • Finance & Tax
      • Risk & Regulation
      • Supply Chain
      • Smart Manufacturing
    • People

      • Leadership
      • Talent & Work
      • Diversity, Equity, & Inclusion
    • Technology

      • Data & Analytics
      • Emerging Technologies
      • Technology Management
    • Industries

      • Consumer
      • Energy, Resources, & Industrials
      • Financial Services
      • Government & Public Services
      • Life Sciences & Health Care
      • Technology, Media, & Telecommunications
    • Spotlight

      • Deloitte Insights Magazine
      • Press Room Podcasts
      • Weekly Economic Update
      • COVID-19
      • Resilience
      • Top 10 reading guide
  • Careers

    What's New

    • Our Purpose

      Exceptional organizations are led by a purpose. At Deloitte, our purpose is to make an impact that matters by creating trust and confidence in a more equitable society.

    • Day in the Life: Our hybrid workplace model

      See how we connect, collaborate, and drive impact across various locations.

    • The Deloitte University Experience

      Explore Deloitte University like never before through a cinematic movie trailer and films of popular locations throughout Deloitte University.

    • Careers

      • Audit & Assurance
      • Consulting
      • Risk & Financial Advisory
      • Tax
      • Internal Services
      • US Delivery Center
    • Students

      • Undergraduate
      • Advanced Degree
      • Internships
    • Experienced Professionals

      • Additional Opportunities
      • Veterans
      • Industries
      • Executives
    • Job Search

      • Entry Level Jobs
      • Experienced Professional Jobs
      • Recruiting Tips
      • Explore Your Fit
      • Labor Condition Applications
    • Life at Deloitte

      • Life at Deloitte Blog
      • Meet Our People
      • Diversity, Equity, & Inclusion
      • Corporate Citizenship
      • Leadership Development
      • Empowered Well-Being
      • Deloitte University
    • Alumni Relations

      • Update Your Information
      • Events
      • Career Development Support
      • Marketplace Jobs Dashboard
      • Alumni Resources
  • US-EN Location: United States-English  
  • Contact us
  • US-EN Location: United States-English  
  • Contact us
    • Dashboard
    • Saved items
    • Content feed
    • Subscriptions
    • Profile/Interests
    • Account settings

Welcome back

Still not a member? Join My Deloitte

NIST Special Publication 800-171 for higher education

by Tiffany Fishman, Richard Rudnicki
  • Save for later
  • Download
  • Share
    • Share on Facebook
    • Share on Twitter
    • Share on Linkedin
    • Share by email
Deloitte Insights
  • Strategy
    Strategy
    Strategy
    • Business Strategy & Growth
    • Digital Transformation
    • Governance & Board
    • Innovation
    • Marketing & Sales
    • Private Enterprise
  • Economy & Society
    Economy & Society
    Economy & Society
    • Economy
    • Environmental, Social, & Governance
    • Health Equity
    • Trust
    • Mobility
  • Organization
    Organization
    Organization
    • Operations
    • Finance & Tax
    • Risk & Regulation
    • Supply Chain
    • Smart Manufacturing
  • People
    People
    People
    • Leadership
    • Talent & Work
    • Diversity, Equity, & Inclusion
  • Technology
    Technology
    Technology
    • Data & Analytics
    • Emerging Technologies
    • Technology Management
  • Industries
    Industries
    Industries
    • Consumer
    • Energy, Resources, & Industrials
    • Financial Services
    • Government & Public Services
    • Life Sciences & Health Care
    • Tech, Media, & Telecom
  • Spotlight
    Spotlight
    Spotlight
    • Deloitte Insights Magazine
    • Press Room Podcasts
    • Weekly Economic Update
    • COVID-19
    • Resilience
    • Top 10 reading guide
    • US-EN Location: United States-English  
    • Contact us
      • Dashboard
      • Saved items
      • Content feed
      • Subscriptions
      • Profile/Interests
      • Account settings
    30 October 2017

    NIST Special Publication 800-171 for higher education A guide to helping colleges and universities comply with new federal regulations

    30 October 2017
    • Tiffany Fishman United States
    • Richard Rudnicki United States
    • Save for later
    • Download
    • Share
      • Share on Facebook
      • Share on Twitter
      • Share on Linkedin
      • Share by email
    • Introduction
    • Meet NIST Special Publication 800-171
    • The current state: Where colleges and universities are at now
    • Getting from here to there: A road map for compliance
    • Recommended reading

    Higher education has always enjoyed a culture of openness. But cybersecurity experts are increasingly wary of open-source information-sharing, and a new regulation demands that colleges and universities with federal contracts tighten their cyber practices and work to safeguard information.

    Introduction

    In order to address increasing cyber risk and comply with new government regulations, colleges and universities that enter into contracts with federal agencies must give heightened attention to their cybersecurity measures. The last decade has seen a significant rise in the number of cyber incidents affecting federal agencies: Between fiscal years 2006 and 2015, agencies reported cyber incidents increasing over 1,300 percent, from 5,500 annually to more than 77,000.1

    Learn More

    Read Elevating cybersecurity on the higher education leadership agenda

    Subscribe to receive Public Sector content

    And given the volume of sensitive federal information that agencies share with third parties—including colleges and universities—the government has strengthened its requirements for safeguarding a broad set of controlled unclassified information (CUI).

    In July 2017, Deloitte and EDUCAUSE convened an expert panel to discuss the implications for higher education institutions in protecting CUI received from the federal government in institutional information technology systems. Members of the panel shared their insights about CUI data protection requirements and their approaches to achieving compliance with those requirements. This article provides a high-level summary of their discussion as well as a road map for compliance activities.

    Meet NIST Special Publication 800-171

    For many leaders in institutions of higher learning, getting information security under control is about to become critical to funding and more. Whether a college or university has many large government research contracts or one small contract, it will need to comply with the requirements laid out in National Institute of Standards and Technology (NIST) Special Publication 800-171. These requirements are designed to protect the confidentiality of CUI residing in nonfederal systems. (See sidebar, “The legal basis for protecting controlled unclassified information.”)

    CUI can be any data received from the federal government that is not designated as classified; this can include but is not limited to:

    • Controlled technical information
    • Patent information
    • Export control data
    • Research data
    • Engineering data and drawings
    • Agricultural data
    • Privacy data
    • Health records
    • Financial information (on, for example, student loans)
    • Student records
    • Genetic data

    The Defense Federal Acquisition Regulation Supplement 252.204.7012 establishes NIST 800-171 as the minimum security standard for protecting both CUI and covered defense information (CDI) associated with defense-related contracts. The Federal Acquisition Regulation (FAR) clause, with expected publication in late 2017, is also anticipated to apply NIST 800-171 standards to protect CUI associated across a broader set of civilian contracts.2 Higher education institutions will face contractual requirements—most likely associated with federal grants, research contracts, and other transactions in which the institution receives data from the federal government—that will mandate compliance. In 2016, the US Department of Education communicated its intention to make student financial data subject to NIST 800-171 controls in the future and encouraged institutions to conduct a gap analysis between their current security measures and NIST 800-171 requirements.3

    The protection of controlled unclassified information while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations.

    NIST Special Publication 800-171

    Institutions receiving defense contracts with provisions for CUI must comply by December 31, 2017. Institutions are already seeing provisions about the new standards inserted into defense contracts, and defense agencies are adding no-cost change orders to existing defense contracts, requiring NIST 800-171 compliance. For all others, the FAR clause may publish as soon as December 2017.

    Given these changes, traditional approaches to cybersecurity in higher education are no longer adequate. While colleges and universities must already deal with a great many government regulations and reporting requirements, NIST 800-171 demands special attention. Institutions that do not comply risk losing federal funding for research and, potentially, financial aid, while those that take a proactive stance stand to gain a competitive advantage. Deadlines for developing a plan of action are rapidly approaching, with the first compliance attestations for defense contracts due at the end of 2017.

    To get started down the path to compliance, institutions will first need to understand the challenges that the new standard presents and then chart a course for achieving and sustaining compliance. By drawing on the experiences of institutions further down the NIST 800-171 path, we aim to offer a road map to help institutions comply with the new requirements.

    The legal basis for protecting controlled unclassified information

    In 2010, the White House issued Executive Order 13556, defining CUI. The purpose of the executive order was to gather various information categories—those that required additional protection from disclosure but were not otherwise considered classified information—into a single definition of protected information for all federal agencies. The executive order placed the National Archives and Records Administration in the role of creating a registry of information and handling requirements for the newly defined CUI classification.

    As CUI information is often shared among federal agencies and with nonfederal organizations, data handling requirements were needed for the newly defined data type. Charged with creating that guidance, the National Institute of Standards and Technology published Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in June 2015 (and updated it in January 2016). The requirements outlined in NIST 800-171 apply to CUI that the federal government shares with a nonfederal entity.

    The requirement to protect CUI according to a prescribed set of rules is contractual in nature, meaning that nonfederal agencies must scrutinize their contracts with federal agencies and must understand whether any data they receive from a federal agency is classified as CUI. In most instances, federal procurement rules will incorporate the contractual clauses requiring CUI protection. For instance, US defense agencies moved quickly to create a procurement rule that specified that NIST 800-171 is the minimum security standard for protecting any CUI received from defense agencies.

    Federal civilian agencies have moved more slowly. While a Federal Acquisition Regulation regarding general data safeguarding came out in 2016 (FAR 52.204-21), the federal government has not yet released a rule mandating that nonfederal agencies protect CUI data received from the government at NIST 800-171 levels. However, a Notice of Proposed Rulemaking was issued in July 2017 stating that a CUI FAR rule would be released in December 2017 and would be open for comment until February 2018, with a final FAR rule to be released shortly thereafter.4 Until that FAR rule is promulgated, contracts with non-defense federal agencies must specifically reference NIST 800-171 for its requirements to apply to the underlying contract (and associated CUI data).

    The current state: Where colleges and universities are now

    Institutions have made varying degrees of progress on NIST 800-171 compliance. While college and university CIOs and CISOs are generally aware of the standard, this awareness hasn’t necessarily translated into progress. Many institutions are still working out how to get started and get everyone on board. Other institutions, notably those that receive significant defense research funding, are much further down the path.

    In addition, many institutions are not beginning from a common starting point. Institutions that previously built their information security program to a higher standard such as NIST 800-53 have a head start on compliance, whereas 800-171 can represent a much more significant lift for those that haven’t built to any standard. For institutions in the latter group, the process ahead will include taking stock of what’s already in place, what the new regulations require, and filling in the gaps.

    Colleges and universities are also working through how NIST 800-171 will impact their institutional research strategies. Some institutions, for example, view achieving compliance as a potential source of competitive advantage that will help bring in more federal research funding, which, in turn, can help them attract top researchers.5 Others are stepping back and charting a more conservative path forward, weighing the impact of NIST 800-171 and its associated costs against their institution’s desire to build up its research capacity and classification.6

    Overcoming the top challenges

    Compliance with the spirit of NIST 800-171 goes well beyond technological solutions. To achieve and sustain compliance, it’s necessary to take a programmatic approach that encompasses, among other things, organizational change management, training, end user adoption, and process controls. The challenges that institutions face in progressing toward compliance include a lack of executive and board-level attention, significant cultural barriers, and governance coordination.

    Lack of executive and board-level attention: While most CIOs and CISOs are aware of NIST 800-171, it is not yet on the radar of many institutional leaders or boards of trustees, largely because the issue has been cast as one of merely implementing a set of technical information security controls. To gain traction with institutional leaders, the conversation must be reframed in terms of enterprise risk management, with the business impact to the institution clearly spelled out. To the extent this is done effectively, resources should follow.

    Cultural barriers: Colleges and universities have always enjoyed a culture of openness and sharing. If an American researcher is building on research done by a colleague in another country, it’s normal for the two to talk, share information, and even collaborate. Institutional leaders, many of whom rose through the ranks of academia, understand and value this time-honored practice. Outside of defense-related research, the cultural tradition of openness is antithetical to the spirit of protection that NIST 800-171 calls for, and the principal investigator community and others may therefore resist the changes that the standard requires. To pave the way forward, leaders should stress the need for enhanced security while maintaining a federated model for data sharing and access. Institutions should also develop an effective organizational change-management strategy.

    Governance coordination: In many institutional settings, responsibility for ensuring contractual compliance lies with the research division. However, as demands grow to comply with International Traffic in Arms Regulations, the Health Insurance Portability and Accountability Act, and other standards, as well as with NIST 800-171, it is no longer effective or economical to do this work in a decentralized manner when there are many research entities that lack the internal capacity to perform compliance. An institutional, enterprise-level solution is needed, as is a central authority to assess and certify data and access compliance.

    To gain traction with institutional leaders, the conversation must be reframed in terms of enterprise risk management, with the business impact to the institution clearly spelled out.

    Getting from here to there: A road map for compliance

    Institutions approach NIST 800-171 from vastly different circumstances, including the current maturity of their information security programs, the makeup of their research funding portfolio, the structure of their IT programs, and the complexity of their governance processes. As a result, what it takes to achieve compliance will vary widely from institution to institution. That said, there is a common set of activities that all institutions will need to undertake on their path to compliance.

    To begin, a college or university should form a working group with representatives from academics, administration, and research; the group should have top-down support and the sustained engagement of leadership. Take Virginia Tech’s NIST 800-171 working group, for example: The institution’s working group includes senior-level representatives from across the university’s IT departments, as well as the university’s bursar and registrar, and is jointly sponsored by the university’s VP for research and innovation and the VP for information technology.7

    Once formed, the working group should undertake the following five phases of work to manage compliance requirements (see figure 1):

    1. Analyze the impact and scope
      1. Determine the applicable contracts and identify data (including student financial data, which may be subject to NIST 800-171 controls in the future) that must be controlled. The level of effort here will be affected by the size and structure of the institution: A smaller institution with a centralized contract/research office will be easier to manage than a large system with decentralized responsibilities over contracting, research, and so forth. Review the contracts to find language related to compliance requirements and references to the data covered. Key questions include the following: What percentage of your institution’s current research portfolio is affected by NIST 800-171 requirements? What funding is at stake?
      2. Determine the value of receiving and using applicable data: How does it affect critical operations and research? What would happen if the institution were to stop receiving it? This step is important to justify any additional investment. At this stage, some institutions will need to formulate a preliminary estimate of impact and the cost to comply, and communicate that to senior leadership.
    2. Assess the current state of security
      1. Understand where CUI data resides (in on-premise campus systems and in cloud systems) and how it’s processed (from the point of receiving through the life cycle): Based on the flow of covered data, understand the security measures already in place to comply with other regulations and standards. This will require getting input from the owners of relevant data and processes, as well as from IT and security representatives. At this point, some institutions may find that they have many controls that meet or exceed NIST 800-171 standards. Others may realize there is significant work ahead and should perform a gap analysis.
      2. Perform a gap analysis against NIST 800-171 standards, as needed. Start by interpreting what NIST 800-171 requires and developing a conceptual framework of controls to address standards and compliance. Next, do a crosswalk with any existing standards and regulations that impact the flow of covered data. Once this is done, compliance with any outstanding items in the framework needs to be reviewed. At the conclusion, undertake an updated assessment of impact (specifically on the time, resources, and funds needed to achieve compliance) and communicate the results to senior leadership. As costs become clearer, further decisions on costs and benefits can be undertaken. Some institutions may opt to decline select contracts to avoid undertaking measures to comply.
    3. Develop a plan to achieve compliance and mitigate existing gaps
      1. Define roles and responsibilities to achieve and maintain compliance: Based on the assessment’s findings, formalize roles and responsibilities to address gaps (using a plan), and maintain any controls going forward.
      2. Develop a plan of action to implement gap-fix measures with reasonable milestones. It will be important to lock in appropriate financial and leadership support to realistically achieve milestones and to maintain new controls over the long term. The plan must look beyond technical fixes and consider process and governance-related impacts. At this point, institutions should consider funding models needed to achieve and maintain compliance over the long term. Existing security budgets are unlikely to be sufficient to cover these costs. Furthermore, as the institution pursues new federal contracts, each contract should be closely scrutinized and its compliance cost assessed.
    4. Establish responsibilities and efficient processes to achieve sustained compliance over the long haul
      1. Deploy communications and training: Based on the institution’s plan of action and milestones, identify additional parties affected and engage them in communications and training based on requirements.
      2. Conduct ongoing self-assessments: Put a process in place to continually track updates and to assess the ongoing effectiveness of existing controls. Additional gaps may arise based on new contracts and/or changes to the regulations.
      3. Put a process in place for continuous improvement: Compliance will be an ongoing process warranting continuous improvement. As new technology arises, consider how it can be applied to more efficiently and effectively address control requirements within the framework of controls an institution has adopted. Existing solutions can help streamline compliance efforts. Many organizations are adopting governance, risk management, and compliance tools that map out regulations and control requirements and can offer dashboards, giving senior leadership visibility into how risks and compliance requirements are being addressed. Because colleges and universities face numerous regulations, it is a good idea to take an enterprisewide approach to compliance with support from technology. This approach is in line with leading practices in commercial enterprises.
    5. Employ third parties to provide a thorough review of current practices across the entire academic enterprise
      1. Undertake an independent review of current practices. A third-party evaluation can identify an institution’s blind spots; it can also help gain executive and board-level support for addressing any gaps that the review may reveal.

    A road map for NIST 800-171 compliance

    Looking ahead

    Up to now, many institutions have struggled to understand how to right-size their institution’s security posture, asking, “Are we too strict?” or, “Are we at risk?” While compliance with NIST 800-171 is not without its challenges, the standard sets a common bar for the industry and helps institutions determine whether their security measures are appropriate.

    Recommended reading

    EDUCAUSE is a higher education technology association and the largest community of IT leaders and professionals committed to advancing higher education. The EDUCAUSE Cybersecurity Program offers a number of resources to help colleges and universities develop and mature their information security and privacy programs. Recommended readings pertaining to the topic of this report include:

    • EDUCAUSE, An Introduction to NIST Special Publication 800-171 for Higher Education Institutions (April 2016)
    • EDUCAUSE, Information Security Program Assessment Tool (last updated September 2017)
    • EDUCAUSE, Digital Capabilities in Higher Education 2016, Information Security Report (forthcoming October 2017)
    • Common Solutions Group, NIST SP 800-171 Compliance Template (September 2016)
    Authors

    Tiffany Fishman is a senior manager with the Deloitte Center for Higher Education Excellence and is based in Arlington, Va.

    Richard Rudnicki is a specialist leader in the Deloitte & Touche Cyber Risk practice, based in Detroit.

    Joanna Lyn Grama directs the EDUCAUSE Cybersecurity Initiative and the IT GRC (governance, risk, and compliance) program.

    Acknowledgements

    In summer 2017, Deloitte and EDUCAUSE convened an expert panel to discuss the implications for higher education institutions in protecting CUI received from the federal government in institutional IT systems. Deloitte and EDUCAUSE extend their thanks to the following working group members: Ahmed El-Haggen, CIO and VP for information technology, Coppin State University; Patrick Feehan, information security and privacy director, Montgomery College; Cathy Hubbs, chief information security officer, American University; Randy Marchany, information technology security officer, Virginia Tech; Ed Martin, deputy chief information officer, George Washington University; and Scott Midkiff, CIO and VP for information technology, Virginia Tech.

     

    Deloitte and EDUCAUSE also wish to extend their thanks to Timothy D. Sands, president of Virginia Tech, and David Swartz, vice president and CIO of American University, who were interviewed as a part of this project.

     

    This project would not have been possible without the leadership of Dave Noone. Thanks also go to Susan Grajek, Cole Clark, Allison Eng-Perez, Betty Fleurimond, Justin Williams, Michael Wyatt, Srini Subramanian, and Devin Amato.

     

    Cover image by: Alex Nabaum

    Endnotes
      1. Gregory C. Wilshusen, “Federal information security: Actions needed to address challenges,” testimony before the President’s Commission on Enhancing National Cybersecurity, September 19, 2016. View in article

      2. Office of Information and Regulatory Affairs, “Federal Acquisition Regulation (FAR); FAR Case 2017-016, Controlled Unclassified Information (CUI),” accessed October 18, 2017. View in article

      3. US Department of Education, Office of Student Financial Aid, “Protecting student information,” July 1, 2016. View in article

      4. Office of Information and Regulatory Affairs, “Federal Acquisition Regulation.” View in article

      5. Deloitte EDUCAUSE working group, July 2017. View in article

      6. Ibid. View in article

      7. David Brady and T. J. Beckett, “New process and regulations for controlled unclassified information,” Virginia Tech, April 19, 2017. View in article

    Show moreShow less

    Topics in this article

    Education , Federal Government , Information Management , Cyber risk

    Deloitte Center for Higher Education Excellence

    Deloitte’s Center for Higher Education Excellence focuses on groundbreaking research to help colleges and universities navigate these challenges and reimagine how they achieve innovation in every aspect of the future college campus: Teaching, learning, and research.

    View
    Get in touch
    Contact
    • Tiffany Fishman
    • Senior manager
    • Deloitte Center for Higher Education Excellence
    • tfishman@deloitte.com
    • +1 571 882 6247
    Download Subscribe

    Related

    img Trending

    Interactive 3 days ago

    Tiffany Fishman

    Tiffany Fishman

    Senior Manager | Deloitte Services LP

    Tiffany is a senior manager with the Deloitte Center for Government Insights. Her research and client work focuses on how emerging issues in technology, business, and society will impact organizations. She has written extensively on a wide range of public policy and management issues, from health and human services reform to the future of transportation and the transformation of higher education. Her work has appeared in a number of publications, including Public CIO, Governing, and EducationWeek.

    • tfishman@deloitte.com
    • +1 571 882 6247
    Richard Rudnicki

    Richard Rudnicki

    Specialist Leader | Deloitte & Touche LLP

    Richard is a specialist leader with more than 15 years of experience in the Deloitte & Touche LLP's Cyber Risk practice, focused on delivering cyber risk and regulatory compliance solutions to clients, with a focus on higher education and the public sector. His experience includes delivering enterprise resource planning systems such as PeopleSoft, Workday, and Oracle Cloud, implementing identity and access management solutions, and performing risk assessments and security program reviews based on National Institute of Standards and Technology, Health Insurance Portability and Accountability, and Family Educational Rights and Privacy Act of 1974 standards and regulations.

    • rrudnicki@deloitte.com
    • +1 313 396 2519

    Share article highlights

    See something interesting? Simply select text and choose how to share it:

    Email a customized link that shows your highlighted text.
    Copy a customized link that shows your highlighted text.
    Copy your highlighted text.

    NIST Special Publication 800-171 for higher education has been saved

    NIST Special Publication 800-171 for higher education has been removed

    An Article Titled NIST Special Publication 800-171 for higher education already exists in Saved items

    Invalid special characters found 
    Forgot password

    To stay logged in, change your functional cookie settings.

    OR

    Social login not available on Microsoft Edge browser at this time.

    Connect Accounts

    Connect your social accounts

    This is the first time you have logged in with a social network.

    You have previously logged in with a different account. To link your accounts, please re-authenticate.

    Log in with an existing social network:

    To connect with your existing account, please enter your password:

    OR

    Log in with an existing site account:

    To connect with your existing account, please enter your password:

    Forgot password

    Subscribe

    to receive more business insights, analysis, and perspectives from Deloitte Insights
    ✓ Link copied to clipboard
    • Contact us
    • Search jobs
    • Submit RFP
    • Subscribe to Deloitte Insights
    Follow Deloitte Insights:
    Global office directory US office locations
    US-EN Location: United States-English  
    About Deloitte
    • About Deloitte
    • Client stories
    • My Deloitte
    • Deloitte Insights
    • Email subscriptions
    • Press releases
    • Submit RFP
    • US office locations
    • Alumni
    • Global office directory
    • Newsroom
    • Dbriefs webcasts
    • Contact us
    Services
    • Tax
    • Consulting
    • Audit & Assurance
    • Deloitte Private
    • M&A and Restructuring
    • Risk & Financial Advisory
    • AI & Analytics
    • Cloud
    • Diversity, Equity & Inclusion
    Industries
    • Consumer
    • Energy, Resources & Industrials
    • Financial Services
    • Government & Public Services
    • Life Sciences & Health Care
    • Technology, Media & Telecommunications
    Careers
    • Careers
    • Students
    • Experienced Professionals
    • Job Search
    • Life at Deloitte
    • Alumni Relations
    • About Deloitte
    • Terms of Use
    • Privacy
    • Privacy Shield
    • Cookies
    • Cookie Settings
    • Legal Information for Job Seekers
    • Labor Condition Applications
    • Do Not Sell My Personal Information

    © 2023. See Terms of Use for more information.

    Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

    Learn more about Deloitte's work for the US Olympic Committee