lock

Perspectives

NIST Special Publication 800-171 for higher education

Prioritizing higher education compliance

Higher education institutions are being asked to comply with new federal rules with requirements to safeguard data known as controlled unclassified information (CUI). The National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171) is the minimum security standard for protecting CUI. Deloitte can help institutions meet their December 31, 2017, compliance requirement, as well as maintain and monitor ongoing compliance.

New federal rules known as controlled unclassified information

Higher education institutions are being asked to comply with new federal rules with heightened requirements to safeguard data known as controlled unclassified information (CUI). By December 31, 2017, select grants and contracts with the federal government may be subject to additional requirements, and timely compliance will be essential to avoid potential fines or the loss of contracts that could impact the institution’s research and preeminence missions.

Institutions that process, store, or transmit CUI data—such as student financial aid information or research conducted under federally funded contracts—may be impacted. This can include student records, research data, and student loan information.

Prioritizing higher education compliance

​The defense federal acquisition regulation supplement (DFARS) 252.204.7012 establishes the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171) as the minimum security standards for protecting both CUI and covered defense information (CDI) associated with defense related contracts.

The federal acquisition regulation (FAR) clause is also expected to apply NIST SP 800-171 standards to protect CUI associated with civilian contracts. Institutions will therefore face additional contractual requirements, likely associated with federal grants and research contracts as the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171) covers 14 groups of security control families.

If organizations fail to comply with these new regulations, they risk the loss of access to mission-critical data, and consequently government funding that contributes to research and day-to-day operations. Furthermore, there’s a risk of remaining non-compliant if institutions adopt the wrong technology or compliance activities. This could result in exposure to data breaches or regulatory audit findings causing brand and financial damage.

Building icons

How can Deloitte help?

While each institution will be impacted differently by the new regulations, there are critical activities that should be undertaken to manage these compliance requirements. Deloitte, the leading provider of cyber governance, can help institutions both meet their December 31, 2017, compliance requirement, as well as maintain and monitor ongoing compliance by following a methodical approach.

Deloitte is a market leader in designing and deploying cybersecurity, compliance, and transformational solutions. We also bring a deep understanding of higher education, based on over 90 years of serving colleges and universities, and combine that with the extensive experience in our Federal practice obtained from implementing relevant cyber security standards.

As a result, we offer an unparalleled ability to effectively interpret NIST SP 800-171 requirements and design and deploy federally compliant systems and processes that address the specific needs of our higher education clients.

talk bubble icon

Looking ahead at the changing regulatory landscape

The changing regulatory landscape will require institutions to remain vigilant as they build out their NIST programs. It’s important for institutions to be strategic in the adoption of compliance activities by understanding their particular set of requirements and expectations.

Deloitte can help higher education institutions understand this dynamic regulatory landscape, and promptly help them achieve compliance by implementing the required compliance activities that can become sustainable and integrated with day-to-day operations. More importantly, by being strategic with their decisions, institutions can reduce overall compliance costs by choosing the requisite programs from the start.

The breadth of our capabilities across contract compliance, risk management, IT consulting, and organizational transformation allows us to define an approach that can efficiently and effectively align people, process, and technology. We can help higher education institutions meet their NIST SP 800-171 compliance obligations which will be required to maintain project funding and avoid other compliance issues that may result.

For more details, download our guide on helping colleges and universities address compliance related to NIST SP 800-171.

paper airplane icpn

Let's talk

If you’re interested in learning more, please contact us. We’d be happy to schedule a meeting with you and your team.

Mark Ford
Principal
Deloitte Risk and Financial Advisory
Higher Education
+1 313 394 5313
Profile

Michael Wyatt
Principal
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 512 226 4171
Profile

Richard Rudnicki
Specialist leader
Deloitte & Touche LLP
+1 313 401 5263

Justin Williams
Senior manager
Deloitte & Touche LLP
+1 346 224 5001

Back to top

handshake icon
Did you find this useful?