Today, institutions of higher education face a dizzying array of regulations. These regulations increasingly force colleges and universities to adopt stronger security measures as they combat more and more cybersecurity threats. Many of these regulations mandate two-factor authentication (2FA) to ensure that the right person is accessing sensitive information.
In this two-part blog series, we’ll discuss some of the most common regulations that affect schools—PCI DSS, HIPAA, GLBA, and NIST SP-800-171—as well as what 2FA requirements exist for each regulation. To start, let’s take a closer look at NIST SP-800-171 and PCI DSS.
NIST SP-800-171 is a special publication of the National Institute of Standards and Technology that defines minimum cybersecurity requirements for protecting federal information held on non-federal systems. It is not itself a regulation; it becomes binding on colleges and universities through the contracts they sign with federal agencies, most notably the DFARS clause (252.204-7012) that the Department of Defense includes in its contracts.
To which higher education institutions does NIST SP-800-171 apply? Any college or university that wants to continue receiving federal or research grants or working with federal government data needs to take the necessary steps to comply.
More specifically, the DFARS clause requires that all Department of Defense (DoD) contractors that process, store, or transmit Controlled Unclassified Information (CUI) implement the NIST SP-800-171 security requirements by December 31, 2017 or risk losing their DoD contracts. Note that the deadline and the penalty come from DFARS, not from the NIST publication itself, which only specifies the controls.
Let’s Talk CUI
CUI refers to unclassified information that the federal government creates or possesses (or that a non-federal entity creates or possesses on the government's behalf) and that a law, regulation, or government-wide policy requires or permits to be safeguarded or disseminated under controls. Categories include controlled technical information, patent information, export control data, research data, engineering data and drawings, agricultural data, privacy data, financial information, health records, student records, and genetic data.
Schools can receive CUI through their research. Contracts with the DoD stipulate what kind of data the federal government is sharing and that the university or college must follow the terms of NIST SP-800-171 in order to utilize that information.
What happens if your institution doesn't comply with NIST SP-800-171? It risks losing the DoD contracts that carry the DFARS clause, and with them the research funding and data access those contracts provide; other agencies are increasingly writing the same requirement into their own grants and contracts.
Complying with NIST SP-800-171’s 14 Families of Security Requirements
Complying with NIST SP-800-171 involves adhering to 14 families of security requirements, comprising 110 individual requirements in Revision 1 (the original 2015 edition listed 109; Revision 1 added the system security plan requirement). The three families most relevant to Identity and Access Management (IAM) and 2FA are Access Control, Identification and Authentication, and Maintenance; the full list of families is in the publication itself.
The Access Control (3.1) family relates to properly limiting and controlling system access. Section 3.1.1 requires institutions to “limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).”
Identification and Authentication (3.5) deals with the requirements relating to central authentication and multi-factor authentication for local and network access to resources. Here are the most relevant sections when it comes to 2FA:
- 3.5.2: Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems.
- 3.5.3: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- 3.5.4: Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
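Requirement 3.5.4 is the one most often misunderstood, so here is an added illustration (example code written for this post, not NIST's text or anything from the original article) of what "replay-resistant" means in practice. A static secret sent over the network can be captured once and presented again indefinitely; a challenge/response scheme, where the server issues a fresh random nonce and accepts each nonce exactly once, makes a captured response worthless. The shared key, password and class names are hypothetical. Note that a replay-resistant factor is still only one factor; it does not by itself satisfy 3.5.3.

```python
import hashlib
import hmac
import secrets
import time


class ReplayableAuth:
    """Server that checks a static secret. Whatever the client sends to log in
    can be captured and resent later, because the message never changes."""

    def __init__(self, password: bytes):
        self._password = password

    def login(self, presented: bytes) -> bool:
        return hmac.compare_digest(presented, self._password)


class ChallengeResponseAuth:
    """Server side of a nonce-based challenge/response scheme. Each nonce is
    random, short-lived and single-use, so a recorded response cannot be
    replayed: the nonce it answers is already consumed (or expired)."""

    def __init__(self, shared_key: bytes, nonce_ttl_s: float = 60.0):
        self._key = shared_key
        self._ttl = nonce_ttl_s
        self._pending = {}  # nonce -> time it was issued

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = time.monotonic()
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # pop() makes the nonce single-use: a second verify with the same
        # nonce fails even if the response bytes are identical.
        issued = self._pending.pop(nonce, None)
        if issued is None or time.monotonic() - issued > self._ttl:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(shared_key: bytes, nonce: bytes) -> bytes:
    """Client side: prove possession of the key without sending it."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Run both schemes against an attacker who records one login and replays
    it. Returns the outcome of each attempt so the difference is explicit."""
    results = {}

    # Constructed credentials for the demonstration (hypothetical values).
    password = b"correct-horse-battery-staple"
    static = ReplayableAuth(password)
    captured = password  # what a network observer sees on the wire
    results["static_first"] = static.login(captured)
    results["static_replay"] = static.login(captured)  # still accepted

    key = secrets.token_bytes(32)
    server = ChallengeResponseAuth(key)
    nonce = server.challenge()
    response = client_respond(key, nonce)
    results["cr_first"] = server.verify(nonce, response)
    results["cr_replay"] = server.verify(nonce, response)  # nonce consumed

    # An attacker without the key cannot answer a fresh challenge either.
    fresh = server.challenge()
    results["cr_wrong_key"] = server.verify(
        fresh, client_respond(secrets.token_bytes(32), fresh))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} -> {'accepted' if ok else 'rejected'}")
```

Production systems get the same property from mechanisms such as TOTP (with the server rejecting reuse of an already-accepted code), FIDO2/WebAuthn (server-issued challenge signed by the authenticator), or Kerberos-style authenticators with timestamps; the common thread is that the server, not the client, chooses something fresh for every authentication.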
The Maintenance family (3.7), specifically section 3.7.5, states that multi-factor authentication is required “to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.”
To learn more about what your institution can do to meet the NIST SP-800-171 MFA requirements, check out our recent blogs on the subject:
- What New Federal Regulations Mean for Student Data Management in Higher Education
- Meeting the DFARS MFA Requirements—What You Need to Know
Payment Card Industry Data Security Standards (PCI DSS)
PCI DSS is a set of requirements maintained by the PCI Security Standards Council (founded by the major card brands) to ensure that organizations that accept, process, store, or transmit credit card information maintain a secure environment for that data. It applies to the higher education space because universities and colleges process credit card payments for tuition, housing, bookstores, event tickets, and many other transactions.
If your college or university doesn't comply with PCI DSS and suffers a data breach, your institution can be fined by its acquiring bank and the card brands. Moreover, your campus could lose the ability to accept credit card payments. You would also be moved to a more stringent validation level, which means an on-site assessment by a Qualified Security Assessor (QSA) rather than the Self-Assessment Questionnaire (SAQ) most campuses complete on their own.
2FA Requirements Mandated By PCI DSS
PCI DSS version 3.2, released in April 2016, strengthened the encryption and authentication requirements (and switched the standard's wording from "two-factor" to "multi-factor" authentication). Previous versions, including 3.1, only required a second factor for remote network access into the cardholder data environment (CDE). As of 3.2, MFA is mandatory for all non-console administrative access into the CDE as well as for all remote access originating from outside the entity's network. The new non-console administrative access requirement was a best practice until February 1, 2018, after which it became mandatory.
So, of which 2FA-related PCI DSS requirements should your institution be aware?
Requirement 8, Identify and Authenticate Access to System Components, calls for the assignment of a unique ID to each user to ensure that each individual is uniquely accountable for their actions. The requirement states, “When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes.”
Requirement 8 is applicable for all accounts, including point-of-sale accounts with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. This includes accounts used by vendors and other third parties.
In addition, Requirement 8.3.1 obligates you to incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
The following requirement, 8.3.2, entails the use of MFA for all remote network access originating from outside the entity’s network (both user and administrator access, and including third-party access for support or maintenance).
To learn more about how your college or university can meet the PCI DSS compliance requirements, here’s some further reading on the subject:
- PCI Compliance as Part of University Security...Why So Difficult?
- Multi-Factor Authentication Changes with PCI-DSS 3.2
In Part 2, we will discuss HIPAA and GLBA, as well as how to get started with 2FA at your university or college.