At the end of 2017, the first deadline passed for complying with a new set of federal regulations that will force colleges and universities that enter into contracts with federal agencies to tighten their cybersecurity practices. The Department of Education has made it clear that it will compel universities and colleges to comply with NIST’s Special Publication 800-171, which is designed to protect the confidentiality of controlled unclassified information (CUI).
What does this mean for higher education institutions? If colleges and universities want to continue receiving federal grants or research grants, or working with federal government data, they’ll have to significantly tighten their cybersecurity.
Read on to learn more about these regulations and what your institution can do to comply with them.
What Are the New Regulations that Universities and Colleges Face?
The NIST regulations are designed to protect controlled unclassified information (CUI). CUI refers to any data received from the federal government that isn’t designated as classified. It can be (but isn’t limited to) controlled technical information, patent information, export control data, research data, engineering data and drawings, agricultural data, privacy data, financial information, health records, student records, and genetic data.
To effectively protect CUI, universities and colleges must adhere to 14 families of security requirements, comprising 109 individual controls. These are:
- Access control: limiting who has access to data
- Awareness and training: making employees aware of information security risks
- Audit and accountability: ensuring system logs are created, maintained, and reviewed
- Configuration management: creating baseline configurations
- Identification and authentication: verifying the identity of users before they access resources, using MFA
- Incident response: developing and carrying out plans to deal with incidents
- Maintenance: performing appropriate maintenance on information systems
- Media protection: sanitizing and destroying media containing CUI
- Personnel security: screening personnel so that only appropriate individuals have access to CUI
- Physical protection: restricting physical access to systems containing CUI
- Risk assessment: assessing the risk to the organization that arises from handling CUI
- Security assessment: periodically assessing whether current school security policies and controls are effective
- System and communication protection: using secure design principles in system architecture and software development life cycle
- System and information security: monitoring systems for flaws and correcting them
The Path to NIST 800-171 Compliance
Some institutions of higher education are already well on their way to complying with NIST 800-171, such as those that already receive significant defense research funding. However, many schools are just starting their journey to compliance and are still trying to figure out what their first steps should be.
The effort it will take for universities and colleges to become compliant will vary from school to school, depending on what cybersecurity measures they already have in place. EDUCAUSE and Deloitte recently released a helpful guide with steps that every university or college can put into place to work towards compliance.
These steps include:
- Form a Working Group to Manage the Process: Gather a cross section of representatives from across the school (academic, administrative, and researchers). It’s crucial to obtain support from the school’s highest levels of leadership and to engage them throughout the entire process.
- Analyze the Impact and Scope: Determine the applicable contracts and data subject to NIST 800-171 controls. Then, evaluate the value of receiving and using that information.
- Assess Your Institution’s Current Security State: Is there CUI that resides in on-premises campus systems or in the cloud? If so, how is it processed? You must consult with the owners of these systems to discover what security measures are already in place. With that knowledge, you’ll need to perform a gap analysis to learn whether those measures meet NIST 800-171 standards.
- Develop a Plan: After analyzing what measures need to be strengthened, you must define the roles and responsibilities necessary to maintain compliance. You also need to create an action plan to address existing gaps.
- Establish Responsibilities and Efficient Processes to Achieve Long-Term Compliance: Remember that achieving and maintaining compliance is an ongoing effort. That’s why it’s important to engage with everyone affected by these regulations, communicating with them and providing training. Conducting self-assessments and putting a process in place for continuous improvement are also critical.
- Undertake an Independent Review of Current Practices: Bring in an impartial third party to review your security practices and identify blind spots.
Ready to Become NIST 800-171 Compliant?
For many universities and colleges, security is a lower priority, resulting in an ad hoc approach to data management. However, with these new regulations, if schools want federal grants and research contracts, this approach won’t cut it.
Proactive data security and compliance with these regulations give colleges and universities a competitive advantage. However, to reach this point, institutions need to invest more effort and resources into identity-driven security.
This means putting identity and access management (IAM) at the core of your security program—that includes automated lifecycle management, multi-factor authentication (MFA), privileged access management (PAM), and robust audit and governance capabilities.
Fortunately, we can help. Identity Automation offers a comprehensive IAM platform and portfolio that can be implemented as a complete IAM solution or as point solutions that augment your existing infrastructure. We are also knowledgeable about the NIST guidelines and have helped many organizations address these regulations.
If you’re ready to assess your NIST 800-171 compliance standing and technology needs, schedule a free consultation with our NIST experts today.