At the end of 2017, the first deadline passed to comply with a new set of federal regulations that will force colleges and universities that enter into contracts with federal agencies to tighten their cybersecurity practices. The Department of Education has made it clear that it will compel universities and colleges to comply with NIST’s Special Publication 800-171, which is designed to protect the confidentiality of controlled unclassified information (CUI).
What does this mean for higher education institutions? If colleges and universities want to continue receiving federal grants and research grants, or working with federal government data, they’ll have to significantly tighten their cybersecurity.
Read on to learn more about these regulations and what your institution can do to comply with them.
The NIST regulations are designed to protect controlled unclassified information (CUI). CUI refers to any data received from the federal government that isn’t designated as classified. It can be (but isn’t limited to) controlled technical information, patent information, export control data, research data, engineering data and drawings, agricultural data, privacy data, financial information, health records, student records, and genetic data.
To effectively protect CUI, universities and colleges must adhere to 14 families of security requirements, comprising 109 individual controls. These are:
Some institutions of higher education are already well on their way to complying with NIST 800-171, such as those that already receive significant defense research funding. However, many schools are just starting their journey to compliance and are still trying to figure out what their first steps should be.
The effort it will take for universities and colleges to become compliant will vary from school to school, depending on what cybersecurity measures they already have in place. EDUCAUSE and Deloitte recently released a helpful guide with steps that every university or college can put into place to work towards compliance.
These steps include:
For many universities and colleges, security is a lower priority, resulting in an ad hoc approach to data management. However, with these new regulations, if schools want federal grants and research contracts, this approach won’t cut it.
Proactive data security and compliance with these regulations give colleges and universities a competitive advantage. However, to reach this point, institutions need to invest more effort and resources into identity-driven security.
This means putting identity and access management (IAM) at the core of your security program—that includes automated lifecycle management, multi-factor authentication (MFA), privileged access management (PAM), and robust audit and governance capabilities.
Fortunately, we can help. Identity Automation offers a comprehensive IAM platform and portfolio that can be implemented as a complete IAM solution or as point solutions that augment your existing infrastructure. We are also knowledgeable about the NIST guidelines and have helped many organizations address these regulations.
If you’re ready to assess your NIST 800-171 compliance standing and technology needs, schedule a free consultation with our NIST experts today.