800-171

The Department of Education is suggesting NIST SP 800-171

In June 2015, the National Institute of Standards and Technology (NIST) released NIST Special Publication 800-171. This document, titled Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, details the controls that nonfederal entities, such as defense contractors, should have in place to protect the confidentiality of Controlled Unclassified Information (CUI). There are 14 security control families in NIST SP 800-171, including Access Control, Awareness and Training, Personnel Security and Physical Protection, to name a few. While our IT audit and security division, OCD Tech, has worked with defense contractors to ensure they have the controls and system security plans in place to comply with this new publication, Higher Education was not on the radar for these technical controls.

Then, on July 1, 2016, Undersecretary Ted Mitchell of the United States Department of Education sent a “Dear Colleague” letter, GEN-16-12, reminding institutions of their legal obligations to protect student information used in the administration of the Title IV Federal student financial aid program. Of note in the letter is the following:

We also advise institutions that important information related to cyber security protection is in the National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP 800-171). Specifically, the NIST SP 800-171 identifies recommended requirements for ensuring the appropriate long-term security of certain Federal information in the possession of institutions.

Additionally:

The Department strongly encourages institutions to review and understand the standards defined in the NIST SP 800-171, the recognized information security publication for protection “Controlled Unclassified Information (CUI),” a subset of Federal data that includes unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Federal policies.

And finally:

Thus, we strongly encourage those institutions that fall short of NIST standards to assess their current gaps and immediately begin to design and implement plans in order to close those gaps using the NIST standards as a model.

It appears the Department of Education is likening institutions' handling of federal student aid data to defense contractors' handling of controlled unclassified information, and expecting those same levels of controls to be in place.

More about NIST: NIST publications can be found at the website csrc.nist.gov. While SP 800-171 is over 75 pages, it is only one of over 100 publications the agency has released that detail computer/cyber/information security guidelines, recommendations and reference materials. The earliest guideline, SP 800-13, released in December 1995, details the security controls for network telecommunications management. Most recently, in July 2016, SP 800-183 describes the Network of Things, and the effect this highly interconnected world, including the Internet of Things, will have when everything has a sensor and is directly connected. Keeping up with all of these publications is overly onerous if your organization does not use NIST as its framework for Information Technology. NIST created 800-171 to help organizations that work with federal information, or hold federally protected information, but are not themselves a federal agency.

Defense contractors have until December 31, 2017 to comply with NIST 800-171 or risk losing their highly lucrative defense contracts. Given the speed of acceptance and implementation of 800-171 as a framework for protecting controlled unclassified information in the defense industry, it is reasonable to assume that a mandate for compliance may come for higher education sooner rather than later. The Department of Education has not set that same timeline for Higher Education institutions, but with the long lead time to become acquainted with the NIST framework, and the time it takes to implement and test the controls contained within, an organization cannot afford to delay starting its review and can benefit from being proactive in the face of potential new compliance requirements.

More about OCD Tech: OCD Tech, the IT Audit & Security Division of O’Connor & Drew P.C., provides independent and objective assurance of your IT controls. Using industry-recognized frameworks and best practices, they assess your institution's technology risks and evaluate existing controls for risk mitigation. Staffed with industry veterans, members of OCD Tech are IT security professionals, some with over 20 years' experience in IT audit and security. For more information about OCD Tech, or how they can help in your NIST 800-171 efforts, check out their website at www.ocd-tech.com/800-171

What are the requirements of Special Publication 800-171?

Special Publication 800-171 includes 109 controls split among 14 control families. These control families cover all critical aspects of information security:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

How can OCD Tech help achieve NIST SP 800-171 compliance?

Our staff are experts at assessing organizational compliance against the NIST frameworks, including SP 800-171. We help Higher Education institutions document their existing environments, identify compliance gaps, and build remediation plans. We have proprietary templates and toolkits designed specifically for SP 800-171 compliance.

Contact Info

  • OCD Tech
  • 25 BHOP, Suite 407, Braintree MA, 02184
  • 844-623-8324
  • https://ocd-tech.com
© 2025 — OCD Tech: IT Audit - Cybersecurity - IT Assurance