NIST 800-171 for Higher Education

While it’s been more than four years since Educause released the Introduction to NIST Special Publication 800-171 for Higher Education Institutions, Federal Student Aid (FSA, an office of the U.S. Department of Education (DoEd)) plans to encourage a self-assessment effort in 2021 to understand the higher education community’s readiness to comply with NIST 800–171 Rev 2.

According to the FSA announcement from December 2020, “The self-assessment effort will help the Department determine the cybersecurity posture, maturity and future compliance of each [institute of higher education] with NIST 800–171 and other cybersecurity requirements.”

It remains to be seen whether DoEd Secretary Miguel Cardona, who was appointed subsequent to the FSA announcement, will make modifications to the effort or its timeline, but institutes of higher education (IHE) should nevertheless begin to consider their readiness to comply.

Information within the scope of potential NIST 800-171 compliance is considered Controlled Unclassified Information (or CUI), i.e., information that is not classified in the sense that one must obtain a security clearance to handle it, but controlled due to its sensitivity. Within the context of IHE, it’s information that’s used in the administration of federal student aid programs authorized under Title IV of the Higher Education Act.

The recent abundance of data breaches at organizations entrusted with personally identifiable information has necessitated the DoEd and IHEs to collaboratively fight cybersecurity threats and to strengthen the cybersecurity infrastructure at each IHE.

Of note is that under the Higher Education Act, the Family Educational Rights and Privacy Act, the Privacy Act of 1974 (as amended), the GLBA and state data breach and privacy laws, institutions may be responsible for losses, fines and penalties (including criminal penalties) as a result of data breaches, so mitigating the risk of such breaches occurring is a first necessary step.

To assess its readiness to comply with NIST 800-171, an IHE should first identify what CUI it stores, processes and disposes of and where that CUI is logically and physically located. Next it should assess which of the 110 individual controls are being performed currently and which are not. Controls not being met are gaps the IHE should strive to close.

Admittedly, the challenge is with the timeline. When will IHEs need to evidence their compliance or even readiness for compliance? When will sanctions be handed down to force compliance? As this remains unknown, striving for clean cyber hygiene and performing reasonable controls to safeguard CUI are crucial to protecting such information and should be commonplace in the higher education industry and beyond.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2022 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Top Risks to Consider in 2022
The Benefits of Having an Independent SAP Controls Team on Your SAP S/4HANA Project
OMB Releases 2021 Compliance Supplement
What to Know About the Latest Title IX Guidance
Universities Are Exploring New Business Models
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×