NIST 800-171 for Higher Education

While it has been more than four years since Educause released its Introduction to NIST Special Publication 800-171 for Higher Education Institutions, Federal Student Aid (FSA, an office of the U.S. Department of Education (DoEd)) plans to encourage a self-assessment effort in 2021 to gauge the higher education community’s readiness to comply with NIST 800-171 Rev 2.

According to the FSA announcement from December 2020, “The self-assessment effort will help the Department determine the cybersecurity posture, maturity and future compliance of each [institute of higher education] with NIST 800–171 and other cybersecurity requirements.”

It remains to be seen whether DoEd Secretary Miguel Cardona, who was appointed after the FSA announcement, will modify the effort or its timeline, but institutions of higher education (IHEs) should nevertheless begin to assess their readiness to comply.

Information within the scope of potential NIST 800-171 compliance is Controlled Unclassified Information (CUI): information that is not classified (no security clearance is needed to handle it) but that law, regulation or government-wide policy requires to be safeguarded, or to have its dissemination controlled, because of its sensitivity. For an IHE, this is the information used in administering the federal student aid programs authorized under Title IV of the Higher Education Act, such as the student aid application data an IHE receives from FSA.

The steady stream of data breaches at organizations entrusted with personally identifiable information has led the DoEd and IHEs to collaborate in countering cybersecurity threats and strengthening the cybersecurity infrastructure at each IHE.

Of note is that under the Higher Education Act, the Family Educational Rights and Privacy Act (FERPA), the Privacy Act of 1974 (as amended), the Gramm-Leach-Bliley Act (GLBA, whose Safeguards Rule applies to IHEs because they handle Title IV financial data) and state data breach and privacy laws, institutions may be liable for losses, fines and penalties (including criminal penalties) resulting from data breaches, so reducing the likelihood and impact of such breaches is a necessary first step.

To assess its readiness to comply with NIST 800-171, an IHE should first identify what CUI it receives, stores, processes, transmits and disposes of, and where that CUI resides both logically (which systems, applications and cloud services) and physically (which facilities and devices). Scoping matters here: every system that stores, processes or transmits CUI, and every system that can affect the security of those systems, is in scope. Next it should assess which of the 110 security requirements (grouped into 14 families such as Access Control, Audit and Accountability, Configuration Management and Incident Response) are currently met and which are not; NIST SP 800-171A provides the assessment procedures for making that determination objectively rather than by self-attestation alone. Requirements not being met are gaps the IHE should record in a plan of action and milestones and work to close, and the assessment results belong in a system security plan; 800-171 itself requires both documents (requirements 3.12.2 and 3.12.4).

Admittedly, the challenge is the timeline. When will IHEs need to demonstrate compliance, or even readiness for compliance? When will sanctions be imposed to force compliance? While this remains unknown, maintaining sound cyber hygiene and operating reasonable controls to safeguard CUI are crucial to protecting that information and should already be standard practice in the higher education industry and beyond.


© 2021 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
