According to the FSA announcement from December 2020, “The self-assessment effort will help the Department determine the cybersecurity posture, maturity and future compliance of each [institute of higher education] with NIST 800–171 and other cybersecurity requirements.”
It remains to be seen whether DoEd Secretary Miguel Cardona, who was appointed subsequent to the FSA announcement, will make modifications to the effort or its timeline, but institutes of higher education (IHE) should nevertheless begin to consider their readiness to comply.
Information within the scope of potential NIST 800-171 compliance is considered Controlled Unclassified Information (or CUI), i.e., information that is not classified in the sense that one must obtain a security clearance to handle it, but controlled due to its sensitivity. Within the context of IHE, it’s information that’s used in the administration of federal student aid programs authorized under Title IV of the Higher Education Act.
The recent abundance of data breaches at organizations entrusted with personally identifiable information has necessitated the DoEd and IHEs to collaboratively fight cybersecurity threats and to strengthen the cybersecurity infrastructure at each IHE.
Of note is that under the Higher Education Act, the Family Educational Rights and Privacy Act, the Privacy Act of 1974 (as amended), the GLBA and state data breach and privacy laws, institutions may be responsible for losses, fines and penalties (including criminal penalties) as a result of data breaches, so mitigating the risk of such breaches occurring is a first necessary step.
To assess its readiness to comply with NIST 800-171, an IHE should first identify what CUI it stores, processes and disposes of and where that CUI is logically and physically located. Next it should assess which of the 110 individual controls are being performed currently and which are not. Controls not being met are gaps the IHE should strive to close.
Admittedly, the challenge is with the timeline. When will IHEs need to evidence their compliance or even readiness for compliance? When will sanctions be handed down to force compliance? As this remains unknown, striving for clean cyber hygiene and performing reasonable controls to safeguard CUI are crucial to protecting such information and should be commonplace in the higher education industry and beyond.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.