The Department of Defense (DoD) requires that all defense contractors be in compliance with NIST 800-171 by December 31 of this year – well, that’s old news. Yet for higher education institutions, it is becoming a real concern and hitting closer to home. For most higher education institutions, the regulations flowing down through the DoD have been out of sight, out of mind. However, it is now becoming an issue for many universities, as the Department of Education’s (DoE) requirements are aligning more closely with the level of compliance required by the DoD.
More importantly, many universities are already under contract with the DoD directly or as subcontractors to federal contractor businesses. Once all prime and subcontractors at the commercial level are compliant, the DoD will inevitably require that education institutions become fully compliant as well. According to the Department, based on the proposal responses for the 2016 fiscal year, 54 academic institutions [participated] in 23 different research efforts that total over $162 million U.S. dollars over the next five years (DoD, Apr. 7, 2016).
This number only accounts for the universities that are involved in the specific research efforts as prime contractors. There are hundreds of other institutions who are subcontracted to commercial prime contractors providing research and development for various contracts, along with other services.
Some DoE Background
In 2015, the DoE issued a Dear Colleague Letter about protecting PII for the Title IV Federal student financial aid programs (DCL GEN-15-18). The DoE issued a follow-up letter in 2016 (DCL GEN-16-12). The follow-up letter reminded institutions of the obvious importance of protecting student data, citing the Gramm-Leach-Bliley Act (GLBA), which regulates financial institutions and their collection of PII. Additionally, and more relevant to the conversation at hand, the letter advises on the cybersecurity and information protection requirements in the National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST 800-171).
NIST 800-171 is a set of requirements for non-Federal organizations that handle controlled unclassified information (CUI). The letter specifically calls out the following requirements:
- Access Control Requirements – limit information system access to authorized users
- Awareness and Training Requirements – ensure that system users are properly trained
- Audit and Accountability – create information system audit records
- Configuration Management Requirements – establish baseline configurations and inventories of systems
- Identification and Authentication Requirements – identify and authenticate users appropriately
- Incident Response Requirements – establish incident-handling capability
- Maintenance Requirements – perform appropriate maintenance on information systems
- Media Protection Requirements – protect media, both paper and digital, containing sensitive information
- Personnel Security Requirements – screen individuals prior to authorizing access
- Physical Protection Requirements – limit physical access to systems
- Risk Assessment Requirements – conduct risk assessments
- Security Assessment Requirements – assess security controls periodically and implement action plans
- System and Communications Protection Requirements – monitor, control, and protect organizational communications
- System and Information Integrity Requirements – identify, report, and correct information flaws in a timely manner
AND There’s More
The Defense Federal Acquisition Regulation Supplement (DFARS) clause that applies to all DoD contractors is not mentioned in the DoE letter specifically (because it’s not their concern), but it is important to note here that this compliance requirement flows down to all subcontractors. No need to launch into DFARS here; however, there are several resources to check out to better understand the implications. (See Below)