NIST SP 800-171 Requirements for Institutions of Higher Education: How Do You Stack Up?

As a group, higher education may have performed better than other industry segments regarding NIST SP 800-171 compliance; however, a recent survey found that:

  • No one was 100% compliant.
  • Only 39% of organizations had implemented security controls.
  • Over 80% failed to implement 16 specific controls.

The level of compliance was tied to an institution's existing processes, data segmentation, and staffing. Does your organization have procedures in place to ensure data security? Where does your institution stand when it comes to NIST compliance?

What is NIST SP 800-171?

NIST SP 800-171 is a U.S. standard for the protection of controlled unclassified information (CUI). CUI refers to information that federal agencies share with non-government entities. For higher education institutions, shared data may include information for federally funded research or grants. It may also include student financial aid information. Although other government regulations such as FISMA and GLBA address data protection, NIST SP 800-171 is designed to cover those instances where cybersecurity requirements are not otherwise explicitly addressed.

What Are the Requirements?

Complying with NIST SP 800-171 means meeting over 100 individual controls across the following groups:

  • Access Control. Set limits on the number of authorized users.
  • Awareness. Advise and train employees on security risks.
  • Authentication and Identification. Implement centralized authentication with multi-factor authentication.
  • Accountability. Create, protect, retain, and audit system logs.
  • Change management. Use change management processes against a configuration baseline.
  • Incident response. Establish incident response protocols for detecting, analyzing, containing, recovering, and responding to cybersecurity incidents.
  • Maintenance. Maintain all systems.
  • Media disposal. Define processes for sanitizing and destroying all media containing CUI.
  • Personnel security. Develop a robust screening process before granting access to CUI.
  • Physical security. Limit physical access to facilities with CUI systems to authorized personnel.
  • Risk assessment. Assess the risk to CUI associated with processing, storing, and transmitting data.
  • Security assessment. Evaluate security controls and address deficiencies to limit vulnerabilities.
  • Infrastructure protection. Design secure system infrastructures and software development processes.
  • System security. Monitor infrastructure for flaws and vulnerabilities.

In a 2016 letter, the government recognized the level of investment and effort required to comply with these standards; however, it stressed the importance of compliance because of increased cybersecurity threats.

Why Comply?

Institutions of higher education may regard NIST standards as excessive. Many of the smaller institutions do not see themselves as possible targets of a cyberattack and are not concerned with 100% compliance. Unfortunately, that assumption is incorrect.

According to a 2020 report on data breaches, ransomware was responsible for 80% of malware-related incidents at higher education institutions, which is 48% higher than the previous year. Malware distributed through websites was the primary vector, fed by the large volume of unmonitored email and internet activity from students, faculty, and staff who use their own devices.

A primary concern for educational institutions is incident reporting. Almost 25% lack a reporting process, and 50% could not supply the required evidence of an incident. These lapses leave an institution exposed to a cyberattack that damages its reputation and incurs financial penalties. Depending on the agency, non-compliance could also result in a loss of federal funding.

Reputation

According to an IBM report, loss of reputation has the largest financial impact on an organization because it translates into lost customers. It can take years to rebuild consumer confidence, and in some instances it is never restored. With more institutions incorporating distance learning, the chances of a cyberattack increase as the number of endpoints increases. Maintaining high security standards is essential to mitigating the risk of a cyber incident.

Funding

Depending on the government agency and the severity of a breach or incident, institutions could lose funding. For research institutions, the loss of government funding or the revoking of grants not only hurts the financial health of the organization, it also impacts its ability to attract researchers. Researchers are not going to join an institution if they might lose their funding because of a failure to comply.

Penalties

Although the government has given institutions years to comply, there will come a time when compliance will be expected. When an institution is out of compliance, penalties may result. These may be financial penalties in addition to a loss of funding. Compliance is the only way for organizations to ensure their economic viability.

What are Best Practices?

The best approach to compliance includes the following:

  • Document what CUI, as well as other sensitive data, resides on the network. Some government agencies may help with identifying the types of data that need to be secured. Even if they do not, an institution is still responsible for classifying data such as routing numbers, resident status, or identification numbers.
  • Implement a least-privilege model for accessing the information. Grouping similar data makes it easier to restrict access than if the data is spread throughout the network. Be prepared to report on who has access to CUI data.
  • Audit all activity and report abnormal activity according to NIST guidelines. The process should include details on what evidence should be collected to evaluate an incident.

These three steps identify CUI data, where it is stored, and who has access. They require a restricted permissions model that can be tightened with more rigorous authentication methods, such as multi-factor authentication and a centralized identity provider. They also put in place an auditing framework that can be applied as institutions address each security control.
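As an added illustration of the first two steps (not code from GreyCastle or the NIST publication), the following script inventories where one kind of financial CUI named above, bank routing numbers, sits on a set of constructed file shares and flags readers outside an assumed approved CUI group. The share contents, principal names, and the approved-group list are all made up for the example.

```python
import re

# Constructed sample "file shares": path -> (contents, set of principals with read access).
# These values are invented for the example, not real institutional data.
SHARES = {
    "/shares/bursar/aid_disbursements.csv": (
        "student_id,routing,account\n"
        "10001,123456780,12345678\n"   # 123456780 passes the ABA checksum
        "10002,123456789,87654321\n",  # 123456789 fails it and is ignored
        {"bursar-staff", "it-admins", "all-students"},
    ),
    "/shares/research/grant_notes.txt": (
        "Award GRANT-ID-PLACEHOLDER covers the sensor study. Contact the PI.\n",
        {"pi-group"},
    ),
}

# Groups the institution has approved for CUI access (an assumption for the example).
APPROVED_CUI_GROUPS = {"bursar-staff", "it-admins", "pi-group"}

# A 9-digit run not embedded in a longer digit string.
ROUTING_RE = re.compile(r"(?<!\d)(\d{9})(?!\d)")


def is_aba_routing(num: str) -> bool:
    """ABA routing numbers carry a mod-10 check:
    3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be divisible by 10."""
    if len(num) != 9 or not num.isdigit():
        return False
    d = [int(c) for c in num]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def find_routing_numbers(text: str) -> list[str]:
    """Return 9-digit tokens that pass the checksum, filtering out random 9-digit IDs."""
    return [m for m in ROUTING_RE.findall(text) if is_aba_routing(m)]


def inventory_cui(shares=SHARES, approved=APPROVED_CUI_GROUPS) -> dict:
    """Record where routing numbers live and which readers exceed the approved CUI groups."""
    report = {}
    for path, (contents, principals) in shares.items():
        hits = find_routing_numbers(contents)
        if not hits:
            continue
        report[path] = {
            "routing_numbers_found": len(hits),
            "readers": sorted(principals),
            "excess_access": sorted(principals - approved),  # least-privilege violations
        }
    return report
```

The `excess_access` list is the "who has access to CUI data" report the text asks for; in this constructed case it names `all-students` as a group that should not be able to read the bursar share.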

Isn't GLBA Enough?

The Gramm-Leach-Bliley Act or GLBA was designed to protect an individual's financial information. Although intended for the financial services sector, it applies to any organization that retains financial information. Since most students use financial aid, higher education institutions must comply with the GLBA.

GLBA protects financial information only. It does not protect other unclassified information that may be used to direct and evaluate government-funded research. NIST SP 800-171 is an umbrella standard that sets requirements for enterprise-wide data collection, storage, and transmission. Complying with GLBA is not enough to satisfy the NIST SP 800-171 standards.

We're Here to Help

Cybersecurity incidents can ruin a higher education institution's reputation. In the educational sector, reputation is everything. Without a solid reputation, schools cannot attract students or faculty. Research dollars are harder to find. At GreyCastle Security, we understand how overwhelming the NIST standard can be. That's why we are ready to help you stay in compliance and protect your reputation.

6 STEPS TO SUCCESS (HIGHER EDUCATION)

Cybersecurity is complex. There are a multitude of factors that compound, contribute to, and create the need for an effective cybersecurity program in higher education institutions small and large.

This overview explains how to address these problems by following the six core steps for building a proactive cybersecurity program.