As a group, higher education may have performed better than other industry segments regarding NIST SP 800-171 compliance; however, a recent survey found that:
The level of compliance was tied to an institution's existing processes, data segmentation, and staffing. Does your organization have procedures in place to ensure data security? Where does your institution stand when it comes to NIST compliance?
NIST SP 800-171 is a U.S. standard for the protection of controlled unclassified information (CUI). CUI refers to information that federal agencies share with non-government entities. For higher education institutions, shared data may include information for federally funded research or grants. It may also include student financial aid information. Although other government regulations such as FISMA and GLBA exist for data protection, NIST SP 800-171 is designed to address those instances where cybersecurity compliance is not otherwise explicitly addressed.
Complying with NIST SP 800-171 means meeting over 100 individual controls across the following groups:
In a 2016 letter, the government recognized the level of investment and effort required to comply with these standards; however, it stressed the importance of compliance because of increased cybersecurity threats.
Institutions of higher education may regard NIST standards as excessive. Many of the smaller institutions do not see themselves as possible targets of a cyberattack and are not concerned with 100% compliance. Unfortunately, that assumption is incorrect.
According to a 2020 report on data breaches, ransomware was responsible for 80% of malware-related incidents at higher education institutions, 48% higher than the previous year. The primary cause was malware distributed through websites, aided by the large volume of unmonitored email and internet activity from students, faculty, and staff who use their own devices.
A primary concern for educational institutions is incident reporting. Almost 25% lack a reporting process, and 50% could not supply the required evidence of an incident. These lapses can result in a cyberattack that damages an institution's reputation and incurs financial penalties. Depending on the agency, non-compliance could result in a loss of federal funding.
According to an IBM report, loss of reputation has the largest financial impact on an organization because it translates into lost customers. It can take years to rebuild consumer confidence, and in some instances it is never restored. With more institutions incorporating distance learning, the chances of a cyberattack increase as the number of endpoints increases. Maintaining high security standards is essential to mitigating the risk of a cyber incident.
Depending on the government agency and the severity of a breach or incident, institutions could lose funding. For research institutions, the loss of government funding or the revoking of grants not only hurts the financial health of the organization, but it also impacts its ability to attract researchers. Researchers are not going to attend an institution if they might lose their funding because of a failure to comply.
Although the government has given institutions years to comply, there will come a time when compliance will be expected. When an institution is out of compliance, penalties may result. These may include financial penalties in addition to a loss of funding. Compliance is the only way for organizations to ensure their economic viability.
The best approach to compliance includes the following:
These three steps identify CUI data, where it is stored, and who has access to it. They require a restricted permissions model that can be tightened with more rigorous authentication methods, such as multi-factor authentication and a centralized identity provider. They put in place an auditing framework that can be applied as institutions address each security control.
The Gramm-Leach-Bliley Act (GLBA) was designed to protect an individual's financial information. Although intended for the financial services sector, it applies to any organization that retains financial information. Since most students use financial aid, higher education institutions must comply with the GLBA.
GLBA protects financial information only. It does not protect other unclassified information that may be used to direct and evaluate government-funded research. NIST SP 800-171 is an umbrella standard that sets requirements for enterprise-wide data collection, storage, and transmission. Complying with GLBA is not enough to satisfy the NIST SP 800-171 requirements.
Cybersecurity incidents can ruin a higher education institution's reputation. In the educational sector, reputation is everything. Without a solid reputation, schools cannot attract students or faculty. Research dollars are harder to find. At GreyCastle Security, we understand how overwhelming the NIST standard can be. That's why we are ready to help you stay in compliance and protect your reputation.