NIST Special Publication 800-171 (NIST SP 800-171 or NIST 800-171) is a set of security controls within the NIST Cybersecurity Framework that establishes baseline security standards for federal government organizations. NIST SP 800-171 is mandatory for all non-government organizations operating with federal information systems.
Many colleges and universities have begun adopting the NIST 800-171 security framework in recent years, given their partnerships and contractual ties to federal agencies. Because the education sector historically does not protect itself well against external cyber threats, it is critical for any higher education institution with a third-party affiliation with the government to prioritize cybersecurity compliance.
This article will discuss how colleges and universities can implement NIST 800-171 into their security programs and better protect their most sensitive information, business operations, digital assets, and network servers.
What is the NIST Cybersecurity Framework?
The NIST (National Institute of Standards and Technology) Framework is a set of recommended guidelines, standards, rules, and best practices for organizations to follow to improve their risk management processes. It’s a voluntary set of procedures and control baselines used worldwide by organizations looking to improve their overall security posture and information security.
Standardizing a common risk management framework can improve communication across different businesses and industries, allowing organizations to learn from each other and safeguard themselves from cyber attacks. The goal of the NIST Framework is to help all organizations, both small and large, better understand their security risks and how to prevent, respond, remediate, and recover from a potential attack.
What is NIST SP 800-171?
NIST SP 800-171 is part of the NIST-SP 800-series, based on research efforts by the Information Technology Laboratory (ITL). There are 110 security and privacy controls allocated into 14 control families that organizations can choose from based on the type of protection and security they need.
To determine which controls the organization will need, they need to perform a risk assessment test to determine which areas they need to prioritize. The risk assessment identifies which areas have the highest importance and have the most serious impact if a cyber attack occurs. The threat impact levels are Low, Medium, and High.
The fourteen control families are:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
What Regulations Does NIST SP 800-171 Cover for Colleges & Universities?
The following are federal regulatory standards that NIST SP 800-171 can help schools comply with:
- Family Educational Rights and Privacy Act (FERPA)
- Federal Information Security Management Act (FISMA)
- Gramm-Leach-Biley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Higher Education Act (HEA)
- NIST Risk Assessment and Audit Standards
- Payment Card Industry Data Security Standards (PCI-DSS)
- Student Aid Internet Gateway (SAIG) Enrollment Agreement
What is the Difference Between NIST SP 800-53 and NIST SP 800-171?
NIST SP 800-171 was created from NIST SP 800-53 controls specifically for protecting controlled unclassified information (CUI) or data shared by government agencies with non-government entities. NIST 800-53 is a more comprehensive framework that helps federal organizations reach the minimal level of protection for their security infrastructure.
NIST 800-53 outlines security standards for federal agencies, while NIST 800-171 provides security controls for nonfederal information systems and organizations, particularly for defense contractors, subcontractors, or those under supply chain operations to the federal government.
The US Department of Defense (DoD) requires NIST 800-171 compliance for all third-party government contractors to ensure that CUI is secured under the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS).
The NIST 800-171 framework can be applied to any organization that receives government data or documents (automatically classified as CUI), especially if they are contracted. Any school or university that receives federal funding for research or grants can also apply NIST 800-171 to its security policies.
NIST SP 800-171 Compliance Tips for Colleges & Universities
To meet the compliance requirements of NIST SP 800-171, colleges and universities should follow these best practices to implement the minimum cybersecurity requirements for their business needs.
1. Classify Data & Determine Scope
Schools should organize their most sensitive data into tiers of importance and impact level (low, medium, high). Data classification will help structure the data into categories to make it more efficient to access and easier for schools to prioritize data security processes. Schools should categorize data to eliminate duplicates (non-backup files), define data paths and life cycles, and determine where CUI data resides.
Classifying data allows schools to identify their data flow and storage processes, including where and how it is stored, maintained, transmitted, and received. Schools should follow the FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) for standardized security categories and learn how each impact level can affect organizational goals and business continuity.
For schools, the most important data to secure are:
- Enrollment numbers
- Tuition payment information
- Student financial aid information (both state and federal grants)
- Personal data of students, employees, and staff
- Healthcare information of students, employees, and staff
- Classified research data
- Critical infrastructure plans
2. Evaluate Current Security Capabilities
NIST provides a guide for evaluating cybersecurity risk under NIST SP 800-30. The NIST risk assessment audit includes basic security standards to follow that also comply with regulatory requirements and assesses the current security measures in the school systems. An annual risk assessment is extremely important for any organization to gain a better understanding of its overall security posture and vulnerabilities.
A security assessment is a comprehensive audit process that can address risk management processes, infrastructure security, and security gaps that need to be filled. It also requires organizations to create detailed incident response procedures in the event of a cyber attack to ensure prevention, mitigation, remediation, recovery, and analysis processes are properly implemented.
In addition, a gap analysis can reveal the costs required to meet compliance standards. The risk assessment will identify the time and resources needed to fill the gaps and provide a cost/benefit analysis. In some cases, schools may need to decline certain government contracts if the costs outweigh the benefits.
3. Develop a Cybersecurity & Compliance Program
By using the NIST 800-171 security framework, schools can begin to fill in any security gaps in their cybersecurity program, address compliance requirements, and define specific roles and responsibilities of the IT team. Based on the risk assessment audit findings, schools may also need to create multiple incident response plans to address new attack vectors and cyber threats.
The compliance program should also include:
- Actionable milestones to achieve in the short and long-term
- Funding needed to achieve security goals
- New security budgets to maintain security protocol
- Team roles and responsibilities to meet goals and maintain security controls
- Data governance policies
To maintain strong cybersecurity and compliance standards, programs should be consistently updated to stay updated with the latest compliance procedures and cybersecurity standards. Schools can conduct self-assessments or hire third-party auditors to monitor their overall progress in response to changes in regulations.
More importantly, to ensure that the same standards are upheld over time, schools must mandate cybersecurity education and training for all staff, employees, and even students. Effective education can help schools keep up with changing threat landscapes, updated technology, and new malware.
4. Implement a System Security Plan
A system security plan (SSP) is a formal document that provides a complete overview of an organization’s information system security requirements and related security controls. Having an SSP in place is important to outline the entire organization’s road map or plan of action for its cybersecurity goals and program.
The SSP defines and identifies the following:
- Data protection and privacy policies
- User access privileges
- IT team roles and responsibilities
- Access control policies
- Traffic monitoring
- Network segmentation
- Incident response plans
- Threat intelligence
- Reporting processes
Without an SSP, the school may not be compliant with NIST 800-171 and, therefore, will not pass the compliance assessment test. If the school does not pass the compliance assessment, the federal government most likely will reject the school’s bid for a contract.
5. Perform a Cybersecurity Audit
Like a risk assessment, schools should consistently review their cybersecurity programs, SSPs, and regulatory compliance with a cybersecurity audit. Regulatory standards may change yearly, and new attack vectors may present themselves, requiring schools to review and update their security policies at least once a year.
Although audits can be performed internally by the IT team, it’s highly recommended to hire an external third-party auditor. A third-party evaluation can identify system and network vulnerabilities, find new security gaps, and suggest new security policies to better defend against cyber threats.
Most importantly, a cybersecurity audit can help reinforce good security practices, especially for schools trying to stay compliant with NIST 800-171 and looking to bid on government contracts.