Educause Security Discussion mailing list archives

Re: student systems and NIST 800-171


From: Jarret Cummings <jcummings () EDUCAUSE EDU>
Date: Thu, 28 Jan 2021 19:25:29 +0000

Hi, All - I wanted to gather a few threads together. At this point, the U.S. Dept. of Ed. and Federal Student Aid don't 
have a mechanism for requiring or enforcing 800-171 compliance in relation to colleges and universities; that's why you 
see the language about "encouraging" institutions to pursue 800-171 adoption in the IFAP notice that was previously 
mentioned (https://ifap.ed.gov/electronic-announcements/121820CybersecurityProtectStudentInfoComplianceCUInGLBA) as 
well as in the prior "Dear Colleague Letters" on cybersecurity it references.

The current notice highlights the NARA CUI Program (https://www.archives.gov/cui) requirement that federal agencies 
have to work with their relevant stakeholders to extend the agencies' responsibilities for implementing the CUI 
Program's uniform requirements to those stakeholders via a contract or similar agreement. In turn, this is supposed to 
entail federal agencies incorporating a uniform Federal Acquisition Regulation (FAR) clause into their 
contracts/agreements so that the CUI requirements are themselves uniformly implemented across non-defense federal 
agencies. (DoD has had its 800-171 requirement implemented in the Defense Federal Acquisition Regulations Supplement 
(DFARS) for a couple of years now.)

The uniform FAR clause on CUI has been delayed since 2018, though, and it's not clear when it will finally be released. 
The FSA notice indicates that FSA feels the need to move ahead with preparing an institutional agreement to cover CUI 
compliance for FSA data in the meantime, given FSA's sense that it may be able to move forward in this fashion (we'll 
have to see how the NARA CUI Program regulations come into play on that point) and that cybersecurity is now too 
important of an issue for it not to.

The notice also indicates, however, that FSA knows it doesn't have enough information about what 800-171 compliance 
would mean for different types of institutions or how to pursue it in a productive, sustainable fashion across 
different institutional types; this is consistent with a small group discussion that EDUCAUSE arranged between FSA 
officials and a few CISOs representing different institutional types. That's where the "preview of coming attractions" 
references to an 800-171 self-assessment come into play. To the questions about the "when" and the "what" of the 
process, there isn't any information available at this time. I have pressed that issue as well as the question of where 
FSA's authority to require a self-assessment would come from, and I plan to revisit those points with FSA and the Dept. 
of Ed. again soon.

So, FSA is strongly signaling that 800-171 compliance related to federal student financial aid data is coming, and my 
read of the notice is that FSA is anticipating those compliance requirements could follow the relevant data that 
institutions get from FSA wherever the data goes across institutional systems. FSA isn't yet in a position to require 
800-171 compliance, however, and it looks like there's a good way to go before they'll be in a position to do so. That 
said, this may be the time to start trying to get out in front of FSA on 800-171 if your institution isn't already so 
the institution has the chance to proceed on its own timetable. - Jarret

_______________________________________________
Jarret S. Cummings
Senior Advisor, Policy and Government Relations

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5372 | educause.edu (http://www.educause.edu/)

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Fugett, Julie C
Sent: Thursday, January 28, 2021 11:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] student systems and NIST 800-171

Is anyone aware of templates, checklists, or other guidance around performing this self-assessment? I just watched Mia 
Jordan's talk from the 2020 Virtual FSA training conference and while the talk was informative, she didn't provide any 
resources or a timeline for the self-assessment process. I'm reaching out to the contact email in the slides, but I'm 
wondering if I've missed something somewhere along the way.

______________________________________
Julie C. Fugett, CISSP
Chief Information Security Officer
KU Information Technology
The University of Kansas
Email jcf () ku edu
Mobile +1 785 691 9023
Office +1 785 864 0490
She/Her/Hers



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ross Mukai
Sent: Wednesday, January 27, 2021 6:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] student systems and NIST 800-171

Some slides from the 2020 student aid conference describing a compliance framework for GLBA + CUI. The bullet points 
on the near-term plan on pg 18 include the 12/18/20 letter and self-assessments:
https://fsaconferences.ed.gov/conferences/library/2020/2020FSAConfSessionBO15.pdf

On Wed, Jan 27, 2021 at 2:01 PM Sam Horowitz <samh () ucsb edu> wrote:
https://ifap.ed.gov/electronic-announcements/121820CybersecurityProtectStudentInfoComplianceCUInGLBA

-------------------------------------------
Sam Horowitz, CISSP, CISM
Chief Information Security Officer
he/him/his
Office: (805) 893-5005
Email: samh () ucsb edu


On Wed, Jan 27, 2021 at 3:38 PM Alex Jalso <ACJalso () mail wvu edu> wrote:
Hello Everyone,

In a meeting with peer institutions it was said that at the Federal level there have been discussions that university 
student information systems must treat resident data as CUI and have their systems be compliant with NIST 800-171 or 
risk losing financial aid. Has anyone heard something similar to this or received communications about it?

Alex

Alex Jalso, PMP, CISM, CDPSE
Chief Information Security Officer
Information Technology Services
West Virginia University
p: 304-293-4457



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
