Educause Security Discussion mailing list archives

Re: endpoints in NIST 800-171


From: Joanna Grama <jgrama () EDUCAUSE EDU>
Date: Sat, 10 Jun 2017 13:29:22 +0000

Hello,
I know it’s not directly on point to Blake’s original question, but EDUCAUSE has published some NIST 800-171 resources 
for those wanting to learn more.

The best page to visit is: 
https://library.educause.edu/resources/2016/4/an-introduction-to-nist-special-publication-800-171-for-higher-education-institutions
This is a link to a white paper that EDUCAUSE volunteers created on NIST 800-171, and at the bottom of the page are 
links to some other related resources that you might find interesting.

Kind regards,
Joanna


Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu

Attend the EDUCAUSE Metrics Mania! online seminar, August 9, 2017: https://events.educause.edu/webinar/2017/metrics-mania-using-metrics-to-bolster-your-higher-education-information-security-program




From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy
Sent: Friday, June 9, 2017 10:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] endpoints in NIST 800-171

The one weakness with the AWS cloud solutions to NIST 800-171 is with the endpoints. Specifically, the need to 
physically isolate the endpoints from the rest of an office/lab is a stumbling block. Something like the old Citrix 
(dumb terminal) devices might meet the requirement, but it is burdensome on the researcher. How does one provide adequate 
800-171 physical protections in a way that's not burdensome to researchers?
-r.

On Fri, Jun 9, 2017 at 3:45 PM, Cathy Bates <cathy.bates () vantagetcg com> wrote:
Hi Blake,

Just a few thoughts to add to the conversation...

As with any compliance program, it's good to have a strategy to isolate 800-171 compliant work from the rest of the campus 
computing environment where possible, unless you are working to move the whole campus environment to a NIST framework 
(no small feat!).  Some institutions are working to set up an isolated environment for 800-171 research either in an 
on-campus private cloud or in a compliant cloud environment.  I really like this approach because it reduces the 
compliance footprint and because it can provide a real research advantage by providing a flexible and responsive 
research environment.

From my experience in leading these efforts, it will be important to conduct a gap analysis between your current 
security controls and those required by 800-171 when you are setting up a compliance zone in your current environment.  
You are likely covering some of the requirements already.  Jeff Murphy listed a good starting point with the EDUCAUSE 
reference.

For research associated with CUI, the first step is to look at grants/contracts to see if data is identified as CUI and 
that it falls under 800-171.  The data category will indicate whether it follows Basic or Specified compliance 
guidelines.  I am pretty sure that contracts without that specification are not yet required to follow 800-171, but 
someone should chime in if they have an alternate view.

An interesting note that I haven't heard many people talk about is that any endpoint devices, systems, etc. that 
contain CUI must be physically marked so that they are identified as containing CUI.

The Department of Education does fall under the CUI effort and that includes Financial Aid and FERPA data protections.  
The impact of 800-171 is both wide and deep.  Where you can’t move to an isolated cloud environment, it would be 
interesting to hear what others are planning for their compliance strategy.

Best,

Cathy

Cathy Bates
cathy.bates () vantagetcg com
