UPDATE FOR RESEARCH INSTITUTIONS RE: 800-171B (Draft) comment period closes on 7/19

[Jarret Cummings <jcummings () EDUCAUSE EDU>]

Hi, All - For those of you at AAU institutions, AAU issued an action alert late last week to their members' senior 
research officers with copy to their institutional federal relations directors highlighting concerns about NIST SP 
800-171B and encouraging feedback, both to AAU for consideration in relation to the association comments on which we're 
working as well as to NIST via direct institutional submissions on the request for comments. 
(https://csrc.nist.gov/publications/detail/sp/800-171b/draft)

We worked with AAU<http://www.aau.edu/>, APLU<http://www.aplu.org/>, and COGR<http://www.cogr.edu/> to submit a letter 
asking NIST to extend the formal comment deadline again from Aug. 2 to mid-September, but NIST declined our request. 
They did note, however, that they will accept comments on publications like SP 800-171B at any time, so you may want to 
consider that if and when you reach out to sponsored research, or if and when sponsored research reaches out to you, 
about a possible institutional response.

With NIST acknowledging that Aug. 2nd may be the deadline for the advertised comment period, but that it doesn't 
foreclose commenting altogether, you may want to see what the association submission looks like on Friday (and with the 
lack of time, we'll probably be pushing the deadline) and then consider at that point whether a possible institutional 
submission would add more grist to the mill or amplify what's there. In the meantime, we at EDUCAUSE will share what we 
can when we can. - Jarret

_______________________________________________
Jarret S. Cummings
Senior Advisor, Policy and Government Relations

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5372 | educause.edu<http://www.educause.edu/>

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Brian Kelly
Sent: Monday, July 8, 2019 10:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 800-171B (Draft) comment period closes on 7/19

Good morning,
The comment period for SP 800-171B closes on the 19th.

The enhanced security requirements found in 800-171B apply only to components of nonfederal systems that process, 
store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a 
critical program or high value asset (HVA). The enhanced security requirements are only applicable for a nonfederal 
system or organization when mandated by a federal agency in a contract, grant, or other agreement.

I'm interested in learning your thoughts on impact and scope...
 - Are your currently working with Critical Program or HVA data?
 - Is the cost analysis document directly relatable to higher ed institutions ( attached)?

Please feel free to email me directly if you're not comfortable responding via listserv

https://csrc.nist.gov/publications/detail/sp/800-171b/draft<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcsrc.nist.gov%2Fpublications%2Fdetail%2Fsp%2F800-171b%2Fdraft&data=02%7C01%7C%7C4fa266464781414f39f508d703b4afb8%7Cdd4b037fe626495db0170cc0f7dddb37%7C0%7C0%7C636981946950660695&sdata=eslxYYyJVM%2BY2fS71MrkYQNiy5lTIsFECXFSE4V81b8%3D&reserved=0>
[https://csrc.nist.gov/CSRC/media/images/CSRC-logo-open-graph.png]<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcsrc.nist.gov%2Fpublications%2Fdetail%2Fsp%2F800-171b%2Fdraft&data=02%7C01%7C%7C4fa266464781414f39f508d703b4afb8%7Cdd4b037fe626495db0170cc0f7dddb37%7C0%7C0%7C636981946950660695&sdata=eslxYYyJVM%2BY2fS71MrkYQNiy5lTIsFECXFSE4V81b8%3D&reserved=0>
SP 800-171B (DRAFT), Protecting CUI: Enhanced Security Reqs for High Value Assets - 
csrc.nist.gov<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcsrc.nist.gov%2Fpublications%2Fdetail%2Fsp%2F800-171b%2Fdraft&data=02%7C01%7C%7C4fa266464781414f39f508d703b4afb8%7Cdd4b037fe626495db0170cc0f7dddb37%7C0%7C0%7C636981946950670691&sdata=HKoi8eqnNHQimNyW3Wt0UmVhEpidVNjwBfO2emiO%2FBs%3D&reserved=0>
The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of 
paramount importance to federal agencies and can directly impact the ability of the federal government to successfully 
conduct its essential missions and functions. This publication provides federal agencies with recommended enhanced 
security requirements for protecting the ...
csrc.nist.gov


Brian Kelly

Director, Cybersecurity Program

EDUCAUSE
Uncommon Thinking for the Common Good

Follow HEISC on 
LinkedIn<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fhigher-education-information-security-council-heisc-%2F&data=02%7C01%7C%7C4fa266464781414f39f508d703b4afb8%7Cdd4b037fe626495db0170cc0f7dddb37%7C0%7C0%7C636981946950670691&sdata=i9zZul3ybQmBty73kuYYIuEFoeOwZG5vGcEQ0VkXt9M%3D&reserved=0>
 | Twitter: @HEISCouncil | bkelly () educause edu<mailto:bkelly () educause edu>

direct: 720.406.6757 | mobile 475.449.6440 | educause.edu<http://www.educause.edu/>

1150 18th Street, NW, Suite 900 Washington, DC 20036