Educause Security Discussion mailing list archives
Re: DRAFT NIST 800-171 - READ THIS!
From: Valerie Vogel <vvogel () EDUCAUSE EDU>
Date: Tue, 19 May 2015 19:30:42 +0000
Dear Security Discussion list members,

Here is a URL to the EDUCAUSE library abstract that includes both letters submitted to NIST regarding 800-171:
http://www.educause.edu/library/resources/educause-comments-nist-controlled-unclassified-information-guidelines

In late 2014, the National Institute of Standards and Technology (NIST) released an initial public draft of a new set of guidelines for federal agencies to follow in securing sensitive unclassified federal information residing in non-federal systems. An example of this would be when a federal research grant leads to a university information system holding data that, while not classified, is still subject to government controls on its further dissemination due to security, technological, or economic implications.

In active consultation and collaboration with our member-led Higher Education Information Security Council (HEISC), EDUCAUSE submitted comments on both the initial draft report, NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as well as on the final public draft released in April 2015. Among other requests, EDUCAUSE asked NIST to clarify a number of proposed CUI requirements and how those would relate to other applicable laws and regulations. EDUCAUSE also requested that NIST further highlight the document’s guidance on the flexibility that colleges and universities have in addressing CUI requirements.

If you have any questions or comments, please let me know.

Valerie Vogel
Program Manager
EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | twitter: @HEISCouncil | educause.edu <http://www.educause.edu/>

From: Valerie Vogel <vvogel () educause edu>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, April 27, 2015 at 9:16 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] DRAFT NIST 800-171 - READ THIS!

Hi Randy,

EDUCAUSE submitted comments on behalf of the higher education community for the first draft of NIST 800-171 in January. Please see attached.

The second draft of SP 800-171 was recently released in response to the comments that they received at the beginning of the year. We are currently reviewing the second draft with members of the HEISC Technologies, Operations, and Practices working group. EDUCAUSE is planning to submit another letter to address the most important remaining issues from the higher education perspective by the May 12 deadline.

We are working with Dave Nevin (Oregon State University) and Tom Siu (Case Western Reserve University) in case you would like to speak with them further about the first round of comments or the second letter that is in development.

Thank you,
Valerie

Valerie Vogel
Program Manager
EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | twitter: @HEISCouncil | educause.edu <http://www.educause.edu/>

From: Randy Marchany <marchany () vt edu>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, April 27, 2015 at 8:57 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] DRAFT NIST 800-171 - READ THIS!

We were just told about a new NIST draft SP 800-171 "Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations".
http://csrc.nist.gov/publications/drafts/800-171/sp800_171_second_draft.pdf

It establishes "infosec" standards and guidelines for protecting CUI. They apply to the components of nonfederal info systems that process, store or transmit CUI. The "problem" is there is a BROAD definition of CUI that can impact how research institutions will have to deal with data in these categories.

Just wondering if anyone else has looked at this draft and if they're as concerned about it.

-Randy Marchany
VA Tech IT Security Office and Lab