Educause Security Discussion mailing list archives

Re: DRAFT NIST 800-171 - READ THIS!


From: Valerie Vogel <vvogel () EDUCAUSE EDU>
Date: Tue, 19 May 2015 19:30:42 +0000

Dear Security Discussion list members,

Here is a URL to the EDUCAUSE library abstract that includes both letters submitted to NIST regarding 800-171:
http://www.educause.edu/library/resources/educause-comments-nist-controlled-unclassified-information-guidelines


In late 2014, the National Institute of Standards and Technology (NIST) released an initial public draft of a new set 
of guidelines for federal agencies to follow in securing sensitive unclassified federal information residing in 
non-federal systems. An example of this would be when a federal research grant leads to a university information system 
holding data that, while not classified, is still subject to government controls on its further dissemination due to 
security, technological, or economic implications.

In active consultation and collaboration with our member-led Higher Education Information Security Council (HEISC), 
EDUCAUSE submitted comments on both the initial draft report, NIST Special Publication 800-171: Protecting Controlled 
Unclassified Information in Nonfederal Information Systems and Organizations, as well as on the final public draft 
released in April 2015. Among other requests, EDUCAUSE asked NIST to clarify a number of proposed CUI requirements and 
how those would relate to other applicable laws and regulations. EDUCAUSE also requested that NIST further highlight 
the document’s guidance on the flexibility that colleges and universities have in addressing CUI requirements.


If you have any questions or comments, please let me know.
Valerie Vogel, Program Manager

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | twitter: @HEISCouncil | educause.edu <http://www.educause.edu/>

From: Valerie Vogel <vvogel () educause edu>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, April 27, 2015 at 9:16 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] DRAFT NIST 800-171 - READ THIS!

Hi Randy,

EDUCAUSE submitted comments on behalf of the higher education community for the first draft of NIST 800-171 in January. 
Please see attached.

The second draft of SP 800-171 was recently released in response to the comments that they received at the beginning of 
the year. We are currently reviewing the second draft with members of the HEISC Technologies, Operations, and Practices 
working group. EDUCAUSE is planning to submit another letter to address the most important remaining issues from the 
higher education perspective by the May 12 deadline. We are working with Dave Nevin (Oregon State University) and Tom 
Siu (Case Western Reserve University) in case you would like to speak with them further about the first round of 
comments or the second letter that is in development.

Thank you,
Valerie

Valerie Vogel, Program Manager

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | twitter: @HEISCouncil | educause.edu <http://www.educause.edu/>

From: Randy Marchany <marchany () vt edu>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, April 27, 2015 at 8:57 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] DRAFT NIST 800-171 - READ THIS!

We were just told about a new NIST draft SP 800-171 "Protecting Controlled Unclassified Information (CUI) in Nonfederal 
Information Systems and Organizations". http://csrc.nist.gov/publications/drafts/800-171/sp800_171_second_draft.pdf

It establishes "infosec" standards and guidelines for protecting CUI. They apply to the components of nonfederal info 
systems that process, store or transmit CUI.

The "problem" is there is a BROAD definition of CUI that can impact how research institutions will have to deal with 
data in these categories.

Just wondering if anyone else has looked at this draft and if they're as concerned about it.

-Randy Marchany
VA Tech IT Security Office and Lab
