Educause Security Discussion mailing list archives

Re: DRAFT NIST 800-171 - READ THIS!

From: Valerie Vogel <vvogel () EDUCAUSE EDU>
Date: Mon, 27 Apr 2015 16:16:18 +0000

Hi Randy,

EDUCAUSE submitted comments on behalf of the higher education community for the first draft of NIST 800-171 in January. 
Please see attached.

The second draft of SP 800-171 was recently released in response to the comments that they received at the beginning of 
the year. We are currently reviewing the second draft with members of the HEISC Technologies, Operations, and Practices 
working group. EDUCAUSE is planning to submit another letter to address the most important remaining issues from the 
higher education perspective by the May 12 deadline. We are working with Dave Nevin (Oregon State University) and Tom 
Siu (Case Western Reserve University) in case you would like to speak with them further about the first round of 
comments or the second letter that is in development.

Thank you,
Valerie

Valerie Vogel Program Manager

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | twitter: @HEISCouncil | educause.edu<http://www.educause.edu/>

From: Randy Marchany <marchany () vt edu<mailto:marchany () vt edu>>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Date: Monday, April 27, 2015 at 8:57 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: [SECURITY] DRAFT NIST 800-171 - READ THIS!

We were just told about a new NIST draft SP 800-171 "Protecting Controlled Unclassified Information (CUI) in Nonfederal 
Information Systems and Organizations". http://csrc.nist.gov/publications/drafts/800-171/sp800_171_second_draft.pdf

It establishes "infosec" standards and guidelines for protecting CUI. They apply to the components of nonfederal info 
systems that process, store or transmit CUI.

The "problem" is there is a BROAD definition of CUI that can impact how research institutions will have to deal with 
data in these categories.

Just wondering if anyone else has looked at this draft and if they're as concerned about it.

-Randy Marchany
VA Tech IT Security Office and Lab

Attachment: EDUCAUSE NIST SP 800-171 01-15-15[1].pdf
Description: EDUCAUSE NIST SP 800-171 01-15-15[1].pdf

Current thread:

DRAFT NIST 800-171 - READ THIS! randy (Apr 27)
- Re: DRAFT NIST 800-171 - READ THIS! Valerie Vogel (Apr 27)
  - Re: DRAFT NIST 800-171 - READ THIS! Valerie Vogel (May 19)