Educause Security Discussion mailing list archives

NIST 800-171 Questionnaire


From: Nick Giacobe <nxg13 () PSU EDU>
Date: Wed, 6 Apr 2016 17:34:15 -0400

Colleagues on the EDUCAUSE Security list,


I have a small team of students who are conducting a class research project
and they'd like your help.  Please consider answering their questions about
your organization's understanding of the impact of NIST 800-171. Since this
is an in-class project and results will be used by the students only (for
their edification) and internally for the Office of Information Security,
results will NOT be published.


Here is their request:


We are students in Penn State's College of Information Sciences and
Technology. In one of our capstone courses, we were tasked by Penn State's
Office of Information Security to translate NIST 800-171 into a usable
framework that will yield compliance. We would like to ask you some
questions about how your university plans to handle compliance with NIST
800-171.


If you are interested in replying, please send your responses to Chris
Eckert, cme5230 () psu edu.


NIST 800-171 is a Federal compliance document that standardizes controlled
unclassified information (CUI) systems within Federally funded research
environments. Penn State and other research universities will need to ensure
that these systems are compliant with NIST 800-171 to continue receiving
federal funds. 


Depending on the nature of the University's research topics, the information
handled may or may not be considered CUI and be subject to compliance. This
type of information pertains to research projects that are funded by federal
programs. These programs include agriculture, critical infrastructure,
emergency management, intelligence, law enforcement, and various other
government affiliated projects that contain data that is labeled as
Controlled Unclassified Information. NIST 800-171 is a set of Federal
compliance standards to ensure this sensitive data is secure. The following
link contains all areas of research that are considered CUI data:
http://www.archives.gov/cui/registry/category-list.html


Here are the seven questions we would like you to answer:


1.    What is your organization's awareness of NIST 800-171? 


2.    Describe how access control is implemented at your University. What
are the mechanisms that you use for access controls? (e.g. smart badge,
biometrics, validation techniques) Do these access control mechanisms differ
between research labs that receive federal grants and those that don't?


3.    Are there controls for non-university devices containing CUI? If so,
describe them.

 
4.    How often are your employees trained for security awareness, and how
often is the training program updated?

 
5.    How does your program handle audits for regulations like HIPAA,
Personally Identifiable Information, Payment Card Information, etc.? Is this
group of audits responsible for NIST 800-171, or is this the responsibility
of another auditing group?


6.    Does your group have an inventory of systems housing CUI data? If so,
what are the controls surrounding them? (i.e. segmentation, access
controlled, etc.)


7.    Do you require multi-factor authentication?  If so, at what levels do
you require multi-factor authentication?


We appreciate the time you took to collaborate with our team. 


Thank you,


James Armour

Chris Eckert

Nate Forzato

Zach Mullins 

Dalton Reid


Thank you for considering responding to this questionnaire.  If you have
concerns or questions about these questions, use of information or process,
please feel free to email or call me.


-- Nick


---

Nicklaus A. Giacobe, Ph.D.

Research Associate and Lecturer

Phone: 814-865-8233

College of Information Sciences and Technology

Penn State University

101 Information Sciences and Technology Building

University Park, PA 16802
