Educause Security Discussion mailing list archives
NIST 800-171 Questionnaire
From: Nick Giacobe <nxg13 () PSU EDU>
Date: Wed, 6 Apr 2016 17:34:15 -0400
Colleagues on the EDUCAUSE Security list,

I have a small team of students who are conducting a class research project and they'd like your help. Please consider answering their questions about your organization's understanding of the impact of NIST 800-171. Since this is an in-class project and results will be used by the students only (for their edification) and internally for the Office of Information Security, results will NOT be published.

Here is their request:

We are students in Penn State's College of Information Sciences and Technology. In one of our capstone courses, we were tasked by Penn State's Office of Information Security to translate NIST 800-171 into a usable framework that will yield compliance. We would like to ask you some questions about how your university plans to handle compliance with NIST 800-171. If you are interested in replying, please send your responses to Chris Eckert, cme5230 () psu edu.

NIST 800-171 is a Federal compliance document that standardizes controlled unclassified information (CUI) systems within Federally funded research environments. Penn State and other research universities will need to ensure that these systems are compliant with NIST 800-171 to continue receiving federal funds. Depending on the nature of the University's research topics, the information handled may or may not be considered CUI and be subject to compliance. This type of information pertains to research projects that are funded by federal programs. These programs include agriculture, critical infrastructure, emergency management, intelligence, law enforcement, and various other government-affiliated projects that contain data that is labeled as Controlled Unclassified Information. NIST 800-171 is a set of Federal compliance standards to ensure this sensitive data is secure.

The following link contains all areas of research that are considered CUI data: http://www.archives.gov/cui/registry/category-list.html

Here are the seven questions we would like you to answer:

1. What is your organization's awareness of NIST 800-171?

2. Describe how access control is implemented at your University. What are the mechanisms that you use for access controls? (i.e. smart badge, biometrics, validation techniques) Do these access control mechanisms differ between research labs that receive federal grants and those that don't?

3. Are there controls for non-university devices containing CUI? If so, describe them.

4. How often are your employees trained for security awareness? If so, how often is the training program updated?

5. How does your program handle audits for regulations like HIPAA, Personally Identifiable Information, Payment Card Information, etc.? Is this group of audits responsible for NIST 800-171 or is this the responsibility of another auditing group?

6. Does your group have an inventory of systems housing CUI data? If so, what are the controls surrounding them? (i.e. segmentation, access controlled, etc.)

7. Do you require multi-factor authentication? If so, at what levels do you require multi-factor authentication?

We appreciate the time you took to collaborate with our team.

Thank you,
James Armour
Chris Eckert
Nate Forzato
Zach Mullins
Dalton Reid

Thank you for considering responding to this questionnaire. If you have concerns or questions about these questions, use of information or process, please feel free to email or call me.

-- Nick

---
Nicklaus A. Giacobe, Ph.D.
Research Associate and Lecturer
Phone: 814-865-8233
College of Information Sciences and Technology
Penn State University
101 Information Sciences and Technology Building
University Park, PA 16802