Educause Security Discussion mailing list archives
Re: endpoints in NIST 800-171
From: Cathy Bates <cathy.bates () VANTAGETCG COM>
Date: Fri, 9 Jun 2017 13:45:52 -0600
Hi Blake,

Just a few thoughts to add to the conversation...

As with any compliance program, it’s good to have a strategy to isolate 800-171 compliant work from the rest of the campus computing environment where possible unless you are working to move the whole campus environment to a NIST framework (no small feat!). Some institutions are working to set up an isolated environment for 800-171 research either in an on-campus private cloud or in a compliant cloud environment. I really like this approach because it reduces the compliance footprint and because it can provide a real research advantage with providing a flexible and responsive research environment.

From my experience in leading these efforts, it will be important to conduct a gap analysis between your current security controls and those required by 800-171 when you are setting up a compliance zone in your current environment. You are likely covering some of the requirements already. Jeff Murphy listed a good starting point with the EDUCAUSE reference.

For research associated with CUI, the first step is to look at grants/contracts to see if data is identified as CUI and that it falls under 800-171. The data category will indicate whether it follows Basic or Specified compliance guidelines. I am pretty sure that contracts without that specification are not yet required to follow 800-171, but someone should chime in if they have an alternate view.

An interesting note that I haven’t heard many people talk about is that any endpoint devices, systems, etc. that contain CUI must be physically marked so that they are identified as containing CUI.

The Department of Education does fall under the CUI effort and that includes Financial Aid and FERPA data protections. The impact of 800-171 is both wide and deep. Where you can’t move to an isolated cloud environment, it would be interesting to hear what others are planning for their compliance strategy.

Best,
Cathy

Cathy Bates
cathy.bates () vantagetcg com