Educause Security Discussion mailing list archives

Re: endpoints in NIST 800-171


From: Cathy Bates <cathy.bates () VANTAGETCG COM>
Date: Fri, 9 Jun 2017 13:45:52 -0600

Hi Blake,

Just a few thoughts to add to the conversation…

As with any compliance program, it’s good to have a strategy to isolate 800-171 compliant work from the rest of the campus 
computing environment where possible, unless you are working to move the whole campus environment to a NIST framework 
(no small feat!).  Some institutions are working to set up an isolated environment for 800-171 research either in an 
on-campus private cloud or in a compliant cloud environment.  I really like this approach because it reduces the 
compliance footprint and because it can provide a real research advantage by providing a flexible and responsive 
research environment.

From my experience in leading these efforts, it will be important to conduct a gap analysis between your current 
security controls and those required by 800-171 when you are setting up a compliance zone in your current environment.  
You are likely covering some of the requirements already.  Jeff Murphy listed a good starting point with the EDUCAUSE 
reference.  

For research associated with CUI, the first step is to look at grants/contracts to see if data is identified as CUI and 
that it falls under 800-171.  The data category will indicate whether it follows Basic or Specified compliance 
guidelines.  I am pretty sure that contracts without that specification are not yet required to follow 800-171, but 
someone should chime in if they have an alternate view.  

An interesting note that I haven’t heard many people talk about is that any endpoint devices, systems, etc. that 
contain CUI must be physically marked so that they are identified as containing CUI.

The Department of Education does fall under the CUI effort and that includes Financial Aid and FERPA data protections.  
The impact of 800-171 is both wide and deep.  Where you can’t move to an isolated cloud environment, it would be 
interesting to hear what others are planning for their compliance strategy.

Best,

Cathy

Cathy Bates
cathy.bates () vantagetcg com
