Educause Security Discussion mailing list archives

Re: NIST 800-171 Checkup & Lessons Learned


From: Joanna Grama <jgrama () EDUCAUSE EDU>
Date: Tue, 14 Nov 2017 15:54:21 +0000

Hi Adam,
That is my understanding as well.  Thank you for sharing.
Kind regards,
Joanna


Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu




From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adam 
Maynard
Sent: Tuesday, November 14, 2017 10:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NIST 800-171 Checkup & Lessons Learned

The GLBA for FSA is a requirement for the FY18 audit process. NIST 800-171 is separate from that, but recommended by 
the DoE. https://ifap.ed.gov/eannouncements/Cyber.html

NIST 800-171 is for "Controlled Unclassified Information" that comes from the Fed and is not already covered by something 
else, like FISMA. It should be spelled out in any govt contract or grant agreement when it's renewed/updated in 2018.


-Adam

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alfred 
Barker
Sent: Tuesday, November 14, 2017 10:27
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NIST 800-171 Checkup & Lessons Learned

I may be reading into this, but the Department of Education has stated that, beginning January 1st 2018, all Federal Student Aid 
systems must show GLBA safeguard rules compliance, and that compliance must be demonstrated using NIST 800-171.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jarret 
Cummings
Sent: Tuesday, November 14, 2017 10:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NIST 800-171 Checkup & Lessons Learned

Hi, Darren - Just for clarification, are you referring to the DOD's application of 800-171 to defense contracts via 
DFARS? I'm not familiar with any deadline related to 800-171 other than for defense contracts, so I wanted to make sure 
I was following you correctly. Thanks! - Jarret

_______________________________________________
Jarret S. Cummings
Director of Policy and Government Relations

EDUCAUSE
Uncommon Thinking for the Common Good
direct: 202.331.5372 | main: 202.872.4200 | educause.edu<http://www.educause.edu/>

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Darren 
Yezo
Sent: Tuesday, November 14, 2017 7:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] NIST 800-171 Checkup & Lessons Learned

Hi all,

I would love to hear how everyone is doing in regards to complying with the Dec 31st deadline for NIST 800-171 
applicable networks and systems.  I am particularly curious about the architectural strategies some of the smaller 
schools adopted and any lessons learned during your deployment that you would be willing to share. Feel free to contact 
me privately as well.

Best Regards,
Darren Yezo

Chief Information Security Officer
Division of Information Technology
dyezo () stevens edu
T 201 216 3944
STEVENS INSTITUTE OF TECHNOLOGY<http://www.stevens.edu/>

