Educause Security Discussion mailing list archives
Re: student systems and NIST 800-171
From: Andrew Scheifele <drew () SALTYCLOUD COM>
Date: Thu, 28 Jan 2021 11:06:04 -0600
The Department of Education mentioned NIST 800-171 in the context of GLBA for FSA in a Dear Colleague Letter (GEN-16-12). “…strongly encourages…” We have also heard it come up occasionally from some EDUs in guidance from legal/audit. That being said I haven’t heard any EDUs that are mandating it yet as GLBA is not prescriptive on which framework/standard to use in for risk assessments. Link to ED DCL: GEN-16-12 < https://ifap.ed.gov/dear-colleague-letters/07-01-2016-gen-16-12-subject-protecting-student-information#:~:text=(GEN%2D16%2D12)%20Subject%3A%20Protecting%20Student%20Information,-Publication%20Date%3A%20July&text=Postsecondary%20educational%20institutions%20entrusted%20with,to%20strengthen%20their%20cybersecurity%20infrastructure .> Re: NIST 800-171 templates, in addition to the DoD scoring methodology and the 800-171A documents make sure to check out the 800-171A supplemental Material. The CUI SSP template in word is helpful for evaluating and documenting compliance for a single system or enclave. Best regards, Drew -- *Andrew Scheifele, PhD * CEO & Co-Founder | SaltyCloud, PBC. CMMC Registered Practitioner <saltycloud.com> +1.512.222.9711 [image: image.png] On Thu, Jan 28, 2021 at 10:57 AM Schornstein, Matt <schornst () augsburg edu> wrote:
Educause has this template available that appears to have been updated as recently as 2019. https://library.educause.edu/resources/2016/9/nist -sp-800-171-compliance-template Matt Schornstein Associate Director, IT Systems Augsburg University and Luther Seminary On Thu, Jan 28, 2021 at 10:42 AM Colin Glover <colin.glover () sera-brynn com> wrote:In addition to 171a, NIST provided the NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements which provides a bit more plain language breakdown of the requirements, https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf -----Original Message----- From: The EDUCAUSE Security Community Group Listserv < SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Laura Raderman Sent: Thursday, January 28, 2021 11:39 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] student systems and NIST 800-171 [WARNING: External Email Source] Not related to financial aid systems, but the DoD has created a self-assessment scoring system for themselves on 800-171, and NIST provides 800-171a, they are a starting point https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.acq.osd.mil%2Fdpap%2Fpdi%2Fcyber%2Fdocs%2FNIST%2520SP%2520800-171%2520Assessment%2520Methodology%2520Version%25201.2%2520%25206.24.2020.pdf&data=04%7C01%7Ccolin.glover%40SERA-BRYNN.COM%7C2071586f4e124064835f08d8c3ab2b09%7C8dbd8e950ddf4dea8a1ab00e65f37167%7C0%7C0%7C637474487234476852%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=0utKnKwkzKmgWT17TF01fuScafm4WIhhdPZkxzq%2Bjzk%3D&reserved=0 https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcsrc.nist.gov%2Fpublications%2Fdetail%2Fsp%2F800-171a%2Ffinal&data=04%7C01%7Ccolin.glover%40SERA-BRYNN.COM%7C2071586f4e124064835f08d8c3ab2b09%7C8dbd8e950ddf4dea8a1ab00e65f37167%7C0%7C0%7C637474487234476852%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=81A4qbng3xR1g0uEjf5LT1PR6DQu3gc1VxzIwW5u2UA%3D&reserved=0 Laura Raderman ISO Policy & Compliance Coordinator Carnegie Mellon University lraderman () cmu eduOn Jan 28, 2021, at 11:35 AM, Fugett, Julie C <jcf () ku edu> wrote: Is anyone aware of templates, checklists, or other guidance aroundperforming this self-assessment? I just watched Mia Jordan's talk from the 2020 Virtual FSA training conference and while the talk was informative, she didn't provide any resources or a timeline for the self-assessment process. I'm reaching out to the contact email in the slides, but I'm wondering if I've missed something somewhere along the way.______________________________________ Julie C. Fugett, CISSP Chief Information Security Officer KU Information Technology The University of Kansas Email jcf () ku edu Mobile +1 785 691 9023 Office +1 785 864 0490 She/Her/Hers From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ross Mukai Sent: Wednesday, January 27, 2021 6:10 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] student systems and NIST 800-171 Some slides from the 2020 student aid conference describing a compliance framework for glba + CUI The bullet points on the near-term plan on pg 18 include the 12/18/20 letter and self-assessments https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffsac onferences.ed.gov%2Fconferences%2Flibrary%2F2020%2F2020FSAConfSessionB O15.pdf&data=04%7C01%7Ccolin.glover%40SERA-BRYNN.COM%7C2071586f4e1 24064835f08d8c3ab2b09%7C8dbd8e950ddf4dea8a1ab00e65f37167%7C0%7C0%7C637 474487234476852%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2 luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=FuZEwrD%2FocEd%2 Bn2rrZ36vzV%2Bb7E7IuUe2BGorGj1Ev0%3D&reserved=0 On Wed, Jan 27, 2021 at 2:01 PM Sam Horowitz <samh () ucsb edu> wrote: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fifap .ed.gov%2Felectronic-announcements%2F121820CybersecurityProtectStudent InfoComplianceCUInGLBA&data=04%7C01%7Ccolin.glover%40SERA-BRYNN.CO M%7C2071586f4e124064835f08d8c3ab2b09%7C8dbd8e950ddf4dea8a1ab00e65f3716 7%7C0%7C0%7C637474487234486847%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjA wMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=s 8L4yvNAbzePreodZiyJvC1qLPOWSMF0Oyo5%2Fl2cufo%3D&reserved=0 ------------------------------------------- Sam Horowitz, CISSP, CISM Chief Information Security Officer he/him/his Office: (805) 893-5005 Email: samh () ucsb edu On Wed, Jan 27, 2021 at 3:38 PM Alex Jalso <ACJalso () mail wvu edu>wrote:Hello Everyone, In a meeting with peer institutions it was said that at the Federallevel there's been discussions that university student information systems must treat resident data as CUI and have their systems be compliant with NIST 800-171 or risk losing financial aid. Has anyone heard something similar to this or received communications about it?Alex Alex Jalso, PMP, CISM, CDPSE Chief Information Security Officer Information Technology Services West Virginia University p: 304-293-4457 Defend your data. ITS will NEVER ask you for your WVU Logincredentials, Social Security number or credit card information via email. NEVER click on suspicious email links or attachments, even those that appear to be from a legitimate source. Hover over links to see where they really lead before clicking on them. When in doubt, contact DefendYourData () mail wvu edu.********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww. educause.edu%2Fcommunity&data=04%7C01%7Ccolin.glover%40SERA-BRYNN. COM%7C2071586f4e124064835f08d8c3ab2b09%7C8dbd8e950ddf4dea8a1ab00e65f37 167%7C0%7C0%7C637474487234486847%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL jAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata =qq9BvuyKoy6LX1r6d%2FcnNRbqGXRXtPi7sX8QRy8qqDM%3D&reserved=0 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww. educause.edu%2Fcommunity&data=04%7C01%7Ccolin.glover%40SERA-BRYNN. COM%7C2071586f4e124064835f08d8c3ab2b09%7C8dbd8e950ddf4dea8a1ab00e65f37 167%7C0%7C0%7C637474487234486847%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL jAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata =qq9BvuyKoy6LX1r6d%2FcnNRbqGXRXtPi7sX8QRy8qqDM%3D&reserved=0 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww. educause.edu%2Fcommunity&data=04%7C01%7Ccolin.glover%40SERA-BRYNN. COM%7C2071586f4e124064835f08d8c3ab2b09%7C8dbd8e950ddf4dea8a1ab00e65f37 167%7C0%7C0%7C637474487234486847%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL jAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata =qq9BvuyKoy6LX1r6d%2FcnNRbqGXRXtPi7sX8QRy8qqDM%3D&reserved=0 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww. educause.edu%2Fcommunity&data=04%7C01%7Ccolin.glover%40SERA-BRYNN. COM%7C2071586f4e124064835f08d8c3ab2b09%7C8dbd8e950ddf4dea8a1ab00e65f37 167%7C0%7C0%7C637474487234486847%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL jAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata =qq9BvuyKoy6LX1r6d%2FcnNRbqGXRXtPi7sX8QRy8qqDM%3D&reserved=0********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccolin.glover%40SERA-BRYNN.COM%7C2071586f4e124064835f08d8c3ab2b09%7C8dbd8e950ddf4dea8a1ab00e65f37167%7C0%7C0%7C637474487234486847%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=qq9BvuyKoy6LX1r6d%2FcnNRbqGXRXtPi7sX8QRy8qqDM%3D&reserved=0 CONFIDENTIALTY NOTICE: This email and any attachment(s) contain confidential, privileged and/or proprietary information of Sera-Brynn, LLC. Do not copy or distribute without prior written consent. If you are not a named recipient to the message, please notify the sender immediately and do not retain the message in any form, printed or electronic. ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- student systems and NIST 800-171 Alex Jalso (Jan 27)
- Re: student systems and NIST 800-171 Sam Horowitz (Jan 27)
- Re: student systems and NIST 800-171 Ross Mukai (Jan 27)
- Re: student systems and NIST 800-171 Fugett, Julie C (Jan 28)
- Re: student systems and NIST 800-171 Robert Smith (Jan 28)
- Re: student systems and NIST 800-171 Laura Raderman (Jan 28)
- Re: student systems and NIST 800-171 Colin Glover (Jan 28)
- Re: student systems and NIST 800-171 Schornstein, Matt (Jan 28)
- Re: student systems and NIST 800-171 Andrew Scheifele (Jan 28)
- Re: student systems and NIST 800-171 Ross Mukai (Jan 27)
- Re: student systems and NIST 800-171 Sam Horowitz (Jan 27)
- Re: student systems and NIST 800-171 Jarret Cummings (Jan 28)
- Message not available
- Re: student systems and NIST 800-171 Harry Hoffman (Jan 29)
- Re: student systems and NIST 800-171 Sidiqyar, Masood (Jan 29)
- Re: student systems and NIST 800-171 Boyd, Daniel (Jan 29)
- Re: student systems and NIST 800-171 Curt Kappenman (Jan 29)
- Re: student systems and NIST 800-171 Pifer, Michael (Feb 02)
- Re: student systems and NIST 800-171 Boyce-Werner, Rori (Feb 02)
- Re: student systems and NIST 800-171 Mike Nowakowski (Feb 02)
- Re: student systems and NIST 800-171 Jarret Cummings (Feb 02)
- Re: student systems and NIST 800-171 Dave Broucek (Jan 29)