Educause Security Discussion mailing list archives

Re: student systems and NIST 800-171


From: Andrew Scheifele <drew () SALTYCLOUD COM>
Date: Thu, 28 Jan 2021 11:06:04 -0600

The Department of Education mentioned NIST 800-171 in the context of GLBA
for FSA in a Dear Colleague Letter (GEN-16-12): “…strongly encourages…”
We have also heard it come up occasionally from some EDUs in guidance from
legal/audit. That being said, I haven’t heard of any EDUs that are mandating it
yet, as GLBA is not prescriptive on which framework/standard to use for
risk assessments. Link to ED DCL GEN-16-12:
https://ifap.ed.gov/dear-colleague-letters/07-01-2016-gen-16-12-subject-protecting-student-information

Re: NIST 800-171 templates: in addition to the DoD scoring methodology and
the 800-171A documents, make sure to check out the 800-171A supplemental
material. The CUI SSP template in Word is helpful for evaluating and
documenting compliance for a single system or enclave.

Best regards,
Drew

--

*Andrew Scheifele, PhD *

CEO & Co-Founder | SaltyCloud, PBC.

CMMC Registered Practitioner
<saltycloud.com>

+1.512.222.9711


On Thu, Jan 28, 2021 at 10:57 AM Schornstein, Matt <schornst () augsburg edu>
wrote:


Educause has this template available that appears to have been updated as
recently as 2019:
https://library.educause.edu/resources/2016/9/nist-sp-800-171-compliance-template


Matt Schornstein
Associate Director, IT Systems
Augsburg University and Luther Seminary


On Thu, Jan 28, 2021 at 10:42 AM Colin Glover <colin.glover () sera-brynn com>
wrote:

In addition to 171A, NIST provided the NIST MEP Cybersecurity
Self-Assessment Handbook For Assessing NIST SP 800-171 Security
Requirements in Response to DFARS Cybersecurity Requirements, which provides
a bit more of a plain-language breakdown of the requirements:
https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf


-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Laura Raderman
Sent: Thursday, January 28, 2021 11:39 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] student systems and NIST 800-171


Not related to financial aid systems, but the DoD has created a
self-assessment scoring system for themselves on 800-171, and NIST provides
800-171A; they are a starting point.

https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2%20%206.24.2020.pdf

https://csrc.nist.gov/publications/detail/sp/800-171a/final


Laura Raderman
ISO Policy & Compliance Coordinator
Carnegie Mellon University
lraderman () cmu edu

On Jan 28, 2021, at 11:35 AM, Fugett, Julie C <jcf () ku edu> wrote:

Is anyone aware of templates, checklists, or other guidance around
performing this self-assessment? I just watched Mia Jordan's talk from the
2020 Virtual FSA training conference and while the talk was informative,
she didn't provide any resources or a timeline for the self-assessment
process. I'm reaching out to the contact email in the slides, but I'm
wondering if I've missed something somewhere along the way.

______________________________________
Julie C. Fugett, CISSP
Chief Information Security Officer
KU Information Technology
The University of Kansas
Email jcf () ku edu
Mobile +1 785 691 9023
Office +1 785 864 0490
She/Her/Hers



From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ross Mukai
Sent: Wednesday, January 27, 2021 6:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] student systems and NIST 800-171

Some slides from the 2020 student aid conference describing a
compliance framework for GLBA + CUI. The bullet points on the near-term
plan on pg 18 include the 12/18/20 letter and self-assessments:
https://fsaconferences.ed.gov/conferences/library/2020/2020FSAConfSessionBO15.pdf

On Wed, Jan 27, 2021 at 2:01 PM Sam Horowitz <samh () ucsb edu> wrote:
https://ifap.ed.gov/electronic-announcements/121820CybersecurityProtectStudentInfoComplianceCUInGLBA

-------------------------------------------
Sam Horowitz, CISSP, CISM
Chief Information Security Officer
he/him/his
Office: (805) 893-5005
Email: samh () ucsb edu


On Wed, Jan 27, 2021 at 3:38 PM Alex Jalso <ACJalso () mail wvu edu>
wrote:
Hello Everyone,

In a meeting with peer institutions it was said that at the Federal
level there have been discussions that university student information systems
must treat resident data as CUI and have their systems be compliant with
NIST 800-171 or risk losing financial aid. Has anyone heard something
similar to this or received communications about it?

Alex

Alex Jalso, PMP, CISM, CDPSE
Chief Information Security Officer
Information Technology Services
West Virginia University
p: 304-293-4457


**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email
reply. Additional participation and subscription information can be
found at
https://www.educause.edu/community
