Educause Security Discussion mailing list archives

Re: student systems and NIST 800-171


From: Mike Nowakowski <mike.nowakowski () UTORONTO CA>
Date: Tue, 2 Feb 2021 20:36:30 +0000

I’m not sure if it was already mentioned in the discussion but NIST also just released today - NIST 800-172 (final) 
Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special 
Publication 800-171 

 

https://csrc.nist.gov/publications/detail/sp/800-172/final

 

Mike Nowakowski

Manager, Information Systems Security

Faculty of Kinesiology & Physical Education

University of Toronto

55 Harbord Street

416-978-5034

 


 

 

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Boyce-Werner, Rori
Sent: Tuesday, February 2, 2021 12:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] student systems and NIST 800-171

 


I would also be interested.

 

 

Rori Boyce-Werner

Director, Cybersecurity GRC, DR/BC

Cybersecurity & Networking

 
 University System of New Hampshire

 
 Enterprise Technology & Services

d.  (603) 862-2377

m. (603) 731-9071

 

 

 

 

 

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pifer, Michael
Sent: Tuesday, February 2, 2021 10:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] student systems and NIST 800-171

 


I would be interested in the working group.

 

Michael Pifer
Senior Security Operations Analyst

 

Grinnell College
Information Technology Services

The Forum

1119 6th Avenue
Grinnell IA  50112

 

Office: 641-269-9990

Technology Services Desk: 641-269-4901

 
 grinnell.edu

 

Remember: Use caution when clicking on links in all emails. If you have any doubt about the email, please contact the 
Technology Services Desk before opening the link.

My office may not be accessible to individuals using wheelchairs or who are unable to climb multiple steps. If you 
would like to meet in person, I am happy to schedule an appointment in an alternative location that is more accessible.

 


 

 

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Boyd, Daniel
Sent: Friday, January 29, 2021 9:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] student systems and NIST 800-171

 

I would also be interested in an interest/working group. Tennessee might think 800-171 is a low bar, but it has enough 
challenges that we are looking at other options like the very elemental NIST CSF.

 

Dan

 

 

Daniel H. Boyd (94C)
Director of Information Security

Office of Information Technology

Information Security Advisory Group Chair
Berry College
Phone: 706-236-1750
Web: https://infosec.berry.edu & https://berry.edu/oit/information-security 


There are two rules to follow concerning your account passwords:
1. NEVER SHARE YOUR PASSWORDS WITH ANYONE (EVEN OIT!!!!)
2. If unsure, consult rule #1

 

Information Security wants to know what you want to know about! If there is a topic within information security you 
would like to know more about please let me know using any of my contact information above.

 

 

 

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Sidiqyar, Masood
Sent: Friday, January 29, 2021 10:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] student systems and NIST 800-171

 


We are also looking into this very closely, knowing the need for cybersecurity related to student financial data will 
only increase and come from multiple directions. In addition to the federal lens, the state of TN now ‘requires’ 
FedRAMP or ISO 27001 certification before they provide the necessary information in support of processing lottery 
scholarships. The folks we’ve talked to at the state consider 800-171 a very low bar! I support forming an 
interest/working group.

 

Best,

Masood 

 

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Harry Hoffman
Sent: Friday, January 29, 2021 7:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] student systems and NIST 800-171

 



We're just starting to look into this among a broader effort around compliance. I'd be interested in what others are 
doing or forming an interest/working group if there are enough folks keen to do so.

 

Cheers,

Harry

 

 

On Thu, Jan 28, 2021 at 11:35 AM Fugett, Julie C <jcf () ku edu> wrote:

Is anyone aware of templates, checklists, or other guidance around performing this self-assessment? I just watched Mia 
Jordan’s talk from the 2020 Virtual FSA training conference and while the talk was informative, she didn’t provide any 
resources or a timeline for the self-assessment process. I’m reaching out to the contact email in the slides, but I’m 
wondering if I’ve missed something somewhere along the way.

 

______________________________________

Julie C. Fugett, CISSP

Chief Information Security Officer

KU Information Technology

The University of Kansas

Email jcf () ku edu

Mobile +1 785 691 9023

Office +1 785 864 0490

She/Her/Hers

 

 

 

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ross Mukai
Sent: Wednesday, January 27, 2021 6:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] student systems and NIST 800-171

 

Some slides from the 2020 student aid conference describing a compliance framework for GLBA + CUI

The bullet points on the near-term plan on pg 18 include the 12/18/20 letter and self-assessments

https://fsaconferences.ed.gov/conferences/library/2020/2020FSAConfSessionBO15.pdf

 

On Wed, Jan 27, 2021 at 2:01 PM Sam Horowitz <samh () ucsb edu> wrote:

https://ifap.ed.gov/electronic-announcements/121820CybersecurityProtectStudentInfoComplianceCUInGLBA


 


-------------------------------------------
Sam Horowitz, CISSP, CISM


Chief Information Security Officer


he/him/his


Office: (805) 893-5005 
Email: samh () ucsb edu

        

 

 

On Wed, Jan 27, 2021 at 3:38 PM Alex Jalso <ACJalso () mail wvu edu> wrote:

Hello Everyone,  

 

In a meeting with peer institutions it was said that at the Federal level there have been discussions that university 
student information systems must treat resident data as CUI and have their systems be compliant with NIST 800-171 or 
risk losing financial aid. Has anyone heard something similar to this or received communications about it?

 

Alex

 

Alex Jalso, PMP, CISM, CDPSE

Chief Information Security Officer

Information Technology Services

West Virginia University

p: 304-293-4457

 

Defend your data. ITS will NEVER ask you for your WVU Login credentials, Social Security number or credit card 
information via email. NEVER click on suspicious email links or attachments, even those that appear to be from a 
legitimate source. Hover over links to see where they really lead before clicking on them. When in doubt, contact 
DefendYourData () mail wvu edu.

 

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community 
