The National Institute of Standards and Technology (NIST) has published Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The publication provides guidance for federal agencies to ensure that certain types of federal information are protected when processed, stored, and used in non-federal information systems. NIST 800-171 applies to Controlled Unclassified Information (known as CUI) shared by the federal government with a nonfederal entity.
In the context of higher education institutions, the federal government often shares data with institutions for research purposes, execution of grant requirements, or in order to carry out the everyday work of various federal agencies. In many cases, other federal laws or regulations might address how that information must be protected (e.g., FISMA). In other cases, however, there may not be a law, contract or agreement that specifically addresses how the CUI data received from the federal government should be protected.
In those instances, NIST 800-171 is the best framework to apply when the federal government shares controlled unclassified information with higher education institutions. The controls specified in NIST 800-171 should be addressed in those higher education institutional IT systems that store CUI as a way to protect that data.
Photo by Priscilla Du Preez on Unsplash
The controls specified in NIST 800-171 are based on NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. The controls were tailored from NIST 800-53 specifically to protect CUI in nonfederal IT systems from unauthorized disclosure.
There are 14 families of security requirements outlined in NIST 800-171, comprising 109 individual controls.
The families are:
1. Access control: Limits system access to authorized users
2. Awareness and training: Alerts employees to information security risks
3. Audit and accountability: The creation, protection, retention and review of system logs
4. Configuration management: Creation of baseline configurations and use of robust change management processes
5. Identification and authentication: Central authentication and multi-factor identification for local and network access to resources
6. Incident response: Developing operations to prepare for, detect, analyze, contain, recover from, and respond to incidents affecting information
7. Maintenance: Maintenance of systems
8. Media protection: The sanitization and destruction of media containing CUI
9. Personnel security: Screening individuals before granting them access to information systems with CUI
10. Physical protection: Limiting physical access to systems to only authorized individuals
11. Risk assessment: Assessing the operational risk associated with processing, storage, and transmission of CUI
12. Security assessment: Assessing effectiveness of security controls and addressing deficiencies to limit vulnerabilities
13. System and communications protection: Use of secure design principles in system architecture and software development life cycle
14. System and information security: Monitoring for and alerting on system flaws and vulnerabilities
Sounds daunting, right?
As the operational leader for several software-as-a-service (SaaS) companies over the past decade, I have been required to put my organizations through security audits that test similar control functions (e.g. SSAE 18 SOC 1, 2 & 3). The process can be onerous, expensive and a major distraction for your teams if not managed properly. So, the goal of this post is to share a few quick thoughts on how to best approach the NIST controls.
First, let me touch on the bad news if it is not already obvious. Who has the time or money for this? The word “audit” doesn’t exactly conjure up inspiring thoughts. The reality is that the last thing that any institution that must symmetrically balance costs and revenues wants to budget money for is an audit. And it is not as if universities can raise tuition or eat into their endowments to cover these costs. Typically, audits are time-consuming and expensive because specialized firms must carry them out – and they tend to make the process more convoluted and mysterious than it actually needs to be.
Because the market dictates that supply and demand drive the costs of these engagements, the precipitous increase in cybersecurity compliance requirements across many industries (e.g. financial services, healthcare, IT and cloud services) has caused the demand to overtake the supply from credible firms. So, cost being commensurate with this phenomenon means that it’s getting very expensive. Compliance projects, on average, can range from a couple thousand dollars to hundreds of thousands of dollars depending on the number and complexity of the IT controls being audited. This is not to mention the fact that audits can be extremely time-consuming and your staff (particularly the limited IT staff you may have) is going to be stretched in order to get through the audit process effectively and efficiently.
But there is good news for many higher education institutions. First, the incumbent software companies that provide both front and back office business applications and IT infrastructure to higher education institutions provide an excellent foundation for compliance with NIST 800-171 because the CUI is typically housed in these systems. Cloud-based systems for grant management and operations are key in minimizing disruption to an organization’s research and grants management processes. Cloud providers should be performing SOC audits and providing NIST certifications to higher education institutions, so that the compliance burden is shifted to them.
An often overlooked area of compliance that comes into play with NIST 800-171 standards is the Customer Relationship Management (CRM) system. CRMs help organizations manage constituent engagement and manage fundraising efforts by providing a robust toolset for managing your constituent base. The two nonprofit and higher education software market leaders, Blackbaud and Salesforce, are good examples of world-class software, services and cloud infrastructure providers that not only specialize in the nonprofit and higher education world, but also provide the systems that collect, store, and transmit CUI. These systems monitor who has access your documents and data, as well as all edits to your information and documents. Their systems also store data in secure data facilities monitored 24/7 with triple redundancy. Therefore, business application platforms like Blackbaud and Salesforce provide the technology underpinning that protects against nonconformity to security standards.
Second, there are complimentary software solutions that enable higher education institutions to take more of a self-service approach to auditing themselves as a first step before engaging an audit firm. Rizepoint is a market leader in audit software and has developed pre-configured templates for audits like NIST. With Rizepoint, higher education institutions can significantly reduce the cost and time associated with enforcing compliance by automating their own assessment of the NIST 800-171 controls. These controls have traditionally been difficult to automate, and therefore resource-intensive to maintain and audit. However, Rizepoint’s platform automates the management of these controls, which significantly reduces resource requirements while improving the quality of the control. So have your operations and IT teams look at solutions like Rizepoint as a system of record for compliance and to compliment platforms like Blackbaud and Salesforce.
Third, you don’t want to make the audit process a “one-and-done” exercise. Make sure that it is a salvageable effort both in terms of time and money. The catalyst for making the audit an enduring investment is deploying a system of record that is THE repository for all artifacts related to the audit. This ensures that the process can be easily maintained on a consistent basis, opposed to it becoming a fire drill later on.
Finally, there are audit firms addressing the fact that higher education and nonprofit organizations are up against a daunting process with enormous risk and have broken the paradigm around how they approach both the cost and delivery of these audits. The vast majority of the end-to-end audit process is taking the client organization through a “readiness assessment” and creating a gap analysis that outlines the controls that they must put in place in order to be compliant. Subsequently, the client must actually implement these control procedures before the audit firm re-engages to perform the actual evaluation. The ideal scenario is for the clients to be able to lead themselves through the readiness assessment by leveraging a system like Rizepoint, and then only bring the audit firm in to conduct the actual audit.
Frankly, most audit firms from my experience have a “business as usual” mentality and have not adapted their thinking to meet the needs of higher education institutions that must get this done quickly without blowing out their budgets. They are destined to be disrupted, in my humble opinion.
While it’s a novel idea that a firm would be paid to perform only an audit, a good example of a firm that “gets it” is HORNE LLP. They will configure their delivery model to address the fact that many of their clients would prefer to perform the readiness assessment and other upfront activities in more a self-service manner (as opposed to with an auditor with a clipboard), and only be engaged to conduct the final audit. Moreover, if the client runs systems like Rizepoint, they can expedite the engagement because all of the documentation around process and data are already housed within this platform. The auditor does not need to go on a reconnaissance mission to discover evidence that the client is compliant with the compulsory controls.
In summary, leverage the fact that software platforms running in the cloud as CRM solutions, such as Blackbaud and Salesforce, are an excellent foundational layer that will enable you to effectively assess and manage the NIST 800-171 controls. Compliment your business systems with a solution like Rizepoint. If you have these systems in place, you are in good shape and ready to tackle putting the 14 control areas in place at your organization.
If you have either obsolete or disparate IT systems that are in silos and not managed under a single security framework, I would advise you to engage either an IT consultancy and solution provider specializing in higher education. Also consider engaging your software vendors and partners about helping you design a solid reference architecture and create a future-proof application roadmap that will allow you to be compliant for years to come. And of course, do not hesitate to reach out to me any time with questions or if you need further guidance.
David Rode is an experienced CEO, President & Chief Operations Officer with extensive global experience and a demonstrated track record in the cloud & software-as-a-service industries. Skilled in Operations; Technical Leadership & Product Management; Negotiation; Sales; Customer Relationship Management (CRM); Go-to-market Strategies & Managed/Professional Services, David is a strong strategic and operational leader and holds an MBA in Finance from Wharton School, University of Pennsylvania.
P.S. What did you think of this blog post?