IT AUDIT & SECURITY

Protecting Student Information: Institutions of Higher Education and Compliance with NIST 800-171

19 May 2021

Kate Upton, CMMC Team Lead, OCD Tech

In a publication dated December 18, 2020, the US Department of Education (Department) stresses to Institutions of Higher Education (IHEs) the importance of protecting Controlled Unclassified Information (CUI). As data breaches become more widespread, particularly at government institutions and their public partners, safeguarding sensitive information has never been more important.

Student records are CUI that IHEs are almost certain to retain. Student records fall under the CUI index grouping Privacy and may include dissemination controls. Dissemination controls are controls that the IHE must implement to safeguard the information from those who are not authorized to handle it.

Federal Student Aid (FSA) has stated that this announcement is meant to inform IHEs and their third-party servicers about upcoming activities to ensure compliance with NIST 800-171 Rev 2. Compliance with this standard is in accordance with 32 C.F.R. Part 2002 and the federal government-wide requirement that institutions receiving CUI from the US Department of Education comply with NIST 800-171.

The announcement, published in 2020, sets the expectation that IHEs have already been preparing compliance programs for CUI that are aligned with NIST 800-171. The Department has stated that this year (2021) it will post additional information and guidance, including the cybersecurity self-assessment.

OCD Tech keeps its finger on the pulse of all changing, evolving, and emerging compliance needs coming from the US Government. Since the inception of DFARS Clause 252.204-7012, published in 2017, which requires Department of Defense contractors to comply with NIST 800-171, OCD Tech has been providing readiness assessments to help those organizations with their unique compliance needs.

If your Institution of Higher Education needs help complying with NIST 800-171 through its obligations to the US Department of Education, OCD Tech’s experienced team is here to assist.