Safeguarding sensitive and exploitable student data continues to challenge the higher education sector. A report from SecurityScorecard shows that the sector continues to lag behind other industries in cybersecurity maturity, while facing a continuous increase in breaches and cyber incidents. The value of a single student’s record on the dark web is approximately $300. When thousands of records are housed by poorly protected or archaic technology, our institutions of higher education (IHEs) become an attractive target. For example, the Federal Student Aid Post-Secondary Institution Cyber Team reported that actual and potential cyber incidents rose from just 15 in 2015 to 432 in 2019 — a 2,880% increase in four years.
The constantly growing cyberthreat landscape combined with new — sometimes untested — technologies and methods to educate in a remote format pose a significant challenge to IHEs. Data breaches and ransomware incidents can have far-reaching impacts on an institution’s financial, legal, statutory and reputational domains. In certain cases, entire institutions were brought to a complete halt.
So how do you get your data security house in order? What if your cyber maturity is still at an initial, ad hoc state?
While it can seem like an overwhelming obstacle, the do-nothing approach is not an option. Keep in mind that the federal government’s significant compliance drivers are going to persuade IHEs to improve their overall cyber posture.
Compliance and other benefits of implementing an NIST framework
In its DHS Strategic Plan for Fiscal Years (FY) 2020-2024, the Department of Education’s Office of Federal Student Aid (FSA) identified “Strengthen Data Protection and Cyber Security Safeguards” as one of its foundational goals. To this end, in December 2020, the FSA issued an Electronic Announcement that designates Student Information as controlled unclassified information (CUI), which requires protection under Title IV of the Higher Education Act, as amended. Specifically, any IHE that stores, manages and/or processes FSA data must adopt and implement the requirements stated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2, Protecting CUI in Nonfederal Systems.
NIST SP 800-171 consists of 110 security controls organized into 14 security domains, such as access control, configuration management and incident response. The FSA will follow a multiyear, phased implementation — a Campus Cybersecurity Program — that will start with requiring IHEs to conduct self-assessments against this control framework and may ultimately result in report or audit requirements. The FSA’s intention is to partner and collaborate with IHEs and other organizations to enhance the resilience and maturity across IHEs by establishing a cybersecurity baseline, sharing information and overseeing compliance with NIST SP 800-171 Rev. 2 and other cybersecurity requirements.
Along with compliance with the Department of Education’s Campus Cybersecurity Program mandates, there are additional benefits to implementing an NIST SP 800-171 framework in your IT environment:
- Strategic advantage when competing for research grants – Many research programs sponsored by the federal government involve transmission and handling of other sources of sensitive data. For example, the Department of Defense may provide military satellite data to an IHE to conduct research on weather patterns and climate change. This satellite data would be considered CUI and therefore subject to the requirements of NIST SP 800-171. IHEs that can demonstrate their compliance with NIST SP 800-171 in their research department infrastructure will have a clear advantage in the grant bidding process.
- Best-practices framework that can be harmonized with other compliance standards – NIST Special Publications are increasingly embraced by the private sector and incorporated as a best practice. The thorough, business-focused structure of NIST guidance is now being coded into security technologies such as governance, risk and compliance solutions, as well as sophisticated vulnerability scanning and penetration testing tools. Additionally, NIST has mapped its control set across numerous other compliance standards, e.g., Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, Association of International Certified Professional Accountants SOC2, and FERPA. This cross-referencing allows for a “test once, use many” approach to compliance.
- Free resources available to assist with implementation – NIST has published an NIST 800-171 Resource Center that provides tools, templates, supplemental material and related publications that help facilitate the adoption and evaluation of controls. This includes Plan of Action and Milestones and System Security Plan templates, as well as mapping documents to other frameworks.
Start now to ensure your data security house is in order; consider the FSA a partner in your cybersecurity activities and reinforce your compliance efforts by implementing an NIST framework.
The challenge of safeguarding CUI
A major university’s Office of Research Compliance department engaged Grant Thornton to conduct an assessment of the university’s compliance with the NIST Special Publication 800-171 Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.
Over a three-month period, Grant Thornton assessed the IT control environment supporting eight in-scope contracts across four programs against the NIST SP 800-171 framework, through interviews and review of documentation. Grant Thornton identified significant control gaps and recommended the following activities to support remediation:
- Develop an onboarding and discovery process
- Leverage the services of an NIST-compliant external cloud service provider
- Develop policies, procedures and standards to specifically address NIST SP 800-171 requirements
- Develop and implement awareness and training programs to support the identification of and implementation of controls
- Develop a monitoring program to assess enterprise-wide compliance
Assessment coordination and execution
The Grant Thornton assessment team coordinated schedules and time frames to conduct in-depth controls assessments for all in-scope research units. The university’s IT security department was decentralized and relatively siloed in their operations with a diverse set of objectives and missions. Every assessment was tailored to meet the needs and requirements of each entity.
The following two findings were of importance:
- Research programs did not have sufficient security personnel or functions in place, and there was a limited understanding of security and risk controls.
- Many program leaders felt they needed to implement expensive technology or dramatically change their processes to become compliant.
A phased approach to securing data
Phase 1: Establish baselines and identify gaps
The Grant Thornton assessment team conducted a series of assessments, workshops and interviews covering more than 400 individual control requirements. The team worked with each program’s IT manager to identify a baseline of established security controls and safeguards in accordance with the NIST SP 800-171 framework and Defense Federal Acquisition Regulation Supplement (DFARS).
The team undertook the following efforts:
- Worked requirement-by-requirement with each department to gain an understanding of the issues
- Identified gaps and deficiencies in accordance with DFARS and NIST SP 800-171
- Reviewed implemented security technologies and methodologies (e.g., firewalls, VPNs, Active Directory policies and encryption) to gain an understanding of design implementation and relative effectiveness of each solution
Phase 2: Develop NIST SP 800-171 CUI Secure Data Enclave Project
Building on the results of the Phase 1 gap assessment, the Grant Thornton team provided technical assistance and facilitation to establish a hybrid-cloud Secure Data Enclave to centralize, secure and limit the exposure of CUI data. The team also provided a roadmap for data onboarding to allow for future CUI contractual requirements to be identified, processed and routed appropriately. Additionally, the team worked with the university management to develop policies, procedures, System Security Plans and Plans of Action and Milestones to meet DFARS reporting requirements.
The project management approach consisted of three major workstreams:
Phase 3: Create roadmaps, follow recommendations
The Grant Thornton team created roadmaps for each operating unit to guide the coordination of remediation activities and help facilitate compliance by the deadline established by the DFARS supplement and NIST SP 800-171.
The team provided recommendations for potential security technologies and solutions:
- Physical sensors and research equipment
- Network perimeter (firewall, IPS, VPN)
- Multifactor authentication
- Security incident and event management
- Cloud service solutions (GovCloud)
- Audit logging, reduction and correlation
Phase 4: Migrate to a CUI Secure data enclave architecture
Based on the findings and recommended roadmap, developed in Phases 1-3, the team then helped the university IT department facilitate migration from a decentralized, disparate, on-premises IT infrastructure to a secure hybrid cloud solution. This approach allowed research programs to manage their IT components (servers, workstations, etc.) and support CUI within an external cloud solution. The solution leveraged existing IT department resources (e.g., VPN, MFA) whenever possible. Hence, the research program administrators could procure IT department services to establish the solution’s technical components.
Foundational security tenets of the CUI Secure Data Enclave included:
- Segregation of contract data — Access to each container (i.e., cloud partition) is managed via access to designated Active Directory groups.
- Least privilege access controls — Researchers only have access to their respective container on a need-to-know basis.
- Enhanced remote access technology — Researchers access the Data Enclave using university VPN and MFA.
- Clearly defined data boundaries and interfaces — System Security Plan and architecture diagrams conclusively define where CUI is stored and processed both within the university infrastructure and external parties.
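The four tenets above amount to an access-decision policy: a request reaches a container only if it arrives over the university VPN, has completed MFA, and the caller holds the one Active Directory group assigned to that container, with no default-allow path. The following Python model is an added illustration of that policy and is not code from Grant Thornton or the university; the container names, AD group names and VPN client address range are constructed assumptions, and the audit record shape is a hypothetical layout rather than any product's log format.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: one AD group gates one enclave container (cloud partition).
# Names are hypothetical placeholders, not the university's real groups.
CONTAINER_GROUPS = {
    "contract-a17": "CUI-Enclave-Contract-A17",
    "contract-b42": "CUI-Enclave-Contract-B42",
}

# Constructed assumption: address block handed out to university VPN clients.
VPN_CLIENT_RANGE = ipaddress.ip_network("10.200.0.0/16")


@dataclass(frozen=True)
class Session:
    user: str
    ad_groups: frozenset      # AD group memberships resolved at logon
    source_ip: str
    mfa_verified: bool        # set only after the MFA step succeeded


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(session: Session, container: str) -> Decision:
    """Decide whether a session may reach a container.

    Checks run in order and the first failure denies. There is no
    default-allow branch, which is what makes the policy least-privilege:
    a researcher with no matching group reaches nothing.
    """
    # Defined boundary: a container not documented in the System Security
    # Plan is outside the enclave and is refused outright.
    group = CONTAINER_GROUPS.get(container)
    if group is None:
        return Decision(False, f"unknown container {container!r}")
    # Enhanced remote access: the enclave is reachable only via the VPN ...
    if ipaddress.ip_address(session.source_ip) not in VPN_CLIENT_RANGE:
        return Decision(False, "source address not on university VPN")
    # ... and only after MFA has completed.
    if not session.mfa_verified:
        return Decision(False, "MFA not completed")
    # Segregation of contract data: exact membership in this container's
    # group; holding another contract's group grants nothing here.
    if group not in session.ad_groups:
        return Decision(False, f"not a member of {group}")
    return Decision(True, f"member of {group}")


def reachable_containers(session: Session) -> list:
    """Containers the session can reach: exactly those whose group it holds."""
    return sorted(c for c in CONTAINER_GROUPS if evaluate(session, c).allowed)


def audit_record(session: Session, container: str, decision: Decision) -> dict:
    """Structured event for the enclave audit log (Audit and Accountability
    family); denied attempts are recorded just like successful ones."""
    return {
        "user": session.user,
        "container": container,
        "source_ip": session.source_ip,
        "mfa": session.mfa_verified,
        "outcome": "ALLOW" if decision.allowed else "DENY",
        "reason": decision.reason,
    }


if __name__ == "__main__":
    # Constructed session: a researcher on contract A17, connected via VPN with MFA.
    alice = Session("alice", frozenset({"CUI-Enclave-Contract-A17"}), "10.200.4.7", True)
    for target in ("contract-a17", "contract-b42", "contract-zzz"):
        print(audit_record(alice, target, evaluate(alice, target)))
    print("reachable:", reachable_containers(alice))
```

Running the block shows one ALLOW (the researcher's own container) and two DENY records with distinct reasons, which is the behaviour a reviewer should look for when validating an enclave: every denial is explained and logged, and the set of reachable containers for any session equals the set of container groups that session holds, nothing more.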