New federal data protection regulation. Will Higher Ed get a passing grade?
It’s not exactly the New Year’s Eve event that colleges and universities had in mind. As the ball drops in Times Square, new data protection requirements will kick in for all colleges and universities that receive government research contracts.
The reason for the new mandate is to safeguard controlled unclassified information (CUI) that institutions receive as part of federal grants and research contracts. Typical CUI includes technical and patent information; research, agricultural, privacy, and genetic data; and even health and financial records.
The federal agencies that dole out grants and contracts have been under cyber attack for some time. The number of cyber incidents has skyrocketed from 5,500 in 2006 to over 77,000 in 2015. During this time period, President Obama issued Executive Order 13556, which defined CUI as unclassified protected information for all federal agencies. That led to a procurement rule that established the National Institute of Standards and Technology’s (NIST) Special Publication 800-171 as the minimum security standard that institutions must follow for protecting CUI.
While information security professionals for colleges and universities are aware of the new federal data regulation requirements (many have already implemented NIST 800-171), the increased focus and strings attached may catch some institutional leaders by surprise. If leaders and boards of trustees are even aware of NIST 800-171, they tend to view it as an IT initiative rather than a development that could lead to revoked funding and a tarnished reputation.
Bring collaboration to decentralized structures
The unstructured nature and open culture common to colleges and universities fall short when it comes to protecting or securely sharing information. In many institutions, each department has its own IT staff with its own processes and standards for protecting data. This presents a significant challenge for CISOs and information security teams responsible for CUI protection.
To meet new federal data protection requirements for protecting CUI, institutions need to overcome their decentralized structures. What’s needed is a way to connect people, processes, and technology regardless of the decentralized structure of the institution while limiting access to those who have the authority. Call it enabling and protecting.
For example, The University of Chicago Biological Sciences Division encompasses 5,000 faculty and staff, spread across 32 departments all operating independently. Each department has its own management and IT support with different cyber security requirements.
The Biological Sciences Division overcame this challenge with a governance, risk management, and compliance (GRC) platform. They were able to unify all 32 departments in pursuing a shared goal. This entailed process mapping, defining roles and responsibilities, classifying and taking inventory, and defining a process that automated many tasks. The university structure didn’t change. What did change was how the 32 department stakeholders came together and collaborated.
Protect open culture
According to a joint report by Deloitte and EDUCAUSE on the impact of new federal data protection requirements on higher education institutions, “the culture heritage of higher education institutions is one of openness and sharing. If a U.S. researcher is building on research done by a colleague in another country, it’s normal for the two to talk, share information, and even collaborate.”
Since its founding in 1890, The University of Chicago’s enduring commitment has been twofold: open inquiry and interdisciplinary research. Information security is important but more of an afterthought. The key isn’t to change the culture but rather to introduce a safeguard.
Protect your institution’s open culture by enforcing controls and policies for compliance. To illustrate, imagine creating policy and procedures around data protection and then automatically notifying a targeted list of recipients. Afterwards, test their comprehension and set up a policy review schedule.
The culture of openness and sharing prevalent on college campuses doesn’t have to go away. What’s needed is a more refined definition of the culture that allows for certain assets and data to be protected to meet the new federal requirements for protecting CUI.
The new federal data protection requirements mandate colleges and universities to use NIST 800-171. The trouble is, institutions and individual departments often have many regulations to comply with as well, including HIPAA, Title IX, Clery Act, FERPA, and FAR. For individual departments with limited capabilities, the compliance challenge is too burdensome.
What if there was a solution that could house NIST 800-171 security controls and all the regulations needed for compliance? The right people would be given access to perform their tasks. Compliance synergy is attainable.
December 31, 2017 will mark the first compliance deadline for institutions to protect CUI. It’s a challenge for colleges and universities that are decentralized and have open cultures. For institutions willing to adapt, the right technology platform can accommodate your institution’s decentralized structure to unify interdepartmental goals and promote collaboration, bring security to your school’s open culture, integrate multiple frameworks including NIST, and streamline compliance requirements.