A glossary of acronyms and definitions to help higher education professionals understand cybersecurity compliance.
Post-secondary and higher education institutions are awash with state, federal, and industry-driven requirements aimed at protecting both student and government data. Student data is at the core of some requirements, government-funded research data is at the core of others. As a guide for institutions of higher education, we have compiled a list of acronyms prevalent in cybersecurity frameworks.
If you H8 acronyms, SVS.* But we hope this takes the sting out of it.
-The Team at Sera-Brynn
CDI stands for covered defense information. It is the class of information that triggers compliance with Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.
CSP is short for cloud service provider. How an institution uses cloud-based services and products should be addressed in a cybersecurity compliance review. See FedRAMP definition.
CUI is controlled unclassified information. It is unclassified information that the U.S. Government wants to protect from public disclosure. Developed and maintained by the National Archives, the CUI Registry includes categories from Agriculture to Privacy to Transportation. Notably for research institutions and higher education, the Privacy category includes specific sub-categories for Student Records and information on Military personnel.
DFARS means Defense Federal Acquisition Regulation Supplement. The DFARS supplements the Federal Acquisition Regulation (FAR) and is administered by the Department of Defense.
DFARS clause 252.204-7012 is the regulation titled, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” It adds two key information security requirements in addition to other acquisition requirements: (1) adequate security and (2) incident reporting. This clause, unlike the FAR Final Rule 52.204-21, provides for detailed implementation and reporting standards based on NIST guidelines.
DIBNet is the DoD’s online portal for incident reporting. DIB stands for Defense Industrial Base.
FAR stands for Federal Acquisition Regulation and is the set of regulations governing acquisitions and contracting procedures in the Federal government. FAR Final Rule 52.204-21 is the regulation titled “Basic Safeguarding of Contractor Information Systems.” It addresses fifteen provisions that mandate minimum controls. This clause does not reference any NIST standard now, but the FAR is undergoing rulemaking in spring 2018 and we expect significant changes.
FedRAMP stands for the Federal Risk and Authorization Management Program. It is a U.S. Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. An institution’s use of a cloud service may raise questions about whether the cloud service provider is FedRAMP approved.
FERPA is the Family Education Rights and Privacy Act. FERPA regulations protect the privacy of student education records. The U.S. Department of Education recommends NIST SP 800-171 for protecting records and student financial information, although it is not a requirement.
FISMA assigns responsibility to agencies and departments within the U.S. Federal Government to ensure data security. In place since 2002 and updated in 2014, much of the requirements research institutions and companies have for working with government data are a result of agencies planning for adequate security.
GDPR is the European Union (EU) General Data Protection Regulation. GDPR is a regulation that is intended to provide data privacy and security protection for residents of the EU regardless of where they are. It becomes effective May 25, 2018. Data concerning EU students and faculty should be assessed.
GLBA is fun to say (“Glibba!”) and stands for the Gramm-Leach-Bliley Act. GLBA’s security safeguards, as applied to colleges and universities by the U.S. Department of Education, offer protections to student privacy.
GRC means governance, risk, and compliance, as in a university’s GRC program.
HIPAA refers to the Health Insurance Portability and Accountability Act of 1996. HIPAA-protected data is common in the university setting.
MFA is Multi-Factor Authentication, which is authentication through verification of at least two types of authentication factors. In other words, two ways to log into your computer – like a password plus a token, card, or fingerprint. MFA is a required control if complying with NIST 800-171.
NARA stands for National Archives and Records Administration. It is the agency that implements the Federal Government-wide CUI Program. Identifying university data types often involves an analysis of the information and how it is classified by NARA.
NIST (rhymes with “twist”) stands for The National Institute of Standards and Technology. NIST is part of the U.S. Department of Commerce.
NIST 800 is the series of documents that sets forth the U.S. Government’s computer security policies, procedures and guidelines.
NIST SP 800-171 is the NIST Special Publication titled, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” It is the publication that contains the final version of its guidance for federal agencies to ensure that sensitive federal information remains confidential when stored in nonfederal information systems and organizations.
NIST SP 800-53 is the NIST Special Publication titled “Security and Privacy Controls for Federal Information Systems and Organizations.” It is the guidance for securing Federal information systems and is used for FedRAMP.
POA&M is a Plan of Action and Milestones. This document is used to identify actions needed for compliance and assigns dates and responsibility for completion.
PCI stands for Payment Card Industry. PCI outlines standards that retail merchants must follow if they choose to accept credit cards. A QSA, or Qualified Security Assessor, can help with interpreting, applying and assessing the DSS, Data Security Standards.
PII is sensitive Personally Identifiable Information.” In higher education, PII could trigger different requirements depending on whether the information is U.S. student information, financial information, veteran’s information, active duty military student data, Department of Defense civilian data, or European Union student PII. For example, federal student aid applicants and their parents provide PII.
PHI is Protected Health Information. This includes any information about health care status and payments that can be linked to a specific person. Research institutions commonly try to remove the elements of PHI from a dataset. Under HIPAA, there are 18 elements related to privacy, including biometric identifiers, photographs, and email addresses that if used with health data will create PHI.
RMF is the Risk Management Framework. It provides six steps to integrate security and risk management into a system life-cycle. Using this approach allows a truly “baked-in” approach and requires system owners to categorize data, select controls, implement controls, assess the effectiveness, authorize the operation of the system, and continuously monitor the security state.
SSP is a System Security Plan. It outlines the controls assigned to a system and describes how the control is implemented to achieve the system’s desired state of security. It’s a required document if complying with NIST 800-171.
*Translation: If you hate acronyms, so very sorry.
© Sera-Brynn, LLC 2018
Sera-Brynn, a leading cybersecurity audit and advisory firm, specializes in compliance and risk assessment services. Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn also provides threat management, threat hunting, and incident response services. It is ranked #9 worldwide on the Cybersecurity 500 list.
By Colleen H. Johnson, Senior Cyber Legal Analyst, firstname.lastname@example.org .