The Higher Ed Model for Cybersecurity Compliance

NIST 800-171There are fundamental challenges to fully implementing the NIST 800-171 cybersecurity framework. However, a new study shows that higher education institutions overcome these challenges and place among the top tier of organizations for compliance.

Organizations that handle sensitive government information and data face a foreign intelligence threat that is unprecedented in history. Despite this, most organizations are struggling to implement the 110 cybersecurity controls of NIST SP 800-171, even when they are required to do so. There are fundamental challenges to fully implementing NIST 800-171. US colleges and universities are among the few sectors overcoming these challenges.

Unignorable Threats
Cyberattacks on colleges and universities have resulted in a significant loss of sensitive information and data, thwarting their ability to develop and “deliver uncompromised”1 technology.

For example, in 2015, the Penn State College of Engineering was the target of two sophisticated cyberattacks by advanced persistent threat (APT) actors. That same year, the University of Virginia was targeted in an attempt to exfiltrate sensitive data by targeting individuals whose work was connected to China.2

In 2018, the US Department of Justice charged nine Iranian hackers in a three-year campaign to penetrate and exfiltrate more than 31 terabytes of information from more than 300 American and foreign universities. According to reports, the intellectual property value of that theft was more than $3 billion.3

The targeting of higher education institutions by foreign intelligence agencies and cybercriminals with similar capabilities is thought to be part of a larger state strategy. As Verizon’s 2019 Data Breach Investigations Report put it:

Universities that partner with private Silicon Valley companies, run policy institutes or research centers are probably more likely to be a target of cyber-espionage than secondary school districts. Understand what data you have and the type of adversary who historically seeks it. Your institution of learning may not be researching bleeding-edge tech, but you have PII on students and faculty at the very least.4

How Higher Ed Measures Up
As of January 1, 2018, organizations that store, process, or transmit covered defense information5 from the US Department of Defense are subject to DFARS 252.204-7012,the cybersecurity clause that requires implementation of NIST SP 800-171. Compliance with NIST 800-171 is not the only measure of good security, but it is measurable—and colleges and universities fared well when measured.

As covered by Inside Defense,6 a recent Sera-Brynn industry report summarizing NIST 800-171 assessment results found that higher ed IT environments were among the most compliant, alongside software developers and aerospace companies. Indeed, as the report noted:

Institutes of higher learning appeared to be very cognizant of resource allocation towards 800-171 compliance and were subsequently the most secure. Most often, this was because business processes were already segmented, and the environment assessed was used for conducting research and supporting government clients.7

Other key findings include the following:

  • Of the companies assessed, none were 100% compliant.
  • On average, organizations in the study had implemented only 39% of the required security controls.
  • More than 80% of the assessed organizations failed to implement 16 specific controls.

The Higher Ed Compliance Approach
So, why do higher education institutions seem to clear their NIST 800-171 hurdles with more ease? The report authors cited several contributing factors.

Segmentation
First, colleges and universities often build segmented, digital environments specifically to handle government data. These environments were designed with built-in security controls, which greatly improves system security. In contrast, companies often lack such segmentation, which makes it difficult to get all the security controls working together while also allowing business operations to continue.

Although not required, segmentation is one way to reduce the effort of implementing NIST 800-171.

Processes and Structures
Second, colleges and universities typically have a strategic plan and a deliberate process for decision-making in research settings. Further, they often already have decision-making processes and organizational structures that support change management. These processes and structures are an asset when implementing a cybersecurity framework.

Staffing
Third, colleges and universities often have permanent security staff and the resources to allocate toward additional security. Although NIST 800-171 compliance ultimately buys down risk and reduces data breaches and similar events, organizations still need to resource technical solutions up front.

A Model Worth Emulating
Ultimately, cybersecurity resilience in higher education remains an important component of the US defense strategy. As such, higher ed efforts to prevent, preempt, and deter cyber adversaries should be emulated. Doing so means diverting energy to ensure that what should be NIST 800-171 compliant is, in fact, compliant—from an operational perspective.

  1. Notes
    1. Chris Nissen, John Gronager, Robert Metzger, and Harvey Rishikof, Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience Response to the Changing Character of War,research report, (McLean, VA: The MITRE Center for Technology & National Security, August 2018).
  2. 2. Marcus Robinson, “College of Engineering Network Disabled in Response to Sophisticated Cyberattack, “Penn State News, May 15, 2015; Shane Harris and Alexa Corse, “Chinese Hackers Target U.S. University with Government Ties,” Daily Beast, August 21, 2015.
  3. 3. Garrett M. Graff, “DOJ Indicts 9 Iranians for Brazen Cyberattacks against 144 US Universities,” Wired, March 23, 2018.
  4. 4. 2019 Data Breach Investigations Report (New York: Verizon, 2019), p. 40.
  5. 5. “Covered defense information” is defined as “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies.” A more complete definition can be found in Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct 2016), Defense Federal Acquisition Regulation Supplement, part 252.204-7012, revised June 28, 2019.
  6. 6. Justin Doubleday, “New Report Finds Defense Contractors Struggling with Cybersecurity,” Inside Defense, May 21, 2019.
  7. 7. “Reality Check: Defense Industry’s Implementation of NIST SP 800-171” (Suffolk, VA: Sera-Brynn, May 2019), p. 4.

Colleen H. Johnson is a Senior Legal Analyst at Sera-Brynn.

Article originally published as Colleen Johnson, “The Higher Ed Model for Cybersecurity Compliance,” Security Matters (blog) EDUCAUSE Review, August 12, 2019. © 2019 Colleen Johnson. Text licensed under Creative Commons CC-BY 4.0. Reprinted with permission.