NIST SP 800-171 Services for Higher Education

Comply with NIST SP 800-171 and protect federal information in your higher education environment

Higher education organizations process data and provide services to the U.S. government in the form of federal financial aid administration or distribution, grant awards for research, or contract awards for services. This makes educational institutions an attractive target for hackers attempting to gain access to personally identifiable information, such as student financial aid data.

To protect against such cyber-attacks, universities and colleges may be subject to federal security standard requirements outlined in NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations". This typically occurs in the following scenarios:

  • If your institution has been awarded a contract and is subject to FAR or DFARS regulations.
  • If the language in an awarded grant stipulates security requirements.
  • If you’ve received a notification from the Department of Education as part of your responsibility for protecting date related to financial aid.

NIST SP 800-171 provides the guidance you need to ensure that certain types of federal information is protected when processed, stored, and used in non-federal information systems, and helps rotect the confidentiality of Controlled Unclassified Information (CUI).

The CUI requirements within NIST SP 800-171 are directly linked to the baseline controls described in NIST SP 800-53 -- "Security and Privacy Controls for Federal Information Systems and Organizations" -- and are intended for use by federal agencies in contracts or other agreements established between those agencies and non-federal organizations.

How Coalfire Helps

Coalfire provides advisory and assessment services to meet your NIST SP 800-171 needs.

Our experience with higher education institutions means we understand the unique nature of distributed systems in a university setting. From controls mapping of various environments, to documentation development for a system security plan (SSP), to security testing and more, Coalfire can do it all through an assessment process follows a Risk Management Framework (RMF) approach.

  • NIST SP 800-171 Assessment – Includes:
    • FIPS 199 system categorization
    • FIPS 200 and agency control selection (Department of Education, contract/grant award)
    • Implementation of applicable security controls
    • Assessment of security controls
    • Authorization recommendation of systems
    • Continuous monitoring
  • NIST SP 800-171 Advisory – We support or create NIST 800-171 required documentation sets including a System Security Plan (SSP) to protect and ensure the control of CUI and any additional guidance based on client or agency (Department of Education, contract/grant award) requirements.

Why Choose Coalfire for your NIST-Based Assessment Services

  • Coalfire has been working with higher education institutions including entire state university systems for PCI DSS compliance, FISMA compliance, GLBA and cyber risk program development since our inception in 2001.

  • Coalfire is an accredited Federal Risk and Authorization Management Program (FedRAMP) third party assessment organization (3PAO), a designation obtained in part through demonstrated, technical experience with NIST 800-53 assessments.

Coalfire has conducted FISMA and other NIST-based assessments that are relied on by leading agencies such as HHS, CMS, NIH, DHS, DOT and more.