NIST SP 800-171 Services for Higher Education

Higher Education institutions subject to NIST SP 800-171

Higher Education organizations process data for and provide services to the U.S. government in the form of federal financial aid administration or distribution, grant awards for research, or contract awards for services. This makes educational institutions an attractive target for cyber-attacks, as a vector to gain access to federal information and personally identifiable information.

Universities and colleges can be subject to federal security standards such as NIST SP 800-171 compliance through:

  • award of a contract that is subject to FAR or DFARS regulations
  • language in an awarded grant that states security requirements
  • notification from the Department of Education as part of the University's responsibility for protecting data related to federal financial aid.

The Department of Education sent a ‘Dear Colleague’ letter in July 2016 (DOE PDF) reminding institutions of their obligation to protect Federal student financial aid information and advising that the NIST SP 800-171 security standards be adopted and assessed against. Likewise, recent updates to the FAR and DFARS regulations cite NIST SP 800-171 as the security guidelines to be met. Awarded contracts are subject to FAR and DFARS requirements, and many awarded grants point to those same requirements.

NIST SP 800-171 "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" provides guidance for federal Agencies to ensure that certain types of federal information are protected when processed, stored, and used in nonfederal information systems. Agencies require NIST SP 800-171 compliance to protect the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST SP 800-171 are directly linked to the NIST SP 800-53 "Security and Privacy Controls for Federal Information Systems and Organizations" baseline controls and are intended for use by federal Agencies in contracts or other agreements established between those Agencies and nonfederal organizations.

Why choose Coalfire?

  • Coalfire has been working with Higher Education institutions, including entire State University systems, on PCI DSS compliance, FISMA compliance, GLBA and cyber risk program development since our inception in 2001.
  • Coalfire is an accredited Federal Risk and Authorization Management Program (FedRAMP) third-party assessment organization (3PAO), a designation obtained in part through demonstrated technical experience with NIST SP 800-series assessments.
  • Coalfire has conducted FISMA and other NIST-based assessments that are relied on by leading Agencies such as HHS, CMS, NIH, DHS, DOT and more.

Services for NIST SP 800-171

Coalfire provides advisory and assessment services to meet your NIST SP 800-171 assessment needs.

Coalfire works with many Higher Education institutions today and understands the unique nature of distributed systems in a university setting. We take that into consideration as we provide our services, from controls mapping of various environments, to documentation development for a system security plan (SSP), to the assessment itself through security testing and POA&M management: Coalfire can do it all. The assessment process follows a Risk Management Framework (RMF) approach.

  • NIST SP 800-171 Assessment – Includes system categorization as defined by federal guidance (FIPS 199), control selection per FIPS 200 and Agency requirements (Department of Education, Agency contract/grant award), implementation of applicable security controls, assessment of security controls, an authorization recommendation for the system, and continuous monitoring.
  • NIST SP 800-171 Advisory – Support for, or creation of, the documentation sets required by NIST SP 800-171, including the System Security Plan (SSP) that protects and ensures control of Controlled Unclassified Information, plus any additional guidance based on client or Agency (Department of Education, Agency contract/grant award) requirements.