In late 2014, the National Institute of Standards and Technology (NIST) released an initial public draft of a new set of guidelines for federal agencies to follow in securing sensitive unclassified federal information residing in non-federal systems. An example of this would be when a federal research grant leads to a university information system holding data that, while not classified, is still subject to government controls on its further dissemination due to security, technological, or economic implications.
In active consultation and collaboration with our member-led Higher Education Information Security Council (HEISC), EDUCAUSE submitted comments on both the initial draft report, NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as well as on the final public draft released in April 2015. Among other requests, EDUCAUSE asked NIST to clarify a number of proposed CUI requirements and how those would relate to other applicable laws and regulations. EDUCAUSE also requested that NIST further highlight the document’s guidance on the flexibility that colleges and universities have in addressing CUI requirements.