This introduction to NIST 800-171 provides a brief overview of the special publication, how Controlled Unclassified Information (CUI) is defined, common types of data in higher education that “may” be called CUI, and what institutional information should be “out of scope.” To illustrate how institutions are currently responding to NIST 800-171, three brief case studies are provided by the University of Notre Dame, the University of Pittsburgh, and North Carolina State University.
As stated in the conclusion of this document, institutions continue to refine their understanding of the impact of NIST Special Publication 800-171 on their IT systems and the data they receive from the federal government. Until the federal government creates additional guidance, the following list summarizes key points in this document:
NIST 800-171 applies to data that the federal government designates as Controlled Unclassified Information (CUI) when they are shared by the federal government with a nonfederal entity and when no other federal law or regulation (e.g., FISMA) addresses how to protect the underlying data.
Depending on the type of data received from the federal government, CUI could include data received as part of a research grant or data received to conduct business (e.g., student financial aid information).
A higher education institution must review its contracts with federal agencies carefully. There must be a document (contract) that both (1) references the data the federal agency is sharing that it has specifically identified as CUI, and (2) states that the institution must follow the terms of NIST 800-171.