EDUCAUSE Comments: Draft CUI Guidelines for “Critical Programs” and “High Value Assets”

Abstract

On August 2, 2019, EDUCAUSE joined the Council on Governmental Relations (COGR), the Association of American Universities (AAU), the Association of Public and Land-grant Universities (APLU), and the American Council on Education (ACE) in submitting comments to the National Institute of Standards and Technology (NIST) regarding its draft Special Publication 800-171B (NIST SP 800-171B). In 800-171B, NIST proposes enhanced security requirements for controlled unclassified data that the Department of Defense and other national security agencies could apply to federal research activities they designate as “critical programs” or “high value assets.” These requirements would be in addition to standards that were established for CUI security in non-federal information systems under NIST SP 800-171.

EDUCAUSE and its sister associations argue that NIST does not sufficiently address when, where, and how national security agencies might apply the “critical program” or “high value asset” designations; this creates great uncertainty in the higher education research and IT communities about when they might be required to implement the 800-171B standards. Given that many of the proposed requirements are expensive and cannot be implemented on an ad hoc basis, the potential for institutions and faculty to face 800-171B requirements during contract negotiations after an award has been made has significant, negative implications for basic research. The associations ask NIST to clarify:

• The criteria and processes for designating critical programs and high value assets outside of federal information systems;
• The parameters that will ensure consistency among federal agencies in the application of such designations and thus the 800-171B requirements;
• The flexibility and discretion that agencies and institutions will have in determining which controls truly fit the CUI in the research being conducted; and