A new set of federal regulations is forcing colleges and universities to tighten their cybersecurity practices, which will require changes in the way colleges manage their data, according to a new report.
Higher education institutions will have to fulfill new contractual obligations to maintain federal grants, research contracts and other transactions in which the institutions receive data from the federal government, according to the report, issued by Deloitte’s Center for Higher Education Excellence and nonprofit EDUCAUSE.
In 2016, the U.S. Department of Education signaled it would make colleges comply with requirements laid out in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which are designed to protect the confidentiality of “controlled unclassified information” (CUI). The first compliance deadline schools have to meet is Dec. 31.
“Whether a college or university has many large government research contracts or one small contract, each institution will need to comply with these new data protection standards,” said Joanna Lyn Grama, director of cybersecurity and IT GRC programs at EDUCAUSE. “Simply put, the evolving higher education threat landscape and very complex regulatory environment mean that ad-hoc approaches to data management and protection are no longer adequate, and formalized information security programs, based on recognized frameworks and responsive to specific regulations, are required.”
According to the report, while higher education CIOs and CISOs are aware of the new standard, “this awareness hasn’t necessarily translated into progress.”
“Many institutions are still working out how to get started and get everyone on board,” the report says. “Other institutions, notably those that receive significant defense research funding, are much further down the path.”
Colleges will have to overcome many existing challenges in order to fulfill the requirements, according to experts at Deloitte and EDUCAUSE. And those challenges go beyond just technological problems. They also encompass organizational change management, training, end-user adoption and process controls.
Specific challenges outlined in the report include a lack of executive and board-level attention to the NIST requirements. Because many institutional leaders and boards of trustees simply do not know enough about the requirements, the report suggests reframing the conversation in terms of enterprise risk management — laying out the direct business impact to the institution — in order to get their attention.
Another challenge involves cultural barriers. Because colleges and universities traditionally rely on open information-sharing and value a culture of openness, restricting how information is communicated, shared and used in collaboration runs against institutional instinct.
A third challenge revolves around governance coordination. According to the report’s authors, it is not effective or economical to engage in information security and data management protections in a decentralized way. What’s needed is an institutional, enterprise-level solution to examine and certify data and access compliance.
Mike Wyatt, national managing principal for identity solutions at Deloitte US, said universities need to conduct their own analyses to determine which issues affect them.
“To get started down the path to compliance, institutions will first need to understand the challenges they’ll face in complying with the new standard and then chart a course for getting from here to there,” Wyatt said. “A tailored approach — encompassing, among other things, organizational change management, training, end-user adoption and process controls — is essential to achieving and sustaining compliance.”
He added, “Colleges and universities can see this challenge in two ways — as a risk to their federal grants and research funding or as a competitive advantage if they are more proactive in their compliance.”
Deloitte and EDUCAUSE offered six steps for higher education leaders to take in order to develop a viable compliance program:
- Form a working group with representatives from each of the institution’s three main business units: academics, administration and research. The working group should have top-down support and the sustained engagement of leadership.
- Analyze the impact and scope by determining the applicable contracts and identifying data that must be controlled.
- Assess the current state of security and understand where CUI data resides (in on-premises campus systems and in cloud systems) and how it is processed, from the point of receipt through the rest of its lifecycle.
- Develop a plan to achieve compliance and mitigate existing gaps by defining roles and responsibilities to achieve and maintain compliance.
- Establish responsibilities and efficient processes to achieve sustained compliance over the long haul.
- Employ third parties to provide a thorough review of current practices across the entire academic enterprise.