Our colleagues on EAB’s IT Forum interviewed almost 50 security directors and chief information security officers (CISOs) at member universities to understand their emerging concerns around IT security. Many members discussed the challenge of NIST Special Publication 800-171, which provides guidance on how non-federal entities must protect Controlled Unclassified Information (CUI) shared by the federal government. The guidelines for compliance go into effect December 17, 2017 for affected DOD contracts. Non-compliance would put millions of dollars in research funding at risk, and is likely the opening salvo in increased scrutiny for the protection of federal data across agencies.
This summer, the IT Forum presented strategies to chief information officers for proceduralizing information security-related research compliance, including processes related to NIST 800-171. During that webconference, the presenters also polled participants about their institutions' plans to become NIST 800-171 compliant; the results of those polls are below.
Which below best describes your institution’s ambitions for consolidating research security policies in the next two years?
Almost 60% of surveyed research institutions plan to consolidate around a single framework (and of those, 75% will consolidate around NIST 800-171). As expected, master's and baccalaureate institutions do not plan to consolidate around NIST 800-171, although the percentage that do not plan to consolidate at all is greater than anticipated.
How much staff and budget is your institution allocating to NIST 800-171 compliance in the next months?
Unsurprisingly, over half of surveyed institutions (including 57% of research institutions) have not allocated resources to pursue their selected NIST 800-171 compliance strategy. Security and research staff who secured these resources have typically been successful either because it was necessary to secure a specific grant, or by adding up the value of grants that will require NIST 800-171 compliance and sharing the total revenue at risk through non-compliance with campus leadership.
What strategy will you pursue to achieve NIST 800-171 compliance? (Respondents could select multiple responses.)
At even the most decentralized institutions, the skills, costs, and political capital associated with implementing a NIST 800-171 compliant environment lead to Central IT typically owning the service. Eight respondents from research institutions indicated that Central IT would provide both a permanent cloud solution and an on-premise solution, echoing comments that greater flexibility for researchers will lead to greater compliance.