Most of the data received from the Department used in the administration of Title IV programs is considered CUI and thus subject to the CUI Rule.
The U.S. Department of Education has announced that it is finalizing a Campus Cybersecurity Program framework. The new program will be implemented over the next few years. As part of the plan, the Department will ensure that Title IV institutions of higher education (IHE) comply with the “CUI Rule,” which requires nongovernment agencies receiving controlled unclassified information (CUI) to comply with the National Institute of Standards and Technology Special Publication 800-171 Rev. 2, Controlled Unclassified Information in Nonfederal Systems (NIST 800-171). Most of the data received from the Department used in the administration of Title IV programs is considered CUI and thus subject to the CUI Rule. The Department previously encouraged compliance with this standard in its 2016 Dear Colleague Letter (GEN 16-12), and strongly encouraged institutions that fall short of NIST 800-171 standards to assess their current gaps and immediately begin to design and implement plans in order to close those gaps using the NIST standards as a model.
The Department has outlined a multiyear implementation plan that includes near-term, intermediate-term and long-term goals, starting with a self-assessment program to understand the community’s readiness to comply with NIST 800-171.
- Electronic announcement – December 2020
- Engage community stakeholders
- IHE self-assessment
- Collect IHE cybersecurity data
- Implement IHE risk profiles
- Initiate pilot using risk profiles
- Fulfill ED and FSA CUI mandate
- Refine IHE support structure
The Department will be publishing guidelines and best practices to implement the NIST 800-171 standard, as well as additional information regarding the upcoming cybersecurity self-assessment.
Depending on an IHE’s existing security posture, it can often take several months (and in some cases 1-2 years) to comply with the robust NIST 800-171 security controls. IHEs should start assessing any gaps in their information security program to identify any controls that are not addressed and immediately work toward closing those gaps. They may also consult with legal counsel to consider whether to conduct these assessments under attorney-client privilege.
For More Information
If you have any questions about this Alert, please contact Michelle Hon Donovan, any of the attorneys in our Education Technology Group, attorneys in our Higher Education Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.