WASHINGTON, Oct. 31, 2017 /PRNewswire/ -- Institutions of higher education are facing a series of upcoming federal data protection requirements, necessitating changes in their data management to maintain federal research and grants programs, says a new report, "Federal funding for Higher Education Institutions at Risk," issued today by Deloitte's Center for Higher Education Excellence and EDUCAUSE. The first compliance deadline for data received from the federal government (e.g., for certain defense-related research grants data) is Dec. 31, 2017.
"Whether a college or university has many large government research contracts or one small contract, each institution will need to comply with these new data protection standards," said Joanna Lyn Grama, Director of Cybersecurity and IT GRC Programs at EDUCAUSE. "Simply put, the evolving higher education threat landscape and very complex regulatory environment means that ad-hoc approaches to data management and protection are no longer adequate and formalized information security programs, based on recognized frameworks and responsive to specific regulations, are required."
"To get started down the path to compliance, institutions will first need to understand the challenges they'll face in complying with the new standard and then chart a course for getting from here to there," said Mike Wyatt, principal, Deloitte & Touche LLP, and a cyber-risk leader. "A tailored approach – encompassing, among other things, organizational change management, training, end-user adoption and process controls – is essential to achieving and sustaining compliance.
"Colleges and universities can see this challenge in two ways – as a risk to their federal grants and research funding or as a competitive advantage if they are more proactive in their compliance."
These new requirements are designed to safeguard a broad set of data known as controlled unclassified information (CUI). The National Institute of Standards and Technology's (NIST) Special Publication 800-171 states the requirements for protecting CUI when it is shared by the federal government with nonfederal entities like colleges and universities. These data protection requirements are gradually being incorporated into federal government contracts. The Defense Federal Acquisition Regulation Supplement (DFARS) has now established NIST 800-171 as the minimum security standard for protecting both CUI and Covered Defense Information (CDI), with compliance required by the end of this year. A Federal Acquisition Regulation (FAR) clause is expected to be published before the end of 2017 and to apply NIST 800-171 standards to protect CUI associated with a broader set of civilian contracts. Additionally, in 2016, the US Department of Education communicated its intention to make student financial data subject to those same standards in the future.
Deloitte and EDUCAUSE have identified three challenges that may exist in many college and university settings, which may impact an institution's path to compliance:
- Lack of executive and board-level attention: While awareness of NIST 800-171 is generally very high within the information technology and security community, it is not yet on the radar of many institutional leaders or boards of trustees because the issue has been cast as one of merely implementing a set of technical information security controls. To gain traction with institutional leaders, the conversation must be reframed in terms of enterprise risk management, with the business impact to the institution clearly spelled out.
- Cultural barriers: The cultural heritage of higher education institutions is one of openness and sharing. If a US researcher is building on research done by a colleague in another country, it's normal for the two to talk, share information, and even collaborate. As a result, outside of defense-related research, there may be inherent resistance to the changes necessitated by NIST 800-171.
- Governance coordination: With the growing demands for compliance work under the International Traffic in Arms Regulations (ITAR), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and other standards, and now NIST 800-171, it is no longer effective or economical to manage information security and data protection in a decentralized manner. An institutional, enterprise-level solution is needed, as well as a central authority to assess and certify data and access compliance.
Deloitte and EDUCAUSE outlined six steps higher education leaders can take to develop a sustainable compliance program:
- Form a working group with representatives from each of the institution's three main business units: academics, administration and research. The working group should have top-down support and the sustained engagement of leadership.
- Analyze the impact and scope by determining the applicable contracts and identifying data that must be controlled.
- Assess the current state of security and understand where CUI resides (in on-premises campus systems and in cloud systems) and how it is processed, from the point of receipt through its lifecycle.
- Develop a plan to achieve compliance and mitigate existing gaps by defining roles and responsibilities to achieve and maintain compliance.
- Establish responsibilities and efficient processes to achieve sustained compliance over the long haul.
- Employ third parties to provide a thorough review of current practices across the entire academic enterprise.
To review the Deloitte and EDUCAUSE report, go here.
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world's most admired brands, including more than 85 percent of the Fortune 500 and more than 6,000 private and middle market companies. Our people work across more than 20 industry sectors to make an impact that matters — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthy society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them.
EDUCAUSE (www.educause.edu) is a higher education technology association and the largest community of IT leaders and professionals committed to advancing higher education. Technology, IT roles and responsibilities, and higher education are dynamically changing. Formed in 1998, EDUCAUSE supports those who lead, manage, and use information technology to anticipate and adapt to these changes, advancing strategic IT decision making at every level within higher education. A global nonprofit organization, EDUCAUSE members include U.S. and international higher education institutions, corporations, not-for-profit organizations and K-12 institutions. With a community of more than 85,000 individual participants located around the world, EDUCAUSE encourages diversity in perspective, opinion and representation. The EDUCAUSE Cybersecurity Program offers a number of resources to help colleges and universities develop and mature their information security and privacy programs.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.