EDUCAUSE Responds to Research Cybersecurity Regulations in Q1 2024


EDUCAUSE responded to three major comment processes in the first quarter of 2024, all of which have significant implications for research cybersecurity.

In the first quarter of 2024, the EDUCAUSE community responded to a series of cybersecurity regulatory processes that are particularly meaningful for higher education research enterprises. The comment period for the final public draft of the National Institute of Standards and Technology (NIST) Special Publication 800-171, Revision 3 (NIST SP 800-171 Rev. 3), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and the initial public draft of NIST SP 800-171A Rev. 3, Assessing Security Requirements for Controlled Unclassified Information, closed on January 26. With input and support from the EDUCAUSE HEISC 800-171 Compliance Community Group, the association provided in-depth feedback on both resources.

EDUCAUSE asked NIST to consider delaying the release of the final version of 800-171 Rev. 3 until the final version of 800-171A Rev. 3 is ready. Member representatives indicated that higher education institutions and other stakeholders find the assessment guide to be a very helpful resource for understanding what the controlled unclassified information (CUI) cybersecurity standards actually mean; therefore, releasing these resources in tandem could greatly improve stakeholder comprehension and compliance. The EDUCAUSE comments also noted that 800-171 Rev. 3 diverges from the cybersecurity guidelines for federal information systems in NIST SP 800-53 (the source from which 800-171 derives) in terms of when and how federal agencies should develop and deploy organization-defined parameters (ODPs) for cybersecurity requirements. The authors of 800-171 Rev. 3 noted that one of their goals is to ensure the publication aligns more closely with 800-53. For this reason, EDUCAUSE requested that the final draft of 800-171 Rev. 3 include an explanation of the guiding principles NIST used to develop and deploy ODPs under 800-53 and 800-171, and how 800-53 and 800-171 will necessarily diverge concerning ODPs. Finally, EDUCAUSE identified terms that NIST did not define in the final public draft of 800-171 Rev. 3 and advised the agency to clearly define these terms in the final release of the special publication. EDUCAUSE also urged NIST to adopt an advisory group model for 800-171 similar to the NIST Generative AI Public Working Group.

While the relevance of 800-171 to colleges and universities extends beyond the research cybersecurity space, this resource has particular implications for research cybersecurity due to its role in the Cybersecurity Maturity Model Certification (CMMC) program developed by the U.S. Department of Defense (DOD).[1] Federal contractors that handle federal contract information (FCI) or CUI as part of their contracts are already required to comply with the cybersecurity requirements for FCI or CUI, respectively. The CMMC program, originally proposed during the Trump administration, would impose third-party certification requirements on affected DOD contractors or subcontractors and prevent them from bidding on or participating in contracts unless they have the appropriate cybersecurity certification for the type of data they would handle as part of the contract or subcontract. The Biden administration has worked since November 2021 on revising the regulations to implement the CMMC program. It released the CMMC 2.0 regulations on December 26, 2023. The deadline for public comments was February 26, 2024.

EDUCAUSE, the Council on Governmental Relations (COGR), the Association of American Universities (AAU), the Association of Public and Land-grant Universities (APLU), and the American Council on Education (ACE) submitted a joint response to the proposed CMMC 2.0 regulations on February 26. We began our comments by thanking the DOD for acknowledging the central point that we raised in our November 2020 letter concerning the original CMMC rulemaking—that fundamental research projects as defined by the DOD do not generally involve FCI or CUI; therefore, they should not involve CMMC requirements.[2] While we expressed appreciation to the DOD for accepting this position, we noted that the rulemaking notice briefly discussed the potential for edge cases to arise. For example, if FCI or CUI were to appear in projects that otherwise constitute fundamental research, CMMC requirements would be triggered for those projects. To avoid confusion among the relevant stakeholders, including DOD contract officers, we asked the DOD to work with the higher education research community to develop a publicly available framework that would explain how it would identify and manage edge cases in relation to CMMC.[3]

Following are other key issues that EDUCAUSE, COGR, AAU, APLU, and ACE raised about CMMC 2.0 in our February 26 response:

  • The importance of integrating prior DOD guidance on CUI designation and marking into the regulations to ensure that CMMC requirements are only applied as appropriate
  • The need for the DOD to revise the proposed rule to eliminate the inappropriate extension of CUI security requirements to security protection data (SPD) or incorporate a clear definition of SPD and account for the costs and effects of extending CMMC requirements to SPD in its regulatory analysis and program implementation
  • A call for the DOD to again allow Plans of Action and Milestones (POA&Ms) to cover a much broader array of assessment requirements and extend the timeframe for fulfilling a POA&M to 360 days
  • A recommendation for the DOD to extend the overall phase-in period for adding certification requirements to solicitations or allow organizations to fulfill CMMC Level 2 requirements via self-assessment through Phase 4 of the phase-in process due to long-term challenges concerning the availability of assessment leaders and professionals
  • The need to revise the Defense Federal Acquisition Regulation Supplement (DFARS) so that the version of SP 800-171 that a contractor must comply with aligns with the version that the CMMC regulations will require
  • A proposal that the CMMC regulations require the lead assessors of CMMC assessment teams to have knowledge and experience in the industry of the organization that is being assessed

In addition to the NIST SP 800-171 and CMMC regulatory processes, a third rulemaking related to research cybersecurity required an EDUCAUSE response in Q1 2024. The federal agencies that are primarily responsible for the development and maintenance of the Federal Acquisition Regulation (FAR), which sets the requirements for federal contracting, proposed changes to the FAR that would impose cyber incident reporting and software bill of materials (SBOM) requirements on federal contractors. COGR and AAU joined EDUCAUSE in submitting a response to these proposals on February 2.

The response noted that the cyber incident and SBOM mandates being considered may be appropriate for the direct providers of IT and operational technology (OT) products and services to federal agencies.[4] The proposed regulations seem to target those entities, and incident reporting and SBOM requirements for such providers would make sense, given the direct impact their software and services have on the cybersecurity of federal agencies. However, the FAR changes as written appear to apply to all federal contractors based on any use of IT or OT products and services in the performance of their contracts, regardless of whether the use would have any reasonable bearing on the cybersecurity of the contracting agency. EDUCAUSE, COGR, and AAU indicated that, in many cases, the decentralized nature of IT management in the academic research context would ascribe reporting and SBOM responsibilities directly to researchers and their graduate assistants. The FAR provisions would mandate tight reporting timeframes, and noncompliance could result in a loss of research funding. Therefore, we argued that the overly broad scope of the proposed changes would likely lead to significant overreporting, which in turn would create a major "signal-to-noise" problem that would obscure real cybersecurity threats to the federal government.

As written, the proposed regulations seem to apply SBOM mandates to any software that a contractor or subcontractor might use to fulfill its obligations. This overly broad scope could cause resources to be siphoned away from the research that federal agencies contract with colleges and universities to conduct, again without contributing to the cybersecurity of the agencies.[5] Colleges and universities tend to license general administrative and productivity software at the institutional level. Accordingly, researchers at institutions whose providers of such software fail to meet the SBOM requirements would have to use project funds to license applications from providers who do meet the requirements, thus reducing the resources available for research purposes. For specialized software acquired to meet a specific need or discipline, a provider's failure to develop or maintain an SBOM could be even more problematic because no good alternatives may be available. In addition, the proposed SBOM requirements do not anticipate higher education research contexts in which a researcher or research team develops software specifically for a contracted project. In such cases, the software development process may be very iterative and ad hoc, and tracking and updating every code tweak for SBOM purposes may impose excessive administrative overhead—especially considering that the software in question would be unlikely to affect the cybersecurity profile of the federal agency in any way.

The public comment periods for these processes have closed. Therefore, EDUCAUSE, the associations we have collaborated with, and the relevant stakeholder communities will have to wait until later this year at the earliest to learn whether the lead agencies for these guidelines or regulations make changes to their proposed requirements based on our input. Since the NIST SP 800-171 and NIST SP 800-171A processes involve guidelines and not regulations, the final version of 800-171 Rev. 3 will likely emerge this spring or summer. The regulatory processes for CMMC 2.0 and FAR cyber incident reporting and SBOM mandates require the relevant agencies to review and consider all public comments that have been submitted, and the volume of comments received greatly impacts the speed at which an agency can issue final rules. For these reasons, fall 2024 is likely the earliest timeframe in which the final CMMC 2.0 and FAR cyber incident reporting and SBOM regulations could become available.

EDUCAUSE will continue to monitor for the release of the final NIST SP 800-171 and NIST SP 800-171A guidelines, CMMC program regulations, and FAR cyber incident reporting and SBOM mandates. We will continue to work with members to identify key considerations for the EDUCAUSE community.

Notes

  1. For example, Federal Student Aid data shared with higher education institutions is considered CUI, and the U.S. Department of Education has announced plans for a NIST SP 800-171 compliance rulemaking related to such data later this year.
  2. American Council on Education, Association of American Universities, Association of Public and Land-grant Universities, Council on Governmental Relations, and EDUCAUSE, letter to Office of the Department of Defense, Comments in response to Docket Number DoD–2023–OS–0063 / Regulatory Identifier Number (RIN) 0790–AL49, "Cybersecurity Maturity Model Certification (CMMC) Program," February 26, 2024; Council on Governmental Relations, EDUCAUSE, Association of American Universities, Association of Public and Land-grant Universities, American Council on Education, comment letter on RIN 0750-AK81 (DFARS Case 2019-D041), November 24, 2020.
  3. ACE, AAU, APLU, COGR, EDUCAUSE letter to DOD regarding DoD–2023–OS–0063.
  4. EDUCAUSE, Council on Governmental Relations, and the Association of American Universities, Comments in response to FAR Case 2021-017, "Federal Acquisition Regulation: Cyber Threat and Incident Reporting and Information Sharing," February 2, 2024.
  5. Ibid.

Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.

© 2024 Jarret Cummings. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.