EDUCAUSE QuickPoll Results: NIST SP 800-171 Compliance Efforts and Challenges in Higher Education



Institutions vary in their processes for protecting controlled unclassified information, but taking immediate action, controlling project scope, and seeking support from leadership, cross-functional teams, and collaborative peer networks can help facilitate compliance with security requirements.


EDUCAUSE is helping institutional leaders, IT professionals, and other staff address their pressing challenges by sharing existing data and gathering new data from the higher education community. This report is based on an EDUCAUSE QuickPoll. QuickPolls enable us to rapidly gather, analyze, and share input from our community about specific emerging topics.[1]

The Challenge

According to PrivacyRights.org, data breaches have become commonplace with the expanding collection of information in digital form. Securing data is critical because protecting sensitive information from threats ensures privacy, trust, and integrity. Consequently, the National Institute of Standards and Technology (NIST) developed Special Publication (SP) 800-171 ("Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations"), which provides federal agencies with recommended security requirements for protecting controlled unclassified information (CUI) from unauthorized access when the information is held in nonfederal systems. Institutions of higher education that are contractors or subcontractors on DoD projects involving CUI are subject to SP 800-171, as are certain NIH research projects involving genomic data, but no other formal CUI security requirements are currently in place. The National Archives and Records Administration (NARA) CUI Registry, however, identifies "student records" as a category of CUI, and based on that, the Department of Education has provided guidance indicating that it plans to establish SP 800-171 compliance requirements for federal student financial aid data. The timing and extent of those requirements remain unclear at this time, given the recent change in presidential administrations, but in all likelihood the SP 800-171 cybersecurity guidelines will be applied to all institutional systems that touch student financial aid data. This QuickPoll seeks to understand institutional awareness, planning and execution, resources that helped facilitate efforts, and best practices for implementation regarding SP 800-171.

The Bottom Line

Although 54% of respondents said that their institution had established a formal plan for SP 800-171 compliance, there was considerable variation across institutions in terms of levels of compliance for different data types, timelines for compliance, and even awareness of compliance requirements. For example, target timelines for compliance ranged from the next six months to two years or more, and respondents reported varying levels of leadership awareness of compliance requirements. Common pain points institutions were facing included limited personnel and funding to facilitate compliance efforts and competing priorities taking precedence. Respondents emphasized that taking immediate action, controlling project scope, and seeking support from leadership, cross-functional teams, and collaborative peer networks played a critical role in helping institutions achieve compliance.

The Data: Institutional Differences Regarding SP 800-171

Individual familiarity with SP 800-171 and plans to bring data into compliance vary across institutions. A majority of respondents (55%) are extremely familiar with SP 800-171 compliance requirements. The remaining respondents indicated that they are slightly/somewhat/moderately familiar. Awareness differed when respondents were asked to assess how familiar their institutional leadership is with SP 800-171. About 9% of respondents indicated that leadership is not at all familiar. Most respondents reported that leadership was familiar at least to some degree: slightly (28%), somewhat (23%), moderately (23%), and extremely (16%). Only about 2% of respondents stated they don't know. Further, respondents were asked to indicate which research data their institution plans to bring under compliance (see figure 1). Respondents identified Department of Defense (DoD) research data (CMMC audited 34%; self-attestation 41%) and contract data (44%), in addition to National Institutes of Health (NIH) data (54%). Almost a quarter (22%) of respondents noted their plans to extend compliance to additional types of research data, such as other federal data (e.g., Department of Education), data governed by use agreements, and other personally identifiable information (PII) in accordance with best practices.

Figure 1. Research Data Institutions Plan to Bring Under Compliance

An institution's level of compliance varies by data type. A small number of institutions are not working toward compliance for the following data types: DoD-related research (11%), non-DoD research data (9%), or non-research data (13%) (see figure 2).[2] Most institutions are either working toward compliance, are partially compliant, or are mostly compliant. Similarly, effort and compliance status vary by data type, with a lower proportion reporting working toward compliance or being partially or mostly compliant for DoD-related research data (39%) compared to either non-DoD research data (54%) or non-research data (57%). For these three data types, just 8–13% of respondents said their institution is compliant.

Figure 2. Current Level of Compliance, by Data Type

Primary responsibility for overseeing compliance differs by institution but is typically held within IT. Generally, the responsibility of managing compliance is within IT offices at institutions, though about 6% of respondents indicated that no single person/team is primarily responsible. Even within IT, the specific role responsible for compliance varies. Most often, the chief information security officer (CISO) supervises compliance (38%), followed by the information security/IT security team (13%), the chief information officer (CIO) (9%), a vice president for research (or equivalent role) (9%), and an IT governance, risk, and compliance (GRC) team (8%).

The Data: Compliance Prioritization and Timelines

Most respondents said that SP 800-171 compliance is a moderate to high priority for their institution. With the exception of those who said their institution was compliant or said that compliance was not applicable for the three data types, respondents were asked how much of a priority SP 800-171 compliance was to their institution. Of these, 36% said it was a high priority, 41% indicated that it was a moderate priority, and 13% a low priority. Several respondents who indicated that compliance was a low priority or not a priority attributed this lack of prioritization to ambiguity. As one respondent explained, "Based on the uncertainties with the federal government, the fact that none of our DoD contracts currently require NIST 800-171, and the costs [associated] with compliance, our institution has opted to wait until we are required to meet compliance." Other respondents indicated that their institution was not prioritizing compliance because they were focused on other more pressing security priorities.

Projected timelines for achieving SP 800-171 compliance vary. A slight majority of respondents (54%) reported that their institution had established a formal plan for SP 800-171 compliance, and 44% said their institution had not. Respondents whose institutions are pursuing compliance were asked about timelines for achieving compliance. Of these, 26% said their institution planned to be compliant within six months to a year, 19% said within the next six months, and 16% planned to be compliant in more than one year but less than two years (see figure 3). Notably, though, 16% of respondents said their institution had no specific timeline or plan for compliance, and 14% did not know.

Figure 3. Institutional Target Timelines for Achieving NIST SP 800-171 Compliance

The Data: Compliance Strategies and Barriers

The top institutional strategy for achieving compliance is investing in cybersecurity tools. Respondents working toward compliance with SP 800-171 were asked about their institution's strategies for meeting the requirements. The most frequently selected institutional strategy was investing in cybersecurity tools and technologies to support compliance (62%) (see figure 4). Other frequently selected strategies included conducting a formal gap assessment against SP 800-171 requirements (54%), implementing required security controls and policies (54%), and providing training and awareness programs for faculty and staff (52%). However, one respondent noted that no strategies taken had been sufficient: "[We] realized that we are not funded or staffed to [achieve compliance], but we still somehow have to do it."

Figure 4. Institutional Strategies for Meeting NIST SP 800-171 Compliance Requirements

Limited personnel, competing priorities, and insufficient funding are primary barriers to SP 800-171 compliance. Respondents identified several key barriers to compliance, including limited personnel to oversee and/or facilitate compliance efforts (76%), competing priorities or other institutional initiatives taking precedence (70%), and insufficient funding or resources (66%) (see figure 5).

Figure 5. Greatest Institutional Barriers to Achieving Compliance

Perhaps not surprisingly, the internal resources that respondents felt would be most helpful for supporting institutional compliance corresponded with the barriers they were facing: increased funding for compliance efforts (78%), additional dedicated personnel to support compliance (76%), and increased support and/or prioritization from leadership (58%) (see figure 6). External resources that respondents most frequently selected as helpful for supporting compliance efforts included clearer federal guidance on compliance expectations (75%), increased funding for compliance efforts (68%), and clearer federal guidance on compliance timelines (66%).

Figure 6. Top Internal Resources for Supporting Institutional Compliance

Common Challenges

Compliance efforts vary significantly across institutions. Institutions are implementing diverse strategies to meet SP 800-171 compliance. No single approach to meeting these requirements will suit all colleges and universities, so institutions will need to tailor their efforts based on the type(s) of CUI they handle and their specific circumstances, such as resource availability, organizational structure, and the complexity of their data environments. This variability underscores how important it is for institutions to be flexible and adaptable in meeting compliance.

Internal and external factors are limiting institutions' ability to meet compliance. Institutions must navigate numerous barriers to achieve compliance. These obstacles may include a lack of personnel to oversee and/or facilitate efforts, competing institutional priorities, and the need for clear and consistent federal guidance. These challenges emphasize the necessity for targeted strategies and collaborative efforts.

Promising Practices

Best practices for compliance include engaging in self-assessment, avoiding scope creep, and partnering with collaborative networks. Respondents who indicated that their institution was working toward compliance were asked to share best practices or lessons learned for institutions just starting to work toward SP 800-171 compliance.

  • Start with a self-assessment to document current policies and procedures, identify gaps, and build a compliance roadmap.
  • Gain executive support and, if possible, identify champions at the highest levels who can help advance and sustain compliance efforts.
  • Establish strong partnerships with cross-functional teams—including IT, cybersecurity, legal, faculty, and research administration—to ensure awareness and participation.
  • Keep the scope as precise as possible to maintain alignment with objectives and prevent scope creep.
  • Get involved with collaborative networks for research security and regulatory compliance, including the Regulated Research Community of Practice (RRCoP), Trusted CI, and the EDUCAUSE Regulated Information Security Compliance (RISC) Community Group, which can share resources and offer practical insights.

EDUCAUSE Resources

EDUCAUSE has published several resources about NIST SP 800-171 requirements that may interest readers looking to learn more:

All QuickPoll results can be found on the EDUCAUSE QuickPolls web page. For more information and analysis about higher education IT research and data, please visit the EDUCAUSE Review EDUCAUSE Research Notes topic channel. For information about research standards, including for sponsored research, see the EDUCAUSE Research Policy.

Notes

  1. QuickPolls are less formal than EDUCAUSE survey research. They gather data in a single day instead of over several weeks and allow timely reporting of current issues. This poll was conducted between March 17-18, 2025, consisted of 21 questions, and resulted in 121 responses for analysis. The poll was distributed by EDUCAUSE staff to relevant EDUCAUSE Community Groups rather than via our enterprise survey infrastructure, and we are not able to associate responses with specific institutions. Our sample represents a range of institution types and FTE sizes.
  2. Responses labeled "prefer not to answer" were excluded from the graphical representation. Percentages throughout have been rounded to the nearest whole number.

Kristen Gay is a Researcher at EDUCAUSE.

Jaclyn Smith is a Research Data Analyst at EDUCAUSE.

© 2025 Kristen Gay and Jaclyn Smith. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.