EDUCAUSE Joins Response to Draft CUI Guidelines

EDUCAUSE and other higher education groups responded to a National Institute of Standards and Technology proposal for enhanced CUI security guidelines covering "critical program" or "high value asset" research. Our comments stressed the need for much greater clarity on how these designations would be made and thus trigger institutional compliance responsibilities.

EDUCAUSE, the Council on Governmental Relations (COGR), the Association of American Universities (AAU), the Association of Public and Land-grant Universities (APLU), and the American Council on Education (ACE) recently submitted comments[1] to the National Institute of Standards and Technology (NIST) regarding its draft Special Publication (SP) 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. This new document presents a proposed set of controlled unclassified information (CUI) guidelines specifically for research activities designated by national security agencies as "critical programs" or "high value assets (HVAs)." This collection of guidelines is designed to be an additional layer of CUI requirements on top of those previously released in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which form the basis for the federal government's uniform CUI regulation.

EDUCAUSE and its sister associations highlighted the need for NIST to more clearly and completely explain in SP 800-171B the guidelines and processes by which relevant agencies apply the "critical program" or "HVA" designations. The higher education groups found that the requirements proposed in SP 800-171B could require significant time and resources to implement, particularly if the scope of the requirements was not more definitively limited to the research activities they are intended to cover. Without specifying upfront when, where, and how academic researchers and institutions might encounter these designations, as well as prominently highlighting in requests for proposals when they may apply to a given project, researchers and institutions might not realize that they need to meet SP 800-171B requirements until they are already in the process of negotiating the terms and conditions of an award and have limited ability to accommodate the time and expense necessary.

The groups also questioned whether SP 800-171B effectively addresses "the level of complexity and sophistication required to deploy a number of the controls" and whether that complexity and sophistication is warranted for the security of CUI as compared to classified research. Our joint response noted that "[m]any of the security controls involve costly tactics and counterintelligence activity" (e.g., penetration testing by designated agents and red teams; enhanced personnel screening even when the CUI level does not warrant it; and misdirection, tainting, and disinformation), and the deployment of these tactics and activities may not reflect an appropriate balance of costs and benefits given the unclassified information involved. In addition to the above-mentioned resource concerns, EDUCAUSE and its partners asked NIST to consider whether such measures might negatively impact the academic research environment at affected institutions, given the importance of academic freedom and freedom of expression to that environment.

In conclusion, we requested that NIST revise SP 800-171B to clarify the following items:

  • The criteria and processes for designating critical programs and HVAs.
  • How federal agencies will ensure consistency in their use of those designations and the related SP 800-171B requirements.
  • The flexibility that agencies and institutions will have in deciding which controls are necessary for unclassified information given the research involved.
  • The potential administrative burden for establishing compliance.
  • The possibility of a multiyear or phased-in adoption of SP 800-171B security controls.
  • The ways in which agencies and institutions might lessen the costs of compliance.

We also asked NIST to provide another, longer comment period for its next draft so that the higher education research and IT communities could more carefully consider the proposed requirements in light of their revised scope and application.

NIST has not provided a timeline for the release of either a second or final draft of SP 800-171B. EDUCAUSE will continue to work with its higher education research partners, however, to track and respond to further developments in relation to research-focused CUI guidelines and their impact on member interests.

For more information about policy issues impacting higher education IT, please visit the EDUCAUSE Review Policy Spotlight blog as well as the EDUCAUSE Policy page.

Note

  1. "EDUCAUSE Comments: Draft CUI Guidelines for 'Critical Programs' and 'High Value Assets,'" EDUCAUSE, August 6, 2019.

Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.

© 2019 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.