Alerts and Updates

The U.S. Department of Education has announced that it is finalizing a Campus Cybersecurity Program framework, to be implemented over the next few years. As part of the plan, the Department will ensure that Title IV institutions of higher education (IHE) comply with the “CUI Rule” (32 CFR Part 2002), which requires nonfederal organizations that receive controlled unclassified information (CUI) to protect it in accordance with National Institute of Standards and Technology Special Publication 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST 800-171). Most of the data institutions receive from the Department to administer Title IV programs is considered CUI and is therefore subject to the CUI Rule. The Department previously encouraged compliance with this standard in its 2016 Dear Colleague Letter (GEN-16-12), which strongly encouraged institutions that fall short of NIST 800-171 to assess their current gaps and immediately begin designing and implementing plans to close them, using the NIST standard as a model.

The Department has outlined a multiyear implementation plan that includes near-term, intermediate-term and long-term goals, starting with a self-assessment program to understand the community’s readiness to comply with NIST 800-171.

Near Term

  • Electronic announcement – December 2020
  • Engage community stakeholders
  • IHE self-assessment
  • Education

Intermediate Term

  • Collect IHE cybersecurity data
  • Implement IHE risk profiles
  • Initiate pilot using risk profiles

Long Term

  • Fulfill ED and FSA CUI mandate
  • Refine IHE support structure

The Department will be publishing guidelines and best practices to implement the NIST 800-171 standard, as well as additional information regarding the upcoming cybersecurity self-assessment.

Depending on an IHE’s existing security posture, it can take several months, and in some cases one to two years, to implement the full set of NIST 800-171 security controls. IHEs should begin assessing gaps in their information security programs now, identify the controls that are not yet addressed, and work immediately toward closing those gaps. NIST 800-171 itself expects an organization to document its current state in a system security plan and to track unmet requirements in plans of action (requirements 3.12.4 and 3.12.2), and NIST SP 800-171A provides the assessment procedures for checking each requirement, so a gap assessment structured around those documents will also produce the records the Department is likely to ask for. IHEs may also consult with legal counsel to consider whether to conduct these assessments under attorney-client privilege.