Re: endpoints in NIST 800-171

[randy <marchany () VT EDU>]

The one weakness with the AWS cloud solutions to the NIST 800-171 is with
the endpoints. Specifically, the need to physically isolate the endpoints
from the rest of an office/lab is a stumbling block. Something like the old
citrix (dumb terminal) devices might meet the requirement but it is
burdensome on the researcher. How one provides adequate 800-171 physical
protections in a way that's not burdensome to researchers.

-r.

On Fri, Jun 9, 2017 at 3:45 PM, Cathy Bates <cathy.bates () vantagetcg com>
wrote:

> Hi Blake,
>
> Just a few thoughts to add to the conversation….
>
> As with any compliance program, it’s good to have a strategy to isolate
> 800-171 compliant work from the rest of campus computing environment where
> possible unless you are working to move the whole campus environment to a
> NIST framework (no small feat!).  Some institutions are working to set up
> an isolated environment for 800-171 research either in an on-campus private
> cloud or in a compliant cloud environment.  I really like this approach
> because it reduces the compliance footprint and because it can provide a
> real research advantage with providing a flexible and responsive research
> environment.
>
> From my experience in leading these efforts, it will be important to
> conduct a gap analysis between your current security controls and those
> required by 800-171 when you are setting up a compliance zone in your
> current environment.  You are likely covering some of the requirements
> already.  Jeff Murphy listed a good starting point with the EDUCAUSE
> reference.
>
> For research associated with CUI, the first step is to look at
> grants/contracts to see if data is identified as CUI and that it falls
> under 800-171.  The data category will indicate whether it follows Basic or
> Specified compliance guidelines.  I am pretty sure that contracts without
> that specification are not yet required to follow 800-171, but someone
> should chime in if they have an alternate view.
>
> An interesting note that I haven’t heard many people talk about is that
> any endpoint devices, systems, etc. that contain CUI must be physically
> marked so that it is identified as containing CUI.
>
> The Department of Education does fall under the CUI effort and that
> includes Financial Aid and FERPA data protections.  The impact of 800-171
> is both wide and deep.  Where you can’t move to an isolated cloud
> environment, it would be interesting to hear what others are planning for
> their compliance strategy.
>
> Best,
>
> Cathy
>
> Cathy Bates
> cathy.bates () vantagetcg com