A new report by Deloitte and nonprofit organization Educause says higher education institutions that aim to maintain their federal research contracts and grants should introduce changes to their data management practices as they comply with the National Institute of Standards and Technology’s federal data protection rules.
NIST’s Special Publication 800-171 includes requirements that seek to protect controlled unclassified information that federal agencies share with universities and colleges and sets Dec. 31 as the initial compliance deadline for nonfederal entities that receive CUI in defense contracts, Deloitte said Tuesday.
“A tailored approach – encompassing, among other things, organizational change management, training, end-user adoption and process controls – is essential to achieving and sustaining compliance,” said Mike Wyatt, a principal at Deloitte & Touche LLP.
Educause and Deloitte cited three challenges that higher education institutions need to address to comply with federal data protection standards: cultural barriers, governance coordination and lack of executive-level attention.
The report also enumerated six measures that college and university leaders can implement to comply with the NIST 800-171 standards.
Those include the creation of a working group; analysis of the scope and impact of the federal requirements; security assessment; development of a plan to mitigate gaps and achieve compliance; establishment of responsibilities to achieve compliance; and employment of third parties to review current practices.