Type of Policy
Administrative
Effective Date:
Last Revised:
Review Date:
Policy Owner
Georgia Tech CyberSecurity
Contact Name
John Karrh
Contact Title
Governance Risk & Compliance Manager
Contact Email
johnkarrh@gatech.edu
Reason for Policy

NIST Special Publication 800-171 (NIST 800-171), is a Federal standard that standardizes security controls applied to Controlled Unclassified Information (CUI) and systems and processes involved with this data within federally funded environments. Georgia Tech is obligated to ensure that all systems and processes involved with CUI are compliant with NIST 800-171 to continue receiving Federal funds associated with the use of this data (either directly received from the government or indirectly through associated covered contracts and contractors).

Policy Statement

This approval process applies to all activities involving the use of CUI: All environments (see definitions section) involved with CUI must comply fully with the NIST 800-171 standards (either directly or through compensating controls) and follow the guidance provided by the Georgia Tech System Security Plan (GT SSP). Any deviations from the GT SSP must be approved by the Chief Information Security Officer (CISO). The CISO will route such request to either the Executive Vice President of Research (for research-related activities) or the Executive Vice President for Administration and Finance (for administrative activities), as appropriate, for additional approval. All environments that are involved with CUI must undergo an annual NIST 800-171 compliance assessment by Cyber Security before interacting with CUI. These assessments will result in an attestation report signed by the CISO, or designee. The assessment results will be reported to the Georgia Tech Research Corporation and the Executive Vice President of Research (for research-related activities) or the Executive Vice President for Administration and Finance (for administrative activities). Any items of non-compliance found during the assessment must be remediated before any interaction with CUI is allowed. All environments that are involved with CUI must also operate in a manner which allows incident reporting of cyber incidents involving CUI within 72 hours. This policy provides requirements and guidance for all use of CUI for the Georgia Institute of Technology. These are the minimum requirements for securing CUI - all Institute and other applicable requirements still apply as well.

Scope

Anyone who handles CUI on behalf of the Institute must abide by this policy.

Definitions:

Compensating Controls

A compensating control, also called an alternative control, is a mechanism that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.  Compensating controls for a NIST 800-171 requirement need to mitigate the underlying risk that the requirement is designed to address.  Cyber Security will work with the labs and units to design and approve compensating controls.  

Controlled Unclassified Information (CUI)

Controlled Unclassified Information is any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

Environment

Environment is defined as the systems upon which CUI resides and the physical infrastructure that houses these systems.  Examples might be an individual research lab consisting of a room with desktop computers housing CUI or a student records system residing on multiple servers within a cabinet in a datacenter.  The room(s) or area(s) housing the computer systems along with the computer systems themselves define the environments to which this policy applies. 

Policy History
Revision Date Author Description
December 2017 Cyber Security New Policy