MAD Security NIST 800-171 Solutions for Higher Education

Understand and prepare for data protection requirements mandated by NIST 800-171.

Higher education institutions have legal obligations to protect student information used in the administration of the Title IV Federal student financial aid programs.


This student financial aid information is called Controlled Unclassified Information (CUI). CUI could also include data received as part of a research grant or data received to conduct business. NIST 800-171 is the recognized information security publication for protecting CUI and identifies recommended requirements for ensuring the appropriate security of Federal information in the possession of institutions. The controls specified in NIST 800-171 will need to be addressed in those higher education institutional IT systems that store CUI.

The Department of Education has strongly encouraged institutions to review and understand the standards defined in NIST 800-171. The Department intends to make student financial aid subject to NIST 800-171 security controls in the very near future.

It is imperative that institutions continue to enhance their cybersecurity posture in order to meet evolving threats to CUI and the challenges to the security of institutions.

In order to become compliant with NIST 800-171, the following steps are laid out based on the controls in NIST 800-171:



The controls in NIST 800-171 have been specifically tailored to protect CUI in non-federal IT systems from unauthorized disclosure. There are 14 families of security requirements outlined in NIST 800-171. These families are:

3.1 Access Control

Limits system access to authorized users.


3.2 Awareness & Training

Alerts employees to information security risks.

3.3 Audit & Accountability

Involves the creation, protection, retention, and review of system logs.

3.4 Configuration Management

Involves the creation of baseline configurations and use of robust change management processes.

3.5 Identification & Authentication

Involves central authentication and multi-factor authentication for local and network access to resources.

3.6 Incident Response

Involves developing operations to prepare for, detect, analyze, contain, recover from, and respond to incidents affecting information.

3.7 Maintenance

Involves maintenance of systems housing CUI.

3.8 Media Protection

Involves the sanitization and destruction of media containing CUI.

3.9 Personnel Security

Involves screening individuals before granting them access to information systems with CUI.

3.10 Physical Protection

Limits physical access to systems to only authorized individuals.

3.11 Risk Assessment

Involves assessing the operational risk associated with processing, storage, and transmission of CUI.

3.12 Security Assessment

Involves assessing the effectiveness of security controls and addressing deficiencies to limit vulnerabilities.

3.13 System & Communications Protection

Involves use of secure design principles in system architecture and software development life cycle.

3.14 System & Information Integrity

Involves monitoring for and alerting on system flaws and vulnerabilities.

The full documentation of the NIST 800-171 controls can be found at