Minimum Standards for Security and Privacy
What are the Minimum Standards?
The “Minimum Standards for Security and Privacy” are the security and privacy requirements that must be implemented on your networks and information systems that process, transmit or store any of the types of data identified in Appendix A: Covered Information Examples. None of the minimum standards are optional; they must be implemented in their entirety to meet the objective of having a minimum standard of security and privacy.
How are the Minimum Standards related to FERPA?
The minimum standards are complementary to the Family Educational Rights and Privacy Act (FERPA).
The minimum standards are specific and technical and apply to the configuration of networks and IT systems.
Specifics on FERPA can be found here:
https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
What is Covered Information?
Covered Information refers to all individually identifiable student or employee information in any form, electronic or non-electronic, that is held or transmitted by an entity. This includes individually identifiable student or employee information in paper records that never has been electronically stored or transmitted.
Can schools implement more rigorous security and privacy protections?
Yes, schools may implement more stringent (rigorous) security and privacy protections of their choosing. It is recommended that a school consult their board before implementing more restrictive security and privacy protections to ensure they align with the data security and privacy governance plan.
How will the Minimum Standards be enforced?
Each education agency is responsible for determining how best to implement regular reviews to ensure the minimum standards are being met and enforced. General guidance is to appoint a team to handle the review in partnership with an outside cybersecurity firm or audit body.
Reviews should be conducted at least annually.
Do the Minimum Standards apply to vendor hosted applications or services?
Yes, the minimum standards apply to any vendor who provides or hosts an application or service that collects, processes, transmits or stores any of the student, teacher or other “covered information” identified in Appendix A.
How can you measure/assess your implementation of the Minimum Standards?
Each of the minimum standards maps back to a specific security or privacy requirement of NIST SP 800-171 rev2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf). There is also a companion document titled “Assessing Security Requirements for Controlled Unclassified Information” (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171A.pdf). This document provides processes and procedures to assess each security requirement or sub-requirement as defined in NIST SP 800-171 rev2.
When using an outside cybersecurity firm to perform a risk assessment, a security assessment or both, the cybersecurity vendor should assess against the Minimum Standards as well as the companion security requirements from NIST SP 800-171 rev2.
What if I still have questions about how to implement or interpret the Minimum Standards?
Please consult with your department of education or a cybersecurity consulting company.
Minimum Standards for Security and Privacy
Access Control
- Limit system access to authorized users, processes acting on behalf of authorized users, and authorized devices (including other systems). (NIST SP 800-171: 3.1.1)
- Limit system access to the types of transactions and functions that authorized users are permitted to execute. (NIST SP 800-171: 3.1.2)
- Limit unsuccessful logon attempts. (NIST SP 800-171: 3.1.8)
- Employ the principle of least privilege, including for specific security functions and privileged accounts. (NIST SP 800-171: 3.1.13)
- Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. (NIST SP 800-171: 3.1.13)
- Authorize wireless access prior to allowing wireless connections. (NIST SP 800-171: 3.1.16)
- Protect wireless access using authentication and encryption. (NIST SP 800-171: 3.1.17)
Awareness and Training
- Ensure that managers, systems administrators, and users of organizational systems, including administrative, educational, and financial systems, are made aware of the applicable policies, standards and procedures related to the security of those systems. (NIST SP 800-171: 3.2.1)
- Ensure that personnel are trained to carry out their assigned information security related duties and responsibilities. (NIST SP 800-171: 3.2.2)
Audit and Accountability
- Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (NIST SP 800-171: 3.3.1)
- Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. (NIST SP 800-171: 3.3.2)
Configuration Management
- Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (NIST SP 800-171: 3.4.1)
- Establish and enforce security configuration settings for information technology products employed in organizational systems. (NIST SP 800-171: 3.4.2)
- Restrict, disable or prevent the use of nonessential programs, functions, ports, protocols, and services. (NIST SP 800-171: 3.4.7)
Identification and Authentication
- Identify system users, processes acting on behalf of users, and devices. (NIST SP 800-171: 3.5.1)
- Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. (NIST SP 800-171: 3.5.2)
- Enforce a minimum password complexity and change of characters when new passwords are created. (NIST SP 800-171: 3.5.7)
Incident Response
- Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response activities. (NIST SP 800-171: 3.6.1)
- Track, document and report incidents to designated officials and/or authorities both internal and external to the organization. (NIST SP 800-171: 3.6.2)
Maintenance
- Perform maintenance on organizational systems. (NIST SP 800-171: 3.7.1)
- Provide controls on the tools, techniques, mechanisms, and personnel used to conduct systems maintenance. (NIST SP 800-171: 3.7.2)
- Ensure equipment removed for off-site maintenance is sanitized of any Covered Information in accordance with NIST SP 800-88 Revision 1. (NIST SP 800-171: 3.7.3)
Media Protection
- Protect (i.e., physically control and securely store) system media containing Covered Information, both paper and digital. (NIST SP 800-171: 3.8.1)
- Limit access to Covered Information on system media to authorized users. (NIST SP 800-171: 3.8.2)
- Sanitize or destroy system media containing Covered Information in accordance with NIST SP 800-88 Revision 1 before disposal or release for reuse. (NIST SP 800-171: 3.8.3)
- Control access to media containing Covered Information and maintain accountability for media during transport outside of controlled areas. (NIST SP 800-171: 3.8.5)
Personnel Security
- Screen individuals prior to authorizing access to organizational systems containing Covered Information. (NIST SP 800-171: 3.9.1)
- Ensure that organizational systems containing Covered Information are protected during and after personnel actions such as terminations and transfers. (NIST SP 800-171: 3.9.2)
Physical Protection
- Limit physical access to organizational systems, equipment and the respective operating environments to authorized individuals. (NIST SP 800-171: 3.10.1)
- Protect and monitor the physical facility and support infrastructure for organizational systems. (NIST SP 800-171: 3.10.2)
Risk Assessment
- Periodically assess the risk to organizational operations (including mission, functions, image or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, transmission or storage of Covered Information. (NIST SP 800-171: 3.11.1)
- Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. (NIST SP 800-171: 3.11.2)
- Remediate vulnerabilities in accordance with risk assessments. (NIST SP 800-171: 3.11.3)
Security Assessment
- Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. (NIST SP 800-171: 3.12.3)
- Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (NIST SP 800-171: 3.12.2)
- Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. (NIST SP 800-171: 3.12.3)
System and Communications Protection
- Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. (NIST SP 800-171: 3.13.1)
- Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). (NIST SP 800-171: 3.13.6)
- Protect the confidentiality of Covered Information at rest. (NIST SP 800-171: 3.13.16)
System and Information Integrity
- Identify, report, and correct system flaws in a timely manner. (NIST SP 800-171: 3.14.1)
- Provide protection from malicious code (i.e., antivirus and antimalware) at designated locations within organizational systems. (NIST SP 800-171: 3.14.2)
- Monitor system security alerts and advisories and take action in response. (NIST SP 800-171: 3.14.3)
- Update malicious code protection mechanisms when new releases are available. (NIST SP 800-171: 3.14.4)