Minimum Standards for Security and Privacy

What are the Minimum Standards?

The “Minimum Standards for Security and Privacy” are the security and privacy requirements which must be implemented on your networks and information systems that process, transmit or store any of the types of data identified in Appendix A: Covered Information Examples. None of the minimum standards are optional; they must be implemented in their entirety to meet the objective of having a minimum standard of security and privacy.

How are the Minimum Standards related to FERPA?

The minimum standards are complementary to the Family Educational Rights and Privacy Act (FERPA).

The minimum standards are specific and technical and apply to the configuration of networks and IT systems.

Specifics on FERPA can be found here:

https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

What is Covered Information?

Covered Information refers to all individually identifiable student or employee information in any form, electronic or non-electronic, that is held or transmitted by an entity. This includes individually identifiable student or employee information in paper records that never has been electronically stored or transmitted.

Can schools implement more rigorous security and privacy protections?

Yes, schools may implement more stringent (rigorous) security and privacy protections of their choosing. It is recommended that a school consult their board before implementing more restrictive security and privacy protections to ensure they align with the data security and privacy governance plan.

How will the Minimum Standards be enforced?

Each education agency is responsible for determining how best to implement regular reviews to ensure the minimum standards are being met and enforced. General guidance is to appoint a team to handle the review in partnership with an outside cybersecurity firm or audit body.

Reviews should be conducted at least annually. 

Do the Minimum Standards apply to vendor hosted applications or services?

Yes, the minimum standards apply to any vendor who provides or hosts an application or service that collects, processes, transmits or stores any of the student, teacher or “covered information” identified in Appendix A.

How can you measure /assess your implementation of the Minimum Standards?

Each of the minimum standards maps back to a specific security or privacy requirement of the NIST SP 800-171 rev2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf). There is also a companion document titled “Assessing Security Requirements for Controlled Unclassified Information” (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171A.pdf). This document provides processes and procedures to assess each security requirement or sub requirements as defined in the NIST SP 800-171 rev2.

When using an outside cybersecurity firm to perform a risk assessment, a security assessment or both, the cybersecurity vendor should assess against the Minimum Standards as well as the companion security requirements from NIST SP 800-171 rev2.

What if I still have questions about how to implement or interpret the Minimum Standards?

Please consult with your department of education or a cybersecurity consulting company.

Minimum Standards for Security and Privacy

Access Control

  1. Limit system access to authorized users, processes acting on behalf of authorized users, and authorized devices (including other systems). (NIST SP 800-171: 3.1.1)
  2. Limit system access to the types of transactions and functions that authorized users are permitted to execute. (NIST SP 800-171: 3.1.2)
  3. Limit unsuccessful logon attempts. (NIST SP 800-171: 3.1.8)
  4. Employ the principle of least privilege, including for specific security functions and privileged accounts. (NIST SP 800-171: 3.1.13)
  5. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. (NIST SP 800-171: 3.1.13)
  6. Protect wireless access using authentication and encryption. (NIST SP 800-171: 3.1.17)
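The "limit unsuccessful logon attempts" requirement (3.1.8) is usually met by an account lockout policy. The following is an added example, not code from the standards document or from NIST, showing the mechanics such a policy needs: a sliding window of consecutive failures per account, a lockout that refuses even a correct password until it expires, a counter reset on success, and an audit record that names the user for every outcome (the traceability asked for under 3.3.2). The threshold, window, lockout duration, credential store and clock are assumptions chosen for illustration.

```python
"""Added example (not part of the standards document): a minimal account
lockout policy for NIST SP 800-171 3.1.8. Thresholds, the credential store and
the clock are assumptions chosen for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 5            # assumed: lock after 5 failures inside the window
FAILURE_WINDOW = 15 * 60    # assumed: failures are counted over 15 minutes (seconds)
LOCKOUT_SECONDS = 30 * 60   # assumed: lock the account for 30 minutes


@dataclass
class AccountState:
    failure_times: list = field(default_factory=list)
    locked_until: float = 0.0


class LockoutPolicy:
    def __init__(self, verify_credentials, now):
        self._verify = verify_credentials   # callable(user, secret) -> bool
        self._now = now                     # callable() -> seconds; injected so runs are deterministic
        self._accounts = defaultdict(AccountState)
        self.audit_log = []                 # every entry names the user (3.3.2 traceability)

    def attempt(self, user, secret):
        now = self._now()
        state = self._accounts[user]
        if now < state.locked_until:
            # A locked account is refused before the credential is checked, so a
            # correct password during lockout neither succeeds nor resets the clock.
            self._record(now, user, "locked")
            return "locked"
        # Forget failures that fell outside the sliding window.
        state.failure_times = [t for t in state.failure_times if now - t < FAILURE_WINDOW]
        if self._verify(user, secret):
            state.failure_times.clear()     # success resets the counter
            self._record(now, user, "success")
            return "success"
        state.failure_times.append(now)
        if len(state.failure_times) >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failure_times.clear()
            self._record(now, user, "locked-out")
            return "locked"
        self._record(now, user, "failure")
        return "failure"

    def _record(self, ts, user, outcome):
        self.audit_log.append({"ts": ts, "user": user, "outcome": outcome})


def demo():
    """Walk one account through failures, lockout and recovery; returns the outcomes."""
    creds = {"jsmith": "correct horse", "ateacher": "battery staple"}  # constructed store
    clock = [0.0]
    policy = LockoutPolicy(lambda u, s: creds.get(u) == s, lambda: clock[0])
    results = []
    for _ in range(MAX_FAILURES):
        results.append(policy.attempt("jsmith", "wrong"))
        clock[0] += 1
    results.append(policy.attempt("jsmith", "correct horse"))   # still locked
    clock[0] += LOCKOUT_SECONDS
    results.append(policy.attempt("jsmith", "correct horse"))   # lock has expired
    return results


if __name__ == "__main__":
    print(demo())
```

The clock is passed in rather than read from `time.time()` so the behaviour can be checked without waiting; a production implementation would also persist the per-account state so that a restart does not clear a lockout.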

Awareness and Training

  1. Ensure that managers, systems administrators, and users of organizational systems, including administrative, educational, and financial systems, are made aware of the applicable policies, standards and procedures related to the security of those systems. (NIST SP 800-171: 3.2.1)
  2. Ensure that personnel are trained to carry out their assigned information security related duties and responsibilities. (NIST SP 800-171: 3.2.2)

Audit and Accountability

  1. Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (NIST SP 800-171: 3.3.1)
  2. Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. (NIST SP 800-171: 3.3.2)

Configuration Management

  1. Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (NIST SP 800-171: 3.4.1)
  2. Establish and enforce security configuration settings for information technology products employed in organizational systems. (NIST SP 800-171: 3.4.2)
  3. Restrict, disable or prevent the use of nonessential programs, functions, ports, protocols, and services. (NIST SP 800-171: 3.4.7)

Identification and Authentication

  1. Identify system users, processes acting on behalf of users, and devices. (NIST SP 800-171: 3.5.1)
  2. Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. (NIST SP 800-171: 3.5.2)
  3. Enforce a minimum password complexity and change of characters when new passwords are created. (NIST SP 800-171: 3.5.7)

Incident Response

  1. Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response activities. (NIST SP 800-171: 3.6.1)
  2. Track, document and report incidents to designated officials and/or authorities both internal and external to the organization. (NIST SP 800-171: 3.6.2)

Maintenance

  1. Perform maintenance on organizational systems. (NIST SP 800-171: 3.7.1)
  2. Provide controls on the tools, techniques, mechanisms, and personnel used to conduct systems maintenance. (NIST SP 800-171: 3.7.2)
  3. Ensure equipment removed for off-site maintenance is sanitized of any Covered Information in accordance with NIST SP 800-88 Revision 1. (NIST SP 800-171: 3.7.3)

Media Protection

  1. Protect (i.e., physically control and securely store) system media containing Covered Information, both paper and digital. (NIST SP 800-171: 3.8.1)
  2. Limit access to Covered Information on system media to authorized users. (NIST SP 800-171: 3.8.2)
  3. Sanitize or destroy system media containing Covered Information in accordance with NIST SP 800-88 Revision 1 before disposal or release for reuse. (NIST SP 800-171: 3.8.3)
  4. Control access to media containing Covered Information and maintain accountability for media during transport outside of controlled areas. (NIST SP 800-171: 3.8.5)

Personnel Security

  1. Screen individuals prior to authorizing access to organizational systems containing Covered Information. (NIST SP 800-171: 3.9.1)
  2. Ensure that organizational systems containing Covered Information are protected during and after personnel actions such as terminations and transfers. (NIST SP 800-171: 3.9.2)

Physical Protection

  1. Limit physical access to organizational systems, equipment and the respective operating environments to authorized individuals. (NIST SP 800-171: 3.10.1)
  2. Protect and monitor the physical facility and support infrastructure for organizational systems. (NIST SP 800-171: 3.10.2)

Risk Assessment

  1. Periodically assess the risk to organizational operations (including mission, functions, image or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, transmission or storage of Covered Information. (NIST SP 800-171: 3.11.1)
  2. Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. (NIST SP 800-171: 3.11.2)
  3. Remediate vulnerabilities in accordance with risk assessments. (NIST SP 800-171: 3.11.3)

Security Assessment

  1. Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. (NIST SP 800-171: 3.12.3)
  2. Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (NIST SP 800-171: 3.12.2)
  3. Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. (NIST SP 800-171: 3.12.3)

System and Communications Protection

  1. Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. (NIST SP 800-171: 3.13.1)
  2. Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). (NIST SP 800-171: 3.13.6)
  3. Protect the confidentiality of Covered Information at rest. (NIST SP 800-171: 3.13.16)
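"Deny all, permit by exception" (3.13.6) is a property of how a boundary filter is written, not of any one product. The following added example, not code from the standards document or from NIST, evaluates constructed inbound connection attempts against an explicit allowlist where anything unmatched is denied, and sets that beside the posture the standard rules out (permit everything except a blocklist) so the difference is visible on the same input. The host role, subnets, ports and sample connections are assumptions chosen for illustration.

```python
"""Added example (not part of the standards document): deny-by-default
evaluation of inbound connections for NIST SP 800-171 3.13.6. Subnets, ports
and the sample connections are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str        # source CIDR the exception applies to, e.g. "10.20.0.0/16"
    proto: str      # "tcp" or "udp"
    port: int       # destination port

    def matches(self, conn):
        return (conn["proto"] == self.proto
                and conn["dport"] == self.port
                and ipaddress.ip_address(conn["src"]) in ipaddress.ip_network(self.src))


# Assumed exceptions for a student-information-system host: HTTPS from the
# district network and SSH from one management subnet. Nothing else is listed,
# so nothing else is permitted.
ALLOW_RULES = [
    Rule("10.20.0.0/16", "tcp", 443),
    Rule("10.99.1.0/24", "tcp", 22),
]

# The posture the standard rules out: permit everything not explicitly blocked.
# A blocklist only stops what someone remembered to list.
BLOCK_PORTS = {23, 445}

# Constructed sample of connection attempts as a boundary filter would see them.
SAMPLE_CONNECTIONS = [
    {"src": "10.20.5.7",   "proto": "tcp", "dport": 443},   # classroom -> HTTPS
    {"src": "10.99.1.12",  "proto": "tcp", "dport": 22},    # admin subnet -> SSH
    {"src": "10.20.5.7",   "proto": "tcp", "dport": 22},    # classroom -> SSH
    {"src": "203.0.113.9", "proto": "tcp", "dport": 3389},  # internet -> RDP
    {"src": "10.20.5.7",   "proto": "udp", "dport": 443},   # right port, wrong protocol
]


def evaluate(conn, rules=ALLOW_RULES):
    """Deny by default: "allow" only if some exception matches."""
    return "allow" if any(r.matches(conn) for r in rules) else "deny"


def evaluate_permit_by_default(conn, blocked=BLOCK_PORTS):
    """The weaker posture: "deny" only if the port was explicitly blocked."""
    return "deny" if conn["dport"] in blocked else "allow"


def evaluate_all(conns=SAMPLE_CONNECTIONS, rules=ALLOW_RULES):
    return [evaluate(c, rules) for c in conns]


def denied_for_audit(conns=SAMPLE_CONNECTIONS, rules=ALLOW_RULES):
    """Denied attempts are the ones worth retaining as audit records (3.3.1)."""
    return [c for c in conns if evaluate(c, rules) == "deny"]


if __name__ == "__main__":
    for c in SAMPLE_CONNECTIONS:
        print(c, "deny-by-default:", evaluate(c),
              "permit-by-default:", evaluate_permit_by_default(c))
```

On the sample input the allowlist refuses the classroom-to-SSH, internet-to-RDP and UDP/443 attempts, while the blocklist posture lets the RDP attempt through because port 3389 was never listed; that gap is the reason the standard requires the first posture.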

System and Information Integrity

  1. Identify, report, and correct system flaws in a timely manner. (NIST SP 800-171: 3.14.1)
  2. Provide protection from malicious code (i.e., antivirus and antimalware) at designated locations within organizational systems. (NIST SP 800-171: 3.14.2)
  3. Monitor system security alerts and advisories and take action in response. (NIST SP 800-171: 3.14.3)
  4. Update malicious code protection mechanisms when new releases are available. (NIST SP 800-171: 3.14.4)


Appendix A

Covered Information Examples


Depending on your state or country of residence the definitions of Personally Identifiable Information (PII) or Personal data as defined by the General Data Protection Regulation (GDPR) https://gdpr.eu/ could vary significantly. The bold items are common among most legislation and privacy best practices. This is not an exhaustive list by any means, and it is advisable to check with an attorney to understand the specific data elements and regulations around personal information for your state or country.

Definition of Personally Identifiable Information (PII) – Any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual.

Sensitive PII (SPII) – Personally Identifiable Information which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Sensitive PII requires stricter handling guidelines because of the increased risk to an individual if the data are compromised.

Examples of personal or sensitive data

  • A processor or device serial number
  • A unique device identifier
  • An Internet Protocol (IP) address
  • Attendance
  • Authentication Information (passwords and information to re-enable passwords)
  • Biometric Identifiers (x-ray, retinal scan, voice, fingerprints, etc.)
  • Credit card numbers
  • Country, state, city, postcode
  • Course-Taking
  • Cookies
  • Date of birth
  • Device IDs
  • DNA Profile
  • Driver’s license number
  • Dropout
  • Educational Environment
  • Email address
  • English Language Proficiency Level
  • Financial Information (bank account, credit / debit card, etc.)
  • First or last name (if common)
  • Free and Reduced Lunch Eligibility Status
  • Full name
  • Gender
  • Habitual Truancy
  • Home address
  • Homeless Status
  • Job position and workplace
  • Location data
  • Medical Information
  • Migrant Status
  • Non-specific age (e.g. 30-40 instead of 30)
  • Passport number
  • Place of Birth
  • Primary Disability Category
  • Race
  • Retention
  • Sensitive context where PII data is viewed (queried or reported)
  • Social security number
  • Student Number
  • Suspension/Expulsion
  • Telephone number
  • Test Results (AP, ACT, etc.)
  • Vehicle Registration Number (i.e. car, boat, motorcycle, ATV, snowmobile)
  • Vehicle Title Number

Examples of non-personal or non-sensitive data

  • A company registration number
  • Anonymized data
  • Information that can’t be used to identify an individual

Appendix B

Glossary

authentication – Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system.

availability – Ensuring timely and reliable access to and use of information.

confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

configuration settings – The set of parameters that can be changed in hardware, software, or firmware that affect the security posture and/or functionality of the system.

external system – A system or component of a system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.

external system service – A system service that is implemented outside of the authorization boundary of the organizational system (i.e., a service that is used by, but not part of, the organizational system) and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.

external system service provider – A provider of external system services to an organization through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges.

external network – A network not controlled by the organization.

incident – An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, transmits or stores, or that constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies.

information security – The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

information technology – Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For the purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which: (i) requires the use of such equipment; or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources.

integrity – Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.

internal network – A network where establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors, or where the cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (with regard to confidentiality and integrity). An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned.

least privilege – The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.

media – Physical devices or writing surfaces including but not limited to magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within a system.

multifactor authentication – Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., device, token, cryptographic identification device); or something you are (e.g., biometric).

network – A system implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.

privileged account – A system account with the authorizations of a privileged user.

privileged user – A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

remote access – Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network (e.g., the Internet).

risk – A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. System-related security risks are those risks that arise from the loss of confidentiality, integrity or availability of information systems. Such risks reflect the potential adverse impacts to organizational operations, organizational assets, individuals, other organizations, and the Nation.

risk assessment – The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Part of risk management, risk assessment incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.

sanitization – Actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means. Process to remove information from media such that data recovery is not possible. It includes removing all classified labels, markings, and activity logs.

security control – A safeguard or countermeasure prescribed for a system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.

security control assessment – The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for a system or organization.

system component – A discrete, identifiable information technology asset (hardware, software, firmware) that represents a building block of a system. System components include commercial information technology products.

user – Individual, or (system) process acting on behalf of an individual, authorized to access a system.