The Cybersecurity and Infrastructure Security Agency (CISA) is proposing a new rule that would make it necessary for covered entities to report cyber incidents and ransomware payments to CISA within hours. CISA is required to initiate this process by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March 2022.
While CIRCIA will not immediately apply to higher education institutions, higher education is unlikely to get a hall pass. Institutions that depend on Department of Defense (DOD) contracts for essential research programs will soon need to show compliance with Cybersecurity Maturity Model Certification (CMMC) — a program designed to safeguard every organization in the defense industrial supply chain by protecting controlled unclassified information (CUI) and federal contract information (FCI) — and the penalties for non-compliance and cyber incidents are likely to increase.
Under the NIST SP 800-171 CUI guidelines, institutions must meet requirements designed to protect the confidentiality of CUI residing in non-federal systems. College and university CIOs and CISOs are already aware of the standard, but under CMMC 2.0 these mandates demand renewed attention. Institutions that do not comply risk losing federal research funding. The new CMMC program could place even greater limits on peer-reviewed research and require schools to prove full compliance before they can apply for federal contracts or grants.
Higher education institutions can leverage a set of strategies to create a continuous, more modernized approach to cybersecurity compliance:
Manage risks as a top priority: Educational institutions operate differently from commercial enterprises, so the traditional model of mapping risk to business activities does not translate easily. Regardless, critical assets and infrastructure, sensitive and regulated data, and intellectual property must still be protected across the board. Research institutions actively engaged in government research must adhere to CUI guidelines, since the cost of a breach or compliance failure will affect future funding. Institutional CISOs and CIOs must be closely linked to the “business” of the university so they understand the value of critical assets and environments and can prioritize their protection.
Know the enemy in advance: Threats against educational institutions are constantly rising, so institutions must be able to anticipate attack patterns. Threat modeling, and mapping potential attack scenarios against existing controls, must be treated as a foundational capability for educational institutions pursuing sensitive research. Periodic threat modeling should inform risk management decisions, which requires leaders to know the state of their controls and how effectively those controls can defend against incoming threats in real time.
Prep with observability: Campus environments are extremely dynamic and hard to manage with the traditional approaches of enterprise security and compliance. Higher education institutions will find it imperative to build a model for continuous, real-time, reliable monitoring of the critical controls deployed in defense of their environment.
With the advent of stricter cybersecurity compliance mandates, higher education stakeholders from compliance, risk and security should join forces for a more effective approach to prepare against today’s cyber threats — soon it could be mandatory.