What is the HBCU Targeted Capacity Building (IT Modernization-Cyber Security) Component?
This SFI Component is intended to help participating HBCUs comply with the recently approved Department of Education cyber security requirements, defined within the National Institute of Standards and Technology (NIST) 800-171 Rev 2.
How does a participating HBCU know it is or is not NIST 800-171 Rev 2 compliant?
Each participating HBCU will be assessed using a unifying standard, Cybersecurity Maturity Model Certification (CMMC) Level 3.
What is the relationship between National Institute of Standards and Technology (NIST) 800-171 Rev 2 and CMMC Level 3?
CMMC Level 3 includes the 110 security requirements specified in NIST 800-171. The CMMC also includes additional practices and processes from other standards, references, and/or sources to further enable HBCUs to be more secure and competitive for future opportunities.
What is the approach used for the HBCU Targeted Capacity Building (IT Modernization-Cyber Security) Component?
Each HBCU’s IT infrastructure and its status regarding compliance with NIST 800-171 Rev 2 are unique. Therefore, while leveraging a standard, repeatable method, the technical solution(s) provided will be unique to each participating HBCU.
What is the method to be used to deliver and sustain the technical solution for the participating HBCUs?
First, SFI and the technical solution providers will group HBCUs into Cohorts to increase efficiency in the tasks performed.
Second, the team will work with the participating HBCU to perform a NIST assessment and identify gaps. Third, the team will identify the people, process, governance, and technology that can address the gap. Fourth, the team will order the mutually agreed upon technical solution(s) and stage the technology at a team member’s facility. Finally, the technical solution will be installed, HBCU staff trained on the use of the technical solution, and the technical solution will be sustained for 12 months.
Is SFI charging HBCUs any costs for participating in Targeted Capacity Building (IT Modernization-Cyber Security) Component?
There is no charge to identify and mitigate the gaps between the current IT infrastructure and what is required to meet NIST 800-171 Rev 2 requirements. Additionally, there is no charge for the initial 12 months of support following the installation of the technical solution.
Are there any other costs of which the HBCUs should be aware to participate in HBCU Targeted Capacity Building (IT Modernization-Cyber Security) Component?
Yes. There are other costs the HBCU will need to cover to be compliant, including the costs of providing the people, processes, and governance necessary to identify and mitigate the gaps required to meet the NIST 800-171 Rev 2 requirements. Additionally, to maintain accreditation, each participating HBCU will be required to provide support for the technical solution following the 12 months provided.
What is the schedule for completion of the HBCU Targeted Capacity Building (IT Modernization-Cyber Security) Component?
The schedule for each participating HBCU will be unique to their individual circumstances. Therefore, there will not be a standard “one size fits all” or a single schedule for all HBCUs.
In collaboration with its technical solution providers, SFI intends to work complete the initial over the next four years to accommodate the ~120 HBCUs who choose to participate in the program. From the start of the NIST assessment through the completion of installation of the technical solution, SFI anticipates taking as long as 30 weeks per participating HBCU.
Why does it take so long to achieve CMMC level 3 compliance?
SFI has initially allocated 8 weeks to complete the NIST assessments for a given Cohort; however, because each participating HBCU is unique, the schedule to address the corresponding gaps will vary. The delivery of equipment could take as long as 12-16 weeks, and the delivery of the required technical solutions to mitigate the gaps cannot be reliably predicted because of COVID-19 related disruptions to the supply chain. Staging and installation could take as long as 10 weeks.
How will HBCUs be selected?
All HBCUs are eligible to participate. The sequence in which efforts start at a specific HBCU will be based on multiple criteria (e.g., HBCU readiness, geographic location of HBCUs that are ready to start, and team capacity).
How does SFI determine HBCU readiness to be sequenced for the start of the process?
Each HBCU is asked to:
(1) Confirm intent to participate (via email to TBD@StudentFreedomInitiative.org)
(2) Attend an information session to better understand the HBCU Targeted Capacity Building (IT Modernization-Cyber Security) Component.
(3) Complete the SFI Information Technology Survey
(4) Identify Technology Point of Contact (name, position/title, email, phone number, mailing address)
(5) Identify Contracts/Legal Point of Contact (name, position/title, email, phone number, mailing address)
(6) Identify any existing technical solutions currently deployed within infrastructure
(7) Identify any restrictions imposed by state and Board of Directors/Trustees that might impact participation
(8) Provide change management/control processes
(9) Describe current activities and status to achieve CMMC level 3
(10) Sign the Common SFI-HBCU HBCU Targeted Capacity Building (IT Modernization-Cyber Security) Agreement
When will an HBCU be notified it has been selected as part of a NIST Cohort?
Initially, SFI intends to notify HBCUs at the start of each Calendar Year (CY) Quarter (Jan, Apr, Jul, and Oct) of the next NIST Cohorts, based on those completing the required readiness activities through the prior CY Quarter. This information will be posted at StudentFreedomInitiative.org.