The joint letter from the Association of American Universities (AAU) and the Council on Governmental Relations (COGR) to the National Institute of Standards and Technology (NIST) addresses concerns regarding the draft NIST Special Publication 800-171, which outlines security requirements for protecting controlled unclassified information (CUI) in nonfederal organizations. The authors acknowledge NIST’s recognition of the need for appropriate, non-federal security approaches and the effort to standardize requirements for federal contractors. However, they express significant apprehension over the expanding and inconsistent federal regulations regarding CUI, highlighting that such requirements often diverge from longstanding federal policy, notably National Security Decision Directive 189 (NSDD-189), which protects the openness of fundamental research unless formal classification is warranted.
The letter further criticizes the draft’s tendency to conflate basic research with federal information, requesting clearer definitions of “federal information” and “federal information systems.” The associations note that applying the proposed standards, which encompass extensive security controls derived from federal frameworks, could impose substantial administrative and financial burdens on research universities, particularly large or decentralized campuses and small research labs. Specific concerns include the practicality and costs of controls such as mandatory multifactor authentication for all users. The letter urges NIST to distinguish between illustrative and prescriptive controls, advocate for flexibility and recognition of alternative security approaches, and clarify that compliance costs should be considered in project budgets. The authors also call for clearer guidance from federal agencies regarding CUI requirements in contracts, emphasizing the importance of not automatically imposing these standards across all federal research agreements.
