Information Security Framework

In 2025, the University of North Carolina (UNC) Information Security Council authorized NC State to change its information security framework from ISO 27002:2022 to the National Institute of Standards and Technology (NIST) framework, NIST 800-171, Revision 3. Each UNC System school may choose either NIST 800-171 or the Center for Internet Security (CIS) Critical Security Controls as its information security framework but must also map back to ISO 27002:2022 as a baseline standard for developing its institutional IT security policies.

Why

Changing our framework from ISO 27002 to NIST 800-171 helps NC State comply with state, federal and contractual obligations. Many partners and suppliers are moving to this framework, including the Manufacturing Extension Partnership, National Science Foundation, National Department of Education Office of Federal Student Aid, National Institutes of Health, and Department of Defense research contracts for Controlled Unclassified Information.

How

NC State completed an initial self-assessment and gap analysis for meeting NIST 800-171 controls in September 2025, which included a clear crosswalk to ISO 27002. The 2025 gap analysis assessed enterprise maturity using the Cybersecurity and Data Privacy Capability Maturity Model. Finally, MCNC will conduct a formal baseline maturity third-party assessment in 2026.

Moving forward, the UNC Information Security Council will continue to act as a peer reviewer for annual enterprise assessments at UNC institutions. The council is composed of security leads from the 17 UNC institutions and the UNC System Office.

Benefits of NIST 800-171

  • NIST 800-171, Revision 3 was released on July 24, 2024 with significant improvements over the 2020 version. Revision 3 better aligns with other state, federal and international standards; expands coverage of supply chain, privacy and emerging technologies; and uses common security control language.
  • The NIST framework allows customization. NIST 800-171 includes customization guidance and risk-based security controls that can be uniquely defined to match the university’s risk profile. Additionally, NC State can incorporate elements from NIST 800-53, when applicable, to further enhance its security measures and risk profile.
  • The NIST framework includes a library of special publications and an audit guide that provide implementation guidance and best practices. NC State plans to implement NIST 800-171 using supplemental resources that include the NIST Cybersecurity Framework 2.0 and NIST Special Publication 800-37, Revision 2.

Related Documentation