Stanford Working to Achieve NIST 800-171 Compliance
Over the next year, Stanford Research Computing (SRC) and University IT’s Information Security Office (ISO) are working to ready several of Stanford’s key research computing systems (Nero, Carina, and SCG) for NIST 800-171 compliance. The team is also investigating the possibility of developing a NIST-compliant laptop option for researchers working on a smaller scale with data subject to the NIST requirements.
Why do we need to be NIST compliant?
While Nero and Carina are already secure and approved for Stanford High Risk and HIPAA data, and SCG is secure and approved for NIH Controlled Access data, they do not fully meet the NIST 800-171 requirements. Achieving compliance ensures these systems are eligible for use with datasets and contracts that mandate NIST 800-171 compliance, while also preparing Stanford for the broader adoption of these requirements in the future.
By complying with NIST 800-171, Stanford will safeguard its research capabilities, protect its funding streams, and maintain its position as a leading academic and research institution, benefiting faculty, students, and the broader scientific community.
What is the impact?
SRC and ISO are identifying, analyzing, and implementing the necessary controls to achieve NIST 800-171 compliance as well as developing system security plans for Nero, Carina, and SCG. They are leveraging existing security standards and expert consultation to meet compliance requirements while strengthening overall cybersecurity.
This initiative will significantly benefit Stanford’s research community by:
- Facilitating eligibility for federal grants and funding opportunities
- Ensuring adherence to applicable requirements and laying a foundation for potential future compliance requirements
- Enhancing data security protocols against potential threats and breaches
- Building organizational credibility and trust with stakeholders and partners
- Identifying and mitigating risks associated with information handling
- Reducing friction points for researchers, SRC, and offices such as ISO, the Office of Research Administration, and the Research Management Group in navigating new requirements and identifying compliant environments
- Fostering a culture of continuous evaluation and improvement of compliance practices
- Setting a foundation for a potential future project to obtain Cybersecurity Maturity Model Certification (CMMC) Level 2 compliance
This initiative may result in some changes to how researchers interact with systems and processes. If changes are needed, the project team will communicate with Stanford’s research community in advance. At this time, no major changes have been identified.
Have questions?
For more details, resources, and questions, visit the NIST Readiness webpage. For questions about NIST Compliance, submit a Help request.
DISCLAIMER: UIT News is accurate on the publication date. We do not update information in past news items. We do make every effort to keep our service information pages up-to-date. Please search our service pages at uit.stanford.edu/search.
