compliance workbook/guidance
CYBERSECURITY
Compliance

Learn more about SLAC Cybersecurity's compliance with industry standards and government regulations.

Cybersecurity Compliance

STANDARDS & POLICIES

Cybersecurity Compliance

As a School of Stanford (SU), as well as a contractor for the Department of Energy (DOE), SLAC must comply with various contract obligations, policies, orders, and directives regarding its cyber security posture.  SLAC's specific compliance obligations are detailed below.

SLAC's institutional policies and requirements apply to everyone at SLAC. Find the complete list, including the Computing & IT Policies, here.

CONTRACTUAL

DOE & SU Prime Contract

The U.S. Department of Energy & Stanford University Contract specifies requirements for the management and operation of the SLAC National Accelerator Laboratory.

INSTITUTIONAL

SLAC Computing & IT Policies

See "Computing & IT" for all policies, including SLAC's cybersecurity and information security protocols.

See SLAC Policies
GOVERNMENT

Cybersecurity Regulatory Compliance

The federal government requires partner organizations to maintain a strong security posture to protect data breaches, reduce cyber attacks, and ensure compliance with industry best practices.  SLAC must comply with both DOE regulations as well as NIST 800-53

Below are policies, guidelines, publications, and federal information processing standards that SLAC complies with.

Government

U.S. Department of Energy

Directives are the DOE's primary method for establishing policies, requirements, responsibilities, and procedures for partner entities and contractors.

Guidance, Special Publications & Federal Information Processing Standards

NIST Cybersecurity Framework

In 2014, NIST (National Institute of Standards and Technology) established a framework for managing and reducing cybersecurity risk. It was designed to create a standard protocol for cybersecurity management, communications, and practices for U.S. Government organizations, contractors, subcontractors, and external parties. 

Below are relevant resources from NIST regarding cybersecurity best practices. 

General Guidance

NIST Cybersecurity Framework

 

NIST Computer Security Resource Center

 

Publications

Protecting Sensitive Information

SP 800-122, Guide to Protecting the Confidentiality of PII

 

SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems & Organizations

Security Architecture & Assessments

SP 1800-35, Implementing a Zero Trust Architecture 

 

SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems

 

SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations

 

SP 800-30 Rev. 1, Guide for Conducting Risk Assessments

 

SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

 

SP 800-61 Rev. 2, Computer Security Incident Handling Guide

Technology Specific Guidance

SP 800-223, High-Performance Computing (HPC) Security: Architecture, Threat Analysis, and Security Posture 

 

SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security

 

SP-800-63, Digital Identity Guidelines

 

SP 800-81-2, Secure Domain Name System (DNS) Deployment Guide 

 

SP 800-88 Rev. 1, Guidelines for Media Sanitization

 

FIPS 199, Standards for Security Categorization of Federal Information and Information Systems

 

FIPS 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors