Cybersecurity Compliance
As a school of Stanford University (SU) and a contractor for the Department of Energy (DOE), SLAC must comply with various contract obligations, policies, orders, and directives regarding its cybersecurity posture. SLAC's specific compliance obligations are detailed below.
SLAC's institutional policies and requirements apply to everyone at SLAC. Find the complete list, including the Computing & IT Policies, here.
The U.S. Department of Energy & Stanford University Contract specifies requirements for the management and operation of the SLAC National Accelerator Laboratory.
See "Computing & IT" for all policies, including SLAC's cybersecurity and information security protocols.
Cybersecurity Regulatory Compliance
The federal government requires partner organizations to maintain a strong security posture to protect against data breaches, reduce cyber attacks, and ensure compliance with industry best practices. SLAC must comply with both DOE regulations and NIST SP 800-53.
Below are policies, guidelines, publications, and federal information processing standards that SLAC complies with.
Directives are the DOE's primary method for establishing policies, requirements, responsibilities, and procedures for partner entities and contractors.
NIST Cybersecurity Framework
In 2014, NIST (National Institute of Standards and Technology) established a framework for managing and reducing cybersecurity risk. It was designed to create a standard protocol for cybersecurity management, communications, and practices for U.S. Government organizations, contractors, subcontractors, and external parties.
Below are relevant resources from NIST regarding cybersecurity best practices.
Security Architecture & Assessments
Technology-Specific Guidance
SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security
SP 800-63, Digital Identity Guidelines
SP 800-81-2, Secure Domain Name System (DNS) Deployment Guide
SP 800-88 Rev. 1, Guidelines for Media Sanitization
FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
FIPS 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors