NIST 800-171 Compliance for Longleaf

NIH is increasingly requiring Universities to adopt and formally attest to the NIST 800-171 security and compliance framework for systems housing and computing on data provided by NIH.

To meet these unfunded requirements, UNC ITS has hired a security vendor and is now in posession of a NIST 800-171 System Security Plan along with a POAM (plan of action and milestones) for Longleaf enumerating the remaining work, re-work of existing processes, and new IT security documentation that must be completed to meet this obligation.

However, your work on Longleaf is Not covered by this security framework unless and until you self-identify to ITS-RC that you have data on Longleaf that is subject to the obligation and complete a registration process identifying all locations on Longleaf where the data are held, along with an attestation from you that the group of authorized users with access to this data is accurate and in accordance with all contracts, grants, DUAs, IRBs, etc.

To register your work on Longleaf as NIST 800-171 compliant, please send the following items to our helpdesk for each grant, contract or agreement of any kind that requires UNC to make an attestation of NIST 800-171 compliance:

1. Top level directory where the data is stored e.g. /proj/mynamelab/myNIHproject1

2. Contract or Grant number for which OSR must make an 800-171 attestation

3. Confirmation that you have reviewed the access permissions on the directory specified in item 1 above, and that you agree they are accurate and correct. Please request assistance on this item if you are unable to complete this step on your own.

Additional Resources:

Understanding and managing Cluster User Groups