NIST SP 800-171 – Guidance for Research Computing and Data Centers

The introduction of 800-171 requirements reinforces the need for researchers to understand that, while their institution holds ultimate responsibility for compliance, they also have individual responsibilities to operate within the compliance framework. Moreover, 800-171 compliance cannot be addressed solely through technical or architectural configurations. Achieving compliance often requires a culture shift among RCD center staff, faculty, and the broader institution. Recognizing that cultural change can be challenging in large organizations, this paper outlines several interconnected challenges institutions face in implementing and sustaining compliant environments for regulated research. Some challenges are technical, but many are organizational, requiring cross-functional collaboration and strategic alignment among leadership, IT, information security and privacy offices, legal counsel, research administration, and faculty stakeholders.

This paper aims to highlight pressing issues and describe potential solutions for leaders and managers of RCD center infrastructure and support organizations who are faced with understanding and implementing 800-171 compliance. It will serve as a resource for stakeholders at research-intensive institutions – including members of the Coalition for Academic Scientific Computation (CASC), Chief Information Officers (CIOs), Vice Presidents for Research (VPRs), Chief Information Security Officers (CISOs), and Research Integrity and Compliance Officers.