Compliance & Governance
The Campus Cloud uses a shared responsibility model. The Landing Zone provides a compliance baseline; you are responsible for the controls that depend on your specific workloads and processes.
The Campus Cloud is designed to align with two key standards:
- UC Policy IS-3 — University of California information security policy. All Campus Cloud accounts must comply.
- NIST 800-171 — federal standard for protecting Controlled Unclassified Information (CUI). Required to receive federal research funding involving sensitive data.
Compliance Built Into Every Account
Every Campus Cloud account gets a baseline set of controls at creation:
- Audit logging of all API calls and console actions
- Detection controls for common misconfigurations (unencrypted storage, public access, missing MFA)
- Security monitoring via provider-native tools (Security Hub, Defender for Cloud, Security Command Center)
- Guardrails that prevent high-risk actions (deploying outside allowed regions, disabling audit logging, using root credentials)
These controls satisfy a significant portion of IS-3 and NIST 800-171 requirements, but they do not cover everything. You are responsible for the remaining controls that depend on your specific workloads and processes.
Do You Need a NIST 800-171 Compliant Account?
If your research involves Controlled Unclassified Information (CUI) — such as federally funded research with export controls, or data subject to ITAR, HIPAA, or similar frameworks — you should request a NIST-compliant account.
This applies to all three providers. The request process is the same: follow the standard procurement process and select “NIST Compliant Account” on the Campus Cloud form.
A NIST-compliant account is placed in an Organizational Unit (AWS), Management Group (Azure), or Folder (GCP) with additional controls enabled:
- Additional detective controls check encryption, access, and network configuration
- Additional preventive controls block non-compliant configurations
- Regular automated compliance reports are available on request
Migrating an Existing Account to the NIST-Compliant Tier
If you already have a Campus Cloud account that is not in the NIST-compliant tier, you have two options:
- Migrate your account to the NIST-compliant OU/folder. The Cloud Team can help with this process.
- Enable additional controls on your existing account to increase compliance coverage.
Email info@cloud.ucsb.edu to discuss your options, or open a ServiceNow ticket if you are ready to proceed.
Compliance Tracking Tool
The Cloud Team has developed a NIST 800-171 Controls Evaluation Spreadsheet that maps each NIST requirement to controls available in the Campus Cloud. It documents what the Campus Cloud Landing Zone provides and which local controls you own, and it includes progress tracking with color-coded dashboards.
To request a copy, email info@cloud.ucsb.edu.
Cross-Provider Security Monitoring
Each provider’s security monitoring tools send findings to consolidated views:
- AWS: Security Hub aggregates GuardDuty, Config, and other findings.
- Azure: Microsoft Defender for Cloud provides the unified security posture.
- GCP: Security Command Center provides organization-wide findings.
In addition, Wiz is available for cross-provider security posture scanning. Contact the Cloud Team for details.
Account Compliance Requirements
Regardless of account type, every Campus Cloud account must:
- Have administrative passwords secured and MFA enabled
- Have valid alternate contacts (billing, security, operations)
- Apply data classification tags to resources
- Use the account only for UCSB business purposes in accordance with UC IS-3
For provider-specific controls, see: AWS Guardrails · Azure Guardrails · GCP Guardrails