Thursday, April 18, 2019

Leverage Trusted CI in your NSF SaTC Proposal

NSF SaTC solicitations are focused on areas critical to cybersecurity research and development. NSF's current Secure and Trustworthy Cyberspace Frontiers Solicitation (LOI Due July 5th, Proposal due Sept 30th) in conjunction with the SaTC program solicitation NSF 18-572 includes the following guidance:
The goals of the SaTC program are aligned with the Federal Cybersecurity Research and Development Strategic Plan (RDSP) and the National Privacy Research Strategy (NPRS) to protect and preserve the growing social and economic benefits of cyber systems while ensuring security and privacy. The RDSP identified six areas critical to successful cybersecurity research and development: (1) scientific foundations; (2) risk management; (3) human aspects; (4) transitioning successful research into practice; (5) workforce development; and (6) enhancing the research infrastructure.
Trusted CI, the NSF Cybersecurity Center of Excellence, has engaged practitioners in research, academia, industry, and government to identify top cybersecurity needs and gaps which might be filled through successful transitioning of cybersecurity research into practice, as reported on the Trusted CI TTP blog. We may be able to connect you with practitioners who have articulated needs that your project's innovations may address. We have identified NSF-funded cybersecurity researchers actively working to address some of the top cybersecurity needs, with whom we can connect you to enable collaboration for NSF research transition.

We offer the following suggestions to engage us in these areas.

Reach out to us at ttp@trustedci.org to let us know the focus for your project, and the types of practitioners or researchers you would like to collaborate with to support your proposal. 

Participate in the Cybersecurity TTP Program. Request an invitation to attend the June 19, 2019 Cybersecurity TTP workshop in Chicago, where you will meet researchers and practitioners.

Indicate Your Intent to Approach the CCoE regarding your proposal. We invite proposing NSF SaTC projects to indicate their intention to approach Trusted CI once they are funded. Proposers are free to include language showing an awareness of cybersecurity of a specific issue and showing you are aware of Trusted CI, how we can help, and that you plan to approach us if funded to collaborate. You can do this unilaterally without any commitment from Trusted CI (and please be aware it does not commit Trusted CI; we do our best to help all NSF projects, but are subject to our own resource availability). We ask that you let us know if you reference Trusted CI this way, to help us plan ahead.

Possible language to include in a proposal:
Our proposal team recognizes [the need to collaborate with operational leaders and cybersecurity researchers to enable practical cybersecurity innovations to be accelerated into operational environments in our areas of focus including xxx]. To address this we plan to approach the NSF-funded Cybersecurity Center of Excellence (trustedci.org). The Cybersecurity Center of Excellence (CCoE) engages researchers and practitioners to identify and help address cybersecurity challenges and maintain the trustworthy nature of cyberinfrastructure. We understand that engagements with CCoE are collaborative, and have budgeted resources in our project to work with CCoE on our challenge.
Trusted CI can also provide a letter of collaboration for your proposal using this template.

Include the CCoE in your Proposal. You can include one or more of the CCoE Partners (IU, Internet2, LBNL, NCSA, PSC, U. Wisconsin) via a subcontract on your proposal, a process that provides a firm commitment of our participation. Please contact us to discuss which partner would be most appropriate, whether the commitment would be exclusive for a given solicitation, and the level of effort that would be involved. In this case, we would provide a custom letter of collaboration indicating our agreement to the terms of the subcontract.

If you are preparing a SaTC, CICI, or other NSF proposal and would like additional assistance from Trusted CI, don't hesitate to contact us to discuss how Trusted CI can help.


Wednesday, April 10, 2019

Welcoming Eric Cross to the Trusted CI Advisory Committee

I am happy to welcome Eric Cross to the Trusted CI Advisory Committee. Eric is the Information Technology Manager for the National Solar Observatory (NSO) in Boulder, Colorado, and has in the past served in the same role at the National Ecological Observatory Network (NEON) and the Raytheon Company. During his time at the NSO, he has played key roles in major projects including moving the organization to cloud-based collaboration applications via Google GSuite, deploying IT services at a newly constructed facility for Daniel K. Inouye Solar Telescope (DKIST) support and science research staff, and managing the procurement and deployment of the DKIST Operations Network and IT infrastructure at the Haleakalā summit on the island of Maui, Hawai’i.

Eric replaces David Halstead of NRAO on the advisory committee. I thank David for his contributions to Trusted CI on the committee.

Jim Basney
Deputy Director, Trusted CI

Tuesday, April 9, 2019

Cyberinfrastructure Vulnerabilities 2019 Q1 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is freely available to all by subscribing to Trusted CI’s mailing lists (see below).

We monitor a number of sources for software vulnerabilities of interest, then determine which ones are of the most critical interest to the community. While it’s easy to identify issues that have piqued the public news cycle, we strive to alert on issues that affect the CI community in particular. These are identified using the following criteria: the affected technology’s or software’s pervasiveness in the CI community; the technology’s or software’s importance to the CI community; type and severity of potential threat, e.g., remote code execution; the threat’s ability to be remotely triggered; the threat’s ability to affect critical core functions; and whether mitigation is available. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE, the NSF supercomputing centers, and the ResearchSOC (the newly formed CaaS MSSP) on drafting and distributing alerts to minimize duplication of effort and maximize benefit from community expertise. Some of the sources we monitor for possible threats to CI include:
In 1Q2019 the Cyberinfrastructure Vulnerabilities team issued the following 4 vulnerability alerts to 124 subscribers:
If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available at https://list.iu.edu/sympa/arc/cv-announce-l.

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.

Monday, April 8, 2019

CCoE Webinar April 22nd at 11am ET: REED+: A cybersecurity framework for research data at Purdue University

Preston Smith is presenting the talk "REED+: A cybersecurity framework for research data at Purdue University" on Monday April 22nd at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.
The REED+ framework integrates NIST SP 800-171 and other related NIST publications as the foundation of the framework. This framework serves as a standard for campus IT to align with security regulations and best practices, create a single process for intake and contracting, and facilitate easy mapping of controlled research to CI resources for the sponsored programs office, human subjects office, and export control office.

The framework allows researchers to experience faster intake of new funded projects and be more competitive for research dollars. Using student-developed training materials and instruction, researchers, administrators, and campus IT are now able to more clearly understand previously complicated data security regulations affecting research projects.

The ecosystem developed from this project enables new partnerships with government agencies, and industry partners from the defense, aerospace, and life science sectors. Experiences and best practices in providing cyberinfrastructure and security awareness developed from this collaboration are documented and shared with the broader CI and campus community through conferences, journals and workshops.

In addition to the IT challenges (security controls, technology, or regulations), the REED+ team will discuss the use of research facilitators dedicated to regulated research; building relationships between campus IT organizations, appropriate compliance offices, research administration, IRBs, and export control offices; and improving institutional processes.

Ultimately the goal is to create a systematic approach which results in rapid flow from contracts to actionable technical requirements to implementation to approval, so that research data can begin in the minimum possible time frame.
Speaker bio:

Preston Smith is the Director of Research Computing Services at Purdue University. Supporting over 180 HPC faculty, and 550 labs using research data systems, Purdue's Community Cluster program is a pioneering program for delivering "condo-style" HPC. At Purdue, his organization designs, builds, and operates compute systems, and delivers advanced research support to the campus community.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, March 20, 2019

Jim Basney appointed as Trusted CI Deputy Director



I’m happy to announce that as of March 15th, Jim Basney is serving as Trusted CI’s Deputy Director. In this role, Jim will work closely with me to manage Trusted CI’s many activities as well as help with outreach to the research community. Jim has been with Trusted CI since its inception and has more than two decades of experience working with the research community. He is an internationally recognized leader in open science identity and access management, and leads the CILogon project.

It’s my pleasure to officially welcome Jim into this new role at Trusted CI.

Von Welch, Director, Trusted CI

Scripps Institution of Oceanography, Trusted CI, and CACR Launch Engagement

We are pleased to announce the start of an engagement with Scripps Institution of Oceanography at the University of California San Diego. Scripps Oceanography is supported by multiple NSF awards, including #1327683, 1212770, and 1556466, as well as research awards from the Department of Defense and National Oceanographic and Atmospheric Administration (among others).

This engagement is in collaboration with the DOD-funded Principles-Based Assessment for Cybersecurity Toolkit (PACT) project. PACT is a methodology and tool set based on the Information Security Practice Principles and developed in collaboration by Trusted CI, the IU Center for Applied Cybersecurity Research, and Naval Surface Warfare Center Crane. Lessons learned from applying the methodology to Scripps Oceanography will be used to refine PACT.  Scripps Oceanography’s interest in engaging with Trusted CI and the PACT project presented a perfect opportunity to leverage Trusted CI’s expertise and knowledge of complex open science environments, while advancing a methodology with potential for very broad application.


Tuesday, March 19, 2019

Including Trusted CI in your NSF CSSI Proposal

Cybersecurity is an important element in every cyberinfrastructure project plan. For example, NSF's current Cyberinfrastructure for Sustained Scientific Innovation (CSSI) solicitation (Due Monday, April 8th) includes the following guidance:
The description of the CI architecture and processes should explain how security, trustworthiness, provenance, reproducibility, and usability will be addressed by the project and integrated into the proposed system and the engineering process, and how adaptability to new technologies and changing requirements will be addressed by the project and built into the proposed system, as appropriate.
It's often the case that while writing a proposal you will identify a cybersecurity challenge suited to a collaboration with Trusted CI. We offer the following suggestions to indicate your intent to engage with Trusted CI to solve the challenge, hence indicating in your proposal that you both recognize the challenge and take it seriously.

Identify and utilize Trusted CI resources. Our cybersecurity program guide provides recommendations and templates for establishing and maintaining cybersecurity programs. Our online training materials and webinars cover many cybersecurity topics tailored to the NSF CI community. Our annual cybersecurity summit provides a venue for training sessions for cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community.

Indicate Your Intent to Approach the CCoE. We invite proposing NSF CI projects to indicate their intention to approach Trusted CI once they are funded. Trusted CI resources and staff are available to assist NSF projects with cybersecurity plans and training, via one-on-one engagements, and other Trusted CI activities. For example, Trusted CI recently engaged with the Environmental Data Initiative (EDI). Proposers are free to include language showing an awareness of cybersecurity of a specific issue and showing you are aware of Trusted CI, how we can help, and that you plan to approach us if funded to collaborate on addressing the issue. You can do this unilaterally without any commitment from Trusted CI (and please be aware it does not commit Trusted CI; we do our best to help all NSF projects, but are subject to our own resource availability). We ask that you let us know if you reference Trusted CI this way, to help us plan ahead.

Possible language to include in a proposal:
Our proposal team recognizes [that cybersecurity is important for the effort we are undertaking | we have a cybersecurity challenge with regards to XXX]. To address this issue we plan to approach the NSF-funded Cybersecurity Center of Excellence (trustedci.org). The Cybersecurity Center of Excellence (CCoE) engages projects such as the one we propose to help them address cybersecurity challenges and maintain the trustworthy nature of the computational science we support. We understand that engagements with CCoE are collaborative, and have budgeted resources in our project to work with CCoE on our challenge.
Trusted CI can also provide a letter of collaboration for your proposal using this template.

Include the CCoE in your Proposal. You can include one or more of the CCoE Partners (IU, Internet2, LBNL, NCSA, PSC, U. Wisconsin) via a subcontract on your proposal, a process that provides a firm commitment of our participation. Please contact us to discuss which partner would be most appropriate, whether the commitment would be exclusive for a given solicitation, and the level of effort that would be involved. In this case, we would provide a custom letter of collaboration indicating our agreement to the terms of the subcontract.

If you are preparing a CSSI proposal and would like additional assistance from Trusted CI, don't hesitate to contact us to discuss how Trusted CI can help.