Tuesday, September 22, 2020

Trusted CI Webinar: Cybersecurity Maturity Model Certification (CMMC) on Tues Oct 6 @11am Eastern

Trusted CI's Scott Russell is presenting the webinar, Cybersecurity Maturity Model Certification (CMMC), on Tuesday October 6th at 11am (Eastern). 

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.

The US has historically taken a fairly minimalist approach to cybersecurity regulation, but recent years have shown a trend toward increasing regulation. The latest in this trend is the US Department of Defense’s “Cybersecurity Maturity Model Certification” (CMMC). CMMC has garnered quite a bit of attention recently, as it intends to impose cybersecurity compliance requirements on the entire Defense Industrial Base (DIB), over 300,000 organizations (including some universities). CMMC has emerged at a breakneck pace, and there is still a great deal of uncertainty regarding who is impacted, what is required, and how organizations should respond.

This talk will 1) introduce US cybersecurity regulation and compliance generally; 2) provide the background and context leading to CMMC; 3) overview CMMC; and 4) suggest approaches for thinking about cybersecurity compliance moving forward.

Speaker Bio:

Scott Russell is a Senior Policy Analyst at the Indiana University Center for Applied Cybersecurity Research. Scott was previously the Postdoctoral Fellow in Information Security Law & Policy. Scott’s work thus far has emphasized private sector cybersecurity best practices, data aggregation and the First and Fourth Amendments, and cybercrime in international law. Scott studied Computer Science and History at the University of Virginia and received his J.D. from the Indiana University Maurer School of Law.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Get an early look at a chapter from the Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators

In anticipation of the 2020 NSF Cybersecurity Summit, Trusted CI has released v0.9 of a chapter from the forthcoming Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators.  The chapter is focused on Must 15: Organizations must adopt and use a baseline control set. The chapter explains the nature of baseline control sets and the rationale for making adoption an absolute “Must.” It provides Research Cyberinfrastructure Operators (RCOs) a roadmap and advice on addressing this fundamental step toward a mature cybersecurity program. This chapter is the result of Trusted CI’s years of accumulated experience conducting research, training, assessments, consultations, and collaborating closely with the research community. It has been reviewed and vetted by the Framework Advisory Board. 


Read on to learn more. For inquiries, please contact info@trustedci.org. 


About the Trusted CI Framework


The Trusted CI Framework is a tool to help organizations establish cybersecurity programs. In response to an abundance of cybersecurity guidance focused narrowly on security controls, Trusted CI set out to develop a framework that would empower organizations to confront their own cybersecurity challenges from a mission-oriented and full organizational lifecycle perspective. Within Trusted CI’s mission to lead development of an NSF Cybersecurity Ecosystem that enables trustworthy science, the Framework fills a gap by emphasizing these programmatic fundamentals.


The Trusted CI Framework is structured around 4 “Pillars” which make up the foundation of a competent cybersecurity program: Mission Alignment, Governance, Resources, and Controls.


Within these pillars are 16 “Musts” that identify the concrete, critical elements required for running a competent cybersecurity program. The 4 Pillars and the 16 Musts combined make up the “Framework Core,” which is designed to be applicable in any environment and for any organization and which is unlikely to change significantly over time.


About the forthcoming Framework Implementation Guide


This Framework Implementation Guide is designed for direct use by research cyberinfrastructure operators (RCOs). A “Framework Implementation Guide” (FIG) is an audience-specific deep dive into how an organization would begin implementing the 16 Musts. FIGs provide detailed guidance and recommendations and are expected to be updated much more frequently than the Framework Core.


We define RCOs as organizations that operate on-premises, cloud-based, or hybrid computational and data/information management systems, instruments, visualization environments, networks, and/or other technologies that enable knowledge breakthroughs and discoveries. These include, but are not limited to, major research facilities, research computing centers within research institutions, and major computational resources that support research computing.


Trusted CI will publish v1 of the FIG in early CY2021.


About the Framework Advisory Board


As a product ultimately designed for use in the Research and Higher Education communities, this Framework Implementation Guide is being developed with significant input from stakeholders that represent a cross section of the target audience. The Framework Advisory Board (FAB) includes 19 stakeholders with diverse interests and roles in the research and education communities. Over the course of 2020, Trusted CI’s Framework project team is engaging the FAB on a monthly basis, and the group is providing substantial critique and constructive inputs on draft material. 


The Framework Advisory Board is:

Kay Avila (NCSA); Steve Barnet (IceCube); Tom Barton (University of Chicago); Jim Basney (NCSA); Jerry Brower (NOIRLab, Gemini Observatory); Jose Castilleja (NCAR / UCAR); Shafaq Chaudhry (UCF); Eric Cross (NSO); Carolyn Ellis (Purdue U.); Terry Fleury (NCSA); Paul Howell (Internet2); Tim Hudson (NEON / Battelle / Arctic); David Kelsey (UKRI/WISE); Tolgay Kizilelma (UC Merced); Nick Multari (PNNL); Adam Slagell (ESnet); Susan Sons (IU CACR); Alex Withers (NCSA / XSEDE); Melissa Woo (Michigan State U.)


Thursday, September 17, 2020

Trusted CI Webinar: ACCORD: Integrating CI policy and mechanism to support research on sensitive data on Sep. 28th at 11am (EDT)

University of Virginia's Ron Hutchins, Tho Nguyen, and Neal Magee are presenting ACCORD: Integrating CI policy and mechanism to support research on sensitive data, on Monday September 28th at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.

Today, a large number of researchers do not have access to secure, compliance-capable research computing infrastructure at their home institutions. Traditional institutional secure CI only supports “in-house” users. The ACCORD project is set up to address the challenge of scaling institutional secure research computing services to support community users. To accomplish this goal, we are deploying a policy-centric cyberinfrastructure that prioritizes security, compliance, and accessibility. In this presentation, we describe ACCORD’s approach of leveraging the latest CI tools to compartmentalize research environments into reusable containers that can be catalogued and managed. For example, we rely on the InCommon federation to streamline user authentication hurdles, COmanage to lessen user onboarding and management difficulties, and containers coupled with a web-driven interface to alleviate the user accessibility burden. The challenge is to, hopefully, hit the right levels of simplicity and security for a variety of users. In this presentation we will also share the current project status, lessons learned, and future goals. Discussion will be welcome.

Speaker Bio:

Dr. Ronald R. Hutchins currently serves as Vice President for Information Technology at UVA. In this role, Ron focuses on creating a university-wide strategy in IT for teaching, learning, research, and administrative technologies while honoring the University’s deep culture and tradition. Prior to joining UVA, Ron served as Associate Vice Provost for Research and Technology and Chief Technology Officer at the Georgia Institute of Technology in Atlanta, Georgia.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, September 15, 2020

Trusted CI Begins Engagement with SCiMMA

The Scalable Cyberinfrastructure Institute for Multi-Messenger Astrophysics (SCiMMA), funded under NSF grant #1934752, is a planned collaboration between data scientists, computer scientists, astronomers, astro-particle physicists, and gravitational wave physicists.  Leveraging NSF investments in astronomical and multi-messenger facilities and in advanced cyberinfrastructure, SCiMMA intends to prototype a publish-subscribe system based on Apache Kafka to distribute alerts from gravitational wave, neutrino and electromagnetic observatories to authorized subscribers (initially, public alerts so that all subscribers are authorized, but eventually proprietary alerts).  The system will additionally rely on supporting infrastructure, including: machine learning algorithms to analyze and classify alerts; an AARC2-style federated identity and access management suite; and event databases for richer data mining. The pub/sub prototype will be hosted on cloud resources, including a commercial cloud. Upon award completion, SCiMMA will pursue funding for a sustained distributed institute that will expand the scope and depth of the prototyped system.


To this end, SCiMMA is seeking help with various components of their prototype cyberinfrastructure. Primarily, they seek to develop a sound IT security program. Through a kick-off meeting and follow-up discussion, Trusted CI and SCiMMA have defined and prioritized their needs as a set of tasks that outline the goals of the engagement, specifically:


  1. Perform a security review of SCiMMA’s cyberinfrastructure using the Trusted CI Security Program Evaluation worksheet in order to assess the target level of cybersecurity needed;

  2. Using information documented in step 1, develop the start of a security program leveraging a master information security policies and procedures document;

  3. Develop an asset inventory to be used by the security program in step 2; and

  4. Perform a nascent risk assessment using identified assets with a corresponding residual risk registry.


Upon completion of the engagement, Trusted CI will produce a final, publishable report describing the work performed, potential impact to the open-science community, and areas SCiMMA may find appropriate for future engagements.


Thursday, September 10, 2020

Data Confidentiality Issues and Solutions in Academic Research Computing

Many universities have needs for computing with “sensitive” data, such as data containing protected health information (PHI), personally identifiable information (PII), or proprietary information. Sometimes this data is subject to legal restrictions, such as those imposed by HIPAA, CUI, FISMA, DFARS, GDPR, or the CCPA, and at other times, data may simply not be sharable per a data use agreement. It may be tempting to think that such data is typically only in the domain of DOD and NIH funded research, but it turns out that this assumption is far from reality. While this issue arises in numerous scientific domains, including ones that people might immediately think of, such as medical research, it also arises in many others: economics, sociology, and other social sciences that might look at financial data, student data, or psychological records; chemistry and biology, particularly work relating to genomic analysis, pharmaceuticals, manufacturing, and materials; engineering analyses, such as airflow dynamics; underwater acoustics; and even computer science and data analysis, including advanced AI research, quantum computing, and research involving system and network logs. Such research is funded by an array of sponsors, including the National Science Foundation (NSF) and private foundations.

Few organizations currently have computing resources appropriate for sensitive data. Many universities have started thinking about how to enable computing on sensitive data, but they may not know where to start.

In order to address the community need for insights on how to start thinking about computing on sensitive data, in 2020, Trusted CI examined data confidentiality issues and solutions in academic research computing.  Its report, “An Examination and Survey of Data Confidentiality Issues and Solutions in Academic Research Computing,” was issued in September 2020.  The report is available at the following URL:

https://escholarship.org/uc/item/7cz7m1ws

The report examined both the varying needs involved in analyzing sensitive data and also a variety of solutions currently in use, ranging from campus and PI-operated clusters to cloud and third-party computing environments to technologies like secure multiparty computation and differential privacy.  We also discussed procedural and policy issues involved in campuses handling sensitive data.

Our report was the result of numerous conversations with members of the community.  We thank all of them and are pleased to acknowledge those who were willing to be identified here and also in the report:

  • Thomas Barton, University of Chicago, and Internet2
  • Sandeep Chandra, Director for the Health Cyberinfrastructure Division and Executive Director for Sherlock Cloud, San Diego Supercomputer Center, University of California, San Diego
  • Erik Deumens, Director of Research Computing, University of Florida
  • Robin Donatello, Associate Professor, Department of Mathematics and Statistics, California State University, Chico
  • Carolyn Ellis, Regulated Research Program Manager, Purdue University
  • Bennet Fauber, University of Michigan
  • Forough Ghahramani, Associate Vice President for Research, Innovation, and Sponsored Programs, Edge, Inc.
  • Ron Hutchins, Vice President for Information Technology, University of Virginia
  • Valerie Meausoone, Research Data Architect & Consultant, Stanford Research Computing Center
  • Mayank Varia, Research Associate Professor of Computer Science, Boston University

For the time being, this report is intended as a standalone initial draft for use by the academic computing community. Later in 2020, this report will be accompanied by an appendix with additional technical details on some of the privacy-preserving computing methods currently available.  

Finally, in late 2020, we also expect to integrate issues pertaining to data confidentiality into a future version of the Open Science Cyber Risk Profile (OSCRP). The OSCRP is a document first created in 2016 to develop a “risk profile” that helps scientists understand the risks to their projects arising from threats to scientific computing. While the first version included issues in data confidentiality, a revised version will include some of the additional insights we gained in developing this report.

As with many Trusted CI reports, both the data confidentiality report and the OSCRP are intended to be living reports that will be updated over time to serve community needs. It is our hope that this new report helps answer many of the questions that universities are asking, and also that it begins conversations in the community and results in questions and feedback that will help us improve this report over time. Comments, questions, and suggestions about this post and both documents are always welcome at info@trustedci.org.

Going forward, the community can expect additional reports from us on the topics mentioned above, as well as a variety of other topics. Please watch this space for future blog posts on these studies.


Friday, September 4, 2020

Introducing the Law and Policy Student Affiliate Program

The CACR-Maurer Student Affiliate program is a collaboration between the IU Center for Applied Cybersecurity Research (CACR), which leads Trusted CI, and the IU Maurer School of Law, wherein law students with a demonstrated interest in privacy and cybersecurity are given an opportunity to work on real world legal problems. The student affiliates work directly with Scott Russell, who is a Senior Policy Analyst at CACR, Trusted CI team member, and a Maurer graduate, and contribute to law and policy guidance materials produced by Trusted CI.

Previous student affiliates have conducted research relating to Controlled Unclassified Information, the EU General Data Protection Regulation, the California Consumer Privacy Act, US Export Control Laws and Regulations, the DoD Cybersecurity Maturity Model Certification, and Artificial Intelligence & Ethics. Materials developed by these student affiliates have directly contributed to guidance materials Trusted CI has created for the NSF science community, including webinars, live presentations, trainings, blog posts, internal whitepapers, and memoranda.


For the Fall 2020 semester, there will be one student affiliate: Madeline Blaney. Madeline is a second year law student at Maurer and the President of the Maurer Cybersecurity and Privacy Law Association. 


The program is managed by Maurer professor Joseph Tomain, who also manages the Maurer Graduate Certificate in Cybersecurity Law and Policy and the Graduate Certificate in Information Privacy Law and Policy. Student affiliates receive 1 credit hour for participating in the program. Participation in the student affiliate program is typically reserved for students pursuing a Maurer Graduate Certificate in Cybersecurity Law and Policy but is also open to non-certificate students with sufficient background in privacy and cybersecurity law. This is CACR’s fourth semester with student affiliates, building on a long history of collaboration between CACR and Maurer.


Wednesday, August 26, 2020

Welcoming Kelli Shute as Trusted CI’s Executive Director

I am happy to announce that Kelli Shute, who joined IU CACR and Trusted CI as a project manager last year, has accepted the role of Executive Director for Trusted CI. During her time, Kelli has demonstrated great leadership in keeping the 30 individuals across six sites that contribute to Trusted CI day-to-day, and our growing set of partners, moving forward in an effective, coordinated manner. Kelli will work closely with me as the PI and Director, Jim Basney as Trusted CI’s Deputy Director, and the other co-PIs and leadership team.

Please join me in congratulating and welcoming Kelli in her new role.

Von Welch

Trusted CI Director and PI