Monday, March 1, 2021

Published: The Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators


On behalf of Trusted CI, we are pleased and excited to announce the release of version 1.0 of the Trusted CI Framework Implementation Guide (FIG) for Research Cyberinfrastructure Operators (RCOs). This guide is the culmination of many years of accumulated experience conducting cybersecurity research, training, assessments, and consultations, and collaborating closely with the research community. It has been reviewed and vetted by our Framework Advisory Board, a diverse collection of stakeholders from the research community. This launch of the first FIG represents a major step forward in advancing Trusted CI’s mission to enable trustworthy science through cybersecurity guidance, templates, and tools, empowering those projects to focus on their science endeavors. [1]

We also published a new Cybersecurity Program Strategic Plan template along with releasing significantly updated versions of the Incident Response Policy and Master Information Security Policy & Procedures templates.

Learn more about the Framework, download FIG v1.0, explore our templates and tools, offer feedback, and share your experiences by visiting https://www.trustedci.org/framework. [2]

About the Trusted CI Framework


The Trusted CI Framework is a tool to help organizations establish and refine their cybersecurity programs. In response to an abundance of guidance focused narrowly on cybersecurity controls, Trusted CI set out to develop a new framework that would empower organizations to confront cybersecurity from a mission-oriented, programmatic, and full organizational lifecycle perspective.

The Trusted CI Framework is structured around 4 Pillars which make up the foundation of a competent cybersecurity program: Mission Alignment, Governance, Resources, and Controls.

Composing these pillars are 16 Musts that identify the concrete, critical requirements for establishing and running a competent cybersecurity program. The 4 Pillars and the 16 Musts combined make up the Framework Core, which is designed to be applicable in any environment and useful for any organization.

About the Framework Implementation Guide for Research Cyberinfrastructure Operators (RCOs)


This Framework Implementation Guide is designed for use by research cyberinfrastructure operators (RCOs). We define RCOs as organizations that operate on-premises, cloud-based, or hybrid computational and data/information management systems, scientific instruments, visualization environments, networks, and/or other technologies that enable knowledge breakthroughs and discoveries. These include, but are not limited to, major research facilities, research computing centers within research institutions, and major computational resources that support research computing. The chapters in this FIG provide RCOs with roadmaps for establishing mature cybersecurity programs, pointers to resources, and advice on overcoming potential challenges.

About the Framework Advisory Board (FAB)


As a product ultimately designed for use in the research and higher education communities, this Framework Implementation Guide was developed with significant input from stakeholders that represent a cross section of the target audience. This Framework Advisory Board (FAB) is a collection of 19 volunteers with diverse interests and roles in the research and education communities. From January 2020 through January 2021, Trusted CI’s Framework project team engaged the FAB on a monthly basis, conducting two meetings per month to accommodate the broad geographic distribution of all its members. The FAB provided substantial input, suggestions, questions, and critiques during the drafting of the FIG content. Based on this input from the FAB, the authors refined and published version 1.0.
The Framework Advisory Board is:

Kay Avila (NCSA); Steve Barnet (IceCube); Tom Barton (University of Chicago); Jim Basney (NCSA); Jerry Brower (NOIRLab, Gemini Observatory); Jose Castilleja (NCAR / UCAR); Shafaq Chaudhry (UCF); Eric Cross (NSO); Carolyn Ellis (Purdue U.); Terry Fleury (NCSA); Paul Howell (Internet2); Tim Hudson (NEON / Battelle / Arctic); David Kelsey (UKRI/WISE); Tolgay Kizilelma (UC Merced); Nick Multari (PNNL); Adam Slagell (ESnet); Susan Sons (IU CACR); Alex Withers (NCSA / XSEDE); Melissa Woo (Michigan State U.)

Thank you for your interest. We look forward to your feedback and hearing about your experiences with the Framework and FIG.

***

[1] A “Framework Implementation Guide” (FIG) is an audience-specific deep dive into how an organization would begin implementing the 16 Musts. FIGs provide detailed guidance and recommendations and are expected to be updated much more frequently than the Framework Core.

[2] This page now includes templates and tools from the “Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects” webpage. Visitors accessing the old “Guide” page will be redirected to the Framework webpage going forward. Finally, we are leveraging the Zenodo.org Trusted CI Community to archive FIG v1.0. Zenodo.org is a catch-all repository for open science and is funded by the European Commission via OpenAIRE (https://www.openaire.eu/about) and CERN (https://home.cern/about).

Thursday, February 25, 2021

Trusted CI Engagement Application is now Open

Trusted CI Engagement Application Period is Open

Applications Due April 2, 2021

Apply for a one-on-one engagement with Trusted CI for early 2021

Trusted CI is accepting applications for one-on-one engagements to be executed in July-Dec 2021. Applications are due April 2, 2020. (Slots are limited and in demand, so this is a hard deadline!)


To learn more about the process and criteria, and to complete the application form, visit our site:

http://trustedci.org/application


During Trusted CI’s first 5 years, we’ve conducted more than 24 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions. We support a variety of engagement types including: assistance in developing, improving, or evaluating an information security program; software assurance-focused efforts; identity management; technology or architectural evaluation; training for staff; and more.

As the NSF Cybersecurity Center of Excellence, Trusted CI’s mission is to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.

Thursday, February 18, 2021

Trusted CI Announces The 2021 Fellows


Trusted CI, the NSF Cybersecurity Center of Excellence, is excited to announce the Trusted CI Open Science Cybersecurity Fellows. Eight individuals with professional interests in cybersecurity have been selected from a nationally competitive pool. During the year of their Fellowship, they will receive recognition and cybersecurity professional development including training and travel funding to cybersecurity related events.


The 2021 Trusted CI Open Science Cybersecurity Fellows are:

Deb McCaffrey

Research Computing Facilitator at Michigan Medicine

Deb McCaffrey is a Research Computing Facilitator at Michigan Medicine, the University of Michigan's health system and medical school. She fell backwards into facilitation after completing a PhD in physical chemistry at UC Berkeley and has never looked back. She loves being involved in all the different research projects on campus and learning something new every day. Her long-term career goal is to get NIH and NSF to collaborate on cyberinfrastructure and provide NSF-like programs to researchers with sensitive data.

Amiya Maji

Senior Computational Scientist at Purdue University

Amiya works as a Sr. Computational Scientist at Purdue University, where he collaborates with researchers from various scientific domains to streamline their scientific processes and reduce application and data bottlenecks. He also leads the software build automation and testing efforts for Purdue's HPC clusters. Amiya’s research focuses on reliability and security of distributed computing systems; more specifically on vulnerability analysis and testing of mobile and cloud applications, and of IoT devices. Amiya and his colleagues have discovered several vulnerabilities in Android mobile applications and more recently in Wear OS. Amiya is also passionate about emerging socio-technological issues such as ethical AI and the spread of misinformation in social networks.

Dr. Elie Alhajjar

Research Scientist at the Army Cyber Institute (ACI)

Dr. Elie Alhajjar is a research scientist at the Army Cyber Institute (ACI) and jointly an Assistant Professor in the Department of Mathematical Sciences at the United States Military Academy (USMA) in West Point, NY, where he teaches and mentors cadets from all academic disciplines. His research interests include mathematical modeling, machine learning, and network analysis, from a cybersecurity viewpoint. He has presented his research work in international meetings in North America, Europe, and Asia. Before coming to West Point, Dr. Elie Alhajjar had a research appointment at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD. He holds a Master of Science and a PhD in mathematics from George Mason University, as well as master’s and bachelor’s degrees from Notre Dame University.


Matthew Peterson

Senior Faculty Research Assistant at Oregon State Univ.

Matthew is a Senior Faculty Research Assistant at Oregon State University's (OSU) Center for Genome Research and Biocomputing, where he is responsible for managing REDCap (Research Electronic Data Capture) platforms, assisting with health-related data management in the Cloud, and developing software pipelines for computational processing of genomics laboratory data. This past year, he has also been responsible for secure data management for the OSU TRACE-COVID-19 study that examines the prevalence of the novel coronavirus in communities. Matthew holds an M.S. in Applied Information Management from the University of Oregon and a Graduate Certificate in College and University Teaching from OSU. He is passionate about teaching and serves as an instructor for high performance computing and programming courses.

Mauricio Tavares

System and Network Administrator at RENCI

Mauricio Tavares has worked in the credit card and medical industry, which led to an interest in the behavioral aspect of data security and privacy. He has published on topics ranging from aerospace engineering to computer automation and data privacy. At RENCI he is a member of the FABRIC security working group, helping craft the policies and procedures and advising IT staff to effectively protect this multinational research project.

Richard Wagner

Systems Integration Engineer at University of California, San Diego

Rick is part of the UCSD Research IT team, where he helps design and build cyberinfrastructure solutions for highly complex research projects that cut across the campus and beyond it. His career began with using cyberinfrastructure as a tool for research in astrophysics, solving data challenges in cosmology and supersonic turbulence. From there he worked in HPC at the San Diego Supercomputer and with Globus at the University of Chicago.
Shuyuan Mary Ho

Associate Professor at Florida State University

Shuyuan’s research focuses on trusted human-computer interactions, investigating issues of computer-mediated deception, disinformation, cyberbullying, hate speech, cloud forensics, cyber insider threat, and interactive cyber defense. She adopts heuristic approaches to coaching the next-gen cybersecurity workforce. Shuyuan is a sociotechnical behavioral scientist designing human-centered computing experiments that simulate complex trust interactions in cyberinfrastructure. Novel methodologies are invented to computationally model the defense of cyberspace, while addressing information ethics and privacy.
Michael Kyle

Scientific Applications Consultant at University of Delaware

Michael’s background is in Meteorology, and he has several years of experience as a scientific programmer. He currently works at the University of Delaware (UD) in the Information Technologies Research Cyberinfrastructure unit. In this role, Michael works directly with UD’s researchers and its partnering organizations to assist them in the best use of UD’s HPC resources. He is currently working on a Master’s in Cybersecurity at UD and wants to combine his passions for cybersecurity and research cyberinfrastructure to continue developing a safe and secure computing environment for all types of research.


The Fellows will receive training consisting of a Virtual Institute, providing 20 hours of basic cybersecurity training over six months. The training will be delivered by Trusted CI staff and invited speakers. The Virtual Institute will be presented as a weekly series via Zoom and recorded to be publicly available for later online viewing. Travel support is budgeted (during their first year only) to cover fellows’ attendance at the NSF Cybersecurity Summit, PEARC, and one professional development opportunity agreed to with Trusted CI. The Fellows will be added to an email list to discuss any challenges they encounter that will receive prioritized attention from Trusted CI staff. Trusted CI will recognize the Fellows on its website and social media. Fellowships are funded for one year, after which the Trusted CI Fellows will be encouraged to continue participating in Trusted CI activities in the years following their fellowship year. After their training in the Virtual Institute, Fellows, with assistance from the Trusted CI team, are expected to help their science community with cybersecurity and make them aware of Trusted CI for complex needs. By the end of the year, they will be expected to present or write a short white paper on the cybersecurity needs of their community and some initial steps they will take (or have taken) to address these needs. After the Fellowship year Trusted CI will continue to recognize the cohort of Fellows and give them prioritized attention. Over the years, this growing cohort of Fellows will broaden and diversify Trusted CI’s impact.

About the Trusted CI Fellows Program

Trusted CI serves the scientific community as the NSF Cybersecurity Center of Excellence, providing leadership in and assistance with cybersecurity in support of research. In 2019, Trusted CI established an Open Science Cybersecurity Fellows program. This program establishes and supports a network of Fellows with diversity in both geography and scientific discipline. These fellows will have access to training and other resources to foster their professional development in cybersecurity. In exchange, they will champion cybersecurity for science in their scientific and geographic communities and communicate challenges and successful practices to Trusted CI.

Fellows come from a variety of career stages. They demonstrate a passion for their area, the ability to communicate ideas effectively, and a real interest in the role of cybersecurity in research. Fellows are empowered to talk about cybersecurity to a wider audience, network with others who share a passion for cybersecurity for open science and learn key skills that benefit them and their collaborators.

Tuesday, February 16, 2021

Trusted CI Begins Engagement with Open OnDemand


Open OnDemand is funded by NSF OAC and is an open-source HPC portal based on the Ohio Supercomputer Center's original OnDemand portal. The goal of Open OnDemand is to provide an easy way for system administrators to provide web access to their HPC resources.

Open OnDemand is now seeing increased community adoption. As a result, it is becoming a critical production service for many HPC centers and clients. By improving the overall security of the project, we will ensure that it continues to be a trusted and reliable platform for the hundreds of centers and tens of thousands of clients that regularly utilize it.

Open OnDemand has engaged with Trusted CI to support their efforts to further develop the project’s ability to produce secure software. Trusted CI previously conducted an in-depth vulnerability assessment applying the FPVA methodology to Open OnDemand software. The results of this prior assessment will help to inform the activities of this engagement. During the course of the prior FPVA assessment, Trusted CI staff worked directly to test Open OnDemand’s software to identify vulnerabilities with support from the Open OnDemand team. Trusted CI will now work with Open OnDemand to improve the project’s ability to maintain the security of their software as changes are made and to identify and mitigate future vulnerabilities.

Upon completion of the engagement, Trusted CI will produce a published report describing the work performed, potential impact to the open-science community, and areas Open OnDemand may find appropriate for future engagements.

Monday, February 15, 2021

Trusted CI Begins Engagement with FABRIC

FABRIC: Adaptive Programmable Research Infrastructure for Computer Science and Science Applications, funded under NSF grants 1935966 and 2029261, is a national scale testbed that connects to prior existing testbeds, such as PAWR, as well as the real Internet. FABRIC aims to expand its outreach, enabling new science applications, using a diverse array of networks, integrating machine learning, and preparing the next generation of computer science researchers.

The FABRIC project began in 2019 and reached out to Trusted CI for an engagement during this early phase of development. The engagement goals are focused on reviewing FABRIC's software development process, the trust boundaries in the FABRIC system, and the FABRIC security and monitoring architecture.

We will be publishing a report from the engagement when it concludes in June.

Monday, February 8, 2021

Trusted CI Webinar: CARE: Cybersecurity in Application, Research and Education Mon Feb 22 @11am Eastern

Temple University's Aunshul Rege is presenting the talk, CARE: Cybersecurity in Application, Research and Education, on Monday February 22nd at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.

In an era where big data, machine learning algorithms, and simulations are used to understand cyberattacks and cybersecurity, is there room for qualitative or 'thick' data? This talk shares a social scientist’s perspective on the relevance of thick data in understanding the ‘how’ and ‘why’ of adversarial behavior, movement, decision-making, adaptation to disruptions, and group dynamics. More specifically, it highlights potential for symbiotic relationships between social science methodologies, such as observations and focus groups, and technical methodologies, such as time series analysis, social network analysis, and machine learning and prediction. The talk will then share how social science students must be trained via discipline-specific education to effectively engage in the cybersecurity discourse. It details specific educational efforts via social engineering course projects and capture-the-flag competitions that not only cater to social science students, but also technical students, and how these efforts help break silos to foster multidisciplinary dialog.

Speaker Bio: Dr. Aunshul Rege is an Associate Professor with the Department of Criminal Justice. She is the Director of the CARE (Cybersecurity in Application, Research, and Education) Lab, which focuses on the human and social aspects of cyberattacks and cybersecurity. Dr. Rege is the recipient of numerous National Science Foundation grants, including the prestigious NSF CAREER award. Her research examines adversarial decision-making, adaptation and movement, and she has worked with Computer Scientists and Engineers in academia, industry and government. Dr. Rege and her team at the CARE Lab have generated a critical infrastructure ransomware incident dataset, which maps to the MITRE ATT&CK framework and is highly requested by organizations, governments, academics, and students from all over the world. Dr. Rege is also passionate about cybersecurity education and has designed several experiential social engineering learning projects, which have been mapped to the NICE cybersecurity workforce framework and downloaded worldwide by educators and businesses. A month ago, she hosted a purely social engineering capture the flag competition at Temple University, which featured professional social engineers as judges and six undergraduate student teams. This competition is the first cybersecurity capture-the-flag competition to emphasize the human factor that is grounded in the social sciences. Dr. Rege has received a new NSF education grant, which will allow her to pursue this endeavor starting 2021. Not only has Dr. Rege's work been published in well-regarded journals and peer-reviewed conference proceedings, but her efforts have also been recognized in highly regarded cybersecurity outlets like Security Week, Bleeping Computer, and Dark Reading. She hopes to continue to make the social sciences more mainstream and embedded in the cybersecurity discourse.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."


Wednesday, February 3, 2021

Trusted CI and SGCI Collaborate to Secure the Galaxy Science Gateway Platform

Galaxy, an open-source, scientific workflow system developed by the Galaxy Project (GP) Community, provides a means to build multi-step computational analyses using a graphical web user interface that allows a user to specify the type of data to operate on, what steps to take, and in what order. It accelerates innovation by allowing researchers to carry out analyses without having to do any programming. Galaxy is also heavily used as a tool integration platform for biology and genomics with thousands of popular tools available. It supports data uploads from a user endpoint and many well-known, online data sources (such as the UCSC Genome Browser, BioMart, and InterMine), allowing users to analyze public data or bring their own.

In the second half of 2020, the Galaxy Project team engaged with Trusted CI to review the security of a new Galaxy software distribution being developed as a containerized package, with an eye toward its use with sensitive information such as protected health information (PHI). The Trusted CI team used effort funded by the SGCI and Trusted CI partnership.

The teams met weekly over the engagement period to develop a shared understanding of Galaxy’s architecture, data flows, existing safeguards, and software development practices. Trusted CI used the NIST 800-53 control catalog to guide the discussions and created a Galaxy System Security Plan (SSP), which will be offered to the Galaxy Community as a template to support compliance with security regulations for local installations. The engagement concluded with a report containing a series of recommendations to further improve Galaxy’s security posture. Trusted CI also identified opportunities for future engagements between Trusted CI and Galaxy as the scope for the present engagement was limited to the containerized package.

The Trusted CI team would like to extend our sincere thanks to the entire Galaxy team for their partnership throughout the engagement and we look forward to future opportunities to collaborate.