Friday, September 30, 2022

Trusted CI at 2022 NSF Research Infrastructure Workshop in Boulder

Earlier this month, members of Trusted CI presented a workshop at the NSF 2022 Research Infrastructure Workshop in Boulder, Colorado. 

The Research Infrastructure Workshop was a four-day event on safety, cyberinfrastructure, cybersecurity, and science communication. The hybrid event included a poster session, social gatherings, site tours of NCAR’s Research Aviation Facility, GAGE, and NEON, and virtual ice breaker and speed dating sessions to facilitate networking opportunities for everyone. Several members of Trusted CI attended the multi-day event, making new connections with operational and senior leadership at major facilities, midscale facilities, and the NSF.

Our workshop on Friday targeted cyber security officers and focused on the JASON advisory report on Cybersecurity at NSF Major Facilities, cybersecurity guidelines in the Research Infrastructure Guide (RIG), a panel on building a cybersecurity program using the Trusted CI Framework, ransomware, and how the ResearchSOC supports NSF major facilities.

Representatives from the NSF, NRAO, OOI, GAGE, and the ResearchSOC presented and participated during the workshop. We thank Craig Risien (OOI), Wade Craig (NRAO), and Doug Ertz (GAGE) for participating in the Framework panel.

Trusted CI’s partner, CI Compass, led a cyberinfrastructure workshop earlier in the day that included panels on data management and workforce development.

We are grateful to the event organizers for giving us the opportunity to present, as well as meeting with our community members, both online and in-person.

Slides and videos from the event will be posted to the NSF Research Infrastructure Knowledge Sharing Gateway when they become available.


Photos from the workshop: Trusted CI's Jim Basney and NSF's Jim Ulvestad; NSF's Robert Beverly; Trusted CI's Scott Russell; the Framework panel; Trusted CI's Ryan Kiser; ResearchSOC's Susan Sons.


Monday, September 19, 2022

Trusted CI Presenting at CENIC 2022, Streaming Option Available

Trusted CI Deputy Director and Co-PI Sean Peisert is presenting the talk, “Experiences with Adoption and Implementation of the Trusted CI Framework,” at the 2022 CENIC Annual Conference on Monday, September 26th at 11:50 a.m. (Pacific) in the Main Ballroom. This talk will be available for streaming (click here for streaming instructions).

CENIC is the Corporation for Education Network Initiatives in California. It is a non-profit corporation formed to provide high-performance, high-bandwidth networking services to California universities and research institutions. CENIC 2022 “brings together CENIC’s richly diverse community, with participants from all education segments, including public and private research universities; public libraries; scientific, cultural, and performing arts institutions; private sector technology businesses; public policy and government; healthcare; and R&E partners from across the country and around the world.”

Presentation abstract:

Trusted CI, the NSF Cybersecurity Center of Excellence, has existed for the past ten years with the goal of creating high-quality, trustworthy cyberinfrastructure to support high-quality, trustworthy science. The Trusted CI Framework, a product of Trusted CI, is a tool to help organizations establish cybersecurity programs. In response to an abundance of cybersecurity guidance focused narrowly on security controls, Trusted CI set out to develop a framework that would empower organizations to confront their cybersecurity challenges from a mission-oriented and full organizational lifecycle perspective. Within Trusted CI’s mission to lead the development of an NSF Cybersecurity Ecosystem that enables trustworthy science, the Framework fills a gap by emphasizing these programmatic fundamentals. The Trusted CI Framework is a resource to help organizations establish and refine their cybersecurity programs. It is the product of Trusted CI’s many years of accumulated experience conducting cybersecurity research, training, assessments, and consultations, and collaborating closely with the research community.

Tuesday, September 13, 2022

Trusted CI Webinar: Regulated Communities of Practice, September 26th @11am EST

Carolyn Ellis and Erik Deumens will be presenting the talk, Lowering the barrier to entry for Regulated Research through community building, September 26th at 11am (Eastern).

Please register here.

Keeping up with the newest Federal regulations, or supporting them appropriately, is a full-time job even though it is rarely able to be a dedicated position. We will share how a new community of practice on the block is lowering the barrier to entry by elevating the entire community’s regulated research programs through:
  1. Building relationships
  2. Collecting best practices
  3. Opening the dialogue on challenges by broadly sharing lessons learned
  4. Aligning with other communities
  5. Simplifying compliance
  6. Advocating for the community

Regulated Research Community of Practice (RRCoP) is a partner of Trusted CI looking to extend the reach towards research compliance and advocacy of the special circumstances that make research in academic institutions different from industry.

Join us for a glimpse of RRCoP’s roots, recent contributions, lessons learned, and what the future holds.

Speaker Bios:

Carolyn Ellis is the CMMC Program Manager at the University of California, San Diego, where she builds and leads sustainable regulated research programs. Carolyn has significant experience in grants, research, and implementing security enclaves for DOD contracts. As a leader of NSF award #2201028, Building a Community of Practice for Supporting Regulated Research, Carolyn is passionate about growing future leaders within the research compliance community. Her community building efforts also include mentoring within various women in STEM communities such as WiCyS (Women in Cybersecurity).

Erik Deumens has a PhD in computational nuclear and chemical physics and has done research in the modeling of chemical reactions and designed complex computational software. Since 2011, he has been the full-time director of the department of Research Computing in UFIT at the University of Florida. Starting in 2015, he and his staff have been in charge of a FISMA 800-53 moderate computing environment for research. During 2018 a second-generation system was completed to meet both FISMA and CUI 800-171 requirements. The new system has the advantage that it is more cost effective for research budgets. The system was assessed for compliance by a 3PAO. See https://www.rc.ufl.edu for details on UFIT RC.

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."


Monday, August 8, 2022

New Trusted CI Software Security Training Materials for the Community

In a world of continuous cyber attacks, cybersecurity is a responsibility of every person involved in the software development life cycle: managers, designers, developers, and testers. Trusted CI offers an evolving collection of training materials on software security covering topics such as secure design, secure implementation, testing, code auditing, dependency tools, static analysis tools, and fuzz testing.

The materials are freely available at https://www.cs.wisc.edu/mist/SoftwareSecurityCourse. Apart from videos and corresponding book chapters, they include hands-on exercises and quizzes for many of the topics. Classroom exercises and the solutions to the hands-on exercises and quizzes are provided to instructors by request. Most of the videos now have captions in both English and Spanish.

These materials are continuously updated as we develop new modules. The latest additions are modules on address space layout randomization (ASLR), memory safety checks, fuzz testing and using AFL, and dependency analysis tools.

These materials have been used at conferences, workshops, and government agencies to train CI professionals in secure coding, design, and testing. They are also used at the University of Wisconsin-Madison to teach CS542, Introduction to Software Security.

Trusted CI Webinar: CIS Controls, August 22nd @11am EST

Trusted CI's Shane Filus and Mark Krenz will be giving a presentation on CIS Controls on Monday, August 22nd at 11am (Eastern).

Please register here.

The Trusted CI Information Security Office (ISO) team will be presenting a webinar on the CIS Controls. This will include background and information on the CIS Controls, our recent experiences using the controls to assess Trusted CI’s own cybersecurity program and operations, and how that can be applied to your own project.

Topics include:
  • Who Trusted CI is and why we have a cybersecurity program.
  • Background on the CIS controls and what an assessment is.
  • What led us to perform a CIS assessment. 
  • Overview and discussion of our results. 
  • Differences between control versions 7.1 and 8. 
  • Discussion on methodology and tools that can be used in assessments.

Speaker Bios:

Shane Filus serves as a Senior Security Engineer at the Pittsburgh Supercomputing Center, and works with the Trusted CI, XSEDE/ACCESS, and HuBMAP projects on all aspects of cybersecurity: from operations, to incident response, to policy, and everything in between.

Mark Krenz serves as Chief Security Analyst at Indiana University’s Center for Applied Cybersecurity Research. Mark’s focus is on cybersecurity operations, research, and education. He has more than two decades of experience in system and network administration and has spent the last decade focused on cybersecurity. He serves as the CISO of the ResearchSOC and the Deputy CISO of Trusted CI.

Monday, August 1, 2022

Analysis of NSPM-33: Cybersecurity Requirements for Federally Funded Research Organizations

By: Anurag Shankar and Scott Russell

This blog post provides research organizations with a summary of the “National Security Presidential Memorandum on United States Government-Supported Research and Development National Security Policy” (NSPM-33) and the recent Office of Science and Technology Policy (OSTP) / National Science and Technology Council (NSTC) guidance, along with an analysis of the requirements.

Summary

In January 2021, then-President Trump issued a directive, the “National Security Presidential Memorandum on United States Government-Supported Research and Development National Security Policy” (NSPM-33), to all federal agencies to: 1) standardize disclosure requirements and 2) mandate a research security program for all institutions receiving a total of $50 million or more in federally funded research. In January 2022, the Office of Science and Technology Policy (OSTP) released further guidance on these requirements, including details on four elements specified in NSPM-33: cybersecurity, foreign travel security, research security training, and export control training. The cybersecurity guidance identifies 14 controls that it recommends as requirements for federal agencies to flow down to organizations receiving federal research funding. Twelve of these controls are included in the 17 “basic hygiene” controls specified by CMMC Level 1 and the 15 “minimum security controls” specified by FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” The rest are NSPM-33 specific, addressing training and ransomware/data integrity.

The OSTP guidance also includes a number of additional recommendations for federal agencies to flow down to research organizations, summarized below:

  1. Documentation: Research organizations should be required to document their research security program and provide this documentation within 30 days of a request from a research agency that is funding an award or considering an application for award funding.

  2. Certification: Research organizations should be required to provide certification of compliance with the research security program requirement. OSTP, in consultation with the NSTC Subcommittee on Research Security and OMB, plans to develop a single certification standard and process that will apply across all research agencies.

  3. Timeline: Research organizations should establish a research security program as soon as possible, but given one year from the date of issuance of the formal requirement to comply. Organizations that become subject to the requirement in subsequent years are supposed to be similarly provided one additional year to comply.

  4. Assistance: The Federal Government should provide technical assistance to support development of training content and program guidelines, tools, and best practices for research organizations to incorporate at their discretion. Agencies represented on the National Counterintelligence Task Force, in conjunction with the National Counterintelligence and Security Center, should jointly develop content that research organizations can leverage to meet requirements for research security programs and training. The Federal Government should consider supporting the formation of a community consortium to develop and maintain research security program information and implementation resources for research organizations, to include resources suitable for use within research security programs. The development of program content should be a collaborative effort between the government and organizations.

  5. Discretion: Research organizations should be provided flexibility to structure the organization’s research security program to best serve its particular needs, and to leverage existing programs and activities where relevant, provided that the organization implements all required program components. Research organizations should be given flexibility in how they choose to integrate research security requirements into existing programs, such as existing cybersecurity programs. Research organizations should be strongly encouraged to integrate some or all elements into a coherent research security program, where applicable and feasible.

  6. Audit: Funding agencies should consider integrating the research security program requirement into the Compliance Supplement’s Research and Development Cluster audit guidance as part of the single audit of Federal grant and assistance programs (2 C.F.R. Part 200, Appendix XI).

Analysis

The primary questions raised by NSPM-33 and the NSTC/OSTP guidance are: 1) How will these requirements be flowed down to research organizations? 2) To what extent will funding agencies follow the guidance put forth by the NSTC? 3) What is the scope of the requirements?

Regarding the first question, NSPM-33 only directly impacts federal funding agencies (e.g., NSF, DOE): the NSPM does not impose any requirements directly on research institutions. Instead, it instructs federal funding agencies to impose these requirements on research institutions receiving federal research funding. While the NSTC/OSTP guidance specifies January 2023 as the deadline for eligible institutions to comply, it does not specify how the requirements should be imposed. Moreover, the provision of NSPM-33 that specifically mentions cybersecurity is only intended to apply to research institutions receiving over $50 million in federal research funding, without clarifying how these institutions should be identified.

Practically speaking, the funding agencies may impose these requirements on all *new* grants. So although existing grants are technically unaffected, research institutions that wish to continue to receive funding will be forced to implement the requirements regardless.

Moreover, it is unclear to what extent federal funding agencies are bound by the NSTC guidance. NSPM-33 only instructs OSTP to “promulgate guidelines for research institutions to mitigate risks to research security and integrity”: it is not empowered to dictate what requirements federal funding agencies impose. Indeed, neither OSTP nor NSTC is mentioned in the subsection referencing research security programs and cybersecurity.

Scope is another issue. The guidance does not clarify whether the security program requirements apply only to researchers receiving federal funding or to every researcher within the organization. It specifies controls for programs to implement but does not explicitly state whether every system used by researchers (e.g., their workstations) is in scope or only institutional systems. Since this has financial repercussions, clarity is needed on what the requirements cover.

A research security program clearly requires controls to secure projects. However, prescribing a set of controls which research systems must implement can be problematic, as research systems have unique needs that may not be met by traditional controls (instead requiring alternate controls to achieve their mission). Moreover, the focus on system-centric controls is not well suited to securing research workflows, which require more than technical controls alone. The uniqueness of research systems (telescopes, sensors, microscopes, etc.) requires different approaches than controls designed to secure generic “systems.” For example, the Trusted CI Framework is a more appropriate fit for research programs. It includes controls, but gives the institution flexibility in choosing a baseline control set that is tailored to the institution’s mission. Additionally, this baseline control set is supplemented with additional and alternate controls that are particularly important in the research context, as research infrastructure often requires specialized protections. Securing research ultimately requires flexibility.

Applying the same level of security to all research is also unwise. How research is protected is currently scoped to data by sensitivity and regulatory requirements. This is done for a reason, namely to apply security in proportion to risk and thereby contain cost. Expanding it indiscriminately would be wasteful and unnecessary. For instance, public data does not need the same level of security as patient data.

The guidance asks agencies to allow flexibility on which program components institutions choose to implement but also directs them to “strongly encourage” choosing them all. With a documentation submission requirement, it is unclear how the program will be judged and what the impact of a “less than perfect choice” might be (e.g., of not having all of the controls in place).

The certification requirement is also likely to present challenges. As the CMMC rollout shows, designing a certification process for compliance at this scale is extremely challenging. And whereas CMMC is limited in scope, NSPM-33 is potentially much broader. Whereas under CMMC most organizations can design isolated environments for controlled unclassified information (CUI) to limit scope, certifying compliance for research will be much more challenging, given the variety and complexity of research infrastructure.

Friday, July 29, 2022

Trusted CI Co-authors Identity Management Cookbook for NSF Major Facilities

Trusted CI’s Josh Drake has co-authored a new document addressing many identity management (IdM) challenges present at NSF Major Facilities. Due to their size and collaborative missions, Major Facilities often have many users, across multiple organizations, all with different access permissions to a diverse collection of CI resources. The Federated Identity Management Cookbook aims to address these challenges by providing time-tested “recipes” for building IdM capabilities, as well as a primer on the topic of IdM itself.

“While operating the IdM working group and CI Compass, we had many opportunities to engage with major facilities on identity and access management issues facing researchers. We were able to explore a variety of options to help researchers integrate federated identities into their cyberinfrastructure,” said Josh Drake. “This cookbook represents the distilled version of months of engagement with the MF community and a primer to identity management concepts that we hope will be of use to research cyberinfrastructure operators everywhere.” Trusted CI’s Ryan Kiser and Adrian Crenshaw also participated in the engagements that contributed to the cookbook.

This work was created in partnership with Erik Scott (RENCI) and CI Compass. CI Compass provides expertise and active support to cyberinfrastructure practitioners at NSF Major Facilities in order to accelerate the data lifecycle and ensure the integrity and effectiveness of the cyberinfrastructure upon which research and discovery depend.

The cookbook is available in the CI Compass Resource Library and on Zenodo. See CI Compass’s website to read the full press release.