Friday, May 16, 2014

CTSC Advice on Cybersecurity for NSF IRNC Solicitation

NSF’s IRNC solicitation has the following special award condition:

The awardee is responsible for security of all equipment and information systems funded directly or indirectly by this award. The awardee may be required to present to the cognizant NSF Program Officer and Grants and Agreements Officer an IT security plan addressing policies and procedures for review and approval within 60 days of award. The plan should include evaluation criteria that will measure the successful implementation and deployment of the plans, policies and procedures.

CTSC has the following advice when crafting this security plan, some of which you may want to mention in your proposal:
  1. When considering cybersecurity, consider the security of the network routing, monitoring and operations infrastructure, as well as the information security needs of the endpoint customers you are serving.
  2. Review the outcomes of the Security at the Cyber Border workshop, which discusses the shared cybersecurity responsibilities of link operators and the organizational endpoints they serve. The report also discusses the challenges of making network data available to researchers.
  3. When considering the cybersecurity of the network, take a risk-based approach as described by NIST and CTSC. CTSC has online training on developing a risk-based cybersecurity program.
  4. For monitoring needs, consider Bro and the NSF-funded Bro Center of Expertise.

Finally, CTSC exists to help NSF projects with cybersecurity challenges. We can give your plan a quick review for completeness, or collaboratively help you address challenges. Please feel free to contact us either before or after proposal submission.