Wednesday, August 29, 2018

NRAO and Trusted CI Complete Comprehensive Cybersecurity Program Assessment

Trusted CI and the National Radio Astronomy Observatory (an NSF Large Facility supported in part by NSF Award # 1647378) have completed a successful engagement focused on assessing and facilitating the continued maturation of NRAO’s information security program.  On an accelerated schedule to dovetail with NRAO’s budgetary cycle, we completed an intensive fact-finding phase and delivered a draft copy of a recommendations report providing specific, prioritized actions that NRAO could take to bolster their security program.  Before the engagement ended, NRAO used our recommendations to gain initial approval for a budgetary proposal to their executive team, proposing the internal restructuring of their team, hiring a new full-time security position, investing in tools to improve network visibility, and identifying key assets that require additional protection.

David Halstead, Chief Information Officer for NRAO, states,
The Trusted CI engagement allowed Information Services to take a holistic view of the risk and threat landscape facing the observatory’s CI instead of the more traditional audits which largely ignore the research infrastructure and focus on the financial systems.

Engagement Process

Fact-Finding. Trusted CI gathered information using a variety of methods, including dynamic question and answer sessions with NRAO staff and through review of over one hundred public and private documents obtained from publicly accessible websites and from NRAO’s internal document repository.  NRAO also completed our rigorous survey assessing the current state of their cyberinfrastructure.  During this phase of the engagement, we held seven one-hour conference calls together, focused mainly on building Trusted CI’s understanding of NRAO’s security program.

Site Visit. The Trusted CI and NRAO teams also met for a period of three days onsite in Charlottesville, Virginia, giving us an opportunity to interact face-to-face.  During that time, we performed a physical walkthrough of NRAO’s onsite computing infrastructure, interviewed personnel with security functions, and held detailed discussions on the current status of the security program as well as possible opportunities for maturation.  When a passing blizzard forced NRAO to close its doors for one of those days, the teams refused to be slowed down and instead met virtually, maximizing the amount of time we could dedicate to working together.

Recommendations Report. The subsequent report that Trusted CI delivered to NRAO first included a set of foundational recommendations.  Recommendations were marked ‘foundational’ if they appeared feasible to begin in the next six months; called for architectural, philosophical, or major resource additions or reallocations; and were expected to generate strong outcomes, particularly in facilitating other impactful actions.  We organized the other recommendations by estimated benefit and cost to implement.  Grounded in best practices and community standards, these recommendations frequently referenced the Center for Internet Security (CIS) Controls and the Australian Signals Directorate’s Essential Eight, two evidence-based control sets, as well as Trusted CI’s four pillar framework for developing cybersecurity programs for open science.

Deep Dives. After delivering the final report, we used the remainder of our engagement time to facilitate phone and email discussions focused on implementing these recommendations.  Dr. Jim Basney and Ryan Kiser, Trusted CI subject matter experts in federated identity management and application authorization respectively, each joined for a conference call focused on his area of expertise in order to share insights and answer questions posed by NRAO.  Other topics of conversation included inventory and asset management, network visibility, and Trusted CI’s process and tools for self-assessing gaps and actions under the CIS Controls v7.

Reflections and Acknowledgements

NRAO’s effort and openness were critical to the success of this engagement.  Their willingness to share information, including providing access to NRAO’s internal documents, allowed us to tailor our recommendations to their specific level of maturation in each area.  We would like to thank all of the NRAO staff who spent time talking with us and responding to our questions, especially our primary engagees David Halstead and Pat Murphy, as well as Chris Clark, Karyn Roberts, Derek Hart, Josh Malone, Matthew McCleary, Ferzen Manglicmot, Wolfgang Baudler, Warren Richardson, and Guilhem Werbelow.

NRAO’s commitment extended beyond participation and into implementation, as evidenced by how quickly the organization created a plan based on Trusted CI’s recommendations and moved to enact it.  We are excited to see this engagement already having a major impact on the funding, structure, and visibility of their security program.

We would also like to thank Steven Berukoff and Tony Hays from the Daniel K. Inouye Solar Telescope (DKIST) project for permitting us to share one of their internal network diagrams with NRAO.  Steven and Tony had presented this diagram to us during a prior Trusted CI engagement and agreed to let us share it with NRAO.  Their example of “documentation done well” assisted in facilitating a discussion on the kinds of network documentation most useful from a security and operations support standpoint.

Through interacting with NRAO and learning about their cybersecurity needs, the Trusted CI team continued to refine our understanding of the unique challenges and opportunities involved with securely supporting science.  We look forward to continuing to engage, advise, and grow with the community in this evolving landscape.  For more information on how to work with us, please visit our engagements page.

Monday, August 27, 2018

Apply for a One-on-One Engagement with Trusted CI for Early 2019

Trusted CI is accepting applications for one-on-one engagements to be executed in January - June 2019.  Applications are due October 1, 2018. (Slots are limited and in demand, so this is a hard deadline!)

To learn more about the process and criteria, and to complete the application form, visit our site:

During CTSC’s first 5 years, we’ve conducted more than 24 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions.  We support a variety of engagement types, including: assistance in developing, improving, or evaluating an information security program; software assurance-focused efforts; identity management; technology or architectural evaluation; training for staff; and more.

As the NSF Cybersecurity Center of Excellence, CTSC’s mission is to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.

Tuesday, August 14, 2018

Trusted CI Begins Engagement with the Environmental Data Initiative

The Environmental Data Initiative (NSF DBI-1565103 and DEB-1629233) is an NSF-funded project accelerating the curation and archiving of environmental data, emphasizing data from projects funded by NSF’s Divisions of Biological Infrastructure and Environmental Biology.  EDI provides support, training, and resources to help archive and publish high-quality data and metadata. They operate a secure data repository and work closely with the Long Term Ecological Research Network (LTER) and DataONE to promote data management best practices.

The goals of this engagement are to review current authentication and authorization mechanisms, identify features and requirements for the future version of the EDI Data Portal and associated backend API, and document currently available authentication and authorization solutions.

The Trusted CI-Environmental Data Initiative engagement began August 2018 and is scheduled to conclude by the end of December 2018.

Monday, August 13, 2018

CCoE Webinar August 27th at 11am ET: NIST 800-171 Compliance Program at U. Connecticut

Jason Pufahl is presenting the talk "NIST 800-171 Compliance Program at University of Connecticut" on Monday, August 27th at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.

The Department of Defense established DFARS 252.204-701, which specifies that any research containing Controlled Unclassified Information (CUI) be protected using NIST 800-171. This presentation will discuss the University of Connecticut's approach to implementing the NIST 800-171 framework, including: Contracting, Faculty Engagement, Infrastructure Implementation, Training and Controls Review.

The intention of this presentation is to provide a complete picture of what compliance with the NIST Standard requires. I will endeavor to describe the entire compliance process, starting from conceptualization of the technology solution through to the post-implementation review. The talk will be designed to appeal to compliance staff, technical staff and project managers and will emphasize elements required to build and sustain the compliance program. I will discuss the technology elements of our solution, generally, but will focus on how the technologies chosen met our goals of managing as many of the compliance requirements centrally as practical while providing a flexible solution.

Jason Pufahl is the Chief Information Security Officer for the University of Connecticut. He has 20 years of infrastructure and information security experience and has spent the last 10 years dedicated to information security and privacy. He has responsibility for information security for the institution, encompassing security awareness and training, disaster recovery, risk management, identity management, security policy and regulatory compliance, security analytics, and controls implementation.

Jason works closely with both the administrative and academic areas of the University. He is a member of the University’s Data Governance Committee, Joint Audit and Compliance Committee, and Public Safety Advisory Committee. He is also a member of the University IRB, with a primary focus on improving data privacy and security practices related to institutional research.

Jason has a Master’s in Education Technology and has a passion for professional development, security training, and awareness. He designed and ran an information security and awareness game called HuskyHunt; founded the Connecticut Higher Education Roundtable on Information Security (CHERIS) to provide a quarterly forum for sharing best practices in information security among higher education institutions in Connecticut; and is active in the security community nationally. He is a frequent conference speaker and is a member of the NERCOMP vendor and licensing committee.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, August 8, 2018

Broader Impacts Project Report

In early 2018 Trusted CI undertook an effort to develop and implement a strategy to help meet the cybersecurity needs of a broader set of NSF projects through awareness and outreach; i.e., to broaden the impact of Trusted CI.
The project involved analyzing our existing impact on the NSF community, applying our observations to Trusted CI’s 5-year vision for an NSF cybersecurity ecosystem, and identifying six strategies for broader impacts.

The full report is available online. Some highlights of the report are summarized below.

The analysis portion of the project helped to identify a few major accomplishments for the project thus far:
  • Trusted CI has impacted over 190 NSF projects.
  • Over 150 members of NSF projects attended our NSF Cybersecurity Summit.
  • Members of 70 NSF projects attended our webinars.
  • Almost 100 of these NSF projects are funded at $1 million or more.
  • 35 engagements have been conducted.
  • Over 250 hours of training seminars have been presented or hosted.

The project concluded with 6 recommendations:
  1. Fill in gaps in our collection of impact statistics (e.g., affiliation of training attendees).
  2. Explore outreach opportunities to the Education and Human Resources (EHR) and Biological Sciences (BIO) Directorates, which are currently underrepresented in our impact metrics.
  3. Increase attention on developing and maintaining the website, highlighting the content and services we are already providing. Our materials are only useful if our stakeholders can discover them. It’s helpful to consider different stakeholder perspectives when updating and reorganizing the website.
  4. Trusted CI should provide more materials addressing availability and integrity concerns from the community, leveraging external expertise.
  5. Trusted CI should document and share its experiences and expertise related to operating a community-focused center of excellence, to benefit other similar organizations.
  6. When implementing our 2019-2023 vision, Trusted CI should emphasize outreach as an essential component of each strategic objective.

Our role in the NSF community is stable and growing. Trusted CI’s next five years present an exciting challenge to take what we have learned thus far and continue to support the cybersecurity needs of NSF projects.

Thursday, August 2, 2018

2018 NSF Cybersecurity Summit - TRAINING REGISTRATION OPEN

We are happy to announce that the registration for training sessions for the 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure is now open.  The training day sessions will take place on Tuesday, August 21st. If you have not already registered for the Summit, please do so here.

Once you have registered for the summit and if you are planning to attend training day sessions, please use this form to reserve your seat for the available training sessions. A list of training session descriptions is available here.

The deadline for registration for training is Tuesday, August 14th, one week prior to the event.

Wednesday, August 1, 2018

Trusted CI begins engagement with SAGE2

SAGE2 is a multi-site collaboration and visualization tool designed for use with tiled display walls. The mission of SAGE2 is to provide an innovative, user-centered, web-based platform for enabling local and/or distributed teams to display, manage, share, and investigate large-scale datasets on tiled display walls to glean insights and discoveries with greater speed, accuracy, comprehensiveness, and confidence. The project achieves this using web-based technologies such as Node.js that are maintained by large user communities. The project provides installation packages for deployment as well as hardware recommendations for new users who are building display walls for the first time. More information about SAGE2 can be found here.

In the last 4 years, institutions have installed over 90 display walls, half of which are in the US and half international, forming an estimated hardware infrastructure investment in excess of $8M. In addition, SAGE2’s user community is growing to include sectors outside of traditional higher-ed and research communities. The diversity and distributed nature of the SAGE2 user base presents a growing set of security concerns. Identity and access management procedures in particular pose unique challenges given the variety of institutions using SAGE2 to collaborate using display walls.

The primary goal of this engagement is to outline Identity and Access Management (IAM) procedures appropriate for SAGE2’s distributed user base. Trusted CI will also seek to identify and prioritize future security goals and additional opportunities to improve the security of SAGE2.

This engagement began in July 2018 and concludes by the end of December 2018.