Monday, May 6, 2019

CCoE Webinar May 20th at 11am ET: Deployable Internet Routing Security

Amir Herzberg is presenting the talk "Deployable Internet Routing Security" on Monday May 20th at 11am (Eastern).

Note: we moved the webinar up one week to avoid the Memorial Day holiday.

Please register here. Check spam/junk folder for registration confirmation email.
Internet routing is woefully insecure - in spite of many attacks and extensive awareness and efforts. But, finally, there is progress - and even some deployable defenses, based on free open-source software - including some that we develop in a CICI NSF project, whose goal is to get Internet Routing Security deployed in educational and research networks. These tools may help against different attacks - including Denial of Service, a significant problem for campuses and for scientific collaboration.

In this webinar, we will explain the challenges of Internet Routing Security and the main tools: those already deployable, those in progress, and, briefly, some less likely to be deployed. We will also discuss our directions, which include development of tools as well as pilot deployment with UConn and the Connecticut Education Network. We hope this may help some of you make progress in improving the security and reliability of networks, and establish cooperation with us as we proceed with our project.
Speaker bio:

Amir Herzberg is the Comcast Professor for Cybersecurity Innovation in the Department of Computer Science and Engineering, University of Connecticut. His research areas include network security (especially routing, DNS, transport, denial of service, and the Web), privacy and anonymity, applied cryptography, usable security, security for cyber-physical systems, and the social, economic and legal aspects of security.

Dr. Herzberg earned his Ph.D. in Computer Science in 1991 from the Technion in Israel. From 1991 to 1995, he worked at the IBM T.J. Watson Research Center, where he was a research staff member and the manager of the Network Security research group. From 1996 to 2000, Dr. Herzberg was the Manager of E-Business and Security Technologies at the IBM Haifa Research Lab. From 2002 to 2017, he was a professor at Bar-Ilan University (Israel).

Dr. Herzberg is the author of more than 150 research papers, five book chapters, and 24 patents. Dr. Herzberg has served on technical program committees of over 50 conferences, delivered keynote and plenary addresses at ten conferences, organized multiple professional events, and has been TPC chair of IEEE CNS'19, editor of PoPETS (2014-) and ACM TISSEC (2011-14), and area chair of CNS (2013-17). Dr. Herzberg is the recipient of the Internet Society's Applied Networking Research award, 2017.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Thursday, April 25, 2019

Trusted CI Announces Six Inaugural Fellows

Trusted CI, the NSF Cybersecurity Center of Excellence, is excited to announce the inaugural cohort of Trusted CI Open Science Cybersecurity Fellows. Six individuals with professional interests in cybersecurity have been selected from a nationally competitive pool and designated the first Trusted CI Fellows.  During the year of their Fellowship, they will receive recognition and cybersecurity professional development including training and travel funding to cybersecurity related events.

The 2019 Trusted CI Open Science Cybersecurity Fellows are:

Shafaq Chaudhry, Assistant Director of Graduate and Research IT at the University of Central Florida. Shafaq's research interests include public safety communications, wireless networks and Software-Defined Networking. She is the Central Florida coordinator for the Aspirations in Computing (AiC) program of the National Center for Women & Information Technology (NCWIT) and the president of the Women in EECS group at UCF. Shafaq has been serving on the reviewer committee for the Grace Hopper Celebration conference since 2017.

Matias Carrasco Kind, Senior Research and Data Scientist at the National Center for Supercomputing Applications. Matias is an expert in scientific cloud computing and scientific platforms. His interests in astrophysics are in cosmology, extragalactic astronomy, machine and deep learning, especially in large scale structures, galaxy formation and evolution, and photometric redshift estimation. He is also interested in data-intensive science, data visualization, image processing, web applications, scientific platforms, software engineering and architecture, and cyberinfrastructure in general.

Gabriella Perez, Research Technology Compliance Specialist at the University of Iowa. Gabriella has served as the University of Iowa's Research Technology Compliance Specialist since the position was created in May 2017. She is the primary campus point of contact for technology compliance questions among researchers and the campus OneIT network of technical specialists who utilize the campus computing cluster. She serves as a cybersecurity and compliance liaison with the Division of Sponsored Programs, the Human Subjects Office, and the UI Libraries.

Aunshul Rege, Associate Professor with the Department of Criminal Justice at Temple University. Aunshul has been researching proactive cybersecurity in the context of cybercrimes against critical infrastructures for over 10 years. Specifically, her research examines adversarial and defender behavior, decision-making, adaptations, modus operandi, and group dynamics. Aunshul is also passionate about educating the next generation workforce across the social and hard sciences about the relevance of the human factor in cybersecurity through experiential learning.

Chrysafis Vogiatzis, Assistant Professor at North Carolina A&T State University. Chrysafis' current research interests lie in network optimization and combinatorial optimization, along with their vast applications in modern socio-technical and biological systems. One of the main axes of his research is the study of centrality metrics in biological, social, and infrastructure networks, in order to identify groups and persons of interest.

S. Jay Yang, Professor at the Rochester Institute of Technology. Jay is currently a Professor and the Department Head for the Department of Computer Engineering at Rochester Institute of Technology and also serves as the Director of Global Outreach in the Center of Cybersecurity at RIT. His research group has developed several pioneering machine learning, attack modeling, and simulation systems to provide predictive analytics and anticipatory cyber defense. His earlier works included FuSIA, VTAC, ViSAw, F-VLMM, and attack obfuscation modeling.

The Fellows will receive training consisting of a Virtual Institute, providing 20 hours of basic cybersecurity training over six months. The training will be delivered by Trusted CI staff and invited speakers. The Virtual Institute will be presented as a weekly series via Zoom and recorded to be publicly available for later online viewing. Travel support is budgeted (during their first year only) to cover Fellows' attendance at the NSF Cybersecurity Summit, PEARC, and one professional development opportunity agreed to with Trusted CI. The Fellows will be added to an email list to discuss any challenges they encounter, which will receive prioritized attention from Trusted CI staff. Trusted CI will recognize the Fellows on its website and social media.

Fellowships are funded for one year, after which the Trusted CI Fellows will be encouraged to continue participating in Trusted CI activities in the years following their fellowship year. After their training in the Virtual Institute, Fellows, with assistance from the Trusted CI team, are expected to help their science community with cybersecurity and make them aware of Trusted CI for complex needs. By the end of the year, they will be expected to present or write a short white paper on the cybersecurity needs of their community and some initial steps they will take (or have taken) to address these needs. After the Fellowship year, Trusted CI will continue to recognize the cohort of Fellows and give them prioritized attention. Over the years, this growing cohort of Fellows will broaden and diversify Trusted CI's impact.

About the Trusted CI Fellows Program

Trusted CI serves the scientific community as the NSF Cybersecurity Center of Excellence, providing leadership and assistance in cybersecurity in support of research. In 2019, Trusted CI is establishing an Open Science Cybersecurity Fellows program. This program will establish and support a network of Fellows with diversity in both geography and scientific discipline. These Fellows will have access to training and other resources to foster their professional development in cybersecurity. In exchange, they will champion cybersecurity for science in their scientific and geographic communities, and communicate challenges and successful practices to Trusted CI. Fellows come from a variety of career stages. They demonstrate a passion for their area, the ability to communicate ideas effectively, and a real interest in the role of cybersecurity in research. Fellows are empowered to talk about cybersecurity to a wider audience, network with others who share a passion for cybersecurity for open science, and learn key skills that benefit them and their collaborators.

Thursday, April 18, 2019

Leverage Trusted CI in your NSF SaTC Proposal

NSF SaTC solicitations are focused on areas critical to cybersecurity research and development. NSF's current Secure and Trustworthy Cyberspace Frontiers Solicitation (LOI Due July 5th, Proposal due Sept 30th) in conjunction with the SaTC program solicitation NSF 18-572 includes the following guidance:
The goals of the SaTC program are aligned with the Federal Cybersecurity Research and Development Strategic Plan (RDSP) and the National Privacy Research Strategy (NPRS) to protect and preserve the growing social and economic benefits of cyber systems while ensuring security and privacy. The RDSP identified six areas critical to successful cybersecurity research and development: (1) scientific foundations; (2) risk management; (3) human aspects; (4) transitioning successful research into practice; (5) workforce development; and (6) enhancing the research infrastructure.
Trusted CI, the NSF Cybersecurity Center of Excellence, has engaged practitioners in research, academia, industry, and government to identify top cybersecurity needs and gaps which might be filled through successful transitioning of cybersecurity research into practice, as reported on the Trusted CI TTP blog. We may be able to connect you with practitioners articulating needs which your project innovations may address. We have identified NSF-funded cybersecurity researchers actively working to address some of the top cybersecurity needs, with whom we can connect you to enable collaboration for NSF research transition.

We offer the following suggestions to engage us in these areas.

Reach out to us at ttp@trustedci.org to let us know the focus for your project, and the types of practitioners or researchers you would like to collaborate with to support your proposal. 

Participate in the Cybersecurity TTP Program. Request an invitation to attend the June 19, 2019 Cybersecurity TTP workshop in Chicago, where you will meet researchers and practitioners.

Indicate Your Intent to Approach the CCoE regarding your proposal. We invite proposing NSF SaTC projects to indicate their intention to approach Trusted CI once they are funded. Proposers are free to include language showing an awareness of a specific cybersecurity issue, showing that you are aware of Trusted CI and how we can help, and stating that you plan to approach us to collaborate if funded. You can do this unilaterally without any commitment from Trusted CI (and please be aware it does not commit Trusted CI; we do our best to help all NSF projects, but are subject to our own resource availability). We ask that you let us know if you reference Trusted CI in this way, to help us plan ahead.

Possible language to include in a proposal:
Our proposal team recognizes [the need to collaborate with operational leaders and cybersecurity researchers to enable practical cybersecurity innovations to be accelerated into operational environments in our areas of focus including xxx]. To address this we plan to approach the NSF-funded Cybersecurity Center of Excellence (trustedci.org). The Cybersecurity Center of Excellence (CCoE) engages researchers and practitioners to identify and help address cybersecurity challenges and maintain the trustworthy nature of cyberinfrastructure. We understand that engagements with CCoE are collaborative, and have budgeted resources in our project to work with CCoE on our challenge.
Trusted CI can also provide a letter of collaboration for your proposal using this template.

Include the CCoE in your Proposal. You can include one or more of the CCoE Partners (IU, Internet2, LBNL, NCSA, PSC, U. Wisconsin) via a subcontract on your proposal, a process that provides a firm commitment of our participation. Please contact us to discuss which partner would be most appropriate, whether the commitment would be exclusive for a given solicitation, and the level of effort that would be involved. In this case, we would provide a custom letter of collaboration indicating our agreement to the terms of the subcontract.

If you are preparing a SaTC, CICI, or other NSF proposal and would like additional assistance from Trusted CI, don't hesitate to contact us to discuss how Trusted CI can help.

Wednesday, April 10, 2019

Welcoming Eric Cross to the Trusted CI Advisory Committee

I am happy to welcome Eric Cross to the Trusted CI Advisory Committee. Eric is the Information Technology Manager for the National Solar Observatory (NSO) in Boulder, Colorado, and has in the past served in the same role at the National Ecological Observatory Network (NEON) and the Raytheon Company. During his time at the NSO, he has played key roles in major projects including moving the organization to cloud-based collaboration applications via Google GSuite, deploying IT services at a newly constructed facility for Daniel K. Inouye Solar Telescope (DKIST) support and science research staff, and managing the procurement and deployment of the DKIST Operations Network and IT infrastructure at the Haleakalā summit on the island of Maui, Hawai’i.

Eric replaces David Halstead of NRAO on the advisory committee. I thank David for his contributions to Trusted CI on the committee.

Jim Basney
Deputy Director, Trusted CI

Tuesday, April 9, 2019

Cyberinfrastructure Vulnerabilities 2019 Q1 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is freely available to all by subscribing to Trusted CI’s mailing lists (see below).

We monitor a number of sources for software vulnerabilities of interest, then determine which ones are of the most critical interest to the community. While it’s easy to identify issues that have piqued the public news cycle, we strive to alert on issues that affect the CI community in particular. These are identified using the following criteria: the affected technology’s or software’s pervasiveness in the CI community; the technology’s or software’s importance to the CI community; type and severity of potential threat, e.g., remote code execution; the threat’s ability to be remotely triggered; the threat’s ability to affect critical core functions; and if mitigation is available. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE, the NSF supercomputing centers, and the ResearchSOC (the newly formed CaaS MSSP) on drafting and distributing alerts to minimize duplication of effort and maximize benefit from community expertise. Some of the sources we monitor for possible threats to CI include:
In 1Q2019 the Cyberinfrastructure Vulnerabilities team issued the following 4 vulnerability alerts to 124 subscribers:
If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available at https://list.iu.edu/sympa/arc/cv-announce-l.

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.

Monday, April 8, 2019

CCoE Webinar April 22nd at 11am ET: REED+: A cybersecurity framework for research data at Purdue University

Preston Smith is presenting the talk "REED+: A cybersecurity framework for research data at Purdue University" on Monday April 22nd at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
The REED+ framework integrates NIST SP 800-171 and other related NIST publications as its foundation. It serves as a standard for campus IT to align with security regulations and best practices, creates a single process for intake and contracting, and facilitates easy mapping of controlled research to CI resources for the sponsored programs office, human subjects office, and export control office.

The framework allows researchers to experience faster intake of new funded projects and be more competitive for research dollars. Using student-developed training materials and instruction, researchers, administrators, and campus IT are now able to more clearly understand previously complicated data security regulations affecting research projects.

The ecosystem developed from this project enables new partnerships with government agencies and industry partners from the defense, aerospace, and life science sectors. Experiences and best practices in providing cyberinfrastructure and security awareness developed from this collaboration are documented and shared with the broader CI and campus community through conferences, journals and workshops.

In addition to the IT challenges (security controls, technology, or regulations), the REED+ team will discuss the use of research facilitators dedicated to regulated research; building relationships between campus IT organizations, appropriate compliance offices, research administration, IRBs, and export control offices; and improving institutional processes.

Ultimately the goal is to create a systematic approach which results in rapid flow from contracts to actionable technical requirements to implementation to approval, so that work with research data can begin in the minimum possible time frame.
Speaker bio:

Preston Smith is the Director of Research Computing Services at Purdue University, supporting over 180 HPC faculty and 550 labs using research data systems. Purdue's Community Cluster program is a pioneering program for delivering "condo-style" HPC. At Purdue, his organization designs, builds, and operates compute systems, and delivers advanced research support to the campus community.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, March 20, 2019

Jim Basney appointed as Trusted CI Deputy Director

I’m happy to announce that as of March 15th, Jim Basney is serving as Trusted CI’s Deputy Director. In this role, Jim will work closely with me to manage Trusted CI’s many activities as well as help with outreach to the research community. Jim has been with Trusted CI since its inception and has more than two decades of experience working with the research community. He is an internationally recognized leader in open science identity and access management, and leads the CILogon project.

It’s my pleasure to officially welcome Jim into this new role at Trusted CI.

Von Welch, Director, Trusted CI

Scripps Institution of Oceanography, Trusted CI, and CACR Launch Engagement

We are pleased to announce the start of an engagement with Scripps Institution of Oceanography at the University of California San Diego. Scripps Oceanography is supported by multiple NSF awards, including #1327683, #1212770, and #1556466, as well as research awards from the Department of Defense and the National Oceanographic and Atmospheric Administration (among others).

This engagement is in collaboration with the DOD-funded Principles-Based Assessment for Cybersecurity Toolkit (PACT) project. PACT is a methodology and tool set based on the Information Security Practice Principles and developed in collaboration by Trusted CI, the IU Center for Applied Cybersecurity Research, and Naval Surface Warfare Center Crane. Lessons learned from applying the methodology to Scripps Oceanography will be used to refine PACT.  Scripps Oceanography’s interest in engaging with Trusted CI and the PACT project presented a perfect opportunity to leverage Trusted CI’s expertise and knowledge of complex open science environments, while advancing a methodology with potential for very broad application.

Tuesday, March 19, 2019

Including Trusted CI in your NSF CSSI Proposal

Cybersecurity is an important element in every cyberinfrastructure project plan. For example, NSF's current Cyberinfrastructure for Sustained Scientific Innovation (CSSI) solicitation (Due Monday, April 8th) includes the following guidance:
The description of the CI architecture and processes should explain how security, trustworthiness, provenance, reproducibility, and usability will be addressed by the project and integrated into the proposed system and the engineering process, and how adaptability to new technologies and changing requirements will be addressed by the project and built into the proposed system, as appropriate.
It's often the case that while writing a proposal you will identify a cybersecurity challenge suited to a collaboration with Trusted CI. We offer the following suggestions to indicate your intent to engage with Trusted CI to solve the challenge, hence indicating in your proposal that you both recognize the challenge and take it seriously.

Identify and utilize Trusted CI resources. Our cybersecurity program guide provides recommendations and templates for establishing and maintaining cybersecurity programs. Our online training materials and webinars cover many cybersecurity topics tailored to the NSF CI community. Our annual cybersecurity summit provides a venue for training sessions for cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community.

Indicate Your Intent to Approach the CCoE. We invite proposing NSF CI projects to indicate their intention to approach Trusted CI once they are funded. Trusted CI resources and staff are available to assist NSF projects with cybersecurity plans and training, via one-on-one engagements and other Trusted CI activities. For example, Trusted CI recently engaged with the Environmental Data Initiative (EDI). Proposers are free to include language showing an awareness of a specific cybersecurity issue, showing that you are aware of Trusted CI and how we can help, and stating that you plan to approach us if funded to collaborate on addressing the issue. You can do this unilaterally without any commitment from Trusted CI (and please be aware it does not commit Trusted CI; we do our best to help all NSF projects, but are subject to our own resource availability). We ask that you let us know if you reference Trusted CI in this way, to help us plan ahead.

Possible language to include in a proposal:
Our proposal team recognizes [that cybersecurity is important for the effort we are undertaking | we have a cybersecurity challenge with regards to XXX]. To address this issue we plan to approach the NSF-funded Cybersecurity Center of Excellence (trustedci.org). The Cybersecurity Center of Excellence (CCoE) engages projects such as the one we propose to help them address cybersecurity challenges and maintain the trustworthy nature of the computational science we support. We understand that engagements with CCoE are collaborative, and have budgeted resources in our project to work with CCoE on our challenge.
Trusted CI can also provide a letter of collaboration for your proposal using this template.

Include the CCoE in your Proposal. You can include one or more of the CCoE Partners (IU, Internet2, LBNL, NCSA, PSC, U. Wisconsin) via a subcontract on your proposal, a process that provides a firm commitment of our participation. Please contact us to discuss which partner would be most appropriate, whether the commitment would be exclusive for a given solicitation, and the level of effort that would be involved. In this case, we would provide a custom letter of collaboration indicating our agreement to the terms of the subcontract.

If you are preparing a CSSI proposal and would like additional assistance from Trusted CI, don't hesitate to contact us to discuss how Trusted CI can help.

Wednesday, March 13, 2019

Trusted CI presenting at the Great Plains Network Annual Meeting (May 21 - 23)

Members of Trusted CI will be presenting three training sessions at the Great Plains Network (GPN) Annual Meeting in Kansas City, Missouri (May 21st - 23rd).

Bob Cowles and Mark Krenz are presenting "Developing Cybersecurity Programs for NSF Projects." This tutorial describes Trusted CI's Framework for cybersecurity programs to protect science projects.

Mark Krenz and Ishan Abhinit are presenting "Security Log Analysis." Participants will learn how to collect and analyze system logs to help detect security incidents.

Anurag Shankar and Ryan Kiser are presenting "Building NIST Risk Management Framework for HIPAA and FISMA." This session will familiarize participants with how to tackle HIPAA, FISMA, and NIST 800-171, US regulations that affect research computing.

More details about the conference will be posted here as they become available.

Monday, March 11, 2019

CCoE Webinar March 25th at 11am ET: The NSF CC-DNI SecureCloud Project

Casimer DeCusatis is presenting the talk "The NSF CC-DNI SecureCloud Project: Autonomic Cybersecurity for Zero Trust Cloud Computing" on Monday March 25th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
Cyberinfrastructure is undergoing a radical transformation as traditional data centers are replaced by cloud computing. Cloud hosted applications tend to have a poorly defined network perimeter and large attack surfaces, and pose significant challenges for network visibility, segmentation, and authentication. We discuss research from the NSF SecureCloud project, which addresses the unique requirements of cloud security using an autonomic, zero trust architecture. We have created and tested original software using a first-of-a-kind cybersecurity test bed constructed at the New York State Cloud Computing & Analytic Center, Marist College. We developed the first honeypot for software defined network (SDN) controllers, and created honeypots for graph database APIs, SSH, and other applications. These honeypots collect raw data telemetry, which is processed into actionable threat intelligence using our Lightweight Cloud Analytics for Real Time Security (LCARS), a SIEM that includes the G-Star graph database and hive plot visualizer. We have built a threat intelligence database including attack patterns and orchestrated response recipes. We demonstrate dynamic reconfiguration using REST APIs for network appliances, while we cloak high risk applications using a combination of Transport Layer Access Control and First Packet Authentication. Use cases include reconfiguration of trust levels in response to distributed denial of service (DDoS) and other attacks.
Speaker bio:

Casimer DeCusatis is an Assistant Professor at Marist College. He is a Cisco Distinguished Speaker, Fellow of IEEE, OSA, SPIE, and recipient of the following awards: IEEE Kiyo Tomiyasu, IEEE R1 Cybersecurity Education, Sigma Xi Walston Chubb, Mensa Copper Black, PSU Outstanding Alumnus, and IEEE/HKN OYEE. He received his M.S. (1988) and Ph.D. (1990) from RPI and his B.S. from Penn State (1986).

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, March 5, 2019

Upcoming events featuring Trusted CI

Interested in the latest from Trusted CI? Want a chance to chat in person with us? Members of Trusted CI will be participating in a number of events over the next few months.

Internet2 Global Summit (March 5-8) in Washington, D.C.
The summit focuses on trust and identity; advanced networking; information security; and integrated solutions for research, scholarship and creativity. Von Welch will be presenting in the Executive Track on Tuesday on Cybersecurity for Open Science. On Friday Jim Basney and Von Welch will be co-presenting a talk with UC San Diego's Michael Corn, "Strategies for Research Cybersecurity and Compliance from the Lab."

CENIC Annual Conference (March 18-20) in San Diego, CA.
The Corporation for Education Network Initiatives in California (CENIC) is hosting its annual conference bringing together participants from all education segments, research universities, public libraries, private sector technology businesses, public policy and government, and R&E partners. Von Welch will be presenting a talk on the Trusted CI framework.

ISGC 2019 (March 31-April 5) in Taipei, Taiwan.
The International Symposium on Grids and Clouds (ISGC) 2019 & Soundscape Conference is built around the FAIR concept -- data must be Findable, Accessible, Interoperable and Re-usable. The conference will bring together individual communities and national representatives to address this challenge. Von Welch will be giving a keynote address, "FAIR in an unfair world: cybersecurity, data breaches, data integrity, and open science."

WE-RIT Women in Engineering at RIT and Cybersecurity Research TTP (April 2-3) in Rochester, NY.
Florence Hudson will be speaking at Rochester Institute of Technology at the WE-RIT event on April 2, and meeting with cybersecurity researchers April 2-3 to discuss how to accelerate cybersecurity research transition to practice (TTP), including business model development.

SIG-ISM/WISE Meeting (April 16-18) in Kaunas, Lithuania.
The GÉANT Special Interest Group - Information Security Management (SIG-ISM) group and the Wise Information Security for Collaborating e-Infrastructures (WISE) are hosting a joint meeting in Lithuania. The meeting aims to enhance the collaboration among large e-infrastructures and NRENs and their communities on handling security information. The groups will discuss their activities in the past few years, share the results and outcomes, and tackle challenges together. Bob Cowles will be giving a talk on the new Trusted CI Framework.

IU Internet of Things Wearables in Motion Symposium (April 25-26) in Bloomington, IN.
The Indiana University School of Informatics, Computing, and Engineering, Innovate Indiana, IU Research and Technology Corp., The Mill and Indiana IoT Lab, will host academic and industry experts to discuss wearables and the Internet of Things (IoT) including novel sensors and actuators, scalable and secure cyberinfrastructures, and more. Florence Hudson will be presenting with Mitch Parker from IU Health on Protecting Health Wearables from Cyber Attack.

EDUCAUSE Security Professional Conference 2019 (May 13-15) in Chicago, IL.
EDUCAUSE brings higher education security professionals together to network and discuss information security and privacy trends and current issues with peers and solution providers. Anurag Shankar is presenting a talk on securing workflows. Also, Trusted CI's partner project, the ResearchSOC, will be presenting a talk on helping security professionals support sponsored research projects. And Florence Hudson and cohorts will be presenting a birds-of-a-feather (BOF) session on cybersecurity needs and partnering with researchers to fill the gaps.

The Great Plains Network (GPN) Annual Meeting (May 21-23) in Kansas City, MO.
The meeting brings together advanced network and cyberinfrastructure users, information technology staff, network engineers, faculty members, researchers, and graduate students from leading Midwestern universities and higher education networks. Mark Krenz, Bob Cowles, Ishan Abhinit, Anurag Shankar, and Ryan Kiser will be presenting talks on security log analysis, developing cybersecurity programs, and the NIST framework for HIPAA and FISMA compliance. 

Trusted CI's Technology Transition to Practice (TTP) Workshop (June 19) in Chicago, IL.
The Cybersecurity TTP workshop is an opportunity for Cybersecurity researchers and practitioners to discuss the needs and gaps we can fill with cybersecurity research, and enjoy co-creation of plans on accelerating this valuable research to practice. Florence Hudson and fellow members of Trusted CI will be hosting the workshop. Apply to request an invitation here.

PEARC19 (July 28 - August 1) in Chicago, IL.
PEARC19 will explore the current practice and experience in advanced research computing including modeling, simulation, and data-intensive computing. Abstracts are still under review. Trusted CI intends to present many things at this year's conference and will update the community as more information is available.

The 2019 NSF Cybersecurity Summit (October 15 - 17) in San Diego, CA.
The Summit is hosted by Trusted CI and welcomes cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community, as well as key stakeholders and thought leaders from the broader scientific and information security communities. The Summit includes training sessions, plenary sessions, and opportunities to network and socialize with peers.

Whether you are an operational security pro, a high-speed networking researcher, an NSF PI, or an identity management specialist, the coming months present some interesting opportunities to network and collaborate. We look forward to seeing you at these events.

Monday, February 25, 2019

Trusted CI Begins Engagement with REED+

The Research Ecosystem for Encumbered Data (REED+) at Purdue University (https://www.rcac.purdue.edu/compute/reed), funded under the Office of Advanced Cyberinfrastructure (OAC #1840043), has the vision to implement a cost-effective ecosystem to manage regulated data that meets the compliance requirements found in a campus environment, e.g., protecting Controlled Unclassified Information (CUI).

REED+’s approach will integrate NIST SP 800-171 and other related NIST publications into its foundation. This will serve as a standard for campus IT to align with security regulations and best practices. The goal is to create a single process for intake and contracting, and to facilitate easy mapping of controlled research to cyberinfrastructure (CI) resources for the sponsored programs office, human subjects office, and export control office.

With the use of student-developed training materials and instruction, the approach will enable researchers, administrators, and campus IT to better understand previously complicated data security regulations affecting research projects. The goal is that the ecosystem developed from REED+ will enable new partnerships with government agencies and industry partners from the defense, aerospace, and life science sectors.

Trusted CI will engage with REED+ to review its strategic vision in providing CUI compliance across their institution’s CI. To achieve this, Trusted CI and REED+ will first inventory proposed components. Trusted CI will then analyze the components, assess them against other implementations, and provide recommendations. Finally, Trusted CI and REED+ will explore appropriate solutions for security awareness that can facilitate the plan.

The engagement began in January 2019 and is scheduled to run through the end of June 2019.

Comments on NSF's Major Facilities Guide from Trusted CI

Trusted CI has submitted the following comments in response to section 6.3 of

We are pleased to see NSF publish cybersecurity guidance for Major Facilities. In our experience working closely with Large Facilities via the Large Facility Security Team (LFST), one-on-one engagements, and at community events like the NSF Cybersecurity Summit, we know many cybersecurity and information technology practitioners at facilities have eagerly anticipated more guidance on cybersecurity expectations. Since 2014, we have collaborated with the Large Facilities Office to provide eight drafts of suggested content for this cybersecurity section of the Large Facility Manual (now Major Facilities Guide). We vetted the most recent Trusted CI drafts with the LFST.  While the published draft provides less detail and specificity than our most recent drafts, we believe much of the content is well-aligned with Trusted CI’s advice and experience working with the community. This MFG section will be well-aligned with the Trusted CI Framework and the companion Trusted CI Framework Implementation Guide for Providers of Scientific CyberInfrastructure we’re developing as a follow-on to our Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects.  That framework and its related products will provide explicit requirements for what it takes to stand up and maintain a competent cybersecurity program that supports open science missions.

The following are our detailed comments and suggested changes or additions.  The purpose of these suggestions is to aid in usability and readability, as well as alignment with Trusted CI’s guidance to the community.

Detailed comments:

1. Throughout the document

Suggested change: Replace “information security” with “cybersecurity” throughout or define them as being equivalent terms
Discussion: Both “cybersecurity” and “information security” are used, but they are not explicitly described as equivalent.
Justification: Clarity and consistency

2. Throughout the document

Suggested change: Add page numbers to the document
Discussion: The lack of page numbers makes referencing or communicating about the text in the document more difficult.
Justification: Improve ease of communication about parts of the text.

3. 6.3.1 Paragraph 1

Suggested change: Last sentence - strike “of the program”
Justification: Redundant and awkward phrasing

4. 6.3.2 Paragraph 1

Suggested paragraph replacement text:
A cybersecurity plan is a required element of the Project Execution Plan (PEP) per Section 3.4 of this Guide. Additionally, based on Uniform Guidance §200.303, to the extent the award recipient’s IT infrastructure is integral to internal controls, the relevant portion of the cybersecurity program should be compliant with guidance published by the Comptroller General or Committee of Sponsoring Organizations of the Treadway Commission (COSO).  Further, the Cooperative Agreement Supplemental Financial & Administrative Terms and Conditions (CA-FATC) for Recipients of Major Facilities or Federally Funded Research and Development Centers (FFRDC) requires an information security program and identifies a modest set of required components for the program. [add footnote references where appropriate]
Discussion: The first paragraph is confusing since it is an amalgam of requirements from different sources with different scopes. We suggest moving the sentence with the broadest scope (the requirement for the PEP to include a cybersecurity plan) to the start of the paragraph. Next would be the requirement on internal controls, reworded to narrow its applicability to cases where internal controls are implemented through information technology. Finally, close with the Cooperative Agreement Supplement(s). Note: Uniform Guidance §200.303 does not actually include the phrase “including technology infrastructure and security management”.
Justification: The document now applies to more than Large Facilities or FFRDCs, so it adds clarity to state the requirements in order of scope. Also, this clarifies the application of §200.303 to IT implementations of internal controls.

5. 6.3.2 Paragraph 2

Suggest changing the sentence: “The three pillars of a cybersecurity program which rest on this foundation are governance; resources; and controls.”
To read: “The four pillars of a cybersecurity program which rest on this foundation are mission alignment; governance; resources; and controls.”
Discussion: While the “research mission and goals of the facility” are foundational, the actual alignment of the cybersecurity program is an additional pillar because its program elements need to evolve in concert with the other pillars.
Justification: Adding the Mission alignment pillar will be consistent with the upcoming Trusted CI Framework.

6. 6.3.2 Paragraph 3

Suggest changing the sentence: “This framework is based on the previously mentioned three pillars of information security programs: Governance, Resources, and Controls.”
To read: “This framework is based on the previously mentioned four pillars of cybersecurity programs: Mission Alignment, Governance, Resources, and Controls.”
Discussion: Alignment with changes suggested for paragraph 2
Justification: Consistent changes

7. 6.3.2 Paragraph 4

Suggest inserting a new section heading (a page formatting change) and changing the sentence: “The three pillars of a cybersecurity program rely on a project-specific inventory of “information assets” to be protected.”
To read:
“6.3.3 Mission Alignment

The other three pillars of a cybersecurity program rely on a project-specific inventory of “information assets” to be protected.”
Note: Requires changing the numbering of subsequent sections and updating page headers/footers
Discussion: Add the Mission Alignment pillar
Justification: See above

8. 6.3.3.1 Paragraph 3

Suggest changing: “In addition, most cybersecurity programs identify a senior security role …”
To read: “In addition, cybersecurity programs should have an identified senior security role …”
Discussion: Having an individual responsible for the cybersecurity program is important and should not be an undue burden. The task is not necessarily full-time but the core responsibility for the program should be centralized.
Justification: Strengthen the guidance to have individual primary program responsibility

9. 6.3.3.3 Paragraph 1

Suggest changing: “Center for Trustworthy Scientific Cyberinfrastructure (CTSC)”
To read: “Trusted CI”
Discussion: CTSC has changed its name to Trusted CI.
Justification: Update organization name

10. 6.3.3.4 Paragraph 1

Suggest changing: “… organizations are advised to plan for …”
To read: “… organizations should plan for …”
Suggest changing: “… the project is encouraged to consider …”
To read: “… the project should include in the NSF review …”
Discussion: Given that NSF oversight will require a review of the cybersecurity program, the language in this paragraph should be strengthened.
Justification: Ensure the cybersecurity program undergoes periodic evaluation and review

11. 6.3.4.2 Paragraph 3

Suggest changing: “In addition to technical skills…”
To read: “While technical skills are important …”
Discussion: The sentence is easily misread due to the comma-separated list.
Justification: Better separation of “technical skills” from the other listed items

12. 6.3.5 Paragraph 1

Suggested paragraph replacement text: “Controls are tailored to the facility’s portfolio of information assets and aligned to protect confidentiality, integrity, and availability based on the corresponding information classification for those information assets.”
Discussion: The paragraph is poorly worded or contains redundant information.
Justification: Better wording for the point being made.

13. 6.3.5.1 and 6.3.5.2

Suggested change: Move the two sections under the Mission Alignment pillar and renumber the Control Set section. Make appropriate page header/footer alterations.
Discussion: The subsections now belong under Mission Alignment and should be moved entirely under that pillar.
Justification: These topics are part of the Mission Alignment pillar.