Thursday, April 18, 2019

Leverage Trusted CI in your NSF SaTC Proposal

NSF SaTC solicitations are focused on areas critical to cybersecurity research and development. NSF's current Secure and Trustworthy Cyberspace Frontiers Solicitation (LOI Due July 5th, Proposal due Sept 30th) in conjunction with the SaTC program solicitation NSF 18-572 includes the following guidance:
The goals of the SaTC program are aligned with the Federal Cybersecurity Research and Development Strategic Plan (RDSP) and the National Privacy Research Strategy (NPRS) to protect and preserve the growing social and economic benefits of cyber systems while ensuring security and privacy. The RDSP identified six areas critical to successful cybersecurity research and development: (1) scientific foundations; (2) risk management; (3) human aspects; (4) transitioning successful research into practice; (5) workforce development; and (6) enhancing the research infrastructure.
Trusted CI, the NSF Cybersecurity Center of Excellence, has engaged practitioners in research, academia, industry, and government to identify top cybersecurity needs and gaps which might be filled through successful transitioning of cybersecurity research into practice, as reported on the Trusted CI TTP blog. We may be able to connect you with practitioners enunciating needs which your project innovations may address. We have identified NSF funded cybersecurity researchers actively working to address some of the top cybersecurity needs, with whom we can connect you to enable collaboration for NSF research transition.

We offer the following suggestions to engage us in these areas.

Reach out to us at to let us know the focus for your project, and the types of practitioners or researchers you would like to collaborate with to support your proposal. 

Participate in the Cybersecurity TTP Program. Request an invitation to attend the June 19, 2019 Cybersecurity TTP workshop in Chicago, where you will meet researchers and practitioners.

Indicate Your Intent to Approach the CCoE regarding your proposal. We invite proposing NSF SaTC projects to indicate their intention to approach Trusted CI once they are funded. Proposers are free to include language showing an awareness of a specific cybersecurity issue and showing that they are aware of Trusted CI and how we can help, and that they plan to approach us to collaborate if funded. You can do this unilaterally without any commitment from Trusted CI (and please be aware it does not commit Trusted CI; we do our best to help all NSF projects, but are subject to our own resource availability). We ask that you let us know if you reference Trusted CI this way, to help us plan ahead.

Possible language to include in a proposal:
Our proposal team recognizes [the need to collaborate with operational leaders and cybersecurity researchers to enable practical cybersecurity innovations to be accelerated into operational environments in our areas of focus including xxx]. To address this we plan to approach the NSF-funded Cybersecurity Center of Excellence ( The Cybersecurity Center of Excellence (CCoE) engages researchers and practitioners to identify and help address cybersecurity challenges and maintain the trustworthy nature of cyberinfrastructure. We understand that engagements with CCoE are collaborative, and have budgeted resources in our project to work with CCoE on our challenge.
Trusted CI can also provide a letter of collaboration for your proposal using this template.

Include the CCoE in your Proposal. You can include one or more of the CCoE Partners (IU, Internet2, LBNL, NCSA, PSC, U. Wisconsin) via a subcontract on your proposal, a process that provides a firm commitment of our participation. Please contact us to discuss which partner would be most appropriate, whether the commitment would be exclusive for a given solicitation, and the level of effort that would be involved. In this case, we would provide a custom letter of collaboration indicating our agreement to the terms of the subcontract.

If you are preparing a SaTC, CICI, or other NSF proposal and would like additional assistance from Trusted CI, don't hesitate to contact us to discuss how Trusted CI can help.

Wednesday, April 10, 2019

Welcoming Eric Cross to the Trusted CI Advisory Committee

I am happy to welcome Eric Cross to the Trusted CI Advisory Committee. Eric is the Information Technology Manager for the National Solar Observatory (NSO) in Boulder, Colorado, and has in the past served in the same role at the National Ecological Observatory Network (NEON) and the Raytheon Company. During his time at the NSO, he has played key roles in major projects including moving the organization to cloud-based collaboration applications via Google GSuite, deploying IT services at a newly constructed facility for Daniel K. Inouye Solar Telescope (DKIST) support and science research staff, and managing the procurement and deployment of the DKIST Operations Network and IT infrastructure at the Haleakalā summit on the island of Maui, Hawai’i.

Eric replaces David Halstead of NRAO on the advisory committee. I thank David for his contributions to Trusted CI on the committee.

Jim Basney
Deputy Director, Trusted CI

Tuesday, April 9, 2019

Cyberinfrastructure Vulnerabilities 2019 Q1 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is freely available to all by subscribing to Trusted CI’s mailing lists (see below).

We monitor a number of sources for software vulnerabilities of interest, then determine which ones are of the most critical interest to the community. While it’s easy to identify issues that have piqued the public news cycle, we strive to alert on issues that affect the CI community in particular. These are identified using the following criteria: the affected technology’s or software’s pervasiveness in the CI community; the technology’s or software’s importance to the CI community; type and severity of potential threat, e.g., remote code execution; the threat’s ability to be remotely triggered; the threat’s ability to affect critical core functions; and if mitigation is available. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE, the NSF supercomputing centers, and the ResearchSOC (the newly formed CaaS MSSP) on drafting and distributing alerts to minimize duplication of effort and maximize benefit from community expertise. Some of the sources we monitor for possible threats to CI include:
In 1Q2019 the Cyberinfrastructure Vulnerabilities team issued the following 4 vulnerability alerts to 124 subscribers:
If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through This mailing list is public and the archives are available at

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at

Monday, April 8, 2019

CCoE Webinar April 22nd at 11am ET: REED+: A cybersecurity framework for research data at Purdue University

Preston Smith is presenting the talk "REED+: A cybersecurity framework for research data at Purdue University" on Monday April 22nd at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.
The REED+ framework integrates NIST SP 800-171 and other related NIST publications as the foundation of the framework. This framework serves as a standard for campus IT to align with security regulations and best practices, and create a single process for intake, contracting, and facilitate easy mapping of controlled research to CI resources for the sponsored programs office, human subjects office, and export control office.

The framework allows researchers to experience faster intake of new funded projects and be more competitive for research dollars. Using student-developed training materials and instruction, researchers, administrators, and campus IT are now able to more clearly understand previously complicated data security regulations affecting research projects.

The ecosystem developed from this project enables new partnerships with government agencies, and industry partners from the defense, aerospace, and life science sectors. Experiences and best practices in providing cyberinfrastructure and security awareness developed from this collaboration are documented and shared with the broader CI and campus community through conferences, journals and workshops.

In addition to the IT challenges (security controls, technology, or regulations), the REED+ team will discuss the use of research facilitators dedicated to regulated research; building relationships between campus IT organizations, appropriate compliance offices, research administration, IRBs, and export control offices; and improving institutional processes.

Ultimately the goal is to create a systematic approach which results in rapid flow from contracts to actionable technical requirements to implementation to approval, so that research data can begin in the minimum possible time frame.
Speaker bio:

Preston Smith is the Director of Research Computing Services at Purdue University. Supporting over 180 HPC faculty, and 550 labs using research data systems, Purdue's Community Cluster program is a pioneering program for delivering "condo-style" HPC. At Purdue, his organization designs, builds, and operates compute systems, and delivers advanced research support to the campus community.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."