Thursday, December 19, 2019

NSF releases JASON report on research security with CUI finding

NSF recently released the JASON report on research security. Quoting Wikipedia, “JASON is an independent group of elite scientists which advises the United States government on matters of science and technology, mostly of a sensitive nature.”

Much of this report focuses on research integrity, that is, the “objectivity, honesty, openness, fairness, accountability, and stewardship” of research. For research with confidentiality needs, cybersecurity has a role to play in research integrity by protecting research assets such as intellectual property from being unfairly accessed. For open research, cybersecurity still has a large role in assuring data integrity, “the assurance of the accuracy and consistency of data over its entire life-cycle,” which is a small, but critical, part of research integrity and reproducibility.

In that context, this report contains a finding and discussion on CUI and research security:
8. Universities have mechanisms to handle Controlled Unclassified Information (CUI) under existing categories, such as HIPAA, FERPA, Export control, and Title XIII. CUI protection is difficult, but suited to these tasks; however, it is ill-suited to the protection of fundamental research areas.

This finding is further discussed in Section 4.2, which concludes with the following statement:
Given the current state of affairs, JASON cannot recommend adoption of a CUI mechanism to secure additional categories of information generated by U.S. universities, beyond those currently covered by applicable laws designed to protect personal information (e.g., HIPAA, GINA, FERPA, Title 13, etc.). Rather, the general principle of creating high walls, i.e., classification, around narrowly defined areas should be adhered to, minimizing conflicts that might adversely affect U.S. open science practices.

A challenge we know many in the community face is internal pressure for all of research cybersecurity to shift to CUI. Trusted CI believes careful consideration is needed to select appropriate cybersecurity controls based on the science mission, and agrees with the JASON report that CUI is not suitable for all research, including a fair amount of NSF-funded research. Trusted CI suggests that approaches such as Trusted CI’s Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects and the emerging Trusted CI Framework are better suited. We hope this report provides valuable input for ongoing discussions some of you may be having.