Wednesday, September 30, 2020

Thank you and congratulations to Florence Hudson!

Florence Hudson has been leading Trusted CI's transition to practice (TTP) efforts since 2018. She has been instrumental in fostering connections between researchers and practitioners and leading the creation of a suite of TTP resources based on best practices and successes. September 30th marks Florence's last day with Trusted CI and we wish Florence all the best in her role as Executive Director for the Northeast Big Data Innovation Hub.

Ryan Kiser has been working closely with Florence on TTP and will assume leadership of Trusted CI's TTP effort, supported by Sean Peisert, who brings a strong history of both research and practice in cybersecurity.

Von

Trusted CI PI and Director

Monday, September 28, 2020

Announcing Trusted CI's Open Science Cybersecurity Fellows Program (Applications due Nov. 6th)

Application Deadline: Friday Nov. 6th. Apply here.

Overview

Trusted CI serves the scientific community as the NSF Cybersecurity Center of Excellence, providing leadership and assistance in cybersecurity in support of research. In 2019, Trusted CI established an Open Science Cybersecurity Fellows program. This program will establish and support a network of Fellows with diversity in both geography and scientific discipline. These Fellows will have access to training and other resources to foster their professional development in cybersecurity. In exchange, they will champion cybersecurity for science in their scientific and geographic communities and communicate challenges and successful practices to Trusted CI.

About the program

The vision for the Fellows program is to identify members of the scientific community, empower them with basic knowledge of cybersecurity and an understanding of Trusted CI’s services, and then have them serve as cybersecurity liaisons to their respective communities. They would then assist members of the community with basic cybersecurity challenges and connect them with Trusted CI for advanced challenges.

Trusted CI will select six Fellows each year. Fellows will receive recognition and cybersecurity professional development consisting of training and travel funding. The Fellows’ training will consist of a Virtual Institute, providing 20 hours of basic cybersecurity training over six months. The training will be delivered by Trusted CI staff and invited speakers. The Virtual Institute will be presented as a weekly series via Zoom and recorded to be publicly available for later online viewing. Travel support is budgeted (during their first year only) to cover Fellows’ attendance at the NSF Cybersecurity Summit, PEARC, and one professional development opportunity agreed to with Trusted CI. The Fellows will be added to an email list to discuss any challenges they encounter, and these will receive prioritized attention from Trusted CI staff. Trusted CI will recognize the Fellows on its website and social media. Fellowships are funded for one year, but Fellows will be encouraged to continue participating in Trusted CI activities in the years following their fellowship year.

After the Virtual Institute, Fellows, with assistance from the Trusted CI team, will be expected to help their science community with cybersecurity and make them aware of Trusted CI for complex needs. By the end of the year, they will be expected to present or write a short white paper on the cybersecurity needs of their community and some initial steps they will take (or have taken) to address these needs. After the year of full support, Trusted CI will continue recognizing the cohort of Fellows and giving them prioritized attention. Over the years, this growing cohort of Fellows will broaden and diversify Trusted CI’s impact.

Application requirements

  • A description of their connection to the research community. Any connection to NSF projects should be clearly stated, ideally providing the NSF award number.
  • A statement of interest in cybersecurity
  • Two-page biosketch
  • Optional demographic info
  • A letter from their supervisor supporting their involvement and time commitment to the program
  • A commitment to fully participate in the Fellows activities for one year (and optionally thereafter)

The selection of Fellows will be made by the Trusted CI PIs and Senior Personnel based on the following criteria:

  1. Demonstrated connection to scientific research, with preference given to those who demonstrate a connection to NSF-funded science.
  2. Articulated interest in cybersecurity.
  3. Fellows that broaden Trusted CI’s impact across all seven NSF research directorates (Trusted CI encourages applications for individuals with connections to NSF directorates other than CISE), with connections to any of the NSF 10 Big Ideas, or Fellows that increase the participation of underrepresented populations.

Who should apply?

  • Professionals and post-docs interested in cybersecurity for science, with evidence of that in their past and current role
  • Research Computing, Data, and IT technical or policy professionals interested in applying cybersecurity innovations to scientific research
  • Domain scientists interested in data integrity aspects of scientific research
  • Scientists from all across the seven NSF research directorates interested in how data integrity fits with their scientific mission
  • Researchers in the NSF 10 Big Ideas interested in cybersecurity needs
  • Regional network security personnel working across universities and facilities in their region
  • People comfortable collaborating and communicating across multiple institutions with IT / CISO / Research Computing and Data professionals
  • Anyone in a role relevant to cybersecurity for open science

More about the Fellowship

Fellows come from a variety of career stages; they demonstrate a passion for their area, the ability to communicate ideas effectively, and a real interest in the role of cybersecurity in research. Fellows are empowered to talk about cybersecurity to a wider audience, network with others who share a passion for cybersecurity for open science, and learn key skills that benefit them and their collaborators.

If you have questions about the Fellows program, please let us know by emailing us at fellows@trustedci.org.

Application Deadline: Friday Nov 6, 2020. Apply here.

Applicants will be notified by Jan 15, 2021.

Tuesday, September 22, 2020

Trusted CI Webinar: Cybersecurity Maturity Model Certification (CMMC) on Tues Oct 6 @11am Eastern

Trusted CI's Scott Russell is presenting the webinar, Cybersecurity Maturity Model Certification (CMMC), on Tuesday October 6th at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.

The US has historically taken a fairly minimalist approach to cybersecurity regulation, but recent years have evidenced a trend toward increasing regulation. The latest in this trend is the US Department of Defense’s “Cybersecurity Maturity Model Certification” (CMMC). CMMC has garnered quite a bit of attention recently, as it intends to impose cybersecurity compliance requirements on the entire Defense Industrial Base (DIB), over 300,000 organizations (including some universities). CMMC has emerged at a breakneck pace, and there is still a great deal of uncertainty regarding who is impacted, what is required, and how organizations should respond.

This talk will 1) introduce US cybersecurity regulation and compliance generally; 2) provide the background and context leading to CMMC; 3) overview CMMC; and 4) suggest approaches for thinking about cybersecurity compliance moving forward.

Speaker Bio:

Scott Russell is a Senior Policy Analyst at the Indiana University Center for Applied Cybersecurity Research. Scott was previously the Postdoctoral Fellow in Information Security Law & Policy. Scott’s work thus far has emphasized private sector cybersecurity best practices, data aggregation and the First and Fourth Amendments, and cybercrime in international law. Scott studied Computer Science and History at the University of Virginia and received his J.D. from the Indiana University Maurer School of Law.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Get an early look at a chapter from the Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators

In anticipation of the 2020 NSF Cybersecurity Summit, Trusted CI has released v0.9 of a chapter from the forthcoming Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators. The chapter is focused on Must 15: Organizations must adopt and use a baseline control set. The chapter explains the nature of baseline control sets and the rationale for making adoption an absolute “Must.” It provides Research Cyberinfrastructure Operators (RCOs) a roadmap and advice on addressing this fundamental step toward a mature cybersecurity program. This chapter is the result of Trusted CI’s years of accumulated experience conducting research, training, assessments, and consultations, and collaborating closely with the research community. It has been reviewed and vetted by the Framework Advisory Board.

Read on to learn more. For inquiries, please contact info@trustedci.org.

About the Trusted CI Framework

The Trusted CI Framework is a tool to help organizations establish cybersecurity programs. In response to an abundance of cybersecurity guidance focused narrowly on security controls, Trusted CI set out to develop a framework that would empower organizations to confront their own cybersecurity challenges from a mission-oriented and full organizational lifecycle perspective. Within Trusted CI’s mission to lead development of an NSF Cybersecurity Ecosystem that enables trustworthy science, the Framework fills a gap by emphasizing these programmatic fundamentals.


The Trusted CI Framework is structured around 4 “Pillars” which make up the foundation of a competent cybersecurity program: Mission Alignment, Governance, Resources, and Controls.

Within these pillars are 16 “Musts” that identify the concrete, critical elements required for running a competent cybersecurity program. The 4 Pillars and the 16 Musts combined make up the “Framework Core,” which is designed to be applicable in any environment and for any organization and which is unlikely to change significantly over time.


About the forthcoming Framework Implementation Guide

This Framework Implementation Guide is designed for direct use by research cyberinfrastructure operators (RCOs). A “Framework Implementation Guide” (FIG) is an audience-specific deep dive into how an organization would begin implementing the 16 Musts. FIGs provide detailed guidance and recommendations and are expected to be updated much more frequently than the Framework Core.

We define RCOs as organizations that operate on-premises, cloud-based, or hybrid computational and data/information management systems, instruments, visualization environments, networks, and/or other technologies that enable knowledge breakthroughs and discoveries. These include, but are not limited to, major research facilities, research computing centers within research institutions, and major computational resources that support research computing.

Trusted CI will publish v1 of the FIG in early CY2021.


About the Framework Advisory Board

As a product ultimately designed for use in the Research and Higher Education communities, this Framework Implementation Guide is being developed with significant input from stakeholders that represent a cross section of the target audience. The Framework Advisory Board (FAB) includes 19 stakeholders with diverse interests and roles in the research and education communities. Over the course of 2020, Trusted CI’s Framework project team is engaging the FAB on a monthly basis, and the group is providing substantial critique and constructive input on draft material.

The Framework Advisory Board is:

Kay Avila (NCSA); Steve Barnet (IceCube); Tom Barton (University of Chicago); Jim Basney (NCSA); Jerry Brower (NOIRLab, Gemini Observatory); Jose Castilleja (NCAR / UCAR); Shafaq Chaudhry (UCF); Eric Cross (NSO); Carolyn Ellis (Purdue U.); Terry Fleury (NCSA); Paul Howell (Internet2); Tim Hudson (NEON / Battelle / Arctic); David Kelsey (UKRI/WISE); Tolgay Kizilelma (UC Merced); Nick Multari (PNNL); Adam Slagell (ESnet); Susan Sons (IU CACR); Alex Withers (NCSA / XSEDE); Melissa Woo (Michigan State U.)


Thursday, September 17, 2020

Trusted CI Webinar: ACCORD: Integrating CI policy and mechanism to support research on sensitive data on Sep. 28th at 11am (EDT)

University of Virginia's Ron Hutchins, Tho Nguyen, and Neal Magee are presenting ACCORD: Integrating CI policy and mechanism to support research on sensitive data, on Monday September 28th at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.

Today, a large number of researchers do not have access to secure, compliance-capable research computing infrastructure at their home institutions. Traditional institutional secure CI only supports “in-house” users. The ACCORD project is set up to address the challenge of scaling institutional secure research computing services to support community users. To accomplish this goal, we are deploying a policy-centric cyberinfrastructure that prioritizes security, compliance, and accessibility. In this presentation, we describe ACCORD’s approach of leveraging the latest CI tools to compartmentalize research environments into reusable containers that can be catalogued and managed. For example, we rely on InCommon federation to streamline user authentication hurdles, COmanage to lessen user onboarding and management difficulties, and containers coupled with a web-driven interface to alleviate the user accessibility burden. The challenge is to, hopefully, hit the right levels of simplicity and security for a variety of users. In this presentation we will also share the current project status, lessons learned, and future goals. Discussion will be welcome.

Speaker Bio:

Dr. Ronald R. Hutchins currently serves as Vice President for Information Technology. In this role, Ron focuses on creating a university-wide strategy in IT for teaching, learning, research, and administrative technologies while honoring the University’s deep culture and tradition. Prior to joining UVA, Ron served as Associate Vice Provost for Research and Technology and Chief Technology Officer at the Georgia Institute of Technology in Atlanta, Georgia.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, September 15, 2020

Trusted CI Begins Engagement with SCiMMA

The Scalable Cyberinfrastructure Institute for Multi-Messenger Astrophysics (SCiMMA), funded under NSF grant #1934752, is a planned collaboration between data scientists, computer scientists, astronomers, astro-particle physicists, and gravitational wave physicists.  Leveraging NSF investments in astronomical and multi-messenger facilities and in advanced cyberinfrastructure, SCiMMA intends to prototype a publish-subscribe system based on Apache Kafka to distribute alerts from gravitational wave, neutrino and electromagnetic observatories to authorized subscribers (initially, public alerts so that all subscribers are authorized, but eventually proprietary alerts).  The system will additionally rely on supporting infrastructure, including: machine learning algorithms to analyze and classify alerts; an AARC2-style federated identity and access management suite; and event databases for richer data mining. The pub/sub prototype will be hosted on cloud resources, including a commercial cloud. Upon award completion, SCiMMA will pursue funding for a sustained distributed institute that will expand the scope and depth of the prototyped system.


To this end, SCiMMA is seeking help with various components of their prototype cyberinfrastructure. Primarily, they seek to develop a sound IT security program. Through a kick-off meeting and follow-up discussion, Trusted CI and SCiMMA have defined and prioritized their needs as a set of tasks outlining the goals of the engagement, specifically:

  1. Perform a security review of SCiMMA’s cyberinfrastructure using the Trusted CI Security Program Evaluation worksheet in order to assess the target level of cybersecurity needed;

  2. Using information documented in step 1, develop the start of a security program leveraging a master information security policies and procedures document;

  3. Develop an asset inventory to be used by the security program in step 2; and

  4. Perform a nascent risk assessment using the identified assets, with a corresponding residual risk registry.


Upon completion of the engagement, Trusted CI will produce a final, publishable report describing the work performed, potential impact to the open-science community, and areas SCiMMA may find appropriate for future engagements.


Thursday, September 10, 2020

Data Confidentiality Issues and Solutions in Academic Research Computing

Many universities have needs for computing with “sensitive” data, such as data containing protected health information (PHI), personally identifiable information (PII), or proprietary information. Sometimes this data is subject to legal restrictions, such as those imposed by HIPAA, CUI, FISMA, DFARS, GDPR, or the CCPA, and at other times, data may simply not be sharable per a data use agreement. It may be tempting to think that such data is typically only in the domain of DOD- and NIH-funded research, but it turns out that this assumption is far from reality. While this issue arises in numerous scientific domains, including ones that people might immediately think of, such as medical research, it also arises in numerous others, including economics, sociology, and other social sciences that might look at financial data, student data or psychological records; chemistry and biology, particularly that which relates to genomic analysis and pharmaceuticals, manufacturing, and materials; engineering analyses, such as airflow dynamics; underwater acoustics; and even computer science and data analysis, including advanced AI research, quantum computing, and research involving system and network logs. Such research is funded by an array of sponsors, including the National Science Foundation (NSF) and private foundations.

Few organizations currently have computing resources appropriate for sensitive data. Many universities have started thinking about how to enable computing on sensitive data, but may not know where to start.

In order to address the community need for insights on how to start thinking about computing on sensitive data, in 2020, Trusted CI examined data confidentiality issues and solutions in academic research computing.  Its report, “An Examination and Survey of Data Confidentiality Issues and Solutions in Academic Research Computing,” was issued in September 2020.  The report is available at the following URL:

https://escholarship.org/uc/item/7cz7m1ws

The report examined both the varying needs involved in analyzing sensitive data and also a variety of solutions currently in use, ranging from campus and PI-operated clusters to cloud and third-party computing environments to technologies like secure multiparty computation and differential privacy.  We also discussed procedural and policy issues involved in campuses handling sensitive data.

Our report was the result of numerous conversations with members of the community.  We thank all of them and are pleased to acknowledge those who were willing to be identified here and also in the report:

  • Thomas Barton, University of Chicago, and Internet2
  • Sandeep Chandra, Director for the Health Cyberinfrastructure Division and Executive Director for Sherlock Cloud, San Diego Supercomputer Center, University of California, San Diego
  • Erik Deumens, Director of Research Computing, University of Florida
  • Robin Donatello, Associate Professor, Department of Mathematics and Statistics, California State University, Chico
  • Carolyn Ellis, Regulated Research Program Manager, Purdue University
  • Bennet Fauber, University of Michigan
  • Forough Ghahramani, Associate Vice President for Research, Innovation, and Sponsored Programs, Edge, Inc.
  • Ron Hutchins, Vice President for Information Technology, University of Virginia
  • Valerie Meausoone, Research Data Architect & Consultant, Stanford Research Computing Center
  • Mayank Varia, Research Associate Professor of Computer Science, Boston University

For the time being, this report is intended as a standalone initial draft for use by the academic computing community. Later in 2020, this report will be accompanied by an appendix with additional technical details on some of the privacy-preserving computing methods currently available.  

Finally, in late 2020, we also expect to integrate issues pertaining to data confidentiality into a future version of the Open Science Cyber Risk Profile (OSCRP). The OSCRP is a document that was first created in 2016 to develop a “risk profile” for scientists to help understand risks to their projects via threats posed through scientific computing. While the first version included issues in data confidentiality, a revised version will include some of our additional insights gained in developing this report.

As with many Trusted CI reports, both the data confidentiality report and the OSCRP are intended to be living reports that will be updated over time to serve community needs. It is our hope that this new report helps answer many of the questions that universities are asking, but also that it begins conversations in the community and results in questions and feedback that will help us to make improvements to this report over time. Comments, questions, and suggestions about this post and both documents are always welcome at info@trustedci.org.

Going forward, the community can expect additional reports from us on the topics mentioned above, as well as a variety of other topics. Please watch this space for future blog posts on these studies.


Friday, September 4, 2020

Introducing the Law and Policy Student Affiliate Program

The CACR-Maurer Student Affiliate program is a collaboration between the IU Center for Applied Cybersecurity Research (CACR), which leads Trusted CI, and the IU Maurer School of Law, wherein law students with a demonstrated interest in privacy and cybersecurity are given an opportunity to work on real world legal problems. The student affiliates work directly with Scott Russell, who is a Senior Policy Analyst at CACR, Trusted CI team member, and a Maurer graduate, and contribute to law and policy guidance materials produced by Trusted CI.

Previous student affiliates have conducted research relating to Controlled Unclassified Information, the EU General Data Protection Regulation, the California Consumer Privacy Act, US Export Control Laws and Regulations, the DoD Cybersecurity Maturity Model Certification, and Artificial Intelligence & Ethics. Materials developed by these student affiliates have directly contributed to guidance materials Trusted CI has created for the NSF science community, including webinars, live presentations, trainings, blog posts, internal whitepapers, and memoranda.

For the Fall 2020 semester, there will be one student affiliate: Madeline Blaney. Madeline is a second year law student at Maurer and the President of the Maurer Cybersecurity and Privacy Law Association.


The program is managed by Maurer professor Joseph Tomain, who also manages the Maurer Graduate Certificate in Cybersecurity Law and Policy and the Graduate Certificate in Information Privacy Law and Policy. Student affiliates receive 1 credit hour for participating in the program. Participation in the student affiliate program is typically reserved for students pursuing a Maurer Graduate Certificate in Cybersecurity Law and Policy but is also open to non-certificate students with sufficient background in privacy and cybersecurity law. This is CACR’s fourth semester with student affiliates, building on a long history of collaboration between CACR and Maurer.