Friday, December 18, 2020

Southern Ocean Carbon and Climate Observations and Modeling (SOCCOM) and Global Ocean Biogeochemistry Array (GO-BGC) Complete Trusted CI CyberCheckup

The Southern Ocean Carbon and Climate Observations and Modeling (SOCCOM) project is a $21 million NSF-funded project (OPP 1425989 and OPP 1936222) to instrument the Southern Ocean and make data publicly available.  SOCCOM has deployed nearly 200 robotic profiling floats in the Southern Ocean (south of 30°S). These floats are part of the international Argo network and collect physical, chemical, and biological sensor data from the upper 2000 m of the water column every 10 days. The data are transmitted to shore via the Iridium satellite system. The data are then passed through a series of institutional servers, where the data are fully processed and quality controlled. The resulting science quality data and the raw observations are made available within 24 hours with no restrictions. The data set has been used in more than 100 publications to assess physical, chemical, and biological processes in the Southern Ocean. 

The biogeochemical float array in the Southern Ocean is now expanding to the world ocean with a new NSF sponsored project, the Global Ocean Biogeochemistry (GO-BGC) Array (OCE  1946578).  GO-BGC will deploy 500 robotic profiling floats throughout the ocean.  GO-BGC is funded by a $52.9 million grant from the Mid-scale Research Infrastructure-2 program.  Institutional float operators expand from the University of Washington (UW) in SOCCOM to include Scripps Institution of Oceanography (SIO) and Woods Hole Oceanographic Institution (WHOI).  The Monterey Bay Aquarium Research Institute (MBARI) will maintain the biogeochemical data processing center for both programs.

SOCCOM and GO-BGC staff first used Trusted CI's "Securing Commodity IT in Scientific CI Projects" spreadsheet to evaluate four of their participating institutions, MBARI, UW, SIO, and WHOI. SOCCOM and GO-BGC staff next completed Trusted CI's "Information Security Program Evaluation" questionnaire. This document was used to capture the current state of each of the participant’s information security programs as well as find potential security policy gaps. The output from these two documents will be used by SOCCOM and GO-BGC to better secure their project. In addition to the CyberCheckup, Trusted CI staff walked project members through the use of Trusted CI’s guide to developing cybersecurity programs and the upcoming Trusted CI framework for putting together a comprehensive cybersecurity program.

The SOCCOM data system includes servers at UW, which handle float communications through the Iridium system, data processing for the physical variables (temperature, salinity, and pressure), and transmission of the physical data to the Argo Data Assembly Center in Miami, which is maintained by NOAA.  The UW system also links to the network at MBARI, where all of the biogeochemical data is processed and then transmitted to the Argo Data Assembly Center, where it is merged with the physical data.  The GO-BGC data system (including float communications, raw data acquisitions, data processing and quality control, and data dissemination and archiving) is more complicated with networks at UW, WHOI, and SIO communicating with floats and distributing data to MBARI for processing.   SOCCOM and GO-BGC performed a Trusted CI CyberCheckup to look at their needs for a comprehensive cybersecurity program.  The Cybercheckup is an engagee-driven, self-evaluation of a project’s cybersecurity readiness.  Trusted CI staff provided templates to be used for the CyberCheckup as well as assistance in reviewing the templates. 

The multi-institutional SOCCOM and GO-BGC projects create a cybersecurity challenge because of the mix of institutional assets, policies, and infrastructure.  To accommodate the multi-institutional nature of the project, a two-tiered approach to cybersecurity will be implemented, which incorporates the practices outlined in the Trusted CI review.  A project level CyberSecurity Team will encompass representatives of each institution.  This team will be led by a CyberSecurity Coordinator from the science staff.   

Each of the institutional members directly involved in the flow of project data will then implement a local team.  These local teams will include a cyber security professional from the information systems group at each location, a SOCCOM or GO-BGC science team representative, and a member from the SOCCOM or GO-BGC technical staff at the location.  The diverse membership of the local teams has the objective of ensuring professional cybersecurity capabilities, a vision of the scientific requirements for data availability and protection, and a code-level view of the project infrastructure.  The local CyberSecurity Teams are responsible for developing a cybersecurity plan that is adapted to their local infrastructure and policies.  

The Project CyberSecurity Team coordinates communications between the local teams and ensures that a system-wide review of security and vulnerabilities is conducted.  They ensure that the project-wide data system is functional, meets the broader community needs, and is capable of rapid recovery from a cyber attack. The Project CyberSecurity Team will conduct periodic reviews and tests (“fire drills”) of the local plans.  

As noted by Ken Johnson, the GO-BGC PI at MBARI, “The Trusted CI CyberCheckUp has been a really important mechanism for us to review a critical path that often gets overlooked.  Our program will be a lot stronger as a result of the review.”

Now available: An “early look” at three additional chapters from the Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators

Following the earlier release of the Must 15 v0.9, Trusted CI has released additional v0.9 chapters from the forthcoming Trusted CI Framework Implementation Guide (FIG) for Research Cyberinfrastructure Operators (RCOs). The chapters are:

Must 3: Organizations must establish and maintain documentation of information assets. 


Must 4: Organizations must establish and implement a structure for classifying information assets as it relates to the organization’s mission. 


Must 16: Organizations must select and deploy additional and alternate controls as warranted. 

These chapters provide RCOs with roadmaps and advice on addressing fundamental steps toward establishing a mature cybersecurity program. The chapters are the result of Trusted CI’s years of accumulated experience conducting research, training, assessments, consultations, and collaborating closely with the research community. They have been reviewed and vetted by the Framework Advisory Board. 

Trusted CI will publish v1.0 of the complete FIG on March 1, 2021.

Read on to learn more. For the latest information about the Framework, please see and consider subscribing to Trusted CI’s announce email list. For inquiries, please contact

About the Trusted CI Framework

The Trusted CI Framework is a tool to help organizations establish cybersecurity programs. In response to an abundance of guidance focused narrowly on cybersecurity controls, Trusted CI set out to develop a framework that would empower organizations to confront their own cybersecurity challenges from a mission-oriented and full organizational lifecycle perspective. Within Trusted CI’s mission is to lead the development of an NSF Cybersecurity Ecosystem that enables trustworthy science: the Framework fills a gap in emphasizing programmatic fundamentals.

The Trusted CI Framework is structured around 4 “Pillars” which make up the foundation of a competent cybersecurity program: Mission Alignment, Governance, Resources, and Controls

Within these pillars are 16 “Musts” that identify the concrete, critical elements required for running a competent cybersecurity program. The 4 Pillars and the 16 Musts combined make up the “Framework Core,” which is designed to be applicable in any environment and for any organization and which is unlikely to change significantly over time.

About the forthcoming Framework Implementation Guide

A “Framework Implementation Guide” (FIG) is an audience-specific deep dive into how an organization would begin implementing the 16 Musts. FIGs provide detailed guidance and recommendations and are expected to be updated much more frequently than the Framework Core.

This Framework Implementation Guide is designed for direct use by research cyberinfrastructure operators. We define RCOs as organizations that operate on-premises, cloud-based, or hybrid computational and data/information management systems, instruments, visualization environments, networks, and/or other technologies that enable knowledge breakthroughs and discoveries. These include, but are not limited to, major research facilities, research computing centers within research institutions, and major computational resources that support research computing.

About the Framework Advisory Board (FAB)

As a product ultimately designed for use in the Research and Higher Education communities, this Framework Implementation Guide is being developed with significant input from stakeholders that represent a cross-section of the target audience. The Framework Advisory Board (FAB) includes 19 stakeholders with diverse interests and roles in the research and education communities. Over the course of 2020, Trusted CI’s Framework project team is engaging the FAB on a monthly basis, and the group is providing substantial inputs on the draft material. 

The Framework Advisory Board is:

Kay Avila (NCSA); Steve Barnet (IceCube); Tom Barton (University of Chicago); Jim Basney (NCSA); Jerry Brower (NOIRLab, Gemini Observatory); Jose Castilleja (NCAR / UCAR); Shafaq Chaudhry (UCF); Eric Cross (NSO); Carolyn Ellis (Purdue U.); Terry Fleury (NCSA); Paul Howell (Internet2); Tim Hudson (NEON / Battelle / Arctic); David Kelsey (UKRI/WISE); Tolgay Kizilelma (UC Merced); Nick Multari (PNNL); Adam Slagell (ESnet); Susan Sons (IU CACR); Alex Withers (NCSA / XSEDE); Melissa Woo (Michigan State U.)

Tuesday, December 8, 2020

Report on the Trusted CI 2020 NSF Cybersecurity Summit is now available

The Report of the 2020 NSF Cybersecurity Summit for Cyberinfrastructure and Large Facilities is now available at The report summarizes the eighth annual Summit, the first to be held entirely online, which took place September 22-24, 2020. The annual Summit provides a valuable opportunity for cybersecurity training and information exchange among members of the cybersecurity, cyberinfrastructure, and research communities who support NSF science projects. This sharing of challenges and experiences raises the level of cybersecurity awareness and gives Trusted CI important insights into current and evolving issues within the constituent communities.
This year’s Summit training and plenary sessions reiterated some observations from previous years such as the high value of community member interaction and knowledge share. Several presentations again noted the value of federated identity management in facilitating project collaboration. Also emphasized was the importance of workforce development but with a new highlight on the strength that diversity brings to teams. Other emerging trends that were noted among this year’s presentations included the threat presented by the rapid spread of misinformation and disinformation and a broadening of the focus on data confidentiality to include the value of data integrity 
Day 1 of the Summit was dedicated to half-day and full-day training sessions. Days 2 and 3 comprised plenary presentations, panels, and keynotes that focused on the security of cyberinfrastructure projects and NSF Large Facilities. Recordings of many of the Summit sessions are available on YouTube. Slides from a subset of the presentations are also available.
With 2020’s no-cost virtual format, this year’s attendance totaled 287 (up from 143 in-person attendees in 2019), representing 142 NSF projects and 16 of the 20 NSF Large Facilities. The total attendance includes a significant increase in student participation, with 27 students attending, up from ten in 2019. For more information on the 2020 Summit student attendees, please see the Trusted CI blog post Student Program at the 2020 NSF Cybersecurity Summit. Evaluation and feedback on the 2020 Summit were very positive, with many requests to continue offering a virtual attendance option in the future. As we begin planning for the 2021 Summit, we will be mindful of the conditions and options to determine meeting formats that we think will best serve the community’s needs at that time.

Monday, December 7, 2020

Trusted CI Webinar Series: Planning for 2021, review of 2020

The 2020 season of the Trusted CI Webinar series has concluded and we are looking forward to the presentations scheduled in the next year.

The following topics and have been booked in 2021:

  • January: SciTokens
  • February: Cyberattacks & the social sciences
  • March:  REED+ ecosystem
  • April: OSN and MGHPCC
  • May: Identifying Vulnerable GitHub Repositories
  • June: Trusted CI annual challenge - Software Assurance
  • July: Open Science Grid
  • August: NCSA's SOC Type 2 certification
  • September: Q-Factor project
  • October: Legal insights with Scott Russell
  • December: Trusted CI annual challenge - Software Assurance

In case you missed them, here are the webinars from 2020:

  • January ’20: REN-ISAC for Research Facilities & Projects with Kim Milford (Video)(Slides)
  • February ’20: FABRIC: Adaptive programmaBle networked Research Infrastructure for Computer science with Anita Nikolich (Video)(Slides)
  • March ’20: OnTimeURB: Multi-cloud Broker Framework for Creation of Secure and High-performance Science Gateways with Prasad Calyam (Video)(Slides)
  • April ’20: Trustworthy Decision Making and Artificial Intelligence with Arjan Durresi (Video)(Slides)
  • May ’20: Is your code safe from attack? with Barton Miller and Elisa Heymann (Video)(Slides)
  • June ’20: The ResearchSOC with Susan Sons (Video)(Slides)
  • July ’20: Whose line is it anyway? - Problem solving in complex networks with Doug Southworth (EPOC) (Video)(Slides)
  • August ’20: Transitioning Cybersecurity Research to Practice - Success stories and tools you can use,” with Patrick Traynor, Florence Hudson, and Ryan Kiser (Video)(Slides)
  • September ’20: Trusted CI Webinar: ACCORD: Integrating CI policy and mechanism to support research on sensitive data; with Ron Hutchinson, Tho Nguyen, Neal Magee (Video)(Slides)
  • October ’20: RDP: Enforcing Security and Privacy Policies to Protect Research Data with Yuan Tian (Video)(Slides)
  • October ’20: Cybersecurity Maturity Model Certification (CMMC) with Scott Russell (Video)(Slides)
  • December ’20: Trustworthy Data panel (Video)(Slides)
 Join Trusted CI''s announcements mailing list for information about upcoming events. Our complete catalog of webinars and other presentations are available on our YouTube channel.