Tuesday, March 30, 2021

Announcing the 2021 Trusted CI Annual Challenge on Software Assurance


The Trusted CI “Annual Challenge” is a year-long project focusing on a particular topic of importance to cybersecurity in scientific computing environments.  In its first year, the Trusted CI Annual Challenge focused on issues in trustworthy data.  Now, in its second year, the Annual Challenge is focusing on software assurance in scientific computing.

The scientific computing community develops large amounts of software.  At the largest scale, projects can have millions of lines of code.  The software used in scientific computing, and the vulnerabilities present in it, can be similar to those found in other domains.  At the same time, its developers have usually come from scientific domains rather than traditional software engineering backgrounds.  And, in comparison to other domains, there is often less emphasis on software assurance.

Trusted CI has a long history of addressing the software assurance of scientific software, both through engagements with individual scientific software teams and through courses and tutorials frequently taught at conferences and workshops by Elisa Heymann and Barton Miller of the University of Wisconsin-Madison.  This year’s Annual Challenge seeks to complement those existing efforts in a focused way and with a larger team.  Specifically, this year’s Annual Challenge seeks to broadly improve the robustness of software used in scientific computing with respect to security.  It will do this by spending the March–June 2021 timeframe engaging with developers of scientific software to understand the range of software development practices being used and identifying opportunities to improve practices and code implementation to minimize the risk of vulnerabilities.  In the second half of 2021, we will leverage our insights to develop a guide specifically aimed at the scientific software community that covers software assurance in a way most appropriate to that community.

We seek to optimize the impact of our efforts in 2021 by focusing our effort on software that is widely used, is situated in vulnerable locations, and is developed mostly by individuals who do not have traditional software engineering backgrounds and training.

This year’s Annual Challenge is supported by a stellar team of Trusted CI staff, including Andrew Adams (Pittsburgh Supercomputing Center), Kay Avila (National Center for Supercomputing Applications), Ritvik Bhawnani (University of Wisconsin-Madison), Elisa Heymann (University of Wisconsin-Madison), Mark Krenz (Indiana University), Jason Lee (Berkeley Lab/NERSC), Barton Miller (University of Wisconsin-Madison), and Sean Peisert (Berkeley Lab; 2021 Annual Challenge Project Lead).

Monday, March 29, 2021

Trusted CI and the CI CoE Pilot Complete Identity Management Engagement with GAGE

The Geodetic Facility for the Advancement of Geoscience (GAGE) is operated by UNAVCO and funded by the NSF and NASA. The GAGE project’s mission is to provide support to the larger NSF investigator community for geodesy, earth sciences research, education, and workforce development. During the second half of 2020, GAGE and the Trusted CI/CI CoE Identity Management working group collaborated on an engagement to design a working proof of concept for integrating federated identity into GAGE’s researcher data portal.

The Cyberinfrastructure Center of Excellence Pilot (CI CoE) is a Trusted CI partner, specializing in providing expertise and active support to CI practitioners at the NSF major facilities in order to accelerate the data lifecycle and ensure the integrity and effectiveness of the CI upon which research and discovery depend. The Identity Management working group is a joint effort between the CI CoE and Trusted CI to provide subject matter expertise and advice to major facilities on trust and identity issues, best practices, and implementation. The working group's target audience is NSF-funded major facilities, but participation in the working group is open to anyone in higher education and IAM.

The engagement began in July 2020 with a month-long series of interviews between working group members and GAGE department leadership. GAGE came into the engagement with a series of needs that had arisen from practice and with a request from NSF to collect information on how their research data was being used. The working group used the interviews to identify key systems and areas of impact in order to present GAGE with a design for integrating federated identity into their data portal using elements of InCommon’s Trusted Access Platform.

Over the next three months, the engagement team met with members of GAGE’s software development team, CILogon, and COmanage to finalize and implement the proof of concept design. This design used CILogon to consume federated identities from other InCommon member institutions and then used COmanage Registry to store GAGE-specific attributes for those identities: permissions for accessing various data groups, membership in research projects, and home institutions. Identities and attributes stored in COmanage could then be passed to the GAGE data portal as OIDC token claims, granting permissions appropriately at the time of access and allowing GAGE to track which identities were requesting what permissions for their data.

The engagement culminated with a 15-page report delivered to GAGE in February 2021 containing detailed observations from interviews, alternate design configurations and tools for the proof of concept, lessons learned through the implementation process, and identification of future opportunities for investment and collaboration in IAM. Additionally, findings from this engagement will be included in an IAM cookbook that the working group plans to release in 2022. The Identity Management working group meets monthly on the second Monday at 2pm Eastern time. For more information about the Identity Management working group, please see the Trusted CI IAM page, the CI CoE working group directory, or join our mailing list to receive updates on working group meetings and products.

GAGE is funded by an NSF award managed by the Division of Earth Sciences (Award #1724794) and is operated by UNAVCO. The CI CoE Pilot is supported by a grant managed by the NSF Office of Advanced Cyberinfrastructure (Award #1842042) and is a collaboration between the University of Southern California, University of North Carolina at Chapel Hill, University of Notre Dame, University of Utah, and Indiana University. The working group would like to thank the following institutions and organizations for their collaboration and contributions to the engagement: Internet2 and InCommon, the CILogon team, the COmanage team, and the Globus team.

Announcing the 2021 NSF Community Cybersecurity Benchmarking Survey

It's time again for the NSF Community Cybersecurity Benchmarking Survey (“Community Survey”). We’ve appreciated all the great participation in the past and look forward to seeing your responses again this year. The Community Survey, started in 2016, is a key tool used by Trusted CI to gauge the cybersecurity posture of the NSF science community. The twin goals of the Community Survey are: 1) To collect and aggregate information about the state of cybersecurity for NSF projects and facilities; and 2) To produce a report analyzing the results, which will help the community level-set and provide Trusted CI and other stakeholders a richer understanding of the community’s cybersecurity posture. (To view the previous years’ reports, see 2019 Report, 2017 Report, and 2016 Report.) To ensure the survey report is of maximum utility, we want to encourage a high level of participation, particularly from NSF Major Facilities. Please note that we are aggregating responses and minimizing the amount of project-identifying information we’re collecting, and any data that is released will be anonymized.

Survey Link: https://docs.google.com/forms/d/e/1FAIpQLSeooNKQdKx-W5kRol0vTYq0oLogBaT5Sy0G2tG6LwGWSoLc3g/viewform?usp=sf_link

Each NSF project or facility should submit only a single response to this survey. Completing the survey may require input from the PI, the IT manager, and/or the person responsible for cybersecurity (if those separate areas of responsibility exist). While answering specific questions is optional, we strongly encourage you to take the time to respond as completely and accurately as possible. If you prefer not to respond to or are unable to answer a particular question, we ask that you make that explicit (e.g., by using “other:” inputs) and provide your reason.

The response period closes June 30, 2021.

Thank you.


Wednesday, March 24, 2021

Trusted CI’s Large Facilities Security Team Update Spring 2021


Trusted CI continues to address the cybersecurity needs of NSF’s Large Facilities (LFs) by coordinating the Large Facilities Security Team (LFST). The LFST comprises representatives from each of the LFs who are responsible for cybersecurity at their sites. The primary goal of the LFST is to encourage sharing of best practices, policies, and technologies among the team members to further cybersecurity at each of the LFs.

Communication among LFST participants is via a dedicated email list and monthly calls. Call format is either a facilitated discussion of a pre-selected topic or a presentation followed by Q&A. Topics during the past year included COVID-19 pandemic-related cybersecurity issues and response, a ResearchSOC overview, cybersecurity policy development, risk assessment, asset categorization, and supply chain vulnerability. The Trusted CI facilitators actively encourage input from all LFST members during these monthly calls, often producing informative insights on similarities and differences among site priorities and practices.

In service to the broader NSF cybersecurity community, input from the LFST was valuable to development of Trusted CI’s recently released Framework Implementation Guide for Research Cyberinfrastructure Operators. The team is reviewing NSF’s proposed revision to the Major Facilities Guide, which is currently open for comment.

We look forward to another year of learning and active cybersecurity collaboration among NSF’s Large Facilities!

For more information, or to join the LFST, email benninger@psc.edu or info@trustedci.org.


Tuesday, March 23, 2021

Trusted CI Begins Engagement with PATh

The Partnership to Advance Throughput and Computing (PATh) is a project funded by NSF’s OAC Campus Cyberinfrastructure (CC*) program and brings together the Center for High Throughput Computing (CHTC) and the Open Science Grid (OSG) in order to advance the nation’s campuses and science communities through the use of distributed High Throughput Computing. The PATh project offers technologies and services that enable researchers to harness through a single interface, and from the comfort of their “home directory”, computing capacity offered by a global and diverse collection of resources.

PATh is collaborating with Trusted CI on adapting and rewriting PATh’s security program. Through a pre-kickoff meeting and the proposed security program plan PATh submitted to the NSF, we have prioritized their needs as a set of tasks that outline the goals of the engagement, specifically:

  • Working through the Trusted CI Information Security Program Evaluation in order to evaluate PATh’s understanding of their system
  • Assessing the existing security plan and current OSG policies
  • Revising relevant policies and superseding outdated policies with new documents reflecting the current and planned future operations of OSG and PATh
  • Aligning with the Trusted CI Framework
  • Placing additional focus and emphasis on resiliency and availability of services, including monitoring, backups, disaster recovery, and operational upgrades and redundancy

The engagement began in January 2021 and will run until the end of June 2021.

Thursday, March 18, 2021

PEARC21: Trusted CI Call For Proposals at the 5th Workshop on Trustworthy Scientific Cyberinfrastructure

Trusted CI has opened a call for proposals for its Fifth Workshop on Trustworthy Scientific Cyberinfrastructure at PEARC21.

The workshop represents an opportunity for sharing experiences, recommendations, and solutions for addressing cybersecurity challenges in research computing.

The half-day (3 hour) workshop provides a forum for information sharing and discussion among a broad range of attendees, including cyberinfrastructure operators, developers, and users.

The workshop is organized according to the following goals:

  • Increase awareness of activities and resources that support the research computing community's cybersecurity needs.
  • Share information about cybersecurity challenges, opportunities, and solutions among a broad range of participants in the research computing community.
  • Identify shared cybersecurity approaches and priorities among workshop participants through interactive discussions.

Implementing cybersecurity for open science across the diversity of scientific research projects presents a significant challenge. There is no one-size-fits-all approach to cybersecurity for open science that the research community can adopt. Even NSF Major Facilities, the largest of the NSF projects, struggle to develop effective cybersecurity programs. To address this challenge, practical approaches are needed to manage risks while providing both flexibility for project-specific adaptations and access to the necessary knowledge and human resources for implementation. This workshop brings community members together to further develop a cybersecurity ecosystem, formed of people, practical knowledge, processes, and cyberinfrastructure, that enables research projects to both manage cybersecurity risks and produce trustworthy science.

Submissions

Program content for the workshop is driven by the community. We invite submissions of proposals for a series of 30-minute workshop presentations (a 20-minute presentation followed by 10 minutes of discussion for each topic) in the form of one-page abstracts submitted by email to workshop-cfp@trustedci.org. Submissions should include the name, affiliation, and email of the presenter(s) along with the title and a short description of the topic to be presented.

Presentations will be selected by the program committee based on technical quality, novelty, and relevance to PEARC21 attendees. Presentation materials will be published at https://trustedci.org/pearc21-workshop for dissemination beyond the workshop attendees. Permission will be requested from all presenters to allow redistribution of slides and allow sharing of photos from the event. By submitting a proposal, presenters agree to allow redistribution of slides and allow sharing of photos from the event, if their proposal is accepted.

Presentations may be submitted to both this workshop and the NSF Cybersecurity Summit (https://trustedci.org/summit) for broader information sharing to attendees of both events.

Topics of interest for the workshop include but are not limited to:

  • cybersecurity program development for NSF projects and facilities
  • risk assessment results from NSF projects and facilities
  • identity and access management solutions for NSF projects and facilities
  • security challenges/experiences/solutions for science gateways
  • transition to practice of cybersecurity research
  • secure software development practices/experiences for research computing
  • developing compliance programs for research on campus
  • incident response lessons learned in the research computing community
  • new or emerging cybersecurity technologies applicable to research computing
  • cybersecurity outreach, education, and training in the research computing community
  • cybersecurity workforce development in the research computing community

Important Dates

Submission Deadline: Monday June 14th, 2021
Notification of Acceptance: Wednesday June 30th, 2021

Program Committee

Jim Basney (NCSA)
Kathy Benninger (PSC)
Dana Brunson (Internet2)
Barton Miller (UW-Madison)
Sean Peisert (LBNL)
Von Welch (Indiana University)

About the Workshop Series

This is the fifth workshop in the series. The workshop has been held previously at PEARC17 through PEARC20. There were 52 attendees at the workshop last year. Please visit https://trustedci.org/workshops for materials from prior workshops.

Wednesday, March 17, 2021

Trusted CI TTP Playbook v1.0 Released

We have published version 1.0 of the Trusted CI Transition to Practice Playbook at https://trustedci.org/ttp. The purpose of the playbook is to provide guidance on the use of tools and techniques (the “plays”) that enable researchers to advance their research toward practical cybersecurity applications. The tools currently included in the playbook are:

  • The Transition to Practice TRL Assessment Tool, which is used to assess the maturity of a research prototype or product.
  • The Transition to Practice Canvas, a brainstorming tool that can be used to describe a model for developing and sustaining the technology.
  • A set of activity planning examples that can be used as a reference when filling out a canvas.

We will continue to work with the Trusted CI TTP cohort members to develop additional plays and to refine existing plays. If you are a researcher who would like to be involved in the cohort, or a security practitioner who is interested in applying research to your security challenges, you can contact Ryan Kiser at rlkiser@iu.edu.

Monday, March 15, 2021

Trusted CI webinar: REED+ Purdue's Evolution From a CUI Environment to an Ecosystem to a Community, Mon Mar 29 @11am Eastern

Members of Purdue University are presenting the talk, REED+ Purdue's Evolution From a CUI Environment to an Ecosystem to a Community, on Monday March 29th at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.

Purdue has made giant leaps in the growth of their Regulated Research Program (REED+) in the past several years. Quite possibly the boldest was the transition from a widely described NIST 800-171 AWS GovCloud environment to an on-prem HPC cluster. We’ll share what led to this noteworthy redesign, and what lessons have been learned in the year since this transition.

The REED+ framework integrates NIST SP 800-171 and other related NIST publications as the foundation of the framework. This framework serves as a standard for campus IT to align with security regulations and best practices, creates a single process for intake and contracting, and facilitates easy mapping of controlled research to CI resources for the sponsored programs office, human subjects office, and export control office. The framework allows researchers to experience faster intake of new funded projects and be more competitive for research dollars. We’ll share our best practices and processes.

Looking beyond a single institution, Purdue REED+ has been leading a facilitated regulated research series of six small workshops. These have gathered expertise from around the country to discuss the challenges and successes within each institution’s regulated research program. We’ll share how we’ve structured these workshops, which are bringing together experience that largely still exists hidden at the institutions.

Note: This presentation is a return visit for the REED+ team. Their 2019 presentation is available on YouTube.

Speaker Bios:

Carolyn Ellis is a Program Manager at Purdue University focusing on strengthening their Regulated Research Program. Over the last four years she has grown the program from a single project to a thriving ecosystem handling various regulations such as HIPAA and NIST 800-171. Carolyn is passionate about efforts growing future leaders within CUI Community Development, and about mentoring with both EDUCAUSE Women in IT and WiCyS (Women in Cybersecurity).

Dr. Baijian “Justin” Yang is currently an Associate Professor in the Department of Computer and Information Technology, Purdue University, West Lafayette. He served as a steering member of the IEEE Cybersecurity Initiative from 2015 to 2017 and was a board director of ATMAE from 2014 to 2016. His research interests include applied machine learning, big data, and cybersecurity. He also holds several industry certifications, such as CISSP, MCSE, and Six Sigma Black Belt.

Preston Smith is the Executive Director of Research Computing at Purdue University. Supporting over 180 HPC faculty, and 550 labs using research data systems, Purdue's Community Cluster program is a pioneering program for delivering "condo-style" HPC. At Purdue, his organization designs, builds, and operates compute systems, and delivers advanced research support to the campus community.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."


Thursday, March 11, 2021

Continuing Professional Education opportunities with Trusted CI

This year we began a project to distribute documentation of participation in Trusted CI activities to help community members manage their continuing professional education (often referred to as CPE or CPEs). This documentation may qualify for credit toward a security certification, course requirement, or professional development plan with an employer.

Trusted CI activities that may qualify for credit include:

  • Attending the Trusted CI NSF Cybersecurity Summit
  • Attending Trusted CI training events
  • Attending Trusted CI webinars
  • Collaboration with Trusted CI on a published report
  • Acceptance and participation in the Trusted CI Fellows program

Note: Trusted CI advises community members to seek approval from appropriate officials when submitting documentation to satisfy any certification, course requirement, or professional development program. For questions, contact cpe@trustedci.org.

What certifications are community members pursuing?

Based on a recent survey, community members are seeking certification in the following programs:

How do I receive credit for participating in Trusted CI activities?

Trusted CI uses Badgr to distribute badges to community members. These badges can be downloaded, exported as a certificate, or shared on social and professional media platforms. To view the badges that have been issued thus far, see Trusted CI’s Badgr page. For more information about Badgr, see the Badgr Knowledge Base. For questions about Trusted CI badges, contact us at cpe@trustedci.org.

We welcome your feedback.

This is a new project and we are learning as it progresses. If you have any questions or suggestions, contact us at cpe@trustedci.org. Updates to the program will be posted to our CPE webpage.

Monday, March 1, 2021

Published: The Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators


On behalf of Trusted CI, we are pleased and excited to announce the release of version 1.0 of the Trusted CI Framework Implementation Guide (FIG) for Research Cyberinfrastructure Operators (RCOs). This guide is the culmination of many years of accumulated experience conducting cybersecurity research, training, assessments, and consultations, and collaborating closely with the research community. It has been reviewed and vetted by our Framework Advisory Board, a diverse collection of stakeholders from the research community. This launch of the first FIG represents a major step forward in advancing Trusted CI’s mission to enable trustworthy science through cybersecurity guidance, templates, and tools, empowering projects to focus on their science endeavors. [1]

We also published a new Cybersecurity Program Strategic Plan template along with releasing significantly updated versions of the Incident Response Policy and Master Information Security Policy & Procedures templates.

Learn more about the Framework, download FIG v1.0, explore our templates and tools, offer feedback, and share your experiences by visiting https://www.trustedci.org/framework. [2]

About the Trusted CI Framework


The Trusted CI Framework is a tool to help organizations establish and refine their cybersecurity programs. In response to an abundance of guidance focused narrowly on cybersecurity controls, Trusted CI set out to develop a new framework that would empower organizations to confront cybersecurity from a mission-oriented, programmatic, and full organizational lifecycle perspective.

The Trusted CI Framework is structured around 4 Pillars which make up the foundation of a competent cybersecurity program: Mission Alignment, Governance, Resources, and Controls.

Composing these pillars are 16 Musts that identify the concrete, critical requirements for establishing and running a competent cybersecurity program. The 4 Pillars and the 16 Musts combined make up the Framework Core, which is designed to be applicable in any environment and useful for any organization.

About the Framework Implementation Guide for Research Cyberinfrastructure Operators (RCOs)


This Framework Implementation Guide is designed for use by research cyberinfrastructure operators (RCOs). We define RCOs as organizations that operate on-premises, cloud-based, or hybrid computational and data/information management systems, scientific instruments, visualization environments, networks, and/or other technologies that enable knowledge breakthroughs and discoveries. These include, but are not limited to, major research facilities, research computing centers within research institutions, and major computational resources that support research computing. The chapters in this FIG provide RCOs with roadmaps for establishing mature cybersecurity programs, pointers to resources, and advice on overcoming potential challenges.

About the Framework Advisory Board (FAB)


As a product ultimately designed for use in the research and higher education communities, this Framework Implementation Guide was developed with significant input from stakeholders that represent a cross section of the target audience. This Framework Advisory Board (FAB) is a collection of 19 volunteers with diverse interests and roles in the research and education communities. From January 2020 through January 2021, Trusted CI’s Framework project team engaged the FAB on a monthly basis, conducting two meetings per month to accommodate the broad geographic distribution of all its members. The FAB provided substantial input, suggestions, questions, and critiques during the drafting of the FIG content. Based on this input from the FAB, the authors refined and published version 1.0.
The Framework Advisory Board is:

Kay Avila (NCSA); Steve Barnet (IceCube); Tom Barton (University of Chicago); Jim Basney (NCSA); Jerry Brower (NOIRLab, Gemini Observatory); Jose Castilleja (NCAR / UCAR); Shafaq Chaudhry (UCF); Eric Cross (NSO); Carolyn Ellis (Purdue U.); Terry Fleury (NCSA); Paul Howell (Internet2); Tim Hudson (NEON / Battelle / Arctic); David Kelsey (UKRI/WISE); Tolgay Kizilelma (UC Merced); Nick Multari (PNNL); Adam Slagell (ESnet); Susan Sons (IU CACR); Alex Withers (NCSA / XSEDE); Melissa Woo (Michigan State U.)

Thank you for your interest. We look forward to your feedback and hearing about your experiences with the Framework and FIG.

***

[1] A “Framework Implementation Guide” (FIG) is an audience-specific deep dive into how an organization would begin implementing the 16 Musts. FIGs provide detailed guidance and recommendations and are expected to be updated much more frequently than the Framework Core.

[2] This page now includes templates and tools from the “Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects” webpage. Visitors accessing the old “Guide” page will be redirected to the Framework webpage going forward. Finally, we are leveraging the Zenodo.org Trusted CI Community to archive FIG v1.0. Zenodo.org is a catch-all repository for open science and is funded by the European Commission via OpenAIRE (https://www.openaire.eu/about) and CERN (https://home.cern/about).