Monday, March 1, 2021

Published: The Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators

On the behalf of Trusted CI, we are pleased and excited to announce the release of version 1.0 of the Trusted CI Framework Implementation Guide (FIG) for Research Cyberinfrastructure Operators (RCOs). This guide is the culmination of many years of accumulated experience conducting cybersecurity research, training, assessments, consultations, and collaborating closely with the research community. It has been reviewed and vetted by our Framework Advisory Board, a diverse collection of stakeholders from the research community. This launch of the first FIG represents a major step forward in advancing Trusted CI’s mission to enable trustworthy science through cybersecurity guidance, templates, and tools, empowering those projects to focus on their science endeavors. [1]

We also published a new Cybersecurity Program Strategic Plan template along with releasing significantly updated versions of the Incident Response Policy and Master Information Security Policy & Procedures templates.

Learn more about the Framework, download FIG v1.0, explore our templates and tools, offer feedback, and share your experiences by visiting [2]

About the Trusted CI Framework

The Trusted CI Framework is a tool to help organizations establish and refine their cybersecurity programs. In response to an abundance of guidance focused narrowly on cybersecurity controls, Trusted CI set out to develop a new framework that would empower organizations to confront cybersecurity from a mission-oriented, programmatic, and full organizational lifecycle perspective.

The Trusted CI Framework is structured around 4 Pillars which make up the foundation of a competent cybersecurity program: Mission Alignment, Governance, Resources, and Controls. 

Composing these pillars are 16 Musts that identify the concrete, critical requirements for establishing and running a competent cybersecurity program. The 4 Pillars and the 16 Musts combined make up the Framework Core, which is designed to be applicable in any environment and useful for any organization.

About the Framework Implementation Guide for Research Cyberinfrastructure Operators (RCOs)

This Framework Implementation Guide is designed for use by research cyberinfrastructure operators (RCOs). We define RCOs as organizations that operate on-premises, cloud-based, or hybrid computational and data/information management systems, scientific instruments, visualization environments, networks, and/or other technologies that enable knowledge breakthroughs and discoveries. These include, but are not limited to, major research facilities, research computing centers within research institutions, and major computational resources that support research computing. The chapters in this FIG provide RCOs with roadmaps for establishing mature cybersecurity programs, pointers to resources, and advice on overcoming potential challenges.

About the Framework Advisory Board (FAB)

As a product ultimately designed for use in the research and higher education communities, this Framework Implementation Guide was developed with significant input from stakeholders that represent a cross section of the target audience. This Framework Advisory Board (FAB) is a collection of 19 volunteers with diverse interests and roles in the research and education communities. From January 2020 through January 2021, Trusted CI’s Framework project team engaged the FAB on a monthly basis, conducting two meetings per month to accommodate the broad geographic distribution of all its members. The FAB provided substantial input, suggestions, questions, and critiques during the drafting of the FIG content. Based on this input from the FAB, the authors refined and published version 1.0.
The Framework Advisory Board is:

Kay Avila (NCSA); Steve Barnet (IceCube); Tom Barton (University of Chicago); Jim Basney (NCSA); Jerry Brower (NOIRLab, Gemini Observatory); Jose Castilleja (NCAR / UCAR); Shafaq Chaudhry (UCF); Eric Cross (NSO); Carolyn Ellis (Purdue U.); Terry Fleury (NCSA); Paul Howell (Internet2); Tim Hudson (NEON / Battelle / Arctic); David Kelsey (UKRI/WISE); Tolgay Kizilelma (UC Merced); Nick Multari (PNNL); Adam Slagell (ESnet); Susan Sons (IU CACR); Alex Withers (NCSA / XSEDE); Melissa Woo (Michigan State U.)

Thank you for your interest. We look forward to your feedback and hearing about your experiences with the Framework and FIG.


[1] A “Framework Implementation Guide” (FIG) is an audience-specific deep dive into how an organization would begin implementing the 16 Musts. FIGs provide detailed guidance and recommendations and are expected to be updated much more frequently than the Framework Core.

[2] This page now includes templates and tools from the “Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects” webpage. Visitors accessing the old “Guide” page will be redirected to the Framework webpage going forward. Finally, we are leveraging the Trusted CI Community to archive FIG v1.0. is a catch-all repository for open science and is funded by the European Commission via OpenAIRE ( and CERN (