Trusted CI Blog: 2022

Thursday, December 15, 2022

Trusted CI Webinar Series: Planning for 2023, review of 2022

The 2022 season of the Trusted CI Webinar series has concluded and we are looking forward to the presentations scheduled in the next year.

The following topics and speakers have been booked in 2023 so far:

January: Real-Time Operating System and Network Security for Scientific Middleware with Gedare Bloom (NSF Award #2001789)
February: Security Program for the NIH’s Common Fund Data Ecosystem with Rick Wagner
March: Mutually Agreed Norms for Routing Security (MANRS) with Steven Wallace
April: Advanced Cyberinfrastructure Coordination Ecosystem: Services and Support (ACCESS) with Derek Simmel and Alex Withers (NSF Award #2138296)
May: Deception Awareness and Resilience Training (DART) with Anita Nikolich (NSF Award #2230494)
September: Improving the Privacy and Security of Data for Wastewater-based Epidemiology with Stephanie Forrest and Ni Trieu (NSF Award #2115075)
October: Enhancing Integrity and Confidentiality for Secure Distributed Data Sharing (Open Science Chain) with Subhashini Sivagnanam (NSF Award #2114202)

In case you missed them, here are the webinars from 2022:

January ‘22: EDUCAUSE HECVAT v3 and OSC engagement with Kyle Early and Charles Escue (Video)(Slides)
February ‘22: The Results of the Trusted CI Annual Challenge on Software with Sean Peisert, Elisa Heymann, and Barton Miller (Video)(Slides)
April ’22: Updates from the Trusted CI Framework Cohort with Scott Russell (Video)(Slides)
June ‘22: Ransomware with REN-ISAC’s Sarah Bigham and Krysten Stevens (Video)(Slides)
August ‘22: CIS Controls with Trusted CI (Video)(Slides)
September ‘22: Lowering the Barrier to Entry for Regulated Research Through Community Building with Carolyn Ellis and Erik Deumens (Video)(Slides)
December 5th: Science DMZ Engagement with University of Arkansas (Video)(Slides)

Join Trusted CI's announcements mailing list for information about upcoming events. Our complete catalog of webinars and other presentations are available on our YouTube channel. See our call for presentations to submit a request to present. For questions or feedback, email us at webinars@trustedci.org.

2022 NSF Cybersecurity Summit Report now available

NSF scientists, researchers, cybersecurity, and cyberinfrastructure professionals and stakeholders gathered once again for the 2022 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure. Trusted CI, NSF’s Cybersecurity Center of Excellence, celebrated the 10th anniversary of hosting the Summit.

The 2022 Summit was held October 18-20 in person in Bloomington, IN with a virtual option available for Plenary 1 and 2. The 2022 Summit hosted 224 attendees, including 17 students, and 12 of 17 NSF Large Facilities. Framework adoption, Operational Technology, and preparing for AI were important themes at the Summit.

The Trusted CI team looks forward to an in-person Summit in Berkeley, CA, October 23-27, 2023, along with a virtual attendance option, so we can continue to advance the mission of the NSF science community.

Click here to see the 2022 Summit report.

Sunday, November 20, 2022

Trusted CI Webinar: Science DMZ Engagement with University of Arkansas, December 5th @11am EST

Mark Krenz and Don DuRousseau will be presenting the talk, Science DMZ Engagement with University of Arkansas, December 5th at 11am (Eastern).

Please register here.

A Science DMZ is a special network architecture designed to improve the speed at which large science data transfers can be made over the Internet while maintaining security of the assets. This webinar will provide an overview of the Science DMZ architecture, how to secure it, and cover use cases such as the statewide science network in Arkansas.

Speaker Bios:

Mark Krenz: Mark Krenz is the Chief Security Analyst at the Indiana University Center for Applied Cybersecurity Research and the Deputy CISO of Trusted CI. He is focused on cybersecurity operations, research and education. He has more than two decades of experience in system and network administration and has spent the last decade focused on cybersecurity.

Don DuRousseau: Don is Director of Research Technology at the University of Arkansas. He has over 20 years leadership experience in research technologies, cyberinfrastructures, cybersecurity, and informatics. He is an active researcher and contributor in areas of programmable networking, advanced computing, bioinformatics, and human systems engineering. He leads the NSF CC* CIRA: Shared Arkansas Research Plan for Community Cyberinfrastructure (SHARP) project in planning the statewide research cyberinfrastructure (RCI) operations and researcher training and support strategy for providing HPC and other research resources and services to all the universities and colleges in Arkansas.

Don was responsible for the operation and growth of the 100-G R&E Network (CAAREN) Capital Area Advanced Research and Education Network in Washington D.C. In addition, he led the operations of the HPC resources and distributed support services on campus and built the Capital Region Advanced Cyber Range (CRACR) through the NSF CICI: Regional: Substrate for Cybersecurity Education; a Path to Training, Research and Experimentation project carried out at The George Washington University.

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Friday, November 18, 2022

Deadline extended until Friday Dec. 2- Trusted CI 2023 Fellows Program Application

We are now pleased to announce the call for applications for our 2023 Trusted CI Fellows.

Another cohort of six Fellows will receive training from and work closely with Trusted CI to expand their own understanding of trustworthy science and further empower the NSF community to secure its own research.

Applications are now open for the 5th round of Trusted CI Fellows! You can learn more about our Fellows program by visiting our website..

The deadline for applications is Friday, Dec 2. Click here to apply for the program.
Trusted CI’s first three cohorts of Fellows have been an amazing success with twenty Fellows from various fields, including:

Research technologies

Astrophysics

Criminal justice

Network and combinatorial optimization

and computer engineering.

Click here to view our 2019, 2020, 2021, and 2022 Fellows

Thursday, November 17, 2022

Student Program at the 2022 NSF Cybersecurity Summit

In October we hosted our annual NSF Cybersecurity Summit. This year’s Summit was a hybrid event hosted at the Monroe Convention Center in Bloomington, IN. It was our first Summit with a face-to-face component since 2019. Our student program welcomed ten students to attend the in-person training sessions, network with fellow attendees, and introduce themselves to our community. We also matched students with mentors to help facilitate networking opportunities.

We give special thanks to our mentors: Ishan Abhinit, Fatema Bannat Wala, Mark Krenz, and Jim Marsteller.

We asked the students to share their thoughts on their experiences at the Summit. Below is a selection of their responses. These statements have been lightly edited for clarity.

Jacob Abbott, Indiana University, PhD in Informatics

While at the 2022 NSF Cybersecurity Summit I attended the “Regulatory Compliance for Research,” and “Physical Security,” workshops that gave substantial information before the plenary sessions started. During the course of the event, I was able to meet Doug Ertz from UNAVCO and we realized that we have a mutual acquaintance in industry and we both have mentored students in partnership with the Center of Excellence for Women & Technology. Hearing discussions from professionals in different research areas and backgrounds, such as one presentation about all the facilities and requirements for high powered magnetic field generators, was very interesting and just shows how ubiquitous the issues of cybersecurity are for everyone.

Jessy Ayala, UC Irvine, PhD in Software engineering

At the 2022 NSF Cybersecurity Summit, I had the pleasure of networking with student peers from different universities, professors, and cybersecurity professionals. It was a great opportunity to have fruitful conversations with those who tackle security problems from a different perspective and overall learn about relevant issues we face today because of emerging, and pre-existing, technologies. I'm glad I can keep in touch with some of the people I met and look forward to any collaborations that may arise.

Tria Correll, Middle Georgia State U, Bachelor's in Information Technology

Besides the knowledge I gained from the pre-conference training, the biggest takeaway from attending the 2022 NSF Cybersecurity Summit was the opportunity to connect with fellow cybersecurity students and professionals. I learned a great deal about the importance of physical security and gained insight into why there are security risks when using a command line interface. I hope I'm able to attend next year's Summit in Berkeley, CA.

Xinyao Ma, Indiana University Bloomington, PhD in Security Informatics/Data Science

My research interests focus on usable security, and how to help people safely use the Internet from a user's angle. It was my first time attending such a great Summit and having the chance to meet so many people who are also working and researching in the cybersecurity field. I attended two very useful workshops, got to know many people that I haven't had a chance to meet, and learned a lot about what other cybersecurity people are doing. I'm a Ph.D. student in the usable security area, and most times, I have to work and study alone. Most connections come from my school and the lab. The Summit gave me a chance to get to know many other students and professors who also work in this area, and especially thanks to my mentor James Marsteller, who was really nice when I was afraid because I didn't know anyone before.

Rajvardhan Oak, UC Davis, PhD in Computer Science

The 2022 NSF Cybersecurity Summit was a great learning experience for me. It was an opportunity to learn cyber security skills through theory as well as hands-on exercises and keep up to speed with the latest in the field. It was also an excellent forum to network with industry professionals, fellow students and faculty. This has resulted in a fruitful collaboration for me; I am currently in touch with a fellow student and in the process of designing a research project in cyber security. I’m very fortunate that I was able to attend the Summit!

Harsh Parekh, Louisiana State University, PhD in Information Systems

2022 NSF Cybersecurity Summit's student program had an eclectic mix of students from diverse academic backgrounds. The Summit gave me immense networking opportunities with interdisciplinary researchers and practitioners in the cybersecurity space. I have already started some collaborative research projects through networking made possible through the Summit. Being a behavioral security researcher, I had a limited understanding of technical and developmental cybersecurity research which was rightly introduced through workshops such as log analysis and machine learning in cybersecurity. The student program was well planned with designated mentors, Summit events, social nights, and a tour of IU's massive data center. I really enjoyed my time in Bloomington and would like to be associated with the Summit in the future.

Mahmoud Shabana, NYU Tandon School of Engineering, MS Cybersecurity

The NSF Cybersecurity Summit was a great experience as my first in-person cybersecurity conference! I was fortunate to learn about how machine learning can be pivotal in implementing cyber defense tools, as well as new security techniques in log analysis. Outside of workshops, I got to meet professionals in all fields of security research and development. Connecting with current security researchers and practitioners has helped expand my network in security and learn from leading experts from around the world!

Joshua Thornburgh, University of Arkansas, MS in Computer Science

This Summit was the first of its kind for me to attend. Coming into it, I wasn’t sure what to expect or what the Trusted CI Framework was really about, not to mention a bit of imposter syndrome for even being invited. That was quickly dissolved once I began speaking with people. Everyone was extremely nice and had loads of wisdom to share. Having sat through the workshops for both machine learning in cybersecurity and the overview of the Framework, I can say with confidence that what I gained will really aid in my future paths. While the Trusted CI Framework is currently not something I can utilize as a student, that I have seen yet, I will carry it with me for when I do need it. Coming to the 2022 NSF Cybersecurity Summit was a true honor and I look forward to participating in this community in the future.

Alexs Wijoyo, Pace University, MS in Cybersecurity

The NSF Summit brought much clarity to the impact of cybersecurity at every scale no matter what industry you are in. Interacting with many of the individuals that were in charge of implementing the TrustedCI Framework and the mentors, I learned that there's always a place for security even at the lowest level. I learned many skills in the pre-conference workshops regarding command line security and log analysis with the use of ELK Stack as well as making many memories with the peers that I was able to spend my time with. My best moment is touring the University of Indiana data center and looking at the infrastructure that the school has built to support the endeavors of the staff and their students.

Alenna Zweiback, Indiana University, Bachelor's in Information Systems and Cybersecurity

I had an incredibly influential experience at the 2022 NSF Cybersecurity Summit. Prior to the conference, I was interested in learning more about how I can further my skills and career development in cybersecurity. By attending this conference, I was able to meet a variety of like-minded students, professors, researchers, consultants, and many other unique individuals. I became mindful of new internship opportunities. I envisioned long-term career paths. Throughout the conference, I absorbed just how necessary it is for more people to be aware and involved in cybersecurity. My biggest takeaway from this conference was from keynote speaker, Helen Patton. When discussing the evolution of cybersecurity she quoted Mikko Hyppon in saying, “We are no longer securing just computers - we are securing the society.” By attending this conference, I was able to take one more step in educating society.

We are so proud of our student attendees and look forward to what they do in the future.

Wednesday, November 16, 2022

Publication of the Trusted CI Roadmap for Securing Operational Technology in NSF Scientific Research

Trusted CI is pleased to announce the publication of its Roadmap for Securing Operational Technology in NSF Scientific Research.

In 2022, Trusted CI conducted a year-long effort examining the security of operational technology in science. Operational technology (OT) encompasses broad categories of computing and communication systems that in some way interact with the physical world. This includes devices that either have sensing elements or control elements, or some combination of the two, and can include both bespoke scientific instrumentation as well as commercially-produced OT. In both cases, networked sensors and control systems are increasingly important in the context of science as they are critical in operating Major Facilities.

Trusted CI’s approach to this effort was to spend the first half of 2022 engaging with NSF personnel and operators of OT at NSF Major Facilities to understand the range of operational practices and evaluate potential deficiencies that lead to vulnerabilities and compromises. In the second half of 2022, leveraged our insights from the first half to develop a roadmap of solutions to sustainably advance security of scientific operational technology. The audiences for this roadmap include NSF, NSF Major Facilities, and Trusted CI itself.

In July 2022, Trusted CI published its findings from its study of the security of operational technology in science, conducted in the first half of 2022.

Emily K. Adams, Daniel Gunter, Ryan Kiser, Mark Krenz, Sean Peisert, Susan Sons, andJohn Zage. “Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research,” July 13, 2022. DOI: 10.5281/zenodo.6828675 https://doi.org/10.5281/zenodo.6828675

Now, with the publication of this roadmap, Trusted CI aims to help NSF operational technology in cyberinfrastructure advance toward solutions. The full citation for the solutions roadmap is as follows:

Andrew Adams, Emily K. Adams, Dan Gunter, Ryan Kiser, Mark Krenz, Sean Peisert, and John Zage. “Roadmap for Securing Operational Technology in NSF Scientific Research,” November 16 2022. DOI: 10.5281/zenodo.7327987 https://doi.org/10.5281/zenodo.7327987

Trusted CI gratefully acknowledges the many individuals from NSF as well as the following NSF Major Facilities that contributed to the year-long effort that has led to this roadmap: IceCube Neutrino Observatory, NOIRLab, Ocean Observatories Initiative, United States Academic Research Fleet, and the United States Antarctic Program.

In 2023, Trusted CI will turn its focus toward working closely with several maritime-centric NSF Major Facilities and Major Research Equipment and Facilities Construction (MREFC) projects to offer guidance and recommendations for integrating operational technology security into those facilities for planning, design, and construction of new and refreshed facilities and instrumentation therein.

Tuesday, November 1, 2022

Open Science Cyber Risk Profile (OSCRP) Updated with Science DMZ, Software Assurance, Operational Technology, and Cloud Computing Elements

Trusted CI has released an updated version of the Open Science Cyber Risk Profile (OSCRP), with additions based on insights from its 2021 study of scientific software assurance:

Andrew Adams, Kay Avila, Elisa Heymann, Mark Krenz, Jason R. Lee, Barton Miller, and Sean Peisert. “The State of the Scientific Software World: Findings of the 2021 Trusted CI Software Assurance Annual Challenge Interviews,” September 2021. https://hdl.handle.net/2022/26799

Andrew Adams, Kay Avila, Elisa Heymann, Mark Krenz, Jason R. Lee, Barton Miller, and Sean Peisert. “Guide to Securing Scientific Software,” December 2021. DOI: 10.5281/zenodo.5777646

…and its 2022 study on scientific operational technology:

Emily K. Adams, Daniel Gunter, Ryan Kiser, Mark Krenz, Sean Peisert, Susan Sons, and John Zage. “Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research,” July 13, 2022. DOI: 10.5281/zenodo.6828675

A new section on risk profiling of cloud computing was also added. The full reference for the OSCRP is:

Sean Peisert, Von Welch, Andrew Adams, RuthAnne Bevier, Michael Dopheide, Rich LeDuc, Pascal Meunier, Steve Schwab, and Karen Stocks. Open Science Cyber Risk Profile (OSCRP), Version 1.3.3. October 2022. DOI: 10.5281/zenodo.7268749

The OSCRP is a document, initially released in 2017, designed to help principal investigators and their supporting information technology professionals assess cybersecurity risks related to open science projects. The OSCRP was the culmination of extensive discussions with research and education community leaders, and has since become a widely-used resource, including numerous references in recent National Science Foundation (NSF) solicitations.

The OSCRP is a living document and will continue to be refreshed as technology and threats change, and as new insights are acquired.

Comments, questions, and suggestions about this post, and both documents are always welcome at info@trustedci.org.

Friday, October 21, 2022

Trusted CI 2023 Fellows Program Application is open

We are now pleased to announce the call for applications for our 2023 Trusted CI Fellows.

Another cohort of six Fellows will receive training from and work closely with Trusted CI to expand their own understanding of trustworthy science and further empower the NSF community to secure its own research.

Applications are now open for the 5th round of Trusted CI Fellows! You can learn more about our Fellows program by visiting our website..

The deadline for applications is Friday Nov 18^th . Click here to apply for the program.
Trusted CI’s first three cohorts of Fellows have been an amazing success with twenty Fellows from various fields, including:
Research technologies
Astrophysics
Criminal justice
Network and combinatorial optimization
and computer engineering.
Click here to view our 2019 , 2020, 2021 and 2022 Fellows

Friday, September 30, 2022

Trusted CI at 2022 NSF Research Infrastructure Workshop in Boulder

Earlier this month, members of Trusted CI presented a workshop at the NSF 2022 Research Infrastructure Workshop in Boulder, Colorado.

The Research Infrastructure Workshop was a four-day event on safety, cyberinfrastructure, cybersecurity, and science communication. The hybrid event included a poster session, social gatherings, site tours of NCAR’s Research Aviation Facility, GAGE, and NEON, and virtual ice breaker and speed dating sessions to facilitate networking opportunities for everyone. Several members of Trusted CI attended the multi-day event, making new connections with operational and senior leadership at major facilities, midscale facilities, and the NSF.

Our workshop on Friday targeted cyber security officers and focused on the JASON advisory report on Cybersecurity at NSF Major Facilities, cybersecurity guidelines in the Research Infrastructure Guide (RIG), a panel on building a cybersecurity program using the Trusted CI Framework, ransomware, and how the ResearchSOC supports NSF major facilities.

Representatives from the NSF, NRAO, OOI, GAGE, and the ResearchSOC presented and participated during the workshop. We thank Craig Risien (OOI), Wade Craig (NRAO), and Doug Ertz (GAGE) for participating in the Framework panel.

Trusted CI’s partner, CI Compass, led a cyberinfrastructure workshop earlier in the day that included panels on data management and workforce development.

We are grateful to the event organizers for giving us the opportunity to present, as well as meeting with our community members, both online and in-person.

Slides and videos from the event will be posted to the NSF Research Infrastructure Knowledge Sharing Gateway when they become available.

Trusted CI's Jim Basney and NSF's Jim Ulvestad

Monday, September 19, 2022

Trusted CI Presenting at CENIC 2022, Streaming Option Available

Trusted CI Deputy Director and Co-PI Sean Peisert is presenting the talk, “Experiences with Adoption and Implementation of the Trusted CI Framework,” at the 2022 CENIC Annual Conference on Monday September 26th at 11:50 a.m. (Pacific) in the Main Ballroom. This talk will be available for streaming (click here for streaming instructions).

CENIC is the Corporation for Education Network Initiatives in California. It is a non-profit corporation formed to provide high-performance, high-bandwidth networking services to California universities and research institutions. CENIC 2022, “brings together CENIC’s richly diverse community, with participants from all education segments, including public and private research universities; public libraries; scientific, cultural, and performing arts institutions; private sector technology businesses; public policy and government; healthcare; and R&E partners from across the country and around the world.”

Presentation abstract:

Trusted CI, the NSF Cybersecurity Center of Excellence, has existed for the past ten years with the goal of creating high-quality, trustworthy cyberinfrastructure to support high-quality, trustworthy science. The Trusted CI Framework, a product of Trusted CI, is a tool to help organizations establish cybersecurity programs. In response to an abundance of cybersecurity, guidance focused narrowly on security controls, Trusted CI set out to develop a framework that would empower organizations to confront their cybersecurity challenges from a mission-oriented and full organizational lifecycle perspective. Within Trusted CI’s mission is to lead the development of an NSF Cybersecurity Ecosystem that enables trustworthy science, the Framework fills a gap in emphasizing these programmatic fundamentals. The Trusted CI Framework is a resource to help organizations establish and refine their cybersecurity programs. It is the product of Trusted CI’s many years of accumulated experience conducting cybersecurity research, training, assessments, consultations, and collaborating closely with the research community.

Tuesday, September 13, 2022

Trusted CI Webinar: Regulated Communities of Practice, September 26th @11am EST

Carolyn Ellis and Erik Deumens will be presenting the talk, Lowering the barrier to entry for Regulated Research through community building, September 26th at 11am (Eastern).

Please register here.

Keeping up on the newest Federal regulations or supporting it appropriately is a full time job even though it is rarely able to be a dedicated position. We will share how a new community of practice on the block is lowering the barrier to entry by elevating the entire community’s regulated research programs through: 1) Building relationships 2) Collecting best practices 3) Opening the dialogue on challenges by broadly sharing lessons learned 4) Aligning with other communities 5) Simplifying compliance 6) Advocating for the community

Regulated Research Community of Practice (RRCoP) is a partner of Trusted CI looking to extend the reach towards research compliance and advocacy of the special circumstances that make research in academic institutions different from industry.

Join us for glimpse of RRCoP roots, recent contributions, lessons learned, and what the future holds.

Speaker Bios:

Carolyn Ellis is the CMMC Program Manager at University of California, San Diego, where she builds and leads sustainable regulated research programs. Carolyn has significant experience in grants, research, and implementing the security enclaves for DOD contracts. As leadership of NSF award # 2201028, Building a Community of Practice for Supporting Regulated Research, Carolyn is passionate about growing future leaders within the research compliance community. Her community building efforts also include mentoring within various women in STEM communities such as WiCys (Women in Cybersecurity).

Erik Deumens has a PhD in computational nuclear and chemical physics and has done research in modeling of chemical reactions and designed complex computational software. Since 2011, he is the full time director of the department of Research Computing in UFIT at the University of Florida. Starting 2015, he and his staff have been in charge of a FISMA 800-53 moderate computing environment for research. During 2018 a second generation system was completed to meet both FISMA and CUI 800-171 requirements. The new system has the advantage that it is more cost effective for research budgets. The system was assessed for compliance by a 3PAO. See https:///www.rc.ufl.edu for details on UFIT RC.

---

Monday, August 8, 2022

New Trusted CI Software Security Training Materials for the Community

In a world of continuous cyber attacks, cybersecurity is a responsibility of every person involved in the software development life cycle: managers, designers, developers, and testers. Trusted CI offers an evolving collection of training materials on software security covering topics such as secure design, secure implementation, testing, code auditing, dependency tools, static analysis tools, and fuzz testing.

The materials are freely available at https://www.cs.wisc.edu/mist/SoftwareSecurityCourse. Apart from videos and corresponding book chapters, they include hands-on exercises and quizzes for many of the topics. Classroom exercises and the solutions to the hands-on exercises and quizzes are provided to instructors by request. Most of the videos now have captions in both English and Spanish.

These materials are being continuously updated, as we develop new modules. The latest additions are modules on address space layout optimization (ASLR), memory safety checks, fuzz testing and using AFL, and dependency analysis tools.

These materials have been used at conferences, workshops, and government agencies to train CI professionals in secure coding, design, and testing. They are also used at the University of Wisconsin-Madison to teach CS542, Introduction to Software Security.

Trusted CI Webinar: CIS Controls, August 22nd @11am EST

Trusted CI's Shane Filus and Mark Krenz will be giving a presentation on CIS Controls on Monday, August 22nd at 11am (Eastern).

Please register here.

The Trusted CI Information Security Office (ISO) team will be presenting a webinar on the CIS Controls. This will include background and information on the CIS controls, our recent experiences using the controls to assess Trusted CI’s own cybersecurity program and operations, and how that can be applied to your own project.

Topics include:
Who Trusted CI is and why we have a cybersecurity program.
Background on the CIS controls and what an assessment is.
What led us to perform a CIS assessment.
Overview and discussion of our results.
Differences between control versions 7.1 and 8.
Discussion on methodology and tools that can be used in assessments.

Speaker Bios:

Shane Filus serves as a Senior Security Engineer at the Pittsburgh Supercomputer Center, and works with Trusted CI, XSEDE/ACCESS, and HuBMAP projects on all aspects of cybersecurity; from operations, to incident response, to policy, and everything in between.

Mark Krenz serves as Chief Security Analyst at Indiana University’s Center for Applied Cybersecurity Research. Mark’s focus is on cybersecurity operations, research and education. He has more than two decades of experience in system and network administration and has spent the last decade focused on cybersecurity. He serves as the CISO of the ResearchSOC and the Deputy CISO of Trusted CI.

---

Monday, August 1, 2022

Analysis of NSPM-33: Cybersecurity Requirements for Federally Funded Research Organizations

By: Anurag Shankar and Scott Russell

This blog post provides research organizations a summary of the National Security Presidential Memorandum on United States Government-Supported Research and Development National Security Policy” (NSPM-33) and the recent Office of Science and Technology Policy (OSTP) / National Science and Technology Council (NSTC) guidance, along with analysis of the requirements.

Summary

In January 2021, then President Trump issued a directive “National Security Presidential Memorandum on United States Government-Supported Research and Development National Security Policy” (NSPM-33) to all federal agencies to: 1) standardize disclosure requirements and 2) mandate a research security program for all institutions receiving a total of $50 million or more in federally-funded research. In January 2022, the Office of Science and Technology Policy (OSTP) released further guidance on these requirements, including details on four elements specified in NSPM-33: cybersecurity, foreign travel security, research security training, and export control training. The cybersecurity guidance identifies 14 controls that it recommends as requirements for federal agencies to flow down to organizations receiving federal research funding. Twelve of these controls are included in the 17 “basic hygiene” controls specified by CMMC Level 1 and the 15 “minimum security controls” specified by FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” The rest are NSPM-33 specific, addressing training and ransomware/data integrity.

The OSTP guidance also includes a number of additional recommendations for federal agencies to flow down to research organizations, summarized below:

Documentation: Research organizations should be required to document their research security program and provide this documentation within 30 days of a request from a research agency that is funding an award or considering an application for award funding.
Certification: Research organizations should be required to provide certification of compliance with the research security program requirement. OSTP, in consultation with the NSTC Subcommittee on Research Security and OMB, plans to develop a single certification standard and process that will apply across all research agencies.
Timeline: Research organizations should establish a research security program as soon as possible, but given one year from the date of issuance of the formal requirement to comply. Organizations that become subject to the requirement in subsequent years are supposed to be similarly provided one additional year to comply.
Assistance: The Federal Government should provide technical assistance to support development of training content and program guidelines, tools, and best practices for research organizations to incorporate at their discretion. Agencies represented on the National Counterintelligence Task Force, in conjunction with the National Counterintelligence and Security Center, should jointly develop content that research organizations can leverage to meet requirements for research security programs and training. The Federal Government should consider supporting the formation of a community consortium to develop and maintain research security program information and implementation resources for research organizations, to include resources suitable for use within research security programs. The development of program content should be a collaborative effort between the government and organizations.
Discretion: Research organizations should be provided flexibility to structure the organization’s research security program to best serve its particular needs, and to leverage existing programs and activities where relevant, provided that the organization implements all required program components. Research organizations should be given flexibility in how they choose to integrate research security requirements into existing programs, such as existing cybersecurity programs. Research organizations should be strongly encouraged to integrate some or all elements into a coherent research security program, where applicable and feasible.
Funding agencies should consider integrating the research security program requirement into the Compliance Supplement’s Research and Development Cluster audit guidance as part of the single audit of Federal grant and assistance programs (2 C.F.R. Part 200, Appendix XI).

Analysis

The primary questions raised by NSPM-33 and the NTSC/OSTP guidance are 1) How will these requirements be flowed down to research organizations; 2) To what extent will funding agencies follow the guidance put forth by the NTSC; and 3) What is the scope of the requirements?

Regarding the first question, NSPM-33 only directly impacts federal funding agencies (e.g., NSF, DOE): the NSPM does not impose any requirements directly on research institutions. Instead, it instructs federal funding agencies to impose these requirements on research institutions receiving federal research funding. While the NTSC/OSTP guidance specifies January 2023 as the deadline for eligible institutions to comply, it does not specify how the requirements should be imposed. Moreover, the provision of NSPM-33 that specifically mentions cybersecurity is only intended to apply to research institutions receiving over $50 million in federal research funding, without clarifying how these institutions should be identified.

Practically speaking, the funding agencies may impose these requirements on all *new* grants. So although existing grants are technically unaffected, research institutions that wish to continue to get funding will be forced to implement the requirements regardless.

Moreover, it is also unclear to what extent federal funding agencies are bound by the NTSC guidance. NSPM-33 only instructs OSTP to “promulgate guidelines for research institutions to mitigate risks to research security and integrity”: it is not empowered to dictate what requirements federal funding agencies impose. Indeed, neither OSTP nor NTSC were mentioned in the subsection referencing research security programs and cybersecurity.

Scope is another issue. The guidance does not clarify whether the security program requirements apply only to researchers receiving federal funding or every researcher within the organization. It specifies controls for programs to implement but does not explicitly state if every system used by researchers (e.g, their workstations) is in scope or institutional systems only. Since this has financial repercussions, clarity is needed on what the requirements cover.

A research security program clearly requires controls to secure projects. However, prescribing a set of controls which research systems must implement can be problematic, as research systems have unique needs that may not function using traditional controls (instead requiring alternate controls to achieve their mission.) Moreover, the focus on system-centric controls is not well suited for securing research workflows, which require more than technical controls alone. The uniqueness of research systems (telescopes, sensors, microscopes, etc.) requires different approaches than controls designed to secure “systems.” For example, the Trusted CI Framework is a more appropriate fit for research programs. It includes controls, but provides the institution flexibility in choosing a baseline control set that is tailored to the institution’s mission. Additionally, this baseline control set is supplemented with additional and alternate controls that are particularly important in the research context, as research infrastructure often requires specialized protections. Securing research ultimately requires flexibility.

Applying the same level of security to all research is also unwise. How research is protected is currently scoped to data by sensitivity and regulatory requirements. This is done for a reason, namely to apply security proportionally to risk to contain cost. Expanding it indiscriminately will be wasteful and unnecessary. For instance, public data does not need the same level of security as patient data.

The guidance asks agencies to allow flexibility on which program components institutions choose to implement but also directs them to “strongly encourage” choosing them all. With a documentation submission requirement, it is unclear how the program will be judged and what the impact of a “less than perfect choice” might be (e.g., of not having all of the controls in place).

The certification requirement also is likely to present challenges. As the CMMC rollout shows, designing a certification process for compliance at this scale is extremely challenging. And whereas CMMC is limited in scope, NSPM-33 is potentially much broader. With CMMC compliance, most organizations can design isolated environments for controlled data CUI to limit scope, certifying compliance for research will be much more challenging, given the variety and complexity of research infrastructure.