In the first half of 2021, Trusted CI conducted an assessment of NOIRLab’s cybersecurity program using the Trusted CI Framework. The assessment culminated in the delivery of an Assessment Report [1] describing NOIRLab’s cybersecurity program and recommendations to improve it. The report also included an “implementation rating” for each of the 16 Trusted CI Framework Musts.
In the second half of 2021, NOIRLab and Trusted CI continued the engagement with a series of monthly workshops designed to aid NOIRLab in implementing the highest priority recommendations from the Assessment Report. These workshops allowed Trusted CI to continue to provide input and guidance while NOIRLab tackled the most pressing changes needed to its cybersecurity program.
Engagement Outcomes
- NOIRLab is among the first Major Facilities to formally adopt the Trusted CI Framework. NOIRLab’s adoption is formalized in policy.
- NOIRLab received an Assessment Report detailing Strengths and Opportunities, Challenges and Barriers, and discrete recommendations to improve their cybersecurity program.
- NOIRLab developed an updated Master Information Security Policy and Procedures document, aligning with Trusted CI’s updated template.
- NOIRLab adopted and began using the CIS Controls as its baseline control set.
- NOIRLab developed a Cybersecurity Program Strategic Plan (CPSP). The CPSP described NOIRLab’s mission, how NOIRLab’s cybersecurity program supports its mission, a cybersecurity strategy, and a timeline detailing the strategic outcomes the cybersecurity program plans to achieve over the next three years.
- NOIRLab’s strategic planning efforts dramatically helped Trusted CI refine its cybersecurity strategic planning approach and will lead to updates to the CPSP template.
- The success of the monthly workshops led to the development of a new Trusted CI “cohort” engagement approach to support scaling Framework adoption and implementation.
John Maclean, the Director of Center Operations Services for NOIRLab, said the following of the engagement:
“Trusted CI has given us a Framework, appropriate to our environment, with which to build our cybersecurity program. It allows us to do this in a manner that balances scientific productivity against organizational risk in a cost-effective manner.”
Chris Morrison, the engagement lead for NOIRLab, said the following of the engagement:
“As we continue to merge technologies and processes throughout our constituent programs, the Framework assessment helped us focus our cybersecurity effort and think strategically. The programmatic focus on the initiatives is helping us make cybersecurity visible and understandable across the organization. The follow-on activities will unquestionably support this systematic deployment and facilitate communication and decision-making with NOIRLab’s senior leadership. We are incredibly pleased with the process and outcome of the engagement with Trusted CI, and we now have a clear and prioritized path forward.”
[1] This assessment was based on the PACT cybersecurity assessment methodology. PACT was developed by the Center for Applied Cybersecurity Research in collaboration with the US Navy. For more information about PACT, see https://cacr.iu.edu/pact/index.html.