In 2021, the NSF "commissioned a study by the JASON advisory group to assess and make recommendations regarding cybersecurity at NSF’s major facilities.” In December, NSF publicly released the seven recommendations from the JASON group and NSF’s response to those recommendations. Given Trusted CI’s role over the past 10 years in providing leadership and guidance to NSF Major Facilities, we welcomed the opportunity to contribute to the JASON group’s study and the dialogue it spurred. The following text consists of each of the JASON group’s recommendations, followed by the response from NSF, and Trusted CI’s response, which is the unique contribution of this document. We provide our responses to help the community understand how Trusted CI can help them as they consider these recommendations and their impact within their own projects.
- JASON recommendation: “NSF should maintain its current approach of supporting major facilities to enhance cybersecurity through assessments of risk, and development and implementation of mitigation plans. A prescriptive approach to cybersecurity should be avoided because it would be a poor fit to the diversity of facilities, would inefficiently use resources, and would not evolve quickly enough to keep up with changing threats.” NSF response: “NSF intends to maintain its current philosophy of performing oversight of awardee plans that are tailored to the unique natures of the individual major facilities. Through its review processes, NSF will ensure that these plans are consistent with best practices for cybersecurity that are in common between major research facilities and other types of infrastructure.”
2. JASON recommendation: “An executive position for cybersecurity strategy and coordination for major facilities should be created at NSF. This executive should have authorities that allow them to continually support the balancing of cybersecurity, scientific progress, and cost in the distinct ways that will be appropriate for each facility.”
NSF response: “NSF notes and agrees with the emphasis on such a position on strategy and coordination. NSF will explore different options for initiating the position and plans to create such a position within the next six months."
Trusted CI response: We strongly endorse this foundational recommendation and we look forward to collaborating with the new executive to fulfill our aligned missions. In Trusted CI’s experience, cybersecurity frequently proves ineffective or counterproductive when cybersecurity leadership lacks an understanding of the organization’s mission. An executive at NSF with expertise in both cybersecurity and the research mission would bring valuable additional perspective and leadership to NSF.
3. JASON recommendation: “Using annual reporting and review processes, NSF should ensure major facilities implement robust cybersecurity programs that remain consistent with current best practice.”
NSF response: “NSF plans to review the elements of a good facility cybersecurity program, currently described in Section 6.3 of the NSF Major Facilities Guide, to ensure that this section is up to date. NSF will add cybersecurity as a required element of annual reports and program plans and conduct any additional specialized reviews based on perceived risk.”
Trusted CI response: Trusted CI helps facilities develop cybersecurity programs that help ensure productive, trustworthy science. The Trusted CI Framework is a tool to help organizations establish and refine their cybersecurity programs. In March 2021, we released the Framework Implementation Guide for Research Cyberinfrastructure Operators, which contains detailed guidance that can help major facilities implement effective cybersecurity programs and thereby addresses Section 6.3 of the Research Infrastructure Guide.
4. JASON recommendation: “NSF should develop a procedure for response to major cybersecurity incidents at its major research facilities, encompassing public relations, coordination mechanisms, and a pre-ordained chain of authority for emergency decisions. Each major facility should also have their own response plan that is both specific to its needs and consistent with NSF's plan.”
NSF response: “NSF has charged a working group to develop a more robust response plan that integrates with both the agency's overall crisis communications plan and the response plans at the individual major facilities.”
Trusted CI response: Through our ongoing engagement activities with NSF Major Facilities and our mission "to lead in the development of an NSF Cybersecurity Ecosystem," we are uniquely positioned to provide guidance to this working group. During the past decade, we have built our understanding of cybersecurity challenges faced by the Major Facilities by hosting the annual Cybersecurity Summit, establishing and facilitating monthly meetings of the Large Facilities Security Team, and conducting 13 direct one-on-one engagements with the 10 of the Major Facilities. We look forward to bringing that experience, along with our ever-increasing understanding of the threat landscape faced by research facilities, to a productive collaboration with the working group and the executive identified in recommendation #2.
5. JASON recommendation: “NSF and the major facilities must be adequately resourced for their cyberinfrastructure and cybersecurity needs. What is appropriate will depend on each facility's unique characteristics and specific needs. The cybersecurity budget should be commensurate with perceived risk of an event, which may be unrelated to the cost of constructing or operating the facility.”
NSF response: “NSF will work with each awardee to develop a cybersecurity risk register for each major facility and will then integrate those risk registers in order to determine the highest NSF risks and implement any needed mitigations.”
Trusted CI response: We agree with the JASON group’s assertion that Major Facilities must be adequately resourced for their cybersecurity needs. Cybersecurity spending is a necessary focus area in the expanding dialogue among Major Facilities, NSF, and other relevant stakeholders. Adequate resourcing to address unacceptable cybersecurity risk is precisely the subject of the Trusted CI Framework’s Must 11. Cybersecurity risk registers may be a helpful tool assessing whether cybersecurity spending is commensurate with the threats posed by unmitigated risk. However, the need for the allocation of cybersecurity resources is fundamental.
6. JASON recommendation: “NSF should refine facility proposal and design review processes to ensure that new major facilities plan cybersecurity as an integral part of the information technology infrastructure. NSF should regularly review the cybersecurity plans and efforts of both new and existing major facilities. Shifts to cloud-based cyberinfrastructure and to a wider range of partners will impact cybersecurity planning and need to be considered at proposal time.”
NSF response: “NSF believes that the cybersecurity review process at the time of awards should be risk-based. NSF will work to ensure that cybersecurity is a specified element and review criterion of each call for proposals in a major facility competition. For a renewal proposal, NSF will include a requirement for submission of a cybersecurity plan. For a new construction award, or a project in the Design Stage, the cybersecurity plan will be required to be integrated with the Project Execution Plan. NSF will assure that appropriate expertise is present on review panels to assess the adequacy of the cybersecurity plan.”
Trusted CI response: We support the recommendation to require cybersecurity planning as part of facility proposal and design and would extend that recommendation to include the construction phase as well. For renewal proposals, we recommend expanding the requirement such that facilities must submit evidence of an active cybersecurity program (not just a plan). Trusted CI’s guidance provides facilities with the means to both plan and assess their programs. Prioritized, mission-based cybersecurity planning is central to the Trusted CI Framework, and we have demonstrated experience supporting NSF Major Facilities with cybersecurity strategic planning, through activities like the LFST, regular engagements, the NSF Summit and our 2022 Framework cohort.
7. JASON recommendation: “NSF should remain aware of national security concerns regarding its facilities and continue to facilitate coordination with appropriate agencies.”
NSF response: “NSF will conduct an assessment of national security concerns that may be associated with its major research facilities.”
Trusted CI response: Several members of the Trusted CI team have experience working at the intersection of cybersecurity and national security, and we are happy to be a resource to facilities in this area. Trusted CI has a long and successful history providing tailored, actionable guidance and expertise to NSF Major Facilities. The JASON working group’s recommendations are a strong endorsement of NSF’s direction, Trusted CI’s contribution, and if followed, represent a step forward in ensuring the security of our nation’s science. Collaborating with NSF and Major Facilities to enable trustworthy science is central to Trusted CI’s mission.