Trusted CI: Relaunching and Expanding the Student Program

As cybersecurity continues to grow in importance across the scientific community, the need to cultivate the next generation of cybersecurity leaders is more critical than ever. Trusted CI is proud to announce the relaunch and expansion of its Student Program, designed to provide students with very useful insights, mentorship, and hands-on experiences in cybersecurity while fostering a cybersecurity workforce for all. Applications for the 2025 cohort open on February 3, 2025.

Why the Student Program Matters

For over a decade, Trusted CI has significantly impacted the NSF community by equipping researchers and institutions with comprehensive cybersecurity knowledge and resources. Our analysis revealed opportunities to extend this impact by engaging students from a wider range of academic fields, such as those in the NSF Education and Human Resources (EHR) and Biological Sciences (BIO) Directorates, as well as reaching out to new institutions not currently engaged in cybersecurity programs. The Student Program aims to ensure that perspectives from across all disciplines and institutions contribute to shaping the future of cybersecurity.

Alumni Insights: Mentorship and Impactful Experiences in Cybersecurity

On the Mentor Program

Sandra Darkson - University of New Haven, MS in Cybersecurity and Networks
“My mentor (Carolyn Ellis) is really one of a kind; she is among those few individuals who sees the potential in me and, at the same time, believes so much in me that this belief drives me to work harder, and strive for excellence. I am so fortunate enough to have her as my guide and mentor on my path.”

On the Poster Session

Nana Sarfo Dwomoh - Sam Houston State University, MS Information Assurance & Cybersecurity
“The 2024 NSF Cybersecurity Summit was a big, unforgettable platform for me as a Cybercorp  Scholar, where I presented my poster, "Defending Electoral Integrity in the Age of Cyber Warfare,"  which gave me the chance to share my research on how digital disinformation, botnets, and deepfakes are impacting elections.”

On Networking

Konstantin Metz - University of Central Florida, MS Cybersecurity and Privacy
“The event is unlike any other in the industry! It brings together industry professionals, faculty, and students from across the globe to learn, network, and collaborate on current and emerging cybersecurity issues. It gives students an unparalleled opportunity to learn and grow while showcasing some of their own work. I am honored to have been selected to present and cannot wait for next year!”

Abigail Whittle - Oregon State University, BS in Computer Science
“I had the opportunity to meet some incredibly interesting individuals. Overall, I would highly recommend this experience to other students in the future, as it was beneficial both professionally and educationally, and I took away a lot from it.”

On Capture the Flag

Dignora Castillo-Soto - Bay Path University, MS in Cyber Security
“The CTF session provided a hands-on experience that challenged my problem-solving skills. It was refreshing to participate in a group project, as collaboration helped me gain new insights that I wouldn’t have achieved working solo.”

On Summit Courses

Owen Seltzer - Northeastern University, MS Cybersecurity
“The talks and panel discussions were not only engaging but also thought-provoking, covering topics ranging from emerging threats to innovative protection strategies. As someone still exploring career paths in cybersecurity, I found the presentations particularly enlightening.”

Goals of the Program

The Trusted CI Student Program is committed to:

• Providing Foundational Knowledge: Selected students will gain practical insights into cybersecurity through workshops, mentorship, and participation in the annual NSF Cybersecurity Summit.
• Fostering Community: By actively recruiting students from a wide range of backgrounds, the program aims to create a supportive environment that values a variety of perspectives.
• Empowering Advocacy: Students will serve as cybersecurity ambassadors in their communities, equipping their peers with knowledge and connecting them with Trusted CI for more complex challenges.
• Building Long-Term Connections: Participants will join a growing network of Trusted CI alumni, opening doors to mentorship, networking, and career opportunities in the cybersecurity field.

What’s New in the Trusted CI Student Program for 2025?

The Trusted CI Student Program continues to evolve, and we are excited to share the enhancements coming in 2025! Designed to nurture the next generation of cybersecurity researchers, this program has been refined based on past participant feedback and our commitment to providing a more impactful experience. These changes reflect our goal to improve the program from what it has been and make it more valuable for the entire Trusted CI community, not just prospective students.

Larger Cohorts Over Time
While the program currently welcomes five students annually, our goal is to expand participation to 15 students in future cycles as resources allow. This growth ensures more students benefit from Trusted CI’s expertise.

Alumni Engagement
We recognize the value of long-term connections, which is why past participants will now retain access to valuable program resources and opportunities to attend the Trusted CI Summit. This fosters an ongoing learning community and professional network.

Focused Workshops and Mentorship
Students will gain deeper insights through tailored workshops and dedicated one-on-one mentorship sessions. These sessions will be led by Trusted CI staff and esteemed industry experts, ensuring a well-rounded educational experience.

Streamlined Application Process
To provide a holistic evaluation of applicants, the revised application process will require a personal statement, a professional biosketch, and letters of support. This approach ensures we select students who are not only qualified but also deeply passionate about cybersecurity.

These enhancements are part of our commitment to continually improving the program, ensuring that both new and returning members of the Trusted CI community benefit from its evolution. We look forward to welcoming the 2025 cohort and continuing to build a thriving community of cybersecurity professionals!

What Students Can Expect

The Trusted CI Student Program will run from May to November 2025, featuring webinars and workshops twice a month to foster growth and prepare students for careers in cybersecurity.

From their first day in the program, Students will:

• Attend workshops on cybersecurity fundamentals, career development, and emerging trends.

• Network with top professionals and researchers at the NSF Cybersecurity Summit, an annual conference dedicated to advancing cybersecurity in research and education. This event provides a unique opportunity to learn from experts, engage in discussions on emerging cybersecurity challenges, and build valuable connections within the field.

• Work closely with mentors who will guide their growth and help them navigate the cybersecurity landscape.

• Share their experiences through blog posts, presentations, and outreach activities, inspiring others to explore careers in cybersecurity.

Join a Community of Innovators: Apply for the Trusted CI Student Program

The Trusted CI Student  Program is not just about equipping students with technical skills; it’s about creating a community that values collaboration, and innovation. If you are a student passionate about cybersecurity or know someone who is, we encourage you to apply and join us in shaping a safer, more secure future for science and beyond.

Applications for the 2025 cohort open on February 3, 2025. For more information on how to apply, visit Trusted CI’s website or reach out to students@trustedci.org. Let’s build a stronger cybersecurity community together!

Trusted CI members help Indiana local governments prevent cyber attacks

Trusted CI’s Craig Jackson and Ranson Ricks are leading an effort, called Cybertrack, to help local Indiana governments prevent cyber attacks. Cybertrack was initiated by the Indiana Office of Technology in partnership with cybersecurity experts from Indiana University and Purdue.

To accomplish this, they are relying on the Trusted CI Framework, which has been adopted by the state as part of its standard for local government cybersecurity. The Cybertrack team is expected to complete more than 300 assessments by 2026.

Read the full article published by Indiana University

Analysis of NSPM-33: Cybersecurity Requirements for Federally Funded Research Organizations

By: Anurag Shankar and Scott Russell

This blog post provides research organizations a summary of the National Security Presidential Memorandum on United States Government-Supported Research and Development National Security Policy” (NSPM-33) and the recent Office of Science and Technology Policy (OSTP) / National Science and Technology Council (NSTC) guidance, along with analysis of the requirements. 

Summary

In January 2021, then President Trump issued a directive “National Security Presidential Memorandum on United States Government-Supported Research and Development National Security Policy” (NSPM-33) to all federal agencies to: 1) standardize disclosure requirements and 2) mandate a research security program for all institutions receiving a total of $50 million or more in federally-funded research. In January 2022, the Office of Science and Technology Policy (OSTP) released further guidance on these requirements, including details on four elements specified in NSPM-33: cybersecurity, foreign travel security, research security training, and export control training. The cybersecurity guidance identifies 14 controls that it recommends as requirements for federal agencies to flow down to organizations receiving federal research funding. Twelve of these controls are included in the 17 “basic hygiene” controls specified by CMMC Level 1 and the 15 “minimum security controls” specified by FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems.” The rest are NSPM-33 specific, addressing training and ransomware/data integrity.

The OSTP guidance also includes a number of additional recommendations for federal agencies to flow down to research organizations, summarized below:

1. Documentation: Research organizations should be required to document their research security program and provide this documentation within 30 days of a request from a research agency that is funding an award or considering an application for award funding.

2. Certification: Research organizations should be required to provide certification of compliance with the research security program requirement. OSTP, in consultation with the NSTC Subcommittee on Research Security and OMB, plans to develop a single certification standard and process that will apply across all research agencies.

3. Timeline: Research organizations should establish a research security program as soon as possible, but given one year from the date of issuance of the formal requirement to comply. Organizations that become subject to the requirement in subsequent years are supposed to be similarly provided one additional year to comply.

4. Assistance: The Federal Government should provide technical assistance to support development of training content and program guidelines, tools, and best practices for research organizations to incorporate at their discretion. Agencies represented on the National Counterintelligence Task Force, in conjunction with the National Counterintelligence and Security Center, should jointly develop content that research organizations can leverage to meet requirements for research security programs and training. The Federal Government should consider supporting the formation of a community consortium to develop and maintain research security program information and implementation resources for research organizations, to include resources suitable for use within research security programs. The development of program content should be a collaborative effort between the government and organizations.

5. Discretion: Research organizations should be provided flexibility to structure the organization’s research security program to best serve its particular needs, and to leverage existing programs and activities where relevant, provided that the organization implements all required program components. Research organizations should be given flexibility in how they choose to integrate research security requirements into existing programs, such as existing cybersecurity programs. Research organizations should be strongly encouraged to integrate some or all elements into a coherent research security program, where applicable and feasible.

6. Funding agencies should consider integrating the research security program requirement into the Compliance Supplement’s Research and Development Cluster audit guidance as part of the single audit of Federal grant and assistance programs (2 C.F.R. Part 200, Appendix XI).

Analysis

The primary questions raised by NSPM-33 and the NTSC/OSTP guidance are 1) How will these requirements be flowed down to research organizations; 2) To what extent will funding agencies follow the guidance put forth by the NTSC; and 3) What is the scope of the requirements? 

Regarding the first question, NSPM-33 only directly impacts federal funding agencies (e.g., NSF, DOE): the NSPM does not impose any requirements directly on research institutions. Instead, it instructs federal funding agencies to impose these requirements on research institutions receiving federal research funding. While the NTSC/OSTP guidance specifies January 2023 as the deadline for eligible institutions to comply, it does not specify how the requirements should be imposed. Moreover, the provision of NSPM-33 that specifically mentions cybersecurity is only intended to apply to research institutions receiving over $50 million in federal research funding, without clarifying how these institutions should be identified.

Practically speaking, the funding agencies may impose these requirements on all *new* grants. So although existing grants are technically unaffected, research institutions that wish to continue to get funding will be forced to implement the requirements regardless. 

Moreover, it is also unclear to what extent federal funding agencies are bound by the NTSC guidance. NSPM-33 only instructs OSTP to “promulgate guidelines for research institutions to mitigate risks to research security and integrity”: it is not empowered to dictate what requirements federal funding agencies impose. Indeed, neither OSTP nor NTSC were mentioned in the subsection referencing research security programs and cybersecurity.

Scope is another issue. The guidance does not clarify whether the security program requirements apply only to researchers receiving federal funding or every researcher within the organization. It specifies controls for programs to implement but does not explicitly state if every system used by researchers (e.g, their workstations) is in scope or institutional systems only. Since this has financial repercussions, clarity is needed on what the requirements cover.

A research security program clearly requires controls to secure projects. However, prescribing a set of controls which research systems must implement can be problematic, as research systems have unique needs that may not function using traditional controls (instead requiring alternate controls to achieve their mission.) Moreover, the focus on system-centric controls is not well suited for securing research workflows, which require more than technical controls alone. The uniqueness of research systems (telescopes, sensors, microscopes, etc.) requires different approaches than controls designed to secure “systems.” For example, the Trusted CI Framework is a more appropriate fit for research programs. It includes controls, but provides the institution flexibility in choosing a baseline control set that is tailored to the institution’s mission. Additionally, this baseline control set is supplemented with additional and alternate controls that are particularly important in the research context, as research infrastructure often requires specialized protections. Securing research ultimately requires flexibility.

Applying the same level of security to all research is also unwise. How research is protected is currently scoped to data by sensitivity and regulatory requirements. This is done for a reason, namely to apply security proportionally to risk to contain cost. Expanding it indiscriminately will be wasteful and unnecessary. For instance, public data does not need the same level of security as patient data.

The guidance asks agencies to allow flexibility on which program components institutions choose to implement but also directs them to “strongly encourage” choosing them all. With a documentation submission requirement, it is unclear how the program will be judged and what the impact of a “less than perfect choice” might be (e.g., of not having all of the controls in place).

The certification requirement also is likely to present challenges. As the CMMC rollout shows, designing a certification process for compliance at this scale is extremely challenging. And whereas CMMC is limited in scope, NSPM-33 is potentially much broader. With CMMC compliance, most organizations can design isolated environments for controlled data CUI to limit scope, certifying compliance for research will be much more challenging, given the variety and complexity of research infrastructure.

2022 NSF Cybersecurity Summit- Call for Participation is now open- Submission deadline June 10th

We are pleased to announce that the 2022 NSF Cybersecurity Summit is taking place the week of October 17th with the training and workshops occurring on Tuesday, October 18th, and plenary sessions occurring on Wednesday, October 19th, and Thursday, October 20th. 

The final program is still evolving, but we will maintain our mission of providing a format designed to increase the NSF community’s understanding of cybersecurity strategies that strengthen trustworthy science: what data, processes, and systems are crucial to the scientific mission, what risks they face, and how to protect them. 

Call for Participation (CFP)

Program content for the Summit is driven by our community. We invite proposals for plenary presentations & workshops. The deadline for CFP submissions is July 8th. To learn more about the CFP, please visit: www.trustedci.org/2022-summit-cfp

Student Program

 To support workforce development, the Summit organizers invite several students to attend the Summit at no cost every year. Both undergraduate and graduate students may apply, and no specific major or course of study is required, as long as the student is interested in learning and applying cybersecurity innovations to scientific endeavors. To learn more about the student program, visit our website: https://www.trustedci.org/summit2022/students

On behalf of the 2022 NSF Cybersecurity Summit organizers and program committee, we welcome your participation and hope to see you in October.

More information can be found at: https://www.trustedci.org/2022-cybersecurity-summit

 

Higher Education Regulated Research Workshop Series: A Collective Perspective

Regulated research data is a growing challenge for NSF funded organizations in research and academia, with little guidance on how to tackle regulated research institutionally. Trusted CI would like to bring the community’s attention to an important report released today by the organizers of a recent, NSF-sponsored* Higher Education Regulated Research Workshop Series that distills the input of 155 participants from 84 Higher Education institutions. Motivated by the Higher Ed community’s desire to standardize strategies and practices, the facilitated** workshop sought to find efficient ways for institutions large and small to manage regulated research data and smooth the path to compliance. It identified six main pillars of a successful research cybersecurity compliance program, namely Ownership and Roles, Financials and Cost, Training and Education, Auditing, Clarity of Controls, and Scoping. The report presents each pillar as a chapter, complete with best practices, challenges, and recommendations for research enablers on campus. While it focuses on Department of Defense (DOD) funded research, Controlled Unclassified Information (CUI), and health research, the report offers ideas and guidance on how to stand up a well managed campus program that applies to all regulated research data. It represents a depth and breadth of community collaboration and institutional experience never before compiled in a single place.

Organized by Purdue University with co-organizers from Duke University, University of Florida, and Indiana University, the workshop comprised six virtual sessions between November 2020 and June 2021. Participants ranged from research computing directors, information security officers, compliance professionals, research administration officers, and personnel who support and train researchers.

The full report is available at the EDUCAUSE Cybersecurity Resources page at https://library.educause.edu/resources/2021/7/higher-education-regulated-research-workshop-series-a-collective-perspective. It was co-authored by contributors from Purdue University, Duke University, University of Florida, Indiana University, Case Western Reserve University, University of Central Florida, Clemson University, Georgia Institute of Technology, and University of South Carolina.

See https://www.trustedci.org/compliance-programs for additional materials from Trusted CI on the topic of compliance programs.

* NSF Grant #1840043, “Supporting Controlled Unclassified Information with a Campus Awareness and Risk Management Framework”, awarded to Purdue University
** by Knowinnovation

Don't Miss Trusted CI at EDUCAUSE CPP Conference

Members of Trusted CI and partner projects will be presenting at the The 2021 EDUCAUSE Cybersecurity and Privacy Professionals Conference (formerly known as the Security Professionals Conference), to be held Tuesday June 8th - Thursday June 10th. The conference "will focus on restoring, evolving, and transforming cybersecurity and privacy in higher education."

Below is a list of presentations that include Trusted CI team members and partners:
 

Regulated Research Community Workshops

Tuesday, June 08 | 12:15p.m. - 12:35p.m. ET

• Anurag Shankar - Senior Security Analyst, Indiana University
• Erik Deumens - Director UF Research Computing, University of Florida
• Carolyn Ellis - Program Manager, Purdue University
• Jay Gallman - Security IT Analyst, Duke University

Supporting institutional regulated research comes with a wide range of challenges impacting units that haven't commonly worked together. Until recently, most institutions have looked internally to develop their regulated research programs. Since November 2020, 30 institutions have been gathering for six workshops to share their experience and challenges working establishing regulated research programs. This session will share the process involved in making these workshops successful and initial findings of this very specialized group.

Big Security on Small Budgets: Stories from Building a Fractional CISO Program

Thursday, June 10 | 2:00p.m. - 2:45p.m. ET

• Susan Sons - Chief Security Analyst, Indiana University Bloomington

No one in cybersecurity has an infinite budget. However, those booting up cybersecurity programs in organizations whose leadership haven't fully bought in to the value of cybersecurity operations, bolting security on to an organization that has been operating without it for too long, or leading cybersecurity for a small or medium-sized institution often have even less to work with: smaller budgets, less training, fewer personnel, less of every resource. Meanwhile, the mandate can seem infinite. In this talk, Susan Sons, Deputy Director of ResearchSOC and architect of the fractional CISO programs at ResearchSOC, OmniSOC, and IU's Center for Applied Cybersecurity Research, discusses approaches to right-sizing cybersecurity programs and getting the most out of limited resources for small and medium-sized organizations. This talk covers strategies for prioritizing security needs, selecting controls, and using out-of-the-box approaches to reduce costs while ensuring the right things get done. Bring your note pad: we'll refer to a number of outside references and resources you can use as you continue your journey.

SecureMyResearch at Indiana University

Thursday, June 10 | 1:00p.m. - 1:20p.m. ET

• William Drake - Senior Security Analyst, Indiana University
• Anurag Shankar - Senior Security Analyst, Indiana University

Cybersecurity in academia has achieved significant success in securing the enterprise and the campus community at large through effective use of technology, governance, and education. It has not been as successful in securing the research mission, however, owing to the diversity of the research enterprise, and of the time and other constraints under which researchers must operate. In 2019, Indiana University began developing a new approach to research cybersecurity based on its long experience in securing biomedical research. This resulted in the launch of SecureMyResearch, a first-of-its-kind service to provide cybersecurity and compliance assistance to researchers and stakeholders who support research. It was created not only to be a commonly available resource on campus but also to act as a crucible to test new ideas that depart from or are beyond enterprise cybersecurity practice. Those include baking security into workflows, use case analysis, risk acceptance, researcher-focused messaging, etc. A year later, we have much to share that is encouraging, including use cases, results, metrics, challenges, and stories that are likely to be of interest to those who are beginning to tackle research cybersecurity. We also will be sharing information and advice on a method of communicating the need for cybersecurity to researchers that proved to be highly successful, and other fresh ideas to take home and leverage on your own campus.

Lessons from a Real-World Ransomware Attack on Research

Thursday, June 10 | 12:25p.m. - 12:45p.m. ET

• Andrew Adams - Security Manager / CISO, Carnegie Mellon University
• Von Welch - Director, CACR, Indiana University
• Tom Siu - CISO, Michigan State University
  

In this talk, co-presented by the Michigan State University (MSU) Information Security Office and Trusted CI, the NSF Cybersecurity Center of Excellence, we will describe the impact and lessons learned from a real-world ransomware attack on MSU researchers in 2020, and what researchers and information security professionals can do to prevent and mitigate such attacks. Ransomware attackers have expanded their pool of potential victims beyond those with economically valuable data. In the context of higher ed, this insidious development means researchers, who used to be uninteresting to cybercriminals, are now targets. During the first part of the presentation, we will explain the MSU ransomware incident and how it hurt research. During the second part, we will elaborate on mitigation strategies and techniques that could protect current and future academic researchers. Finally, we will conclude with a question-and-answer session in which audience members are encouraged to ask Trusted CI staff about how to engage researchers on information security. Trusted CI has unique expertise in building trust with the research community and in framing the cybersecurity information for them. Trusted CI regularly engages with researchers, rarely security professionals, and has a track record of success in communicating with researchers about cybersecurity risks.

Until We Can't Get It Wrong: Using Security Exercises to Improve Incident Response

Wednesday, June 09 | 2:00p.m. - 2:20p.m. ET

• Josh Drake - Senior Security Analyst, Indiana University Bloomington
• Zalak Shah - Senior Security Analyst, Indiana University

Incident response can be challenging at the best of times, and when one is responding to a major incident, it is rarely the best of times. A rigorous program of security exercises is the best way to ensure than any organization is prepared to meet the challenges that may come. The best cybersecurity teams have learned not just to practice until they can get it right, but to practice until they can't get it wrong. They use a regular program of security exercises coupled with pastmortem analysis and follow-up to ensure that the whole team, and all of the technologists and organizational support they work with, get better at handling incidents over time. This session will teach you how to build a security exercise program from the ground up and use it to ensure that your incident response capabilities can be relied on no matter what happens.

Google Drive, the Unknown Unknowns

Wednesday, June 09 | 12:00p.m. - 12:45p.m. ET

• Ishan Abhinit - Senior Security Analyst, Indiana University Bloomington
• Mark Krenz - Chief Security Analyst, Indiana University

Every day countless thousands of students and staff around the world use cloud storage systems such as Google Drive to store their data. This data may be classified public, internal, and even confidential or restricted. Although Google Drive provides users with ways to control access to their data, my experiences have shown that users often aren't aware that they are exposing their data beyond their expected trust boundary. In this talk I will briefly introduce the audience to Google Drive, sharing some of my own experiences dealing with security concerns. Then I will provide an overview of the issues that academic and research institutions face when using it. I'll highlight the security threats to your data and how to deal with various situations, such as when someone leaves a project, when data is accidentally deleted, or when data is shared and you don't know it. In the second half of the presentation I'll provide the audience with some solutions to these security issues that are useful to a variety of institutions large and small as well as individual projects and people. Some of these solutions were developed by me and my team to solve our own issues, and so now I'll be sharing these solutions and tools with the community at large.

The full agenda, including the on-demand program, is available online.

Announcing the 2021 NSF Community Cybersecurity Benchmarking Survey

It's time again for the NSF Community Cybersecurity Benchmarking Survey (“Community Survey”). We’ve appreciated all the great participation in the past and look forward to seeing your responses again this year. The Community Survey, started in 2016, is a key tool used by Trusted CI to gauge the cybersecurity posture of the NSF science community. The twin goals of the Community Survey are: 1) To collect and aggregate information about the state of cybersecurity for NSF projects and facilities; and 2) To produce a report analyzing the results, which will help the community level-set and provide Trusted CI and other stakeholders a richer understanding of the community’s cybersecurity posture. (To view the previous years’ reports, see 2019 Report, 2017 Report, and 2016 Report.) To ensure the survey report is of maximum utility, we want to encourage a high level of participation, particularly from NSF Major Facilities. Please note that we are aggregating responses and minimizing the amount of project-identifying information we’re collecting, and any data that is released will be anonymized.

Survey Link: https://docs.google.com/forms/d/e/1FAIpQLSeooNKQdKx-W5kRol0vTYq0oLogBaT5Sy0G2tG6LwGWSoLc3g/viewform?usp=sf_link

Each NSF project or facility should submit only a single response to this survey. Completing the survey may require input from the PI, the IT manager, and/or the person responsible for cybersecurity (if those separate areas of responsibility exist). While answering specific questions is optional, we strongly encourage you to take the time to respond as completely and accurately as possible. If you prefer not to respond to or are unable to answer a particular question, we ask that you make that explicit (e.g., by using “other:” inputs) and provide your reason.

The response period closes June 30, 2021.

Thank you.