Showing posts with label NSF-cybersecurity-guide. Show all posts

Monday, August 23, 2021

Trusted CI Adopts Framework for its own Security Program

Trusted CI, the NSF Cybersecurity Center of Excellence, is pleased to announce that it has completed its adoption of the Trusted CI Framework for its own security program. The previous security program, based on Trusted CI’s Guide for Cybersecurity Programs for NSF Science and Engineering Projects, provided Trusted CI with a usable but basic security program. As Trusted CI has matured and its impact on the community has expanded, we found our program was no longer adequate for our growing cybersecurity needs. Thus, we began the process of rebuilding our program in order to strengthen our security posture.

The release of Trusted CI’s Framework was independent of our effort to rebuild our security program, but serendipitously timed nonetheless. We leveraged the Framework Implementation Guide (or FIG) -- instructions for cyberinfrastructure research operators -- to rebuild our security program based on the 4 Pillars and 16 Musts constituting the Trusted CI Framework.

The documents that form Trusted CI’s updated security program include the top-level Master Information Security Policies and Procedures (or MISPP), along with the supporting policies: Access Control Policy, Collaborator Information Policy, Document Labeling Policy, Incident Response Policy & Procedures, Information Classification Policy, Infrastructure Change Policy, and Onboarding / Offboarding Policy & Procedures. Moreover, to track critical assets, asset owners for incident response, associated controls, and granted privilege escalations, the following “Asset Specific Access and Privilege Specifications”, or ASAPS, were included: Apple (Podcasts), Badgr, Backup System (for G-Drive), Blogger, CloudPerm (G-Drive tool), DNS Registrar, GitHub, Group Service Account, IDEALS (@Illinois), Mailing Lists (@Indiana), Slack, Twitter, YouTube, Website (SquareSpace), Zenodo, and Zoom.


The effort to adopt the Trusted CI Framework took ½ FTE over four months. 

Wednesday, July 3, 2019

Trusted CI Completes Engagement with the Polar Geospatial Center

The Polar Geospatial Center (PGC) (NSF 1559691, NSF 1614673, NSF 1810976, NASA NNX16AK90G, and NASA 80NSSC18K1370) at the University of Minnesota provides geospatial support, mapping, and GIS/remote sensing solutions to researchers and logistics groups in the polar science community. The PGC supports U.S. polar scientists to complete their research goals in a safe, timely, and efficient manner by providing a service which most groups do not have the resources or expertise to complete. The mission of the PGC is to introduce new, state-of-the-art techniques from the geospatial field to effectively solve problems in the least mapped places on Earth. Trusted CI's engagement with PGC began in January 2019 and concluded in June 2019.

The primary goals for this engagement were to rapidly mature PGC’s cybersecurity program and develop a roadmap for future cybersecurity efforts at PGC. Trusted CI and PGC conducted a risk assessment of cyberinfrastructure assets, and then, driven by the results of the assessment, worked to build upon these results to improve PGC’s security program. The Trusted CI Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects and related materials were used to facilitate the effort.

Thursday, October 4, 2018

An Open Science Cybersecurity Program Framework

In 2014, Trusted CI published a “Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects,” also known simply as “the Guide”. Since its creation, Trusted CI has received tremendous community feedback attesting to its usefulness, including half of the respondents in the most recent Community Survey adopting it as a form of guidance for shaping their cybersecurity programs. As we observed the open science community’s interaction with the original document, it became apparent that improvements and revisions could make it more maintainable and thus more readily kept up-to-date, more applicable to a wider range of science projects, and more approachable to scientists and PIs, all without losing any of its technical value.
Based on our experience interacting with engagements, lively training sessions, the Summit, and the benchmarking survey, we knew we needed to spell out the basic realities of building a cyber program in a way that addressed the variability we’ve observed in the community. During a substantial revision of the training on the Guide for PEARC’18, it became clear that what was needed was not just a guide, but a framework for establishing and maintaining an open science cybersecurity program at any project scale and stage in a project’s lifecycle. Such a framework would be useful even for projects having significant compliance requirements (e.g., FISMA, HIPAA, NIST SP 800-171) in that it provides a starting point for evolving a cybersecurity program rather than hundreds of pages dense with unprioritized requirements. Work on revising the Guide into a framework and addressing the above goals began in earnest earlier this year and builds on efforts assisting NSF in drafting a cybersecurity section for the Large Facilities Manual. The current schedule calls for a first draft to be available in November 2018, and version 0.9 to be available in January 2019, with the publication of version 1.0 in March 2019. An additional blog posting and announcement will be made at those milestones and community feedback is strongly encouraged. We need your feedback to help us get this right!

Preview of the Framework

Trusted CI’s framework is built around four pillars: Mission Alignment, Governance, Resources, and Controls. Like the pillars supporting any structure, all are vital and required for an efficient and effective cybersecurity program.

Mission Alignment:

Cybersecurity programs ultimately exist to improve productivity by protecting the interests of the project’s mission. The program must center on appropriate protection for the information assets vital to the project’s mission. The information assets that are critical will change over a project’s life cycle, so the accuracy of the information asset inventory is a basic requirement. To simplify understanding the protection requirements of the information assets, an information classification scheme allows for conceptually grouping assets by the kind of protection required. External requirements may also play a role in the level and type of protection.

Governance:

Cybersecurity is not just the responsibility of a few but involves project leadership, administrators responsible for information assets, project personnel, and external users. Policies must clearly define the roles and responsibilities for all these contributors to the cybersecurity program. Additional policies are required to address a range of issues from appropriate use to incident handling. Periodic evaluation of the cybersecurity program is necessary to validate that the allocation of resources to controls is effective and efficient for the appropriate protection of project information resources.

Resources:

People, budgets, tools, and services are all required to operate a cybersecurity program. Finding and retaining people with cybersecurity expertise can be challenging. In addition to technical skills, important traits include the abilities to teach, communicate, and negotiate. Smaller, stand-alone projects without a supporting infrastructure typically spend a higher percentage of the IT budget on cybersecurity due to economies of scale. The actual money might be in a separate cybersecurity budget, but often it is part of some other organizational budget (e.g., the IT budget). Tools and third-party services can help fill gaps in the program but have to be used with care since they can easily place additional strain on both the budget and the need for experienced personnel to effectively use them.

Controls:

Controls are the safeguards and countermeasures that ensure the appropriate protection of an information asset according to the asset’s information classification. Control selection and implementation are ongoing processes in any cybersecurity program due to technical or organizational changes and the dynamic nature of threats and vulnerabilities. The Center for Information Security (CIS) Controls are widely regarded as authoritative, reasonable, and prioritized. The first six of these controls are the basic, minimal set that each project must either provide or ensure are provided by a supporting infrastructure. Additional controls enhance the protection for mission-critical systems and data, and for systems or data requiring specialized controls (e.g., SCADA systems, software repositories, critical or high-speed scientific data flows).

Tuesday, November 4, 2014

New CTSC Cybersecurity Plan published

About a year ago, CTSC published its own cybersecurity plan. As part of that plan, the plan itself receives an annual review. That review has been completed and version 2.0 of the plan and supporting documents have been published on CTSC's website. The supporting documents include an analysis via Attack Trees, a System Characterization, and a Threat Assessment.

While all of these documents received some updates, the updates in the main version 2.9 Policies and Procedures document were:
  • Minor changes for clarity.
  • Added a clause that Google accounts used to access Google Drive are used exclusively by a CTSC staff member.
  • Added Section 6 on Revocation of Access.
  • Changed “private” information to “engagement-related” information.
  • Labeling of sensitive information is only required “whenever feasible.”
  • Removed the requirement for encryption of sensitive data at rest due to the complexity of implementation in a group setting.
  • Added an annual review of the Google account and domain in which CTSC documents reside.
We've learned a lot about developing cybersecurity plans for NSF CI projects over the past two years and when we revise the plan again in 2015, we will use our Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects as the basis.


Friday, August 22, 2014

V1 of “Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects” released by CTSC

At the 2013 NSF Cybersecurity Summit, Bret Goodrich, Senior Software Engineer of the Daniel K Inouye Solar Telescope (DKIST)/National Solar Observatory (NSO), approached CTSC to discuss how to develop a cybersecurity program for cyberinfrastructure projects.
He was aware of the NIST special publications on conducting risk assessments and applying controls, but asked if there was a framework designed to address the unique needs of NSF-funded cyberinfrastructure (CI).

At the time, no such framework existed. After further discussions, CTSC and DKIST began a six-month process to create a guide for developing cybersecurity programs tailored to the NSF cyberinfrastructure community. At the completion of this effort the collaboration had produced the most comprehensive set of security resources tailored specifically for the CI community. The guide includes over 18 supporting documents that can be used to kickstart policy development and assist with risk assessments, data classification, and more. A shared goal is to establish a framework that can be adopted by all CI projects.

The latest version of this guide and its supporting documents are hosted in a CTSC-managed Google Drive directory and are available at trustedci.org/guide.

We’re encouraging CI projects to review and support the cybersecurity planning guide by applying the framework to NSF-funded projects.

CTSC is seeking comments, suggestions and other feedback to improve the development of these documents for future revisions.

Requests for more information about the cybersecurity planning guide, or comments providing feedback, can be directed to info@trustedci.org.

Sunday, March 16, 2014

Developing a Cybersecurity Plan for NSF Science and Engineering Projects: First Unit Released

A number of NSF projects have a requirement to develop a cybersecurity plan as part of their cooperative agreement with NSF [1]. Others want to do so because they consider it a best practice worth following.

As part of CTSC's ongoing engagement with the Daniel K. Inouye Solar Telescope (DKIST), we are developing a guide for creating such a cybersecurity program. Our first unit in this guide is now available for comment. We are using the TrustedCI Forum to disseminate this unit and solicit feedback from the community. We encourage all members of the community to join the conversation and provide their insights into this important work.

[1] http://www.nsf.gov/pubs/policydocs/cafatc/cafatc_lf212.pdf (see item 56 on page 6)