The Trusted CI Framework will be a cybersecurity framework appropriate for scientific cyberinfrastructure that balances risk reduction with scientific productivity, and has the necessary flexibility for the NSF’s diverse community.
View the June 24 2019 webinar about the Trusted CI Framework.
The advisory group for the Trusted CI Framework is forming in Summer 2019. Please contact us if you’d like to participate.
May 2019: A Practical Cybersecurity Framework for Open Science Projects and Facilities. Presented to the 2019 Great Plains Network All Hands Meeting. By Kay Avila, Bob Cowles, and Craig Jackson. (Slides)
The Trusted CI Framework is built around four pillars: Mission Alignment, Governance, Resources, and Controls. Like the pillars supporting any structure, all are vital and required for an efficient and effective cybersecurity program.
Cybersecurity programs ultimately exist to improve productivity by protecting the interests of the project’s mission. The program must center on appropriate protection for the information assets vital to the project’s mission. Which information assets are critical will change over a project’s life cycle, so an accurate information asset inventory is a basic requirement. An information classification scheme simplifies understanding the protection requirements by conceptually grouping assets according to the kind of protection they require. External requirements may also play a role in the level and type of protection.
Cybersecurity is not just the responsibility of a few, but involves project leadership, administrators responsible for information assets, project personnel, and external users. Policies must clearly define the roles and responsibilities for all these contributors to the cybersecurity program. Additional policies are required to address a range of issues from appropriate use to incident handling. Periodic evaluation of the cybersecurity program is necessary to validate that the allocation of resources to controls is effective and efficient for the appropriate protection of project information resources.
People, budgets, tools, and services are all required to operate a cybersecurity program. Finding and retaining people with cybersecurity expertise can be challenging. In addition to technical skills, important traits include the abilities to teach, communicate, and negotiate. Smaller, stand-alone projects without a supporting infrastructure typically spend a higher percentage of the IT budget on cybersecurity because they lack economies of scale. The actual money might be in a separate cybersecurity budget, but often it is part of some other organizational budget (e.g., the IT budget). Tools and third-party services can help fill gaps in the program but have to be used with care, since they can easily place additional strain on both the budget and the need for experienced personnel to use them effectively.
Controls are the safeguards and countermeasures that ensure the appropriate protection of an information asset according to the asset’s information classification. Control selection and implementation are ongoing processes in any cybersecurity program due to technical or organizational changes and the dynamic nature of threats and vulnerabilities. The Center for Information Security (CIS) Controls are widely regarded as an authoritative, reasonable, and prioritized set. The first six of these controls are the basic, minimal set that each project must either provide or ensure are provided by a supporting infrastructure. Additional controls enhance the protection for mission-critical systems and data, and for systems or data requiring specialized controls (e.g., SCADA systems, software repositories, critical or high-speed scientific data flows).
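As an added illustration (not part of the Trusted CI Framework or its materials) of how the inventory, classification, and control pillars fit together: each inventoried asset carries a classification tier, the tier determines a required control set, controls a supporting infrastructure already provides are subtracted, and inventory entries that have not been reviewed recently are flagged. The classification tiers and the enhanced control labels are assumptions; baseline controls are referred to only by CIS number.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed labels for this example. The baseline is the "first six" CIS Controls
# the framework names (by number only); enhanced labels are placeholders.
BASELINE_CONTROLS = {f"CIS-{n}" for n in range(1, 7)}
ENHANCED_CONTROLS = {"enhanced-monitoring", "tested-recovery"}
CLASSIFICATIONS = {"public", "internal", "critical"}  # assumed scheme

@dataclass
class Asset:
    name: str
    classification: str
    owner: str
    last_reviewed: date
    # Baseline controls a supporting infrastructure already provides.
    provided_by_infrastructure: set = field(default_factory=set)
    # Obligations from external requirements (e.g. a data-use agreement).
    external_requirements: set = field(default_factory=set)
    # Specialized controls for systems such as SCADA or software repositories.
    specialized_controls: set = field(default_factory=set)

def required_controls(asset: Asset) -> set:
    """Protection an asset needs, derived from its classification tier."""
    if asset.classification not in CLASSIFICATIONS:
        raise ValueError(f"{asset.name}: unclassified asset cannot be protected")
    required = set(BASELINE_CONTROLS)
    if asset.classification == "critical":
        required |= ENHANCED_CONTROLS
    return required | asset.specialized_controls | asset.external_requirements

def project_gaps(asset: Asset, implemented: set) -> set:
    """Controls the project itself still has to provide: required, minus what
    the supporting infrastructure covers and what is already in place."""
    return required_controls(asset) - asset.provided_by_infrastructure - implemented

def stale_assets(inventory, today: date, max_age=timedelta(days=365)) -> list:
    """Inventory entries not reviewed within max_age; an inaccurate inventory
    undermines every downstream protection decision."""
    return [a.name for a in inventory if today - a.last_reviewed > max_age]

# Constructed sample inventory (not real project data).
WEBSITE = Asset("public-website", "public", "webteam", date(2019, 1, 10),
                provided_by_infrastructure={"CIS-1", "CIS-2"})
ARCHIVE = Asset("data-archive", "critical", "data-manager", date(2018, 3, 1),
                external_requirements={"encryption-at-rest"},
                specialized_controls={"high-speed-flow-monitoring"})
INVENTORY = [WEBSITE, ARCHIVE]
```

Running `project_gaps(asset, implemented)` over the inventory gives each asset's outstanding control list, and `stale_assets` gives the entries whose inventory record needs re-verification.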