Trusted CI’s HECVAT Guidance

The Higher Education Community Vendor Assessment Toolkit (HECVAT) can be a useful tool for NSF research projects that are using external services and/or are providing services to others. For projects that are using external services, the HECVAT can help to evaluate and understand the external service providers’ security practices, to ensure that the NSF project’s cybersecurity program includes these external services. Likewise, for projects that provide services to others, the HECVAT can provide a structured method of disclosure of security practices to consumers of those services, tailored to the concerns and needs of the higher education community. Quoting from “Must 8: Comprehensive Application” in the Trusted CI Framework Implementation Guide (FIG):

Research cyberinfrastructure operators (RCOs) provide services to third parties, rely on third party services and technology, and collaborate in myriad ways to accomplish their missions. In addition to accounting for traditional organizational personnel and units, RCOs need to consider these more complex third parties. The cybersecurity program should cover these services.

This page provides Trusted CI guidance on applying the HECVAT for NSF research projects. The guidance was developed in part through Trusted CI’s Fall 2021 engagement with the Ohio Supercomputer Center (OSC). If you find this useful or have feedback, we'd enjoy hearing from you at info@trustedci.org.

Relevance to Research Projects and Research Services

While the HECVAT was initially developed as a tool for universities to evaluate commercial cloud service providers, in our experience HECVAT-Lite Version 3 applies equally well for academic research projects evaluating academic service providers, such as NSF HPC centers and campus NSF CC*/CICI awardees. For example, during our Fall 2021 engagement, OSC successfully completed the HECVAT-Lite Version 3 questionnaire on request by a research project at another university that planned to use OSC HPC services. Since the HECVAT is widely accepted in the higher education community, this enables OSC to maintain a single set of standard questionnaire responses to share with multiple user groups regarding their cybersecurity practices.

Mapping to the Trusted CI Framework

As illustrated by the quote above about “Must 8: Comprehensive Application” from the Trusted CI Framework, a research project’s cybersecurity program should encompass external services. The HECVAT provides a standard questionnaire for sharing information between service providers and service consumers about their security programs and needs, which can help with meeting this requirement for comprehensive application.

The HECVAT-Lite Version 3 includes a “Standards Crosswalk” tab with references to corresponding “Must” sections of the Trusted CI Framework Implementation Guide (FIG), to aid projects that have adopted the Trusted CI Framework with using the HECVAT. The “Standards Crosswalk” table also includes a mapping to the CIS Critical Security Controls, which is the baseline control set recommended in the Trusted CI FIG (“Must 15”):

Trusted CI recommends adoption of the CIS Controls unless another baseline control set is legally or contractually required for selected information asset categories.

Additional mappings in the HECVAT-Lite Version 3 (to HIPAA, ISO 27002, NIST Cybersecurity Framework, NIST SP 800-171, NIST SP 800-53, and PCI DSS) are also available for research projects that have adopted those standards.

Guidance on Selected HECVAT-Lite Questions

In addition to the Trusted CI Framework mapping provided as part of HECVAT-Lite Version 3 itself, we provide more detailed guidance below when applying the HECVAT in a research project context, taken from the Trusted CI Framework Implementation Guide (FIG).

COMP-01

Cybersecurity is not undertaken as an end unto itself: the ultimate goal of a cybersecurity program is to support the organization’s mission. “The mission” is the foundational motivating force driving decision making: it is made up of the task(s), purpose(s), and related action(s) that the organization treats as most important or essential. The program’s implementation must account for the positive and negative impacts security can have on the organization’s mission. Organizations must identify and account for cybersecurity stakeholders and obligations (which include parent and subsidiary relationships).

Cybersecurity stakeholders are people or entities with interest in or affected by an organization’s cybersecurity. Cybersecurity obligations are any internally or externally imposed processes or practices that impact the operation of the organization’s cybersecurity program. Accounting for these stakeholders and obligations involves making and following through on conscious, documented decisions with regard to them.

Framework Must(s) - 1: Mission Focus, 2: Stakeholders & Obligations

COMP-02

Programmatic evaluations are how the organization determines whether the cybersecurity program is achieving its purpose. Refinements are any changes designed to improve the program’s efficiency or effectiveness. Among these refinements are internal self-evaluations following an incident.

Framework Must(s) - 10: Evaluation and Refinement

COMP-03

Due to the complexity and breadth of cybersecurity issues and the need for coordinated decision making, organizations require an individual role to lead cybersecurity. This position, often referred to as the Chief Information Security Officer (CISO), ensures the program educates and advises decision makers on cybersecurity matters, including risk identification and mitigation, and policy development. The position also provides leadership for services like incident response coordination, and cybersecurity control selection and monitoring. Organizations must allocate personnel resources to cybersecurity. Personnel resources are commitments made by an organization to assign human effort to particular activities on behalf of the organization. Personnel resources allocated to cybersecurity include both full-time cybersecurity employees and employees with partial cybersecurity responsibilities.

Framework Must(s) - 7: Cybersecurity Lead, 13: Personnel

COMP-05

Organizations may be subject to specific data use agreements or statutory, regulatory, contractual, or other legal requirements. These obligations set expectations for the cybersecurity control implementation or programmatics. Regulations may be international, national, state, or local and might be specific to a particular type of information asset.

Framework Must(s) - 2: Stakeholders & Obligations

DOCU-01

Evaluations can take many forms, with different types of evaluations offering different strengths and weaknesses. The most important distinction is between evaluations conducted internally and evaluations carried out by an external organization. External evaluations are more costly and time-consuming, but offer a more objective perspective and allow external experts to provide valuable input into the cybersecurity program’s workings. Trusted CI recommends a comprehensive external assessment of the cybersecurity program every three to five years.

Framework Must(s) - 10: Evaluation & Refinement

DOCU-02

Due to the complexity and uncertainties involved, organizations in general do not have sufficient expertise, personnel time, or funding to develop and maintain an effective cybersecurity program entirely in house. Organizations that specialize in cybersecurity services often have well-developed knowledge and expertise in the domain they serve and are capable of providing services of a higher quality than other organizations could achieve by developing an in-house solution. In addition, making use of applicable external resources allows an RCO to avoid duplication of effort. By leveraging existing solutions offered by third parties, an organization can avoid retreading the same path where others have already done the work.

Framework Must(s) - 10: Evaluation & Refinement, 14: External Resources

DOCU-04

A baseline control set is a predetermined set of controls used as a default when selecting security controls for information assets. The baseline control set does not determine what security controls an organization must implement; rather, it provides a foundation from which an organization tailors control selection based on the needs of its mission. Baseline control sets vary in the number, specificity, and goals of the controls they describe. Baseline control sets may be legally imposed when handling specific types of data. In other cases, organizations can select a well-maintained control set that is based on evidence of what works to reduce cybersecurity risk.

Framework Must(s) - 15: Baseline Control Set

DOCU-09 & DOCU-10

Organizations should undertake preplanned, periodic “comprehensive” evaluations, where the efficacy of the entire cybersecurity program is considered and where the strategic plan is reaffirmed or modified. This is because both the organization and the organization’s environment change, and the cybersecurity program needs to change with it. Finally, cybersecurity programs are complex and challenging to get right, and organizations will need to iterate and make refinements based on lessons learned.

Framework Must(s) - 6: Risk Acceptance, 9: Policy, 10: Evaluation & Refinement

HLAP-01

In more complex organizational environments, there may be different governance structures that affect the categorization of assets. Differences in the way concerns and consequences are viewed, differences in the research projects supported, or differences in stakeholder requirements can all result in distinct categories for parts of the organization. The categories exist to aid in managing the information assets and should be used where they make sense in the organizational structure and to the people involved. Access control is often based on these categories.

Framework Must(s) - 4: Asset Classification, 8: Comprehensive Application, 15: Baseline Control Set

HLAP-03

If the cybersecurity program fails to reach and appropriately cover all entities with access to and authority over information assets, the organization is vulnerable to compromise. Organizations increasingly have highly distributed user bases, customers, and stakeholders. Remote environments need their own strategy for securing information assets as opposed to a traditional corporate environment.

Framework Must(s) - 8: Comprehensive Application, 15: Baseline Control Set

HLAA-02

Internal resources alone are insufficient to support a competent cybersecurity program. Organizations should not “go it alone” when developing a cybersecurity program. External cybersecurity resources help prevent “reinventing the wheel” and help the organization to use available resources more efficiently. External cybersecurity resources include parent and peer organizations, consortia that provide services, security consultants, and commercial vendors, as they can provide both general programmatic recommendations and specific services and expertise, as needed.

Framework Must(s) - 14: External Resources, 15: Baseline Control Set

HLSY-04

Industry-specific organizations such as Trusted CI or REN-ISAC perform external, third-party reviews. These organizations may have a broader perspective than peer organizations and have a great deal of experience performing comprehensive reviews of cybersecurity programs.

Framework Must(s) - 10: Evaluation and Refinement

HLIR-01 & HLPP-03

Trusted CI recommends that RCOs at a minimum prioritize 1) a master policy that defines the major structures and governance functions of the cybersecurity program, 2) an incident response policy and procedural guidance, and 3) an acceptable use or related policy/agreement that sets expectations for the researchers’ use of the RCO’s information assets.

Framework Must(s) - 9: Policy