How We Help NSF Projects
Two recent workshops, which included representatives of 35 major NSF-funded cyberinfrastructure projects, determined that the NSF cyberinfrastructure community faces serious challenges in obtaining access to cybersecurity expertise. Projects are forced to divert their resources to develop that expertise, address risks haphazardly, unknowingly reinvent basic cybersecurity solutions, and struggle with interoperability. All of these activities can divert critical time and resources from projects’ primary mission of scientific research.
Cybersecurity in computational science encompasses keeping data and infrastructure trustworthy and private, allowing for interoperability between projects and sites, enabling collaboration, evaluating and selecting software based on needs, and operational plans and policies. If you have cybersecurity challenges with your NSF-funded research or project, be they simple questions or complex problems, please contact us.
For simple questions and issues, we can usually provide a quick answer. For more complicated engagements, we will work to define an engagement between your project and CTSC. (We strongly believe these activities must be collaborative to deliver sustained value.)
The following are examples of activities we are doing or have done to help. This is not an exhaustive list, and we are constantly expanding our knowledge base and resources, so please ask if your need is not represented here.
Cybersecurity Operational Planning
We assist projects in the development of operational cybersecurity plans, the evaluation of existing plans, or updates in plans, which are often required at key milestones, such as transitioning from deployment to operations.
We collaborate with projects developing new infrastructure or software, with regard to the cybersecurity of their CI. This can take the form of evaluating existing designs, helping with redesigns, or new development.
We work collaboratively with projects to assist with integration and deployment of software and services to meet the project’s cybersecurity needs. Examples include integration between project CI and an authentication system such as InCommon, or configuration of an authorization system to best serve a project. This also can include patching vulnerabilities when the software’s developer is unavailable or providing expertise to a project in addressing their vulnerabilities.
We will work with software developers or those relying on software to assess that software for flaws that could compromise the cybersecurity of its users. For third-party software, this activity includes working with the developers, following responsible disclosure practices, to get critical flaws fixed.
We commonly encounter projects needing to select among multiple technologies or services, and struggling to understand the cybersecurity ramifications those choices have on their risk posture, interoperability, usability, etc. We will provide guidance and recommendations to those projects, either working from our prior experience, or performing hands-on assessment.
We will provide training to audiences that include investigators and managers of cyberinfrastructure projects, developers and integrators, and those focusing on cybersecurity. In addition to open training in venues where we expect broad impact (schedule to come), we accept requests for training at a specific time and venue convenient to projects. We also seek suggestions on topics that would be of use to the NSF community.