Apr 07, 2023

Get Your Cybersecurity Program Up and Running with the Trusted CI Framework

Many project management sources state that a sobering 70% of projects will fail, and the statistics for IT-related projects are even worse. However, when the project in question is getting a research facility’s cybersecurity program up and running, failure is not an option. A clear understanding of obstacles is critical, and having a trusted framework for implementing such a program—designed and tested by members of the cyberinfrastructure-enabled research community—is even better.

Members of this community inhabit complex and rapidly evolving environments and advanced technology, such as particle colliders, large telescopes, sensor arrays, and mobile platforms like ships and drones—all of which impact the establishment of a cybersecurity program. However, according to Scott Russell, Senior Policy Analyst at the Indiana University Center for Applied Cybersecurity Research, the primary obstacles are nontechnical: lack of money, governance issues, leadership involvement, and mission alignment. Furthermore, organizations may lack guidance on addressing these nontechnical obstacles.

The Trusted CI Framework, developed by the NSF Cybersecurity Center of Excellence, was created to help organizations overcome these obstacles. It focuses on NSF Major Facilities and thus has a special awareness of the unique needs of scientific research cyberinfrastructure. And as Russell explained in his presentation at the 2022 CENIC Annual Conference in Monterey last year, approaching compliance requirements make this framework even more timely.

Russell was also careful to emphasize that while planning and implementing a cybersecurity program counts as a classic project – something of finite duration with a well-defined end goal that hasn’t been done before – the operationalized program does not, as it has no endpoint and instead lives as part of the organization for its entire life. “You’re never done with cybersecurity,” Russell said. “It’s an ongoing part of your organization’s life.”

The Trusted CI Framework establishes a minimum standard for cybersecurity programs in complex scientific research environments and rests on the four pillars of Mission Alignment, Governance, Resources, and Controls. The framework underscores sixteen clear, concise “Musts”—based on best practices and the previously mentioned nontechnical obstacles to project success—as opposed to a list of technical requirements. Examples include:

• Organizations must involve leadership in cybersecurity decision-making. Those in leadership positions can be detached from specific projects and highly overscheduled, but their involvement is critical, as they have the power to control resources and perspectives outside the organization.

• Organizations must establish a lead role with responsibility to advise and provide services to the organization on cybersecurity matters. It may seem obvious that someone must be in charge of such a complex effort, but that very complexity can lead to a dilution of leadership on the project.

• Organizations must establish and maintain a cybersecurity budget. Often, organizations either have no cybersecurity budget or have relegated it to their IT budget. This can impede decision-making, transparency and rigor, and organizational commitment.

• Organizations must adopt and use a baseline control set. While not requiring a specific set of baseline controls, this “Must” ensures a common language and structure that helps keep everyone on the same page.

To aid organizations in implementing a cybersecurity program using the Trusted CI Framework, the NSF Cybersecurity Center of Excellence created an onboarding program. The Trusted CI Framework Cohort is a six-month group engagement aimed at facilitating the adoption and implementation of the Trusted CI Framework among NSF Major Facilities, Mid-scales, and research cyberinfrastructure (CI) providers. During the engagement, members of the cohort will work closely with Trusted CI with the aim of implementing the Trusted CI Framework at their facilities. Afterward, they will have a validated assessment of their cybersecurity program and a strategic plan detailing their path to fully implementing each framework “Must.”

To learn more about Trusted CI, watch the presentation video online, download the presentation slides, or visit the website at trustedci.org.

Related blog posts

From the Ground to the Stars: Critical Big-Data Research in Africa

Learn about critical data-dependent research collaborations currently taking place in the nations of Africa, all of which require integration into the global high-performance network and cyberinfrastructure environments.

Solving Network Connections for USC on Catalina Island

CalREN connection and resiliency for USC's Wrigley Institute for Environmental Studies and its Marine Science Center on Catalina Island