JASON Report on Facilities Cybersecurity
The National Science Foundation (NSF) operates 18 major research facilities for the benefit of the scientific research community. Typically, these are one-of-a-kind facilities ranging from telescopes and gravitational wave detectors to oceangoing research vessels and networks of distributed sensors. These facilities operate with the purpose of supplying scientific data openly to the broad community of scientific users. At the same time, the data integrity and the continued operation of these unique NSF-funded scientific assets must be assured. NSF commissioned a study by the JASON advisory group to assess and make recommendations regarding cybersecurity at NSF's major facilities so as to sustain their ability to provide high-quality data to the research community while mitigating potential cybersecurity threats. NSF received the JASON report (an Executive Summary is available), which contains 13 findings and 7 recommendations. NSF agrees with all the recommendations in the report; responses by NSF may be found below.
- Recommendation: NSF should maintain its current approach of supporting major facilities to enhance cybersecurity through assessments of risk, and development and implementation of mitigation plans. A prescriptive approach to cybersecurity should be avoided because it would be a poor fit to the diversity of facilities, would inefficiently use resources, and would not evolve quickly enough to keep up with changing threats.
NSF response: NSF intends to maintain its current philosophy of performing oversight of awardee plans that are tailored to the unique natures of the individual major facilities. Through its review processes, NSF will ensure that these plans are consistent with best practices for cybersecurity that are in common between major research facilities and other types of infrastructure.
- Recommendation: An executive position for cybersecurity strategy and coordination for major facilities should be created at NSF. This executive should have authorities that allow them to continually support the balancing of cybersecurity, scientific progress, and cost in the distinct ways that will be appropriate for each facility.
NSF response: NSF notes and agrees with the emphasis placed on strategy and coordination for such a position. NSF will explore different options for initiating the position and plans to create such a position within the next six months.
- Recommendation: Using annual reporting and review processes, NSF should ensure major facilities implement robust cybersecurity programs that remain consistent with current best practice.
NSF response: NSF plans to review the elements of a good facility cybersecurity program, currently described in Section 6.3 of the NSF Major Facilities Guide, to ensure that this section is up to date. NSF will add cybersecurity as a required element of annual reports and program plans and conduct any additional specialized reviews based on perceived risk.
- Recommendation: NSF should develop a procedure for response to major cybersecurity incidents at its major research facilities, encompassing public relations, coordination mechanisms, and a pre-ordained chain of authority for emergency decisions. Each major facility should also have its own response plan that is both specific to its needs and consistent with NSF's plan.
NSF response: NSF has charged a working group to develop a more robust response plan that integrates with both the agency's overall crisis communications plan and the response plans at the individual major facilities.
- Recommendation: NSF and the major facilities must be adequately resourced for their cyberinfrastructure and cybersecurity needs. What is appropriate will depend on each facility's unique characteristics and specific needs. The cybersecurity budget should be commensurate with perceived risk of an event, which may be unrelated to the cost of constructing or operating the facility.
NSF response: NSF will work with each awardee to develop a cybersecurity risk register for each major facility and will then integrate those risk registers in order to determine the highest NSF risks and implement any needed mitigations.
- Recommendation: NSF should refine facility proposal and design review processes to ensure that new major facilities plan cybersecurity as an integral part of the information technology infrastructure. NSF should regularly review the cybersecurity plans and efforts of both new and existing major facilities. Shifts to cloud-based cyberinfrastructure and to a wider range of partners will impact cybersecurity planning and need to be considered at proposal time.
NSF response: NSF believes that the cybersecurity review process at the time of awards should be risk-based. NSF will work to ensure that cybersecurity is a specified element and review criterion of each call for proposals in a major facility competition. For a renewal proposal, NSF will include a requirement for submission of a cybersecurity plan. For a new construction award, or a project in the Design Stage, the cybersecurity plan must be integrated with the Project Execution Plan. NSF will ensure that appropriate expertise is present on review panels to assess the adequacy of the cybersecurity plan.
- Recommendation: NSF should remain aware of national security concerns regarding its facilities and continue to facilitate coordination with appropriate agencies.
NSF response: NSF will conduct an assessment of national security concerns that may be associated with its major research facilities.