February 07, 2005

February 06, 2006

First Monday in February

annually thereafter

Cyber Trust (CT)

Networked computers reside at the heart of systems on which people now rely, both in critical national infrastructures and in their homes, cars, and offices. Today, many of these systems are far too vulnerable to cyber attacks that can inhibit their operation, corrupt valuable data, or expose private information. 

Cyber Trust promotes a vision of a society in which networked computer systems are:

• more predictable, more accountable, and less vulnerable to attack and abuse;
• developed, configured, operated and evaluated by a well-trained and diverse workforce; and
• used by a public educated in their secure and ethical operation. 

To improve national cyber security and achieve the Cyber Trust vision, NSF will support a collection of projects that together:

• advance the relevant knowledge base;
• creatively integrate research and education for the benefit of technical specialists and the general populace; and
• integrate the study of technology with the policy, economic, institutional and usability factors that often determine its deployment and use.

Proposals funded will support single and multiple-investigator projects within the broad range of disciplines contributing to the Cyber Trust vision.  Projects will be supported in three categories:  Single Investigator or Small Group projects, Team projects, and Center-Scale projects.  The resulting Cyber Trust award portfolio will: advance the cyber security research frontier; build national education and workforce capacity (including undergraduate, graduate, and faculty development and training); and ensure that new knowledge can be put into practice.

All awards made are subject to the requirements of P.L. 107-305, the Cyber Security Research and Development Act.

Today’s computing systems comprise a broad range of processors, communication networks, and information repositories.  They are increasingly ubiquitous, and consequently they are increasingly subject to attack, misuse, and abuse.  Computing systems are vulnerable to these threats due to technical and economic factors and to policy decisions.   For example, it is exceedingly difficult to reason precisely about the behavior of a complex digital system.  It is an art to design usable control interfaces for complex systems.   Specifications and designs often neglect privacy concerns.  It is hard to find security policies that are simple and flexible enough for users to tolerate, yet clear enough to guide system design and implementation.  Power and bandwidth limitations constrain the security features in lightweight wireless devices. Cost and time-to-market considerations limit the use of high assurance implementation methods.   Economics dictates having bundled software distributions that include vulnerable functions many users may not need.  The data needed to understand the range and severity of security problems and to evaluate the effectiveness of alternative solutions are lacking or closely held.  Finally, the consequences of insecure system designs are borne by individuals and organizations who use them rather than those who produce them.

The Cyber Trust program supports research and education activities that will lead to trustworthy computing systems.  The Cyber Trust vision is of a society in which:

• People can justifiably rely on computer-based systems to perform critical functions securely. These systems include not only critical national-scale infrastructures—such as the computer and communication networks, the electric power grid, gas lines, water systems, and air traffic control systems—but also more localized systems that perform safety-critical functions in aircraft, automobiles, and even home appliances.  These systems must be dependable even in the face of cyber attacks.

• People can justifiably rely on systems to process, store, and communicate sensitive information securely.  Increasing volumes of information flow on our financial networks, health networks, and even our library systems, not to mention our conventional communication systems and our networked systems of personal and corporate computers.  Confidence that these systems conform to policy (and that the policy is understood) even in the face of cyber attacks will permit people to make informed and rational decisions.

• People can justifiably rely on a well-trained and diverse workforce to develop, configure, modify, and operate essential computer-based systems. Educational systems must not only be able to graduate qualified technical specialists who can design, develop, and operate critical systems and investigate attacks on them, but they must also be able to educate the general public in secure and ethical use of technology.

Trustworthiness is a system property, and many factors influence how systems are put together.  Consequently, Cyber Trust covers both the full spectrum of information processing technologies and the social, legal, organizational, and economic factors surrounding the use of those technologies. To make progress towards the Cyber Trust vision requires:

1. Advances in knowledge and technology. This need motivates basic research on ways to make computing systems more secure.

2. Improved understanding of the human, organizational, legal, and economic contexts in which trusted systems are developed and operated. This need motivates multi-disciplinary research to identify overall effects of technical developments.

3. Improved education both of those who will produce systems using new technology and those who will configure, operate, investigate, and use the systems produced. This need motivates activities to develop a diverse and robust workforce.

Research is needed in a wide range of areas, addressing trustworthiness at all levels of system design, implementation, and use.  It is difficult enough to design and build digital systems that work properly in a benign environment. It is far harder to build systems that can withstand attack or abuse. To achieve the Cyber Trust vision, the science and technology of trustworthy systems must be developed, and it must be developed taking account of the social, economic, policy, and legal factors that determine whether and at what rate technology is deployed.  Application domains span the scale from global networks and large-scale computing to the ever smaller processing and network elements finding their way into cars, buildings, and infrastructure systems of all types.  Better abstractions are needed for reasoning about system behavior and attributing responsibility for system actions.  Better means are needed for benchmarking, measurement, and data collection to build the empirical underpinnings of the field.

Innovative approaches are needed in education, so that capable students participate in research and research results are quickly integrated into the educational process. System trustworthiness considerations must be included throughout the computer and information science and engineering curriculum, not just in courses for specialists. The concepts of proper system operation and ethical use of technology must have even broader reach, to touch students throughout the academic enterprise and beyond.

Research Areas

Research is warranted in aspects of the entire system life cycle:  development of security and privacy policies; definition of requirements; construction, validation and verification of components and systems; operation, monitoring, maintenance, and recovery after failures or incidents; and forensics, sanitization, and disposal.  Research that spans the technical areas affecting integrated information technologies is strongly encouraged.  This includes projects to advance or apply combinations of technologies to solve particularly challenging problems, to understand engineering tradeoffs among competing or complementary technical approaches, and to explore synergies among technologies.

Multi-disciplinary research that includes behavioral and social science disciplines is also strongly encouraged. System engineering tradeoffs are rarely based solely on technical issues. Social, organizational, economic, regulatory, and legal factors often play a major role in determining which technologies are developed, which ones are applied, and how they are used. These choices can have a major influence on overall system trustworthiness.  Many technologies that hold great potential for increasing system trustworthiness have seen little use in practice because, for example, they are seen as too time-consuming or as imposing too great a performance penalty in relation to any expected market advantage.  Through multi-disciplinary Cyber Trust projects, NSF seeks to increase understanding both of the technical implications and the role of social, economic and other factors in developing trustworthy systems.

The following paragraphs elaborate some areas that require investigation to achieve the Cyber Trust vision. They should be considered representative, not exhaustive.

The breadth of application of computers and communications continues to expand as computing and communication continues to become faster and cheaper. The needs and policies of applications—whether for computation, information processing, or real-time sensing and control—drive the trustworthiness requirements on lower system layers.  However, lower system layers cannot provide all the needed protection, because they lack knowledge of application semantics. At the same time, information systems and applications cannot stand alone:   they need to be integrated securely with middleware, operating systems, and networks.  A better understanding is needed of how to make engineering tradeoffs among these layers to achieve desired application security at acceptable cost and performance.  Sample research areas include:

• authentication, access control, and privacy protection;
• technologies for policy specification, trust negotiation, collaboration;
• application information flow certification;
• audit and application forensics;
• security and privacy in databases and high interest applications (e.g., voting, healthcare, data mining, semantic web, digital libraries); and
• comprehensible user interfaces for trust and security management.

Systems software provides the basis on which future applications will be built, and it governs system behavior, yet cost, power, weight, and response-time constraints—as well as the complexity of the task—often inhibit the development of controls that might prevent misuse or abuse. Security mechanisms are needed that can protect both conventional computers and increasingly pervasive embedded systems at all scales, from lightweight protection for tiny embedded sensors to complex controls for systems that require end-to-end protection.  Broadly applicable research results are always desired, but progress in this area may sometimes come through detailed work in a particular platform or system context.  Sample research areas include:

• trustworthy operating system architectures;
• secure hierarchical control and trustworthy transaction processing for infrastructure systems;
• long-lived data archiving mechanisms;
• access control for real-time operating systems;
• combined software/hardware approaches to trustworthiness; and
• middleware for trustworthy software-controlled real-time systems.

The increasing scale and diversity of communication networks amplifies their vulnerability by expanding the number of possible failures and providing more points of access to attackers.  Research to improve the trustworthiness of networks at all scales and to explore the evolving nature of the security protocols and policies in communications networks is of interest.  Sample research areas include:

• design principles for secure network services and protocols;
• network security architectures for both wired and wireless systems;
• denial of service prevention and avoidance;
• security for collaborative environments and grid computing;
• anonymity and accountability in networks;
• network forensics; and
• deployment, testing and validation of network security tools and mechanisms, including evaluation in testbed environments (e.g., the NSF/DHS DETER/EMIST testbed).

The Cyber Trust program is also interested in research that establishes a sound scientific foundation and technological basis for computing and communications in a world that may include malicious actors. Results of fundamental research are expected to have broad application and not be limited to a particular platform or operating system.  Sample research areas include:

• methods for specifying, reasoning about, and developing trustworthy components and networks, including novel hardware/firmware designs;
• composition methods;
• methods to assure that information flow in complex systems complies with security and privacy policies;
• evaluation and certification methods;
• maintaining trustworthiness as systems change and adapt;
• quantifying engineering trade-offs in trustworthy systems; and
• measuring, modeling, analyzing, and validating system trust properties.

Education and Workforce Development

Education to develop and maintain both a highly skilled Cyber Trust workforce and an informed populace is essential to the Nation.  Capacity-building activities are essential to educate the experts who will design and develop future trusted systems, to provide a thorough background in cyber trust for those who will manage, configure, and operate such systems, and to provide fundamental cyber security education for all citizens to secure systems of the future.  The Cyber Trust program supports projects to produce innovative curricula or educational materials that can help prepare the next generation of computing professionals to build systems with enhanced trustworthiness.

To develop, maintain, and enhance this critical educational infrastructure, all proposals must include an educational and workforce component.  Proposals must specifically describe their education and workforce development contributions, including the planned benefits and impact of the activities described.  Appropriate goals for these activities include integration of research and education, promotion of knowledge transfer, reaching diverse populations and promoting diversity in the cyber security workforce, building capacity within educational institutions for cyber security education, faculty development, and building academic and/or industrial partnerships.  Sample activities include:

• developing materials to integrate trustworthiness considerations into existing courses;
• disseminating best practices and models to the general public;
• having graduate students work with staff in K-12 institutions;
• offering summer industry internships for faculty and students;
• developing online resources for faculty; and
• developing student competitions to encourage more trustworthy programming practices.

Cyber Trust also supports projects that develop innovative curricular materials and that have the potential to improve higher education on topics related to system trustworthiness.  These may be stand-alone projects or part of broader research and education projects; stand-alone education projects can only be proposed in the Single Investigator or Small Team category of Cyber Trust.  All PIs who propose to develop curricular materials must provide strong justification for the need for the materials, and should include in their proposals plans for both evaluating their effectiveness and for disseminating them to the community.

Award Categories

Single or multiple-investigator projects will be supported within the broad range of relevant disciplines contributing to the Cyber Trust vision.  

Awards will be made in three categories:  Single Investigator or Small Group awards, Team awards, and Center-Scale awards.  Single Investigator and Small Group awards are expected to be small scale, focused, and intensive.  Of particular interest are fresh starts that aim at developing new expertise or formulating new research and education directions.  Stand-alone education projects must fall within this category.  Team awards support intensive research and education activities undertaken by teams of researchers and educators.  Teams will focus on challenging Cyber Trust problems that may cross disciplinary boundaries.  Center-Scale awards promote synergy among academic, industrial and other partners.  They address the combined needs for in-depth or multidisciplinary research investigations, education and workforce development, and incorporation of research results into deployed products and systems.  Single Investigator projects and Team projects will be supported as standard or continuing grants.  Center-Scale projects will be supported as continuing grants or cooperative agreements.

Proposal preparation guidance for projects in each of these categories is elaborated in Section V.  Proposal Preparation and Submission Instructions of this solicitation.

Organization Limit: Proposals may only be submitted by U.S. institutions or non-profit research institutions with a strong educational component. For-profit organizations and government laboratories of other agencies may not apply directly; they may receive subcontracts, but such subcontracts should be justified by explaining what unique capability is being made accessible.

Limit on Number of Proposals: An individual may appear as PI, co-PI or Senior Personnel on no more than two proposals submitted to each annual Cyber Trust competition.

Awards will support projects working within a broad range of disciplines contributing to the Cyber Trust vision, including those that address, for example, usability, economics, or policy aspects in combination with technological aspects of Cyber Trust.  There are three types of awards.

1. Single Investigator and Small Group awards last up to 3 years and do not exceed $500,000 total.

2. Team awards last up to 3 years and do not exceed $2,000,000 total. 

3. Center-scale awards range from $1 million to $2 million per year for 5 years and do not exceed $10,000,000 total. 

Estimated program budget, number of awards, and average award size/duration are subject to the availability of funds.

In unusual circumstances, the Cyber Trust program will entertain proposals that are beyond the scope and funding levels noted elsewhere in this solicitation.  Such proposals would be expected to explore groundbreaking or paradigm-changing ideas or to pursue a grand challenge requiring the work of a substantial number of researchers.  Projects of this type might well include multidisciplinary investigators and cross CISE divisions.  PIs who have in mind such a project must first brief the appropriate Cyber Trust program officers and CISE Division Directors.  PIs may submit a full proposal only after being given permission to do so.  The briefing must take place before the program solicitation deadline so the program can plan for the receipt and review of this kind of proposal. 

The following instructions deviate from the GPG guidelines:

To assist NSF staff in sorting proposals for review, proposal titles should begin with an acronym that identifies the category of proposal being submitted.  Use the following acronyms:

• Cyber Trust Individual or Small Group proposal = CT-ISG
• Cyber Trust Team proposal = CT-T
• Cyber Trust Center-Scale proposal = CT-CS

For example, a Cyber Trust Team proposal might have a title such as "CT-T: New Methods for Assuring Privacy-Compliant Information Flow."

Individual Investigator and Small Group Proposals

Proposals in this size class must specifically describe their integrated research and education and workforce development contributions or their stand-alone education activities, including the planned benefits and impact of the activities described.

Team Proposals

Proposals in this size class must describe substantial and ambitious research and education projects, either to focus a team of researchers and educators on a particularly challenging technical area or to create a multi-disciplinary team to address important cross-disciplinary challenges that will contribute to realization of the Cyber Trust vision.

Proposals for these projects should describe plans for distributing the research results and should strive to assist scientists and engineers to use their results in ways that go beyond traditional academic publications. They must also creatively address education and workforce development contributions, including the planned benefits and impact of the activities described. 

The project description should explain why a budget of the requested size is required to carry out the proposed activities and why the work needs to be conducted as a team effort.  Midterm external reviews and/or site visits may be expected at NSF's discretion.

Center-Scale Proposals

Center-scale projects promote synergy among academic, industrial and other partners.  Proposals must address the combined needs for in-depth or multi-disciplinary research investigations, education and workforce development, and incorporation of research results into deployed products and systems that lead to the realization of the Cyber Trust vision.

Project descriptions for center-scale projects are limited to 15 pages, except for the Management and Evaluation plans, which may take up to three additional pages, total. The project description for a center-scale proposal must incorporate five main elements:

• Research Plan—Describe the research objectives of the project, objectives that bring diverse scientific, engineering, and other disciplines together to address fundamental research issues crucial to achieving the Cyber Trust vision.  Provide a detailed research plan with a timeline for the activities proposed.
• Education and Outreach—Describe activities designed to (1) create a culture in which graduate and undergraduate students of diverse backgrounds work in cross-disciplinary teams, in close collaboration with external partners; (2) integrate education and research and expose students to the integrative aspects of Cyber Trust-related systems and industrial practice to build competence for their future careers; (3) develop curriculum innovations derived from the activity’s goals; and/or (4) produce graduates with the depth and breadth of education needed to sustain leadership throughout their careers.  Center-Scale Activities will include one or more community-extending concepts such as creative undergraduate education activities; programs to address the under-representation of women and minorities in the Cyber Trust workforce; links to institutions with strong traditions of teaching, mentoring, and workforce development; or participation by institutions in EPSCoR states.
• Effective Partnership and Technology Transfer—Describe activities designed to develop and sustain strong partnerships between academic and other partners. Activities may involve collaboration with partners in industry, including service industries, public agencies, or government laboratories. Partners may be involved through integral activities such as participation in strategic planning, joint research, mentoring students, and supporting proof-of-concept testbeds—­all modes that strengthen the partnership and speed technology transfer. Describe the intellectual foundation for partners to collaborate with faculty and students to address both long-range and shorter-term challenges, producing the knowledge needed to ensure steady advances in technology and to speed their transition to the marketplace, while training graduates who are more effective in their subsequent careers.
• Management Plan—Describe the management and coordination of the proposed activities.  The plan must identify the Project Director responsible for leading the activity and administering the award in accordance with the terms and conditions of the Award Letter issued by the NSF in the event of an award.  In addition, it should address the following needs:
  • A central point of communication with NSF,
  • Management of project activities,
  • Coordination of technology transfer activities,
  • Fulfillment of educational and workforce development responsibilities, and
  • An Advisory Board of outside experts to advise the Director.
• Evaluation Plan—Specify evaluation methods that will support assessment of both research results and the effectiveness of education and workforce development activities.

February 07, 2005

February 06, 2006

First Monday in February
annually thereafter

To comply with section 16 of the Cyber Security Research and Development Act (15 U.S.C.A. 7410), the grantee will ensure that no grant funds go to:

1. any individual who is in violation of the terms of his or her status as a nonimmigrant; or

2. any alien from a country determined by the Secretary of State to be a state sponsor of international terrorism unless that individual has a visa permitting him or her to enter and remain in the United States.

The grantee must immediately notify NSF if its ability to receive nonimmigrant students or exchange visitor program participants has been suspended or terminated.

Center-scale awards may be site-visited one or more times at NSF's discretion.

CAREER proposals that address Cyber Trust research and education issues are encouraged; please see the CAREER announcement and contact one of the Cyber Trust Program Directors listed herein to confirm specific CAREER application procedures for Cyber Trust.  Investigators also are encouraged to integrate Cyber Trust education in proposals submitted to other NSF programs that have an education or workforce focus, such as ADVANCE, REU sites, ITWF, IGERT, and GK-12.