Init0

The National Science Foundation (NSF) operates 18 major research facilities for the benefit of the scientific research community. Typically, these are one-of-a-kind facilities ranging from telescopes and gravitational wave detectors to oceangoing research vessels and networks of distributed sensors. These facilities operate with the purpose of supplying scientific data openly to the broad community of scientific users. At the same time, the data integrity and the continued operation of these unique NSF-funded scientific assets must be assured. NSF commissioned a study by the JASON advisory group to assess and make recommendations regarding cybersecurity at NSF’s major facilities so as to sustain their ability to provide high-quality data to the research community while mitigating potential cybersecurity threats. NSF received the JASON report containing 13 findings and 7 recommendations. NSF agrees with all the recommendations in the report; responses by NSF may be found below.

1. Recommendation: NSF should maintain its current approach of supporting major facilities to enhance cybersecurity through assessments of risk, and development and implementation of mitigation plans. A prescriptive approach to cybersecurity should be avoided because it would be a poor fit to the diversity of facilities, would inefficiently use resources, and would not evolve quickly enough to keep up with changing threats.

   NSF response: NSF intends to maintain its current philosophy of performing oversight of awardee plans that are tailored to the unique natures of the individual major facilities. Through its review processes, NSF will ensure that these plans are consistent with best practices for cybersecurity that are in common between major research facilities and other types of infrastructure.

2. Recommendation: An executive position for cybersecurity strategy and coordination for major facilities should be created at NSF. This executive should have authorities that allow them to continually support the balancing of cybersecurity, scientific progress, and cost in the distinct ways that will be appropriate for each facility.

   NSF response: NSF notes and agrees with the emphasis on such a position on strategy and coordination. NSF will explore different options for initiating the position and plans to create such a position within the next six months.

3. Recommendation: Using annual reporting and review processes, NSF should ensure major facilities implement robust cybersecurity programs that remain consistent with current best practice.

   NSF response: NSF plans to review the elements of a good facility cybersecurity program, currently described in Section 6.3 of the NSF Major Facilities Guide, to ensure that this section is up to date. NSF will add cybersecurity as a required element of annual reports and program plans and conduct any …….

   Source: https://www.nsf.gov/news/special_reports/jasonreportcybersecurity/index.jsp