FISMA documentation
One of the foundational documents for implementing FISMA is NIST Special Publication 800-53 Revision 4. This document describes the security controls that must be implemented to achieve the FISMA compliance levels of Low, Moderate, or High.

UCAR manages and maintains a large and diverse set of compute, data, email, web, and network servers that form the core information technology (IT) within the institution. Not only are these systems valuable monetarily, they comprise vital scientific research tools and business continuation systems used throughout UCAR and the university communities. To pursue the scientific mission of the organization without hindering the free exchange of information, CISL is committed to maintaining a security posture that appropriately balances usability with the security of the systems.

Providing secure information technology systems within CISL and across UCAR supports CISL’s computing imperatives to provision hardware and software cyberinfrastructure for the atmospheric and related sciences. Cybersecurity is also critical to CISL’s computing imperative for data curation and to its computing frontier of center virtualization. The security strategy we employ must be balanced against the goals of openness and ease of access. CISL proactively strives for zero security incidents on its systems, and if an incident does occur, CISL responds to it and reports an analysis of it.

It is vital to the organization that we take appropriate measures to ensure the confidentiality, integrity, and availability of intellectual property, data, and systems. Appropriate measures balance the needs for availability and usability with those for integrity and confidentiality.

In FY2015, changes in contractual arrangements with some UCAR sponsors (particularly federal and other government agencies) required the organization to begin implementing measures to comply with FISMA, the Federal Information Security Management Act of 2002. In support of that effort, funds were identified to support new staff and contract staff to develop the required controls and documentation to achieve compliance.

Beginning in FY2015 and continuing into FY2016, the CISL Security Engineering Group (SEG) and compliance staff are assisting COSMIC staff in developing and implementing the System Security Plan for the COSMIC-P/GD system, which will support a new constellation of satellites scheduled for launch in 2016. That system is required to implement the Moderate level of FISMA controls. The experience gained during that effort will be leveraged to support a UCAR-wide FISMA compliance level of Low, expected to be achievable in the FY2016-FY2017 timeframe. Any network segments that require a higher security level will also be addressed.

Another major effort underway with SEG involvement is implementation of a new Identity and Access Management (IAM) infrastructure. This will support better control of access to UCAR resources by providing a more comprehensive source of authentication and authorization information for UCAR staff and collaborators. Background investigation and architecture efforts took place during FY2015, with initial implementation coming in FY2016.

At the same time, SEG continues its historical work of providing guidance to the organization in the maintenance and monitoring of a secure networked computing environment.

Cybersecurity at NCAR is supported by a combination of NSF Core funding and UCAR Communications Pool indirect funds.