Formalize and enhance UCAR’s cybersecurity capabilities

UCAR’s information technology (IT) environment is a large and diverse set of compute, data, web, and network servers. These systems comprise vital scientific research platforms as well as business application systems. Over the next five years CISL will introduce new security practices aligned with community best practices, such as those defined by the Federal Information Security Modernization Act (FISMA).

The CISL Director has been delegated the role of Security Chief Information Officer (SCIO) by the UCAR President’s Council and as defined in Corporate Policy 1-7. While managed by CISL, the Office of SCIO oversees and manages information security and privacy for the UCAR/NCAR/UCP enterprise. The SCIO inventories all UCAR systems and related information and manages security controls using federal information-processing standards and guidelines adopted by the National Institute of Standards and Technology (NIST) in accordance with the FISMA. The Cybersecurity, Risk, and Compliance (CRC) team oversees alignment to regulatory requirements and IT audit functions.

The SCIO delegated responsibility for implementing a security strategy with prevention, detection, and response components to the Security Engineering Group (SEG). Working with the SEG is the Computer Security Advisory Committee (CSAC) – senior system administrators from across the organization – to balance the organization’s collective cybersecurity needs with those of the divisions and programs.

Providing secure IT systems within CISL and across UCAR supports CISL’s computing imperatives to provide supercomputing resources, Big Data services, and enterprise information technology for UCAR, NCAR, and the Earth System sciences. Formalizing and enhancing cybersecurity capabilities is also an action item in CISL's strategic plan. The security strategy we employ must be balanced against the goals of openness and ease of access. CISL proactively strives for zero security incidents on its systems, and if an incident does occur, CISL responds to it and reports an incident analysis.

It is vital to the organization that we take appropriate measures to ensure the confidentiality, integrity, and availability of intellectual property, data, and systems. Appropriate measures balance the needs for availability and usability with those for integrity and confidentiality.

In FY2016, UCAR formed the Office of the CIO’s Cybersecurity Risk and Compliance (CRC) team, which revised and is implementing the UCAR Strategic Security Plan for NSF. This founding plan guides our cybersecurity efforts and becomes the baseline strategy that the rest of UCAR can leverage. The plan is organized around a set of guiding principles intended to balance UCAR’s mission-critical needs for unfettered processing power and stability in the computing environment with the need to address modern cybersecurity challenges, including external malicious attacks and internal resource constraints. The plan is aligned with the top 10 cybersecurity objectives identified in the Office of Management and Budget’s report to Congress under the Federal Information Security Modernization Act (FISMA II).

Cybersecurity accomplishments in FY2016 include:

  • Established a formal governance model with authority and roles clearly identified through new UCAR corporate policy 1-7 that created the enterprise-wide Office of Chief Information Officer for Security.

  • Adopted industry best practices with appropriate examinations of assumptions and revision to fit with UCAR’s open scientific mission, as reflected in 17 UCAR security standards with associated procedures based on NIST Special Publication 800-53, Revision 4.

  • Mitigated new or expanded risks, using our professional judgment to weigh them against the risks we currently accept or cover with compensating controls.

  • Resolved to build in security early in the process of planning and implementing projects and programs. As projects move forward, continual effort is devoted to a comprehensive and proactive security component.

  • Established review processes in coordination with UCAR Contracts for procuring cloud services.

  • Managed the first third-party IT audit of security and privacy practices funded by a NOAA contract for FISMA compliance.

Cybersecurity at NCAR is supported by a combination of NSF Core funding and UCAR Communications Pool indirect funds. Portions of the effort for the COSMIC II program were funded by project-specific funds from NOAA.

Security compliance timeline
This compliance timeline illustrates planned activities and portions of the organization that will be working with the compliance team to implement security best practices. Risk assessment and continuous monitoring of activities will become a cornerstone of the cybersecurity approach consistent with the security plan.