Formalize and enhance UCAR’s cybersecurity capabilities

UCAR’s information technology environment is a large and diverse set of computers, data, web servers, and network services. These systems comprise vital scientific research platforms as well as business applications. The Office of the Security Chief Information Officer (SCIO) oversees and manages information security and privacy for UCAR/NCAR/UCP, which includes sponsoring secure computing initiatives to provide supercomputing resources, Big Data services, and enterprise information technology. The CISL Director serves as the enterprise-wide SCIO, as defined in Corporate Policy 1-7. In FY2017, the SCIO consolidated the IT security and compliance teams into the Cybersecurity Program Office.

UCAR’s 2017 Cybersecurity Strategic Plan adopted the National Institute of Standards and Technology Risk Management Framework and Cybersecurity Risk Model. These constructs conform to the Federal Information Security Modernization Act (FISMA), industry best practices, Federal Acquisition Regulations, and the Controlled Unclassified Information Program.

Risk Management Framework
This model illustrates the Risk Management Framework. The Cybersecurity Program Office (CPO) engages in a repeating cycle of control implementation, assessment, and continuous monitoring to ensure the security of UCAR information systems.

The Cybersecurity Program Office (CPO) oversees alignment to regulatory requirements and promotes a variety of security initiatives and IT audit functions. The SCIO has delegated responsibility for implementing a security strategy with identification, prevention, detection, response, and recovery components to the CPO. The Computer Security Advisory Committee – a group of senior system administrators from across the organization – works with the CPO to balance the organization’s collective cybersecurity needs with those of the divisions and programs. Ensuring the confidentiality, integrity, and availability of intellectual property, data, and systems is vital to the organization and its mission.

Here is a summary of the SCIO CPO team’s FY2017 activities and accomplishments:

  • Adopted industry best practices with appropriate examinations of assumptions and revisions to fit with UCAR’s open scientific mission, as reflected in 17 UCAR security standards with associated procedures based on NIST Special Publication 800-53, Revision 4.

  • Mitigated new or expanded vulnerabilities, using our professional judgment to weigh them against the risks we currently accept or for which we provide compensating controls.

  • Established review processes in coordination with UCAR Contracts for procuring cloud services.

  • Designed and installed a next-generation firewall solution for NCAR and UCAR, replacing multiple older solutions.

  • Acted as consultants for new and existing software/hosting purchases within the organization, resulting in the approval of several applications and the modification of the installation process for the new credit card system to meet PCI requirements.

  • Updated and approved a new Incident Response Plan based on the requirements defined in the NIST SP 800-53 guidelines.

  • Provided targeted training and awareness for all employees as well as for lab systems administrators.

  • Managed annual third-party IT audit of security and privacy practices funded by a NOAA contract for FISMA compliance, obtaining a recommendation for granting “Authority to Operate” from the auditor.

  • Developed a framework for an enterprise Services and System Risk Assessment Report and conducted the resultant assessments.

  • Supported development of strategic privacy guidelines.

  • Initiated a centralized Audit Logging and Correlation improvement project.

  • Initiated a Vulnerability Management improvement project that included the adoption of continuous monitoring tools.

  • Initiated a Network Security Monitoring improvement project.

  • Planned and hosted our first Cybersecurity Partnership Initiative two-day event during National Cybersecurity Awareness Month that involved over 40 research universities and FFRDCs.

Cybersecurity at NCAR is supported by UCAR Communications Pool indirect funds. Portions of the effort for the COSMIC II program were funded by project-specific funds from NOAA.