Many research facilities are using the Center for Internet Security (CIS): Top 20 Critical Security Controls (CIS Top 20) as a basis for their cybersecurity programs. ResearchSOC can provide services that address several key elements of these control sets.
ResearchSOC enables our clients to jump-start their security program by providing or supporting adoption of nearly all CIS Top 20 Implementation Group 1 controls by the end of initial onboarding. ResearchSOC basic and premium services further allow clients to implement the majority of Implementation Group 2 controls, while the proposed Security Intrusion Modeling for Scientific CyberInfrastructure (SIMSCI) project operated by ResearchSOC aims to provide advanced red-team capabilities for organizations focused on meeting regulatory or compliance requirements in Implementation Group 3.
Many colleges are using the National Institute of Standards and Technology (NIST) SP 800-171 framework and related controls in their schools or working towards doing so. While we do not recommend NIST for science facilities, we can help those who are required to use it.
ResearchSOC services can be a key component of a cybersecurity program that addresses the requirements of SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations). Meeting regulatory requirements in grants and contracts is becoming increasingly challenging as research institutions face new types of regulated data such as Controlled Unclassified Information (CUI).
Susan Sons, deputy director of ResearchSOC, said, “We’re seeing campuses and NSF facilities more and more being asked to align with these different regulatory standards and baseline best practice lists.
“Some of them are appropriate to what we’re doing. Some of them are not, so there can be a lot of complexity. Figuring out what is a useful tool for people who don’t do this can be hard. And that’s where we can help.
“We recognize that everyone needs a baseline control set and to understand it and to understand how much they need to do themselves and how much they can get help with. That’s our approach to the CIS materials.
“When it comes to NIST, that is a really tangled standard. It doesn’t map easily to what campuses are doing, or especially to what science is doing. We have documentation to help people understand where a particular service will cover a need under NIST or under the CIS controls. But we also try to let you know what we can give you in the way of more information to leverage. How can we make this easier for you? Because NIST especially is not an easy lift for any of the organizations that we serve.”