The National Institute of Standards and Technology (NIST) requested public input on the research cybersecurity resources it might develop for colleges and universities. EDUCAUSE submitted comments that encouraged NIST to curate existing resources and develop new ones to support the research cybersecurity profession.
As a result of last year's CHIPS and Science Act, the National Institute of Standards and Technology (NIST) has been tasked with considering the resources it could produce to help colleges and universities with research cybersecurity. NIST released a request for comment (RFC) this spring seeking public input to help it better understand the issues and opportunities in research cybersecurity that it might pursue.
EDUCAUSE responded to the RFC on June 27 after working with member representatives to better understand how our cybersecurity community could best engage with NIST on its Cybersecurity for R&D project. To that end, EDUCAUSE submitted a cover letter along with the template that NIST provided for submitting comments. We requested that NIST supplement the RFC process by conducting a series of dialogue sessions with EDUCAUSE member representatives who predominantly work in research cybersecurity.[1] This request stemmed from the feedback of the member representatives who contributed directly to the EDUCAUSE comments. They generally agreed that engaging in conversations with the NIST officials working on the project would give them a clearer view of what NIST might see as possible in this space and therefore allow them to provide even more effective recommendations on what NIST could do to support research cybersecurity in higher education.
Regarding the written EDUCAUSE response to the RFC, EDUCAUSE encouraged NIST to work with the higher education research cybersecurity entities already in place to host a centralized online repository of information about those entities and the existing events and resources they offer. A website of this kind would make it much easier for those looking for information about and support for research cybersecurity to access the array of knowledge and community in the space. Examples of groups the proposed site might highlight include Trusted CI: The NSF Cybersecurity Center of Excellence, the Regulated Research Community of Practice (RRCoP) (which is also supported by the National Science Foundation [NSF]), the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), and the EDUCAUSE Higher Education Information Security Council (HEISC) 800-171 Compliance Community Group.
EDUCAUSE also proposed that NIST develop cybersecurity resources for academic researchers and their teams to tailor important process and practice guidance to non-cybersecurity audiences. In sharing their perspectives on research cybersecurity concerns, member representatives stressed that research assistants or researchers often serve as frontline technology and cybersecurity support for their federally funded projects. However, while they may be experts in their disciplines, they may lack sufficient knowledge about cybersecurity to ensure that basic protections are in place to limit risks to their data and activities. NIST could help fill a significant need in the research space by producing a common set of cybersecurity resources for non-cybersecurity researchers that could help them to establish a baseline level of cybersecurity in their research environments.
Another key area of opportunity for NIST from the perspective of EDUCAUSE member representatives involves working with research cybersecurity leaders and professionals to create guidelines, frameworks, and other resources to help advance research cybersecurity as a profession. The significant unmet demand for cybersecurity professionals is well known. However, the unique characteristics of academic research contexts make the gap between the demand for and supply of research cybersecurity professionals much more acute. Thus, EDUCAUSE argued that NIST could and should leverage its status as a major federal scientific research agency to highlight and support pathways to professional development in research cybersecurity that would help grow the field.
NIST has not yet released a timeline or roadmap for its research cybersecurity resources effort. However, NIST officials have reached out to EDUCAUSE member representatives to discuss this topic. We hope that NIST will hold additional discussion sessions in the near future, and EDUCAUSE will continue to encourage NIST officials to provide research cybersecurity leaders and professionals with as many opportunities as possible to contribute their knowledge and experience to the project.
- Jarret Cummings letter to Connie LaSalle, Senior Technology Policy Advisor, U.S. Department of Commerce, NIST; and Gemma Howell, IT Security Engineer, U.S. Department of Commerce, NIST, "Regarding Cybersecurity for R&D Request for Comment," June 27, 2023.
Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.
© 2023 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.