EDUCAUSE responded to the National Science Foundation (NSF) request for comment on the formation of a research security and integrity information sharing and analysis organization. Among other recommendations, EDUCAUSE called for NSF to collaborate fully with REN-ISAC.
Earlier this year, the National Science Foundation (NSF) issued a "Dear Colleague Letter," requesting public input on the possible development of a research security and integrity information sharing and analysis organization (RSI-ISAO).Footnote1 Members of the EDUCAUSE community may be more familiar with the concept of a cyber incident information sharing and analysis center (ISAC), given the long-established ISAC for the higher education community, the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC). Many member institutions also participate in the Multi-State Information Sharing and Analysis Center (MS-ISAC), which serves state, local, tribal, and territorial government entities throughout the United States. ISAOs are intended to allow entities from across industry sectors, or those within particular geographic regions, to share and track cyber incident and response information in the same way that ISACs facilitate sharing within specific sectors.Footnote2
The CHIPS and Science Act, signed into law by President Biden in August 2022, tasked NSF with laying the groundwork for an RSI-ISAO. The NSF request for public comments on considerations for that process was the first public step in the RSI-ISAO planning process.Footnote3 However, neither the legislative provision charging NSF with developing such an organization nor the request for comment (RFC) derived from it reflect the established understanding of what an ISAO is and does. Rather than discussing the cybersecurity functions that an ISAO normally conducts, the CHIPS-related concept of an ISAO in the research context focuses on sharing information and developing resources to support general research security, which largely relates to matters like faculty conflicts of interest or conflicts of commitment, foreign government-related talent recruitment programs, and other "malign foreign influence" mechanisms.Footnote4
As a result, EDUCAUSE began its response by encouraging NSF not to lose sight of the traditional role and functions of an ISAO, even as it works to address the unique interpretation of the ISAO concept presented in CHIPS. EDUCAUSE argued that NSF should connect with the Cybersecurity and Infrastructure Security Agency (CISA) and the ISAO Standards Organization to gain a better understanding of what ISAOs are and how the core cybersecurity elements of an ISAO can be integrated into the RSI-ISAO as it takes shape.Footnote5 Along the same lines, EDUCAUSE proposed that NSF work closely with relevant, sector-specific cyber incident information sharing and analysis entities, such as REN-ISAC and MS-ISAC, to leverage their existing capabilities and resources to enable information sharing about incidents and responses to them across sectors, which is the traditional mission of an ISAO.
Recognizing the more programmatic emphasis for the RSI-ISAO that CHIPS presented, EDUCAUSE also suggested that the RSI-ISAO could play an important role in growing the relationships between the research and cybersecurity communities—both in number and depth—as well as within and across institutions and sectors. Furthermore, the EDUCAUSE response highlighted the potential for the RSI-ISAO to help develop research/research cybersecurity relationships between institutions at the local and regional levels and foster collaboration across RSI-ISAO participants on grants and projects.Footnote6 Among other proposals, EDUCAUSE identified an additional opportunity for the RSI-ISAO as a possible hub for developing shared, risk-based cybersecurity policies and practices across the participating organizations and sectors. Serving as a hub for policy and practice collaboration would involve the RSI-ISAO in looking for ways to standardize or align relevant models, processes, and guidelines and better adapt those elements to the research context.
NSF will likely need time to evaluate the input received from its RFC before it releases its next steps for developing the RSI-ISAO. It hasn't yet indicated when further information about the process will be available. EDUCAUSE will continue to monitor the RSI-ISAO project and work with research-oriented higher education organizations to inform the formation of the RSI-ISAO to the extent possible.
- Rebecca Spyke Keiser, "Dear Colleague Letter: A Request for Input on the Development of the U.S. Research Security and Integrity Information Sharing Analysis Organization," May 4, 2023. Jump back to footnote 1 in the text.
- For more information about ISAOs, please see the Cybersecurity and Infrastructure Security Agency web page, "Protecting Critical Infrastructure," as well as the ISAO Standards Organization. Jump back to footnote 2 in the text.
- Keiser, "Dear Colleague Letter," May 4, 2023. Jump back to footnote 3 in the text.
- See Jarret Cummings, "EDUCAUSE Responds to Draft OSTP Research Cybersecurity Provisions," EDUCAUSE Review, July 19, 2023, for more background on research security concerns. Jump back to footnote 4 in the text.
- EDUCAUSE letter to Stacy Murphy, Deputy Chief Operations Officer/Security Officer, Office of Science and Technology Policy, "Regarding Comment on Research Security Programs," June 5, 2023. Jump back to footnote 5 in the text.
- Ibid. Jump back to footnote 6 in the text.
Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.
© 2023 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.