Welcome, everybody. I'm Cliff Lynch, and I am here with Jay Gallman from Duke University, and we're going to talk about his work on the EDUCAUSE NIST SP 800-171 toolkit. We're going to do this as kind of a conversation, for a change of pace. So thank you so much for being with us, Jay, and thank you also for your great work on this toolkit, which I think is going to be really helpful for a lot of institutions. Maybe to get started, you could just very briefly remind us what NIST Special Publication 800-171 covers, why it's important now for higher ed, and particularly why it's suddenly showing up more in the context of research data management.

Sure. So for a bit of that background, I'll focus on where this initially showed up, which was with the Department of Defense. In the contracts that we get around research in higher ed, there are always terms and conditions, and a couple of the terms that get referenced a lot are the Federal Acquisition Regulations, which are known as the FARs, and specifically the Defense Federal Acquisition Regulation Supplement, or a DFARS clause. In 2017, DFARS clause 252.204-7012, commonly referred to as DFARS 7012, went into effect, and it basically started affecting contracts that had something called controlled unclassified information. Controlled unclassified information itself was defined around 2010 and covers a broad range of unclassified information across the federal government, not just within the Department of Defense. But the Department of Defense, looking to better secure their controlled unclassified information and do it in a uniform way, rather than leaving it to each granting agency within the department to specify what the terms were for securing the data, said, let's get NIST to define a set of controls that we can then apply to securing this data.
And so NIST developed 800-171, which is a special publication, so it's actually NIST SP 800-171, to define a set of controls across a broad number of families and say, here's how we can secure this stuff and do it in a uniform manner; it can be applied across everything, and people can follow it as guidance on how to do the security of these things. So this rolled around in 2017, and folks started realizing that they were going to need to deal with it, because it was going to become a requirement in the DoD's contracts that had controlled unclassified information. It was initially designed to be a self-assessment, self-reporting sort of situation. Unfortunately, it unfolded in a couple of instances, where some spot assessments and audits were done by the government, that folks weren't necessarily reporting the accurate truth around their programs. And so out of that came another acronym, which was the Cybersecurity Maturity Model Certification, or CMMC. The whole auspices of CMMC was that someone else would come into your environment and assess whether or not you had done the controls in 800-171 satisfactorily and therefore could go ahead and do this research in a secure manner. So now we're having to prepare for this audit process. This has gone through a couple of revisions, and as it stands today, CMMC is not expected to be up and running in a manner that would result in assessments on campus until sometime in 2024. So that's one piece of the puzzle that we're working with. The other thing that comes out of this is that in December of 2020, there was an announcement from Federal Student Aid that they were going to have some things around the security requirements in the federal student aid system that have to be complied with, and GLBA. In the first paragraph of a letter that they put out in December of 2020, it basically said, we are committed to fully advancing and encouraging all postsecondary institutions to implement the 800-171 controls.
So in a nutshell, we now have 800-171 showing up in a certain section of funded research for the DoD, and we've got a heads-up from Federal Student Aid that they're going to be looking at putting it around systems handling federal student aid on campus. That brings us down to where, in the early part of the first quarter of 2021, EDUCAUSE had had enough questions about 800-171 to go ahead and create a community group whose entire focus was going to be on discussing 800-171 on campus and how to handle it. So that's kind of the background of where the group got started and what 800-171 is all about.

That's really helpful as a refresher for how we landed here. And I gather there is discussion about having the same kinds of criteria potentially apply to data from other federal funders going forward.

I think we'll touch on that in a little bit, because there are other things, as you know, that are coming up and have come up in the past couple of years that just kind of sneak their way into the discussion, most of it of course through the government. We started meeting as a group, and right today we have almost 600 members in that EDUCAUSE community group, so there's a lot of interest in what's going on in the space. As we started meeting on a monthly basis, what we discovered was that there's a broad range of what people were there for. Some of us had been dealing with this and looking at it for a while and starting to get our heads around it. Others were, I'm brand new to this, I just heard this is a thing, and where do I get started? And so the whole idea of the first version of the toolkit, which is what's actually released and is in one of the links that I'll provide that you all will post when this goes onto the website, was a set of resources to try and address what people had expressed needing the most. So in the toolkit, we start off with an overview of 800-171, which is kind of a recap of what I just previously talked about.
And that's a great way in for the people who are in this group. The group itself is largely cybersecurity and IT practitioners. There are some people who are more in the assessment field, but what it's not is the people who handle the contracts, the people on campus who direct the research programs. So this becomes talking points that you can use to start having a dialogue with the parties on campus who need to be involved. There then were some efforts to look at evaluating individual controls and to develop some spreadsheets around that. A lot of this was, some of us have already developed templates and tools that we're using; can we go through as a smaller working group, look at these, and generalize them to the point where they can be used by a broader audience? So that's part of what was in there. Another thing that you'll find in there is Seven Things You Should Know About CMMC. The reason it's the seven things you should know about is that EDUCAUSE has a standing series of communications they put together that are basically seven things that you should know about a topic. And so, hey, this would be a great thing to have, and you put together seven things we need to know about CMMC, so a couple of folks went forth and did that. I think the last major piece that's in that first release of the toolkit was project phase planning, and this is where a bunch of us who've been involved in this started to evolve an understanding that there are certain things you have to do in a specific order to kind of get the ball rolling. One of those efforts was a workshop that we had had outside of EDUCAUSE, NSF funded, that ran through June of 2021, with a paper that was produced in July of 2021, and basically we said, here are six things that are important in getting this all put together, and we tried to look at it in terms of who had to be involved on campus.
And one of the things that came out of that was that leadership and ownership of this initiative, be it 800-171 or other regulatory things that were coming in, needed to be owned in the appropriate place on campus. It had to be owned by people who could really make decisions, and then you have to have people who understood what the finance needs were going to be, to say whether or not you were going to be able to move forward. So what we were trying to do with some of that part of the toolkit was to hand these IT security people some information that was basically, here's what other universities who were a little bit further along in this process are doing. This is the sort of thing that they have said: hey, this is how you can be successful in getting things started. So that was kind of what we had in mind with the first toolkit release, and that was actually released and made public on the EDUCAUSE website last fall. So we took a breather and we said, okay, that's very nice and very good. This gets us started, and I think the question is, okay, what next? So we bring ourselves into the beginning of this year, and we said, okay, what are we going to do? What do you need next? We went into the large community group and said, what do you need? And there was a sense that more was needed around the system security plan itself, so I'll explain a little bit about what that is so that we have an understanding. We've got those 110 controls, and we've got requirements around each control. And basically you have to put together a document for a system that's going to be handling controlled unclassified information.
And what the government says about CUI, and I've got some links about that to the DoD, there's largely a concept, I think, that CUI was documents being passed around at the federal government level that had to be labeled with a cover sheet in a certain way, and you will see that that is pervasive in the training that they offer around CUI and the discussions that they have around CUI; they're thinking document-centric in a lot of the things that they've made available. The problem is that research is not document-centric; it is data-centric. It is often laboratory based and not something you can do in an enclave, and so we're faced with system security plans for a number of types of environments. So one of the efforts that we undertook was with one of our other groups. There's a Regulated Research Community of Practice group. This is funded by an NSF grant, and many of us that are in the EDUCAUSE community are also members of this Regulated Research Community of Practice group. And we're trying to come up with things and divide and conquer, you know, keep some resources here, keep some resources at EDUCAUSE. NSF provided funding for the Regulated Research Community of Practice to do a workshop at EDUCAUSE's Cybersecurity and Privacy Professionals Conference in May of this year. Six of us from a number of universities got together for a one-day workshop before the conference started and sat down with a system security plan template to define a system for this particular exercise. In this case, we looked at a computer enclave, so a protected enclave on a campus. We had to make the decision: was it going to be on the campus, or would it be something you might do in the cloud, because that's a possibility. We pulled it back and said we'll do it on the campus and we'll deal with that.
And we'll take a subset of the controls, divvy them up, and work through what the group consensus is on how you might achieve those controls, and you might look at the best practices around that. So that's 42 out of 110 controls. Some of them we could eliminate because they didn't apply in that particular model, in an enclave model. And we said, you know, these aren't security controls, and so there are controls in the 800-171 framework that deal with things like background checks, or they deal with training needs, and they're not specifically cybersecurity, so we set those aside. And then we said, there's not going to be enough time to get to all of them, but we did at least come out with 42 controls that had a lot more insight and group thinking behind them. That subsequently got published and is one of the links that were provided. It kind of was not really version two of the toolkit, but some of those same people produced it, a product that came out of a whole day of 60 people sitting in a room and having a lot of discussion. And so one of the things was, well, what next? What are you going to be doing next? And there were a lot of folks who said, well, we've done 42 of the controls, we'd like to go through and find another 40. I think the challenge there is finding the format to do that, because you can't really get what you need in a Zoom meeting. And we don't feel that you can carve it up and say, well, you six people go work on this one and you six on that. It's time constraints, it's that sort of thing, so those are the challenges. One of the other challenges that we're facing is that we are now up against the revision cycles and new things coming in. We're just at revisions in the NIST standard right now. NIST released draft one of revision three of that standard in, I don't remember what the date was, but it had a request-for-comment period that recently closed.
So in the large EDUCAUSE group, we basically said, well, how many of you as individual universities think that you're going to be able to put forth the effort to make a response to the request for comment? And the general consensus was, not many. So, because EDUCAUSE generally does respond on these things, we felt as a group that our efforts would probably be better if a handful of us that were prepared to help put together a response did so, and EDUCAUSE, just last Friday, which was the deadline, made a response based on input from members of that community. So you've got the same sort of effort of doing that, but you're looking at, okay, here's what's coming; what are we concerned about? That's one of the challenges that we face in all of this: it's kind of a moving target. Controls change, new things come up. And you have to be careful in making your decisions, because some of these things may require large investment and changes in how you do things today. I think that's one of the major challenges we face. It's one thing to go into a very tightly aligned business that's a part of the defense industrial base, which has to face these same requirements, to do their things. But if you look at a university, a university is like a city. We've got a police department, we've got stores, we've got restaurants, and we've got the teaching mission, and we have a library where patrons are coming in and using those resources and are on the network. And we have buildings where research is taking place. But sensitive research isn't over here in a special building that has the special networks and all of that sort of thing. It's wherever that particular contract and the researcher who is interested in doing that work reside, and so the challenge becomes: how do we do this very secure initiative, where we really tighten down the environment, in an environment that is by its very nature designed to be open, collaborative, and available?
So, in fact, I've been on campuses where new buildings were designed within the last 10 to 15 years, and the whole design in some of the research space has been around being collaborative, being open, not having barriers and not having doors. And so that, in and of itself, is the challenge that we face.

That's really interesting, and I think it really captures the dynamic of it very accurately. So this is a wonderful resource, I think, for institutions who are just coming to grapple with this, and also for institutions that need to explain this to new sectors of the institution as the rules change and as the government invokes this for additional data.

And I think that becomes one of the things that we're going to get to. One of the things that I envision will start coming of this is, if we can get to a point where institutions are actually going through an assessment process, we start to learn what is and isn't being accepted for specific controls, and people can say definitively, we did X and it satisfied this control, and we can then start curating that. So I think, down the road, one of the things that I would like for the toolkit is a way to reiterate that information about what does work, and what doesn't work, and why it doesn't work, so that we can have a better way of bringing in that information, gathering it, and then putting it into a resource that others can access. And so again, one of the things that we're looking at that kind of came in from the side is that, late in the Trump administration, National Security Presidential Memorandum 33, NSPM-33, was released. The Biden administration picked it up and approved it. The impact of NSPM-33 is more than just cybersecurity; there are a lot of pieces in that, and there are things around ethics and foreign nationals and those sorts of things, a lot of things that are somewhat troubling, right, and somewhat troubling for universities as they're written, if we don't have an explanation. But the cybersecurity piece of it was interesting, because it will affect any university that has more than $50 million in annual funding from the federal government across all the research platforms, so not just NIH or DoD, any of the government funding agencies. You reach the threshold of $50 million, and your university is necessarily going to be impacted. And so there is a concern that if this isn't aligned right, you can start finding yourself, one, having to juggle multiple research frameworks for security that you're having to meet, and potentially multiple assessments. It becomes a bit of a nightmare in terms of staffing, with the potential for conflict between, well, this one says it needs this, but this one says it needs that; I can't do both of them in the same place. Let's go back to the business about it applying where that sensitive data is. The government envisions that at some point, the way they want this model to work is that you are CMMC certified prior to being able to put in a request for a grant. There's no way that any university is ever going to be able to say that, as a whole, the entirety of the university is CMMC certified. You wouldn't be able to function if that were the case. You also can't say, well, I'll just do everything that's in research and somehow figure out how to make that work. And so the challenge becomes, you can do an enclave, and maybe that'll take care of 80%, but what am I going to do for laboratories that suddenly say, hey, I want to do this research, and how do I get it CMMC certified? The CMMC program itself doesn't have very many certifiers or certified people to do the assessment.
That's a concern, so there's a lot of wait and see involved in this. At the same time, the government has shown no indication that they are going to slow down in terms of turning out new things. This week, though, we have one final piece that I'll mention that I think may actually be beneficial, and that is that they have released, if I can find it here in my notes, yeah, they released something called a fact sheet: Office of the National Cyber Director requests public comment on harmonizing cybersecurity regulations. This was released in the middle of the week, and I came across it through my colleagues who are involved in the Regulated Research Community of Practice, the large Slack presence where a lot of us are. When we find these things we say, hey, did you see this, and hey, did you see that, that was mentioned earlier. And so I think the government themselves realize that there is this potential for collision and a need to mediate. Where that's going to lead, I don't know. I'm hopeful it starts a dialogue that many of us are having, which is: there's nothing wrong at all with the goals of better securing the research that we're talking about. It's imperative. But the question is how do we go about it, and do we tailor the security around the actual research and the research environment to best fit it, or do we take this long, lengthy checklist and say, we've checked all the boxes, and that's security? I think the struggle is to try and shift the thinking at the government level that there's probably a better way to do this, and to be a little bit more understanding that the research environment is a little bit different than moving paper documents around.

I think that's a really, really helpful set of insights for understanding what's going on. Certainly, you see that thread of things that started with the national security memorandum, NSPM-33, continuing on through a lot of the stuff coming out of the Office of Science and Technology Policy about research integrity and about research data sharing, their directives to the various funding agencies. So that call for comments that you just mentioned does sound like it is opening up a very useful conversation.

Yeah, it'll be interesting to see. Fortunately, that one's got a little bit more time. I think the deadline, if I remember from looking at it this morning, I think the deadline for that one is... I will have the link to that particular one in the same place so people can verify that, but that gives it a little bit more time, but not a lot of time. That's kind of been the way these things are, and with so many of them, it's very difficult for universities to try and say, okay, we need to respond to this and we need to respond to this one. So it's been a bit of a divide and conquer between EDUCAUSE, COGR, and some of the other larger entities that universities are involved with, to try and make sure that the concerns are heard and gotten in front of the right folks. One last thing I'll mention that came up as an opportunity was that NIST themselves have been funded to generate some cybersecurity tools and offerings, training, that sort of thing, for the higher education community. And they offered us, between the Regulated Research Community of Practice and EDUCAUSE, they gave a presentation, and we said, hey, could you set up a discussion group for us to come in and have a dialogue? And so the week before last, I think it was, they opened it up for an hour and a half, and we had a really good discussion with them and talked about what some of our concerns were and some of our needs were. I think it's very interesting, having been a community group lead for the 800-171 group. In my day-to-day job, I'm fortunate to work in an R1 university that's got a staff of 14 doing cybersecurity, and separate privacy, and all of that. I've got peers in that 800-171 group at smaller colleges that are having to deal with some aspect of 800-171 and that may have an IT security staff of two or three. And so it's a challenge, and that's where we're trying to not only help these folks to the best that we can in terms of awareness, but also, if you're an IT staff of two and your peers have four and five, that's something you can take back to leadership as a benchmark. Another effort we're kind of looking at trying to do in there is, can we benchmark what others are doing, so that you have something to take to leadership, because they all want metrics. Well, sure, who's doing what? So hopefully we can continue to work as a community. I think that's the key to this: when we work together and divide and conquer, we're not all sitting around trying to invent some version of the wheel and hope that it rolls us forward.

Okay, well, thank you very much. I've kept you a long time on this, but this update and overview is very, very helpful, and we look forward to hearing about future work as you continue on with this project. So thanks again.

Thanks very much for the opportunity, and we'll talk again in the future.

We will. Take care.