CACTI notes of Wednesday, October 11, 2023
Attending: Rob Carter, Les LaCroix, Margaret Cullen, Chris Phillips, Gareth Wood, Derek Owens, Michael Grady, John Bradley, Kevin Mackie
With: Rob Gorrell (eAC rep to CACTI), Steve Zoppi, David Walker, Ananya Ravipat, Steve Premeau (TAC)
Regrets: Nicole Roy, Kevin Hickey
Pre-Read Materials:
Agenda
- Administrivia
  - Volunteer(s) to scribe
  - Agenda bash
  - Announcements
  - Working Group Updates (email only) - Please share via email on the CACTI list ahead of time
- Main Business
  - NISTIR-8481 feedback discussion
    - Call for patent claims - I don’t think that’s what we are focused on
    - Looking specifically for comments on Section 3.1
    - Les: Everything about the awareness section also applies to the value judgment of the faculty.
    - Gareth: challenges in telling researchers what they should be doing: more carrots than sticks
    - Compliance vs. risk mitigation - encouraging targeted mitigation is a good idea / a better approach
    - NIST almost frames compliance negatively, which seems ironic since they are complicit in creating it
    - Researchers have a bias towards compliance - risk management is easy for them
    - NIST highlighted the obvious
    - "Rapid pace of innovation" is similar to but very different from "staying current". Staying current with security expectations still has a rapid pace.
    - Supply chain is critical. Attach strings to funding - have policy to influence certain remediations for securing infrastructure
    - Somewhere there should be a mention of the HECVAT as a resource. (Already mentioned on line 571.)
    - Chris Phillips to Everyone (Oct 11, 2023, 1:57 PM):
      - HECVAT: https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit
      - https://owasp.org/www-project-top-ten/ Recently updated 2021. Broken access control is #1
    - If what we are delivering with eduGAIN, InCommon and the AARC blueprint isn’t sufficient, then we still have work to do
    - Margaret: Should CACTI and Internet2 be mentioned as a resource?
    - Rob: no mention of identity and/or federation.
    - Les: Great to have concrete recommendations for each point in here. We have to be much more specific
    - MikeG: need to be mindful about some of the challenges for custom systems that the vendors need to keep current; they don’t always do as speedy a job of updating, which drives a different way to have an enclave/shell around the service (scribe Chris: do researchers even know this, and how can we assist?)
    - Observation from MikeG: missing the role of the library and research data management?
    - Line 483: Call out existing federation infrastructure as one of those mechanisms to be identified
    - How to build capacity is a big one. We could do that if there is financial funding capacity associated with it
    - Margaret: There is no general documentation for cultivating knowledge on how to do security at many higher ed institutions, including Internet2; we don’t have a great way to do that
    - Chris: action item: IDPro may want to reply to this. He will talk to Heather
    - Are we poised to help with training on the Trust and Identity piece? We probably can’t with all aspects of cybersecurity
    - It’s a challenge for NIST to reach the audience they are targeting. They could compile the material, but the challenge will be in reaching the right audience
    - Some of these dialogues could happen at IAM Online with NIST.
    - Steve Z: This is an opportunity for CACTI to get recognition as the authoritative body
    - Feedback wanted by Oct 31; Internet2 review before then. Need someone from Internet2 to put the IPD comment template spreadsheet in the place where we can then fill it out.
    - Margaret is taking the lead to make sure the final response is in the form of a letter. Target of 10/25 to get it to Internet2 for review. 10/18 for a call for discussion of specifics.
  - TechEx review and next steps
    - Check out the ACAMP notes if you were unable to attend. https://spaces.at.internet2.edu/display/ACAMP/ACAMP+Unconference+2023+Home
    - What can I2 and InCommon do to help with workforce issues?
    - Improving documentation - purpose-focused documentation. Review of the "Does it have to be this hard? Eduroam, etc." session.
    - Documentation is going to be the number 1 priority for 2024 and possibly 2025 for the Component Architects group. The Grouper project has already solicited community feedback for documentation.
    - Eduroam Advisory Committee session: two main discussions: RADsec and "baseline expectations."
Next meeting: Wednesday, November 8, 2023 1:30 p.m. ET