CACTI notes of Wednesday, October 11, 2023

Attending: Rob Carter, Les LaCroix, Margaret Cullen, Chris Phillips, Gareth Wood, Derek Owens, Michael Grady, John Bradley, Kevin Mackie

With: Rob Gorrell (eAC rep to CACTI), Steve Zoppi, David Walker, Ananya Ravipat, Steve Premeau (TAC)

Regrets: Nicole Roy, Kevin Hickey

Pre-Read Materials: 

  1. NISTIR-8481

Agenda

  1. Administrivia
    1. Volunteer(s) to scribe
    2. Agenda bash
  2. Announcements
    1. Working Group Updates (email only) - Please share via email on the CACTI list ahead of time
  3. Main Business
    1. NISTIR-8481 feedback discussion
      1. Call for patent claims - I don’t think that’s what we are focused on
      2. Looking specifically for comments on Section 3.1
      3. Les: Everything about the awareness section also applies to value judgment of the faculty. 
      4. Gareth: challenges in telling researchers what they should be doing: more carrots than sticks
      5. Compliance vs Risk mitigation - Encouraging targeted mitigation is a good idea/ better approach
      6. NIST is almost characterizing compliance negatively - it seems ironic, since they are complicit in creating it
      7. Researchers have bias towards compliance - risk management is easy for them
      8. NIST highlighted the obvious 
      9. "Rapid pace of innovation" is similar to but very different from "staying current".  Staying current with security expectations still has a rapid pace.
      10. Supply chain is critical. Attach strings to funding - have policy to influence certain remediations for securing infrastructure
      11. Somewhere there should be a mention of the HECVAT as a resource. (Already mentioned on line 571.)

Chris Phillips to Everyone (Oct 11, 2023, 1:57 PM)

  1. HECVAT: https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit
  2. https://owasp.org/www-project-top-ten/ Recently updated in 2021. Broken access control is #1.
  3. If what we are delivering with eduGAIN, InCommon, and the AARC blueprint isn’t sufficient, then we still have work to do.
  4. Margaret: Should CACTI and Internet2 be mentioned as a resource?
  5. Rob: no mention of Identity and/or Federation.
  6. Les: Great to have concrete recommendations for each point in here. We have to be much more specific
  7. MikeG: need to be mindful of the challenges for custom systems that vendors need to keep current; they don’t always update as quickly, which drives a different approach: an enclave/shell around the service (scribe Chris: do researchers even know this, and how can we assist?)
  8. Observation from MikeG: missing the role of the library and research data management?
  9. Line 483: Call out existing federation infrastructure as one of those mechanisms to be identified
  10. How to build capacity is a big one. We could do that if there is funding associated with it
  11. Margaret: There is no general documentation for cultivating knowledge of how to do security at many higher ed institutions, and even we at I2 don’t have a great way to do that
  12. Chris: action item: IDPro might want to reply to this. He will talk to Heather
  13. Are we poised to help with training on Trust and Identity piece? We probably can’t with all aspects of cybersecurity
  14. It’s a challenge for NIST to reach the audience they are targeting. They could compile the material but challenge will be in reaching the right audience
  15. Some of these dialogues could happen at IAM online with NIST. 
  16. Steve Z : This is an opportunity for CACTI to get the recognition as the authoritative body
  17. Feedback wanted by Oct 31; Internet2 review before then.  Need someone from Internet2 to put the IPD comment template spreadsheet in the place where we can then fill it out.
  18. Margaret is taking the lead to make sure the final response is in the form of a letter.  Target of 10/25 to get it to Internet2 for review.  10/18 for a call for discussion for specifics.
    2. TechEx review and next steps
    1. Check out ACAMP notes if you were unable to attend. https://spaces.at.internet2.edu/display/ACAMP/ACAMP+Unconference+2023+Home
    2. What can I2 and InCommon do to help with workforce issues 
    3. Improving documentation - purpose focused documentation.  Review of "Does it have to be this hard? Eduroam, etc." session.
    4. Documentation is going to be the number 1 priority for 2024 and possibly 2025 for the Component Architects group. The Grouper project has already solicited community feedback on documentation.
    5. Eduroam Advisory Committee session: two main discussions: RADsec and "baseline expectations." 

Next meeting: Wednesday, November 8, 2023 1:30 p.m. ET