Through a series of direct engagements with higher education cybersecurity and research security communities, as well as through comments received in response to NIST’s April 2023 RFC, several takeaways have emerged regarding the status of research cybersecurity across higher education.
While institutions of higher education face many of the same cybersecurity challenges and risks as other communities, various factors make this community and its research practices unique. In particular, the top-down, command-and-control model of cybersecurity risk management that works for many enterprises in the public and private sectors does not translate well to the complex, highly distributed, and diverse web of functions, missions, and cultures that constitute the higher education community. Beyond the common challenges that plague the cybersecurity field as a whole (e.g., budget constraints, workforce shortages, and the ongoing need to keep up with a rapidly evolving technology landscape), cybersecurity professionals in higher education must also be prepared to address a heterogeneous set of risks across distinctive contexts of research, from neural psychology to space research. Despite these and other challenges, institutions report some early successes in operationalizing cybersecurity risk management strategies in partnership with researchers and offer specific recommendations to advance the state of cybersecurity across the research community.
The following subsections describe the risks, challenges, current cybersecurity risk management methods, and recommendations provided to NIST by institutions of higher education, including members of this community with specialized experience in securing research activities.