Charter, Vision, Mission, Governance, and Validation

iJC3 Cyber R&D Charter, Vision, Mission, Governance, and Validation

Last Modified: August 10, 2016 

iJC3 Cyber R&D Vision

The Department of Energy (DOE) is responsible for ensuring America's security and prosperity by addressing its energy, environmental, and nuclear challenges through transformative science and technology solutions. DOE has a singular and unique national security mission and set of program requirements. This diverse set of responsibilities ranges from protecting highly sensitive data to providing an open environment for advancing basic scientific research with minimal downtime, all while simultaneously securing the nation's high-performance computing assets (such as ALCF, OLCF, and NERSC), the DOE high-performance network (ESnet), and a highly diverse collection of network-connected scientific instruments. These important but highly unique missions and assets make DOE a target for sophisticated nation-state adversaries. However, currently available commercial-off-the-shelf (COTS) and government-off-the-shelf (GOTS) security solutions are unable to provide the level of cybersecurity protection uniquely demanded by DOE's key missions. Since it is anticipated that this state of affairs will exist for the foreseeable future, DOE will continue to be unable to rely upon untrusted COTS products, or on outside contractors, universities, or other Federal agencies, to secure its mission-essential functions.

As part of the iJC3, the iJC3 Cyber R&D ECC will pursue R&D activities and programs that seek to ultimately result in measurable improvements to cyber (encompassing both cybersecurity and information sharing) in support of the DOE mission, in order to provide what COTS/GOTS solutions cannot and may never be able to.

In order to achieve its desired research and development outcomes, the iJC3 Cyber R&D ECC will engage in collaborative scientific research and develop technologies necessary to enhance the security of DOE systems and networks. More specifically, the iJC3 Cyber R&D will experiment with and produce outcomes likely to have broad applicability to the protection of the DOE information and enterprise infrastructure (via the other ECCs).

iJC3 Cyber R&D Detailed Scope

All iJC3 Cyber R&D projects should focus on the needs of the DOE, and in particular, should focus on distinctive and possibly even unique needs of the DOE, such that those needs are unlikely to be satisfactorily met in the near future by other COTS/GOTS solutions.

The iJC3 Cyber R&D ECC will contain a portfolio of research & development efforts that have roughly equal amounts of short, medium, and long-term foci. Efforts should address "hard" enough problems and enough research that they merit funding via iJC3 rather than the small, single-lab solutions provided via regular budgets of National Lab CIOs and/or Lab Directed Research and Development (LDRD) funding.

iJC3 Cyber R&D efforts will be informed by other iJC3 ECCs, and additional stakeholders both within the DOE as well as within other agencies.

The iJC3 Cyber R&D ECC will interface with other iJC3 ECCs not only for conceptual ideas, but also as part of a process of real-world deployment, testing, and obtaining feedback.

iJC3 Cyber R&D ECC projects will generally develop "prototypes" and/or experimental evidence, but not production-quality "products," as R&D source code (even source code resulting from development-centric projects) is generally not considered "production quality," nor is a support structure assumed to be set up. It is assumed that the iJC3 will establish a mechanism in the future to transition products from research prototypes to production use by other ECCs.

iJC3 Cyber R&D projects should be mostly (but not exclusively) collaborative between two or more National Laboratories.

iJC3 Cyber R&D does not perform classified research and development. It is understood that R&D can be developed for and tested in unclassified environments and may well later be applied to classified environments by individual labs or other ECCs, but iJC3 Cyber R&D does not fund projects that require classified work. This is due both to the recognition that it is not required for R&D, given the existence of the other ECCs, and to the need to be inclusive of the National Labs whose charters prohibit classified work.

iJC3 Cyber R&D Governance and Processes

iJC3 Cyber R&D Lead, Partners, and Collaborators

The iJC3 Cyber R&D ECC is composed of National Lab participants that participate at one of three levels: "lead," "partner," or "collaborator."

There is a single lead at any given time, who is responsible for reporting, who serves as an external coordinator between the iJC3 Cyber R&D ECC and other iJC3 ECCs, and who serves as an internal coordinator, gathering material for reporting, and convening other workshops and meetings as needed. The iJC3 ECC lead also makes recommendations on R&D directions, and, following quarterly meetings, is responsible for conferring with other ECC leads to determine key gaps that could potentially be addressed by Cyber R&D.

Other labs are designated by the DOE CIO's office as either "partners" or "collaborators" depending on the level of interest and capability of that lab, and the determination of the DOE CIO's office.

The iJC3 Cyber R&D ECC Lead is primarily a coordinator. Actual governance decisions are issued by the iJC3 Cyber R&D Governance Board.

iJC3 Cyber R&D Advisory Group

A standing iJC3 Cyber R&D Advisory Group (AG) will provide strategic and technical review by federal officials and other independent reviewers free from conflict of interest regarding funding allocations between sites. The AG will provide external guidance to the iJC3 Cyber R&D Governance Board on other government programs, needs, and capabilities. The AG will also work with the iJC3 Cyber R&D Governance Board to assess outcomes in terms of process, balance of portfolio and projects, and other performance metrics established by the iJC3 Cyber R&D Governance Board. AG members will be elected by the iJC3 Cyber R&D Governance Board and serve two-year renewable appointments. AG membership should represent a broad array of federal interests such as DOE itself (including mission stakeholders from the ASCR facilities and other network-connected scientific facilities, as well as various NNSA programs, and energy infrastructure) and other government agencies and programs, as well as scientific leaders in the field.

iJC3 Cyber R&D Governance Board

The primary organizing body for iJC3 Cyber R&D is the iJC3 Cyber R&D Governance Board.

The Governance Board is composed of one person per "lead" or "partner" National Lab (although there can be primary and alternate representatives). Each "lead" or "partner" National Lab has one vote per National Lab. "Collaborator" labs serve an advisory role on the Governance Board.

Each participating national laboratory will provide primary and alternate named site representatives to the iJC3 Cyber R&D Governance Board. In order to successfully perform this task, the Governance Board delegates are expected to be roughly at the seniority level of Division Directors, who are used to serving this role for other major R&D efforts as well. In general, Governance Board delegates are not technical leads / principal investigators.

Governance Board representatives will be replaced at the will of the Lab or when requested by a two-thirds vote of the iJC3 Cyber R&D Governance Board.

The iJC3 Cyber R&D Governance Board is to:

  1. Define organizing principles
  2. Manage a transparent governance process
  3. Approve site proposals for use of any "base" funding to ensure sufficient collaboration and relevancy to the iJC3 Cyber R&D scope and vision
  4. Manage the competitive process for awarding "non-base" funding
  5. Recommend funding distributions to DOE
  6. Conduct internal and external review and assessment
  7. Set the research agenda for iJC3 Cyber R&D
  8. Recommend changes in roles of National Labs between "lead," "partner," and "collaborator" status to DOE
  9. Nominate individuals to working groups and the Strategic Advisory Group
  10. Appoint/elect a chairperson who will schedule Governance Board activities.

iJC3 Cyber R&D Funding and Project Selection

Initially, given very modest funding levels, funding will be roughly equal across "partner" labs, with slightly more for the "lead" (for management, reporting, and running workshops) and somewhat less for "collaborator" labs.

If funding increases substantially in future years, it is expected that there will be a certain level of "base" funding for each lab to maintain a core amount of non-competitive funding for each "lead" and "partner" National Lab to participate in R&D in a meaningful way, and for "collaborator" National Labs to participate in advisory and smaller-scale collaborative functions; and there will also be a competitive process to select projects.

For base funding, labs may largely self-direct their own project directions within the stated framework, subject to approval of the iJC3 Cyber R&D Governance Board.

For competitive funding, the competitive process is not intended to be a competition between National Labs, but is intended to be a competition of ideas. Regardless of whether or not a particular National Lab is one that comes up with an idea that is approved, should a National Lab have interest and have (or be able to have) relevant capabilities, a National Lab should be able to indicate interest and participate in a project, pending approval of the iJC3 Cyber R&D Governance Board. 

The process for establishing projects is:

  1. iJC3 Cyber R&D technical leads come up with project ideas
    1. Research projects should be…
      1. Mostly (but not exclusively) collaborative (2+ labs)
      2. Hard enough problems, w/ enough "R" that they merit something like iJC3
      3. Result in prototypes and/or experimental and/or analytical evidence, not products
      4. Somewhere on the short, medium, and long term spectrum, but not finished production-ready projects
      5. Target future benefits to other iJC3 ECCs
      6. Reflect input from a variety of stakeholders, including the iJC3 Cyber ECCs and the External Advisory Group (AG)
  2. The iJC3 Cyber R&D Governance Board
    1. Votes on governance and strategy decisions,
    2. Reviews research project portfolio/plans,
    3. Helps prioritize projects within the portfolio,
    4. Obtains feedback from the External Advisory Group
    5. Makes funding recommendations to DOE (one vote per "lead" or "partner" National Lab, as described earlier in this document)
  3. The DOE Information Management Governance Board (IMGB) reviews the project portfolio and approves it or requests changes.
    1. Should changes be requested, the Governance Board decides how best to remediate the changes, possibly involving technical leads, as necessary.

Working Groups

The iJC3 Cyber R&D Governance Board will create working groups to address specific issues such as new threats and the development of R&D agendas, and to be responsive to dialogues with specific sponsors. Working groups will normally be open to every lab, but individual labs may opt out of certain groups (for example, due to security requirements or lack of capability in a focused area). Working groups will self-organize based on a charter approved by the iJC3 Cyber R&D Governance Board. The charter will outline purpose, scope, expected outcomes and schedule, and leadership. The Lab Governance Board will resolve any disputes regarding working group leadership, composition, or charter.

Governance Principles

The decision-making process for iJC3 Cyber R&D is based on consensus. The chair of the Governance Board or of a working group is responsible for facilitating decision making and determining if and when consensus is reached. This charter document can be amended by consensus of the Governance Board.

Validation & Success

The DOE is structurally and organizationally unique given that it has its own R&D organizations, specialized manufacturing facilities, extensive test and evaluation capabilities at DOE National Laboratories, and an operational mission. Acting as a single organization, DOE can generate needs and requirements, conduct scientific research, develop technologies to solve needs and requirements, test and evaluate technologies in all types of environments, and deploy technologies into DOE operational systems and networks. Within DOE's unique organizational structure, the iJC3 Cyber R&D ECC is designed to perform R&D that seeks to produce novel research results, as well as demonstrable, measurable, and meaningful cybersecurity technologies.

The iJC3 Cyber R&D ECC will use both self-assessment and external assessment (coordinated by the Strategic Advisory Group) to maintain awareness of its success in the following areas:

  1. Is a broad cross-section of Labs and capabilities being engaged, with participation from both the classified and unclassified scientific communities?
  2. Is a sustainable mix of long-term and shorter-term R&D being supported?
  3. Do all partners perceive positive value in this ECC?
  4. Is this ECC having a positive impact on DOE cybersecurity?