Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HPC STX Overview - NIST Workshop

HPC STX Overview - NIST Workshop

This talk provides an overview of the events of the HPC Security Technical Exchange meetings from December 2023 and August 2024, and lays foundational context for those that might be considering joining for the 2025 event when that happens. This will provide a high level (unclassified) overview of the topics covered and insights gained in those meetings.

Avatar for Ian Lee

Ian Lee

May 06, 2025
Tweet

More Decks by Ian Lee

Other Decks in Technology

Transcript

  1. 6/26/2025 © 2025 ShorePoint, Inc 3 WHAT IS THE STX?

    “An event to bring together experts, practitioners, and enthusiasts in government high-performance computing (HPC) security to share insights, discuss challenges, and explore innovative solutions.”
  2. 6/26/2025 © 2025 ShorePoint, Inc 4 GOALS ▪ Establish a

    Government-wide Community of Interest around HPC Security ▪ Build lasting connections between government organizations committed to HPC security ▪ Find areas of shared interest to collaborate on into the future apart from this event ▪ Present a unified force to those writing requirements / policy ▪ Establish best practices and guidance for security strategies based on shared lessons learned
  3. 6/26/2025 © 2025 ShorePoint, Inc 5 HISTORY ▪ 2018 June

    – 2023 June ▪ LLNL, SNL, LANL HPC ISSO / security meetups at Livermore or New Mexico ▪ 2023 November – Supercomputing Gov User Group Meeting ▪ Approximately 80 attendees ▪ “This is the Denver convention center, find us a better venue and we’ll talk” ▪ 2023 December – “First” HPC STX ▪ LLNL, SNL, LANL + ORNL, NASA, DoD ▪ 2024 August – Second HPC STX ▪ Invite list greatly expanded
  4. 6/26/2025 © 2025 ShorePoint, Inc 6 STX 2024 ▪ 80

    registrants from across government, contractors, foreign partners, academia ▪ ~ 25 high level topics for discussion ▪ HPC stack surveys ▪ Compliance and baselines ▪ Assessments, incident handling, threat hunting ▪ Challenges with procurement, staffing ▪ And more! ▪ Meeting notes / write-ups available (low side, and high side)
  5. 6/26/2025 © 2025 ShorePoint, Inc 7 STX 2024: MAJOR TOPICS

    INCLUDED ▪ Site Overviews ▪ Lots of similarities, but also some differences ▪ Security Compliance and Baselines ▪ STIGs, NIST, Audits, etc. ▪ Technology and Tools ▪ HPC software stacks, configuration management, security tooling ▪ Identity Management and Account Provisioning ▪ Software Approvals and User Software ▪ Logging and Monitoring ▪ User, system, and network monitoring ▪ Vulnerability Management ▪ Scanning tools and threat hunting ▪ Incident Handling and Disaster Recovery ▪ Incident sharing, backup policies ▪ Challenges ▪ Vendors, staffing, training ▪ Future Directions ▪ HPC Security Working Group, NIST HPC Overlay
  6. 6/26/2025 © 2025 ShorePoint, Inc 8 STX 2024: OUTCOMES ▪

    First large-scale meeting, certain amount of “what are we doing, and what should we be talking about?” ▪ ~ 40 pages of CUI notes from unclassified and collateral Secret sessions (posted to NIPR Intellipedia) ▪ Fantastic feedback, some adjustments coming in 2025 ▪ “We should bring X other people to hear this information!” ▪ Sharing of TOSS (https://hpc.llnl.gov/toss) with DoD sites ▪ Meeting to demo / discuss sharing of DoD RADIX tool with DOE ▪ Expand invitation to include more senior decision makers and risk executives ▪ Better sense of what to discuss so more can participate next time
  7. 6/26/2025 © 2025 ShorePoint, Inc 9 STX 2024: LESSONS LEARNED

    / FUTURE WORK ▪ Program needs tell a story of the impact that authorization delays ▪ Example from day 4 ▪ How can we leverage these stories to improve authorization timelines? ▪ How can we connect these stories to the appropriate parties (senior leadership, AOs, ISSMs, ISSOs, etc.) ? ▪ Supply chain issues around developer software: a challenge and an opportunity ▪ NIST SP 800-234.ipd > section 3.8 User-developed Software > CM-11 User Installed Software ▪ “Users may be allowed to install and develop software that is necessary for their mission.” ▪ It would be incredibly valuable for there to be an “approved” repository of software for use by users, how? ▪ Many of us are working on the same or similar problems ▪ How can we coordinate better in an ongoing fashion? (NIST, OpenCHAMI, other?)
  8. 6/26/2025 © 2025 ShorePoint, Inc 10 STX 2025 ▪ Originally

    planned for April 1 - 4, 2025 at LLNL ▪ Had ~ 100 registrants from ~ 20 different organizations ▪ Government travel restrictions ended up causing us to lose ½ of our attendees ▪ Decision made in March 2025 to postpone ▪ Officially, we have a tentative save the date for September 16 – 19, 2025 ▪ Plan is to still be held at Lawrence Livermore National Laboratory, Livermore, CA USA ▪ Organizers will discuss “go/no-go” over the next month ▪ Feedback from this group would be greatly appreciated!