HPC STX Overview - NIST Workshop

Transcript

1. NIST HPC Security Workshop 2025-05-06 HPC STX OVERVIEW

2. What is HPC Security Technical Exchange (STX) ?

3. 6/26/2025 © 2025 ShorePoint, Inc 3 WHAT IS THE STX?

   “An event to bring together experts, practitioners, and enthusiasts in government high-performance computing (HPC) security to share insights, discuss challenges, and explore innovative solutions.”

4. 6/26/2025 © 2025 ShorePoint, Inc 4 GOALS ▪ Establish a

   Government-wide Community of Interest around HPC Security ▪ Build lasting connections between government organizations committed to HPC security ▪ Find areas of shared interest to collaborate on into the future apart from this event ▪ Present a unified force to those writing requirements / policy ▪ Establish best practices and guidance for security strategies based on shared lessons learned

5. 6/26/2025 © 2025 ShorePoint, Inc 5 HISTORY ▪ 2018 June

   – 2023 June ▪ LLNL, SNL, LANL HPC ISSO / security meetups at Livermore or New Mexico ▪ 2023 November – Supercomputing Gov User Group Meeting ▪ Approximately 80 attendees ▪ “This is the Denver convention center, find us a better venue and we’ll talk” ▪ 2023 December – “First” HPC STX ▪ LLNL, SNL, LANL + ORNL, NASA, DoD ▪ 2024 August – Second HPC STX ▪ Invite list greatly expanded

6. 6/26/2025 © 2025 ShorePoint, Inc 6 STX 2024 ▪ 80

   registrants from across government, contractors, foreign partners, academia ▪ ~ 25 high level topics for discussion ▪ HPC stack surveys ▪ Compliance and baselines ▪ Assessments, incident handling, threat hunting ▪ Challenges with procurement, staffing ▪ And more! ▪ Meeting notes / write-ups available (low side, and high side)

7. 6/26/2025 © 2025 ShorePoint, Inc 7 STX 2024: MAJOR TOPICS

   INCLUDED ▪ Site Overviews ▪ Lots of similarities, but also some differences ▪ Security Compliance and Baselines ▪ STIGs, NIST, Audits, etc. ▪ Technology and Tools ▪ HPC software stacks, configuration management, security tooling ▪ Identity Management and Account Provisioning ▪ Software Approvals and User Software ▪ Logging and Monitoring ▪ User, system, and network monitoring ▪ Vulnerability Management ▪ Scanning tools and threat hunting ▪ Incident Handling and Disaster Recovery ▪ Incident sharing, backup policies ▪ Challenges ▪ Vendors, staffing, training ▪ Future Directions ▪ HPC Security Working Group, NIST HPC Overlay

8. 6/26/2025 © 2025 ShorePoint, Inc 8 STX 2024: OUTCOMES ▪

   First large-scale meeting, certain amount of “what are we doing, and what should we be talking about?” ▪ ~ 40 pages of CUI notes from unclassified and collateral Secret sessions (posted to NIPR Intellipedia) ▪ Fantastic feedback, some adjustments coming in 2025 ▪ “We should bring X other people to hear this information!” ▪ Sharing of TOSS (https://hpc.llnl.gov/toss) with DoD sites ▪ Meeting to demo / discuss sharing of DoD RADIX tool with DOE ▪ Expand invitation to include more senior decision makers and risk executives ▪ Better sense of what to discuss so more can participate next time

9. 6/26/2025 © 2025 ShorePoint, Inc 9 STX 2024: LESSONS LEARNED

   / FUTURE WORK ▪ Program needs tell a story of the impact that authorization delays ▪ Example from day 4 ▪ How can we leverage these stories to improve authorization timelines? ▪ How can we connect these stories to the appropriate parties (senior leadership, AOs, ISSMs, ISSOs, etc.) ? ▪ Supply chain issues around developer software: a challenge and an opportunity ▪ NIST SP 800-234.ipd > section 3.8 User-developed Software > CM-11 User Installed Software ▪ “Users may be allowed to install and develop software that is necessary for their mission.” ▪ It would be incredibly valuable for there to be an “approved” repository of software for use by users, how? ▪ Many of us are working on the same or similar problems ▪ How can we coordinate better in an ongoing fashion? (NIST, OpenCHAMI, other?)

10. 6/26/2025 © 2025 ShorePoint, Inc 10 STX 2025 ▪ Originally

    planned for April 1 - 4, 2025 at LLNL ▪ Had ~ 100 registrants from ~ 20 different organizations ▪ Government travel restrictions ended up causing us to lose ½ of our attendees ▪ Decision made in March 2025 to postpone ▪ Officially, we have a tentative save the date for September 16 – 19, 2025 ▪ Plan is to still be held at Lawrence Livermore National Laboratory, Livermore, CA USA ▪ Organizers will discuss “go/no-go” over the next month ▪ Feedback from this group would be greatly appreciated!

11. Thank You Ian Lee Director, Advanced Computing Solutions ShorePoint, Inc.

    ian.lee@shorepointinc.com M 203.695.1244