NIST HPC Security Workshop 2025-05-06 HPC STX OVERVIEW 

What is HPC Security Technical Exchange (STX) ? 

6/26/2025 © 2025 ShorePoint, Inc 3 WHAT IS THE STX? “An event to bring together experts, practitioners, and enthusiasts in government high-performance computing (HPC) security to share insights, discuss challenges, and explore innovative solutions.” 

6/26/2025 © 2025 ShorePoint, Inc 4 GOALS ▪ Establish a Government-wide Community of Interest around HPC Security ▪ Build lasting connections between government organizations committed to HPC security ▪ Find areas of shared interest to collaborate on into the future apart from this event ▪ Present a unified force to those writing requirements / policy ▪ Establish best practices and guidance for security strategies based on shared lessons learned 

6/26/2025 © 2025 ShorePoint, Inc 5 HISTORY ▪ 2018 June – 2023 June ▪ LLNL, SNL, LANL HPC ISSO / security meetups at Livermore or New Mexico ▪ 2023 November – Supercomputing Gov User Group Meeting ▪ Approximately 80 attendees ▪ “This is the Denver convention center, find us a better venue and we’ll talk” ▪ 2023 December – “First” HPC STX ▪ LLNL, SNL, LANL + ORNL, NASA, DoD ▪ 2024 August – Second HPC STX ▪ Invite list greatly expanded 

6/26/2025 © 2025 ShorePoint, Inc 6 STX 2024 ▪ 80 registrants from across government, contractors, foreign partners, academia ▪ ~ 25 high level topics for discussion ▪ HPC stack surveys ▪ Compliance and baselines ▪ Assessments, incident handling, threat hunting ▪ Challenges with procurement, staffing ▪ And more! ▪ Meeting notes / write-ups available (low side, and high side) 

6/26/2025 © 2025 ShorePoint, Inc 7 STX 2024: MAJOR TOPICS INCLUDED ▪ Site Overviews ▪ Lots of similarities, but also some differences ▪ Security Compliance and Baselines ▪ STIGs, NIST, Audits, etc. ▪ Technology and Tools ▪ HPC software stacks, configuration management, security tooling ▪ Identity Management and Account Provisioning ▪ Software Approvals and User Software ▪ Logging and Monitoring ▪ User, system, and network monitoring ▪ Vulnerability Management ▪ Scanning tools and threat hunting ▪ Incident Handling and Disaster Recovery ▪ Incident sharing, backup policies ▪ Challenges ▪ Vendors, staffing, training ▪ Future Directions ▪ HPC Security Working Group, NIST HPC Overlay 

6/26/2025 © 2025 ShorePoint, Inc 8 STX 2024: OUTCOMES ▪ First large-scale meeting, certain amount of “what are we doing, and what should we be talking about?” ▪ ~ 40 pages of CUI notes from unclassified and collateral Secret sessions (posted to NIPR Intellipedia) ▪ Fantastic feedback, some adjustments coming in 2025 ▪ “We should bring X other people to hear this information!” ▪ Sharing of TOSS (https://hpc.llnl.gov/toss) with DoD sites ▪ Meeting to demo / discuss sharing of DoD RADIX tool with DOE ▪ Expand invitation to include more senior decision makers and risk executives ▪ Better sense of what to discuss so more can participate next time 

6/26/2025 © 2025 ShorePoint, Inc 9 STX 2024: LESSONS LEARNED / FUTURE WORK ▪ Program needs tell a story of the impact that authorization delays ▪ Example from day 4 ▪ How can we leverage these stories to improve authorization timelines? ▪ How can we connect these stories to the appropriate parties (senior leadership, AOs, ISSMs, ISSOs, etc.) ? ▪ Supply chain issues around developer software: a challenge and an opportunity ▪ NIST SP 800-234.ipd > section 3.8 User-developed Software > CM-11 User Installed Software ▪ “Users may be allowed to install and develop software that is necessary for their mission.” ▪ It would be incredibly valuable for there to be an “approved” repository of software for use by users, how? ▪ Many of us are working on the same or similar problems ▪ How can we coordinate better in an ongoing fashion? (NIST, OpenCHAMI, other?) 

6/26/2025 © 2025 ShorePoint, Inc 10 STX 2025 ▪ Originally planned for April 1 - 4, 2025 at LLNL ▪ Had ~ 100 registrants from ~ 20 different organizations ▪ Government travel restrictions ended up causing us to lose ½ of our attendees ▪ Decision made in March 2025 to postpone ▪ Officially, we have a tentative save the date for September 16 – 19, 2025 ▪ Plan is to still be held at Lawrence Livermore National Laboratory, Livermore, CA USA ▪ Organizers will discuss “go/no-go” over the next month ▪ Feedback from this group would be greatly appreciated! 

Thank You Ian Lee Director, Advanced Computing Solutions ShorePoint, Inc. [email protected] M 203.695.1244