This chapter summarizes findings that apply across multiple divisions of NIST’s Information Technology Laboratory (ITL). These findings are in the areas of staffing and recruitment, technical planning, and conferences and publications.
STAFFING AND RECRUITMENT
In most cases staffing is currently adequate to perform the assigned work. There are current and projected exceptions.
The Applied and Computational Mathematics Division (ACMD) is experiencing staffing stresses that may have an impact on its ability to meet its goal of providing comprehensive mathematical expertise for NIST. There is more demand for such expertise than can be met by the current ACMD staffing, both in their core areas of expertise and in new areas that require mathematical support, such as biomedical applications, machine learning, and the Internet of Things (IoT). There is also an anticipation of substantial turnover due to the potential retirement of a significant fraction of staff in the near future. Recruiting new staff is difficult due to salary constraints and the requirement for U.S. citizenship. Responding to these stresses may require a more top-down level of strategic planning and deployment of resources than is currently employed by ACMD.
RECOMMENDATION: The ACMD should evaluate its organizational and recruiting practices in order to better meet the challenges it faces. Ideas that should be considered include the use of contractors to broaden the pool of potential participants in the ACMD mission; the use of sabbatical opportunities for career staff to broaden the range of skills in response to new areas for ACMD; and development of a more effective pipeline for graduate students into the ACMD through, for example, a broad-based university affiliates program.
There is opportunity to increase the core full-time Advanced Network Technologies Division (ANTD) staff to address new areas of research such as IoT, machine learning, and 5G wireless and to expand existing areas of activity such as formal verification and model checking.
RECOMMENDATION: The ANTD should build up and grow expertise in new and emerging areas such as the Internet of Things, machine learning, and 5G wireless.
The Lightweight Cryptography project of the Computer Security Division (CSD) has good potential for application if it receives greater visibility and resources.
RECOMMENDATION: The CSD should consider adding staff to the Lightweight Cryptography project.
Another project whose impact could be amplified by additional resourcing and community outreach is the Combinatorial Methods in Software Testing project. The project currently has only two staff members.
RECOMMENDATION: The CSD should consider adding staff to the Combinatorial Methods in Software Testing project to accelerate adoption of the project’s tools and techniques by the software development community.
The Vulnerability Metrics project has a critical short-term need for supplemental staff. The project has among its responsibilities the scoring of Common Vulnerabilities and Exposures (CVE) submissions to the National Vulnerability Database (NVD). A recent change in the methodology for submission of CVEs has resulted in an increased volume of submissions, which has in turn resulted in a backlog of unscored CVEs at the CSD. The CSD is working on automation technology that should eliminate this problem in the medium term, but since the NVD is a strategic national cybersecurity resource, a short-term backlog likely has negative implications both for the state of U.S. cybersecurity and for NIST’s reputation as a trusted provider of this information. Recent changes in CVE submission have resulted in a Common Vulnerability Scoring System (CVSS) backlog at CSD. The CVSS backlog is a reputation risk to NIST and a security risk to the community.
RECOMMENDATION: The CSD should devote additional short-term resources to Common Vulnerabilities and Exposures scoring until the backlog can be remediated.
The CSD is in essence performing the functions of a national laboratory, in its strategic national cybersecurity programs (the Cryptography program and the National Vulnerability Database). However, CSD does not have academic outreach and recruiting initiatives like those of the national laboratories, especially for mid-career staff, to attract researchers to these strategic programs. For strategic projects, the CSD may need to engage more deeply with mid-career Ph.D. professionals in order to recruit required technical talent going forward.
RECOMMENDATION: The CSD should emphasize the recruiting of mid-career staff.
Should the Cybersecurity Framework project move ahead with an effort to improve the understandability and consumability of the framework, the ACD may require additional staff or staff members with backgrounds in communicating technical results rather than development and documentation of cybersecurity practices.
NIST is limited to hiring U.S. citizens as permanent staff, but it also maintains a foreign guest researcher program that supports visiting scientists and students under NIST-sponsored J1 visas. Recently the Professional Research Experience Program (PREP)¹ has been proposed by NIST to provide another source of student appointment. Unfortunately, ANTD staff reported that the PREP has not yet been initiated.
NIST’s PREP needs to get off the ground urgently and be grown in the coming years. This offers a prime opportunity to tap into the large pool of international graduate students who are already at U.S. universities, as guest researchers but also as future full-time staff. The PREP also promises to offer increased interaction with universities.
¹ “The new NIST-wide Professional Research Experience Program (PREP) is designed to provide valuable laboratory experience and financial assistance to undergraduate, graduate and post-graduate students.” See https://www.nist.gov/iaao/academic-affairs-office/nist-professional-research-experience-program-prep, accessed August 20, 2018.
RECOMMENDATION: The ITL should expedite and grow the Professional Research Experience Program to hire more international graduate students from among those already at U.S. universities (e.g., as interns or cooperative researchers).
Recruiting, retention, and mentoring of women and minorities have been a major issue in science, technology, engineering, and mathematics programs in organizations generally. Creation of a diversity plan that is clear and flexible, and a conscious set of steps to implement the plan, are needed.
ANTD managers expressed a desire to recruit more women and minorities; supporting data on demographics were not provided. While a plan for mentoring women and minority staff was mentioned, the panel did not interact with a sufficient number of women to form an impression of its status or impact. Some ANTD managers reported that there are women only among the guest researchers and very few (or none, in some divisions) among the permanent Information Technology Laboratory staff. Recruiting women and minorities could be assisted by the development of a concrete plan for recruiting, retention, and mentoring of women and minority staff. Such a plan could be revised and revisited for improvement after each recruiting year.
RECOMMENDATION: The ITL should assess the effectiveness of its efforts to improve recruiting, retention, and mentoring of women and minorities.
TECHNICAL PLANNING
The technical work at the ACMD is driven by collaborations between ACMD staff and scientists from other disciplines, largely from other units within NIST. These researchers are mostly chosen in a bottom-up fashion, with some informal guidance from the division leader, so that there is little overt strategic organization of the scientific work done. Many of the collaborations involve one or two members of the ACMD, often at a part-time level of effort. There is no comprehensive strategic plan to set priorities and allocate resources. The most recent comprehensive strategic planning exercise for the ACMD was performed a decade ago. This is particularly problematic in light of the fact that the demand for mathematical expertise in NIST far exceeds the resources available to the ACMD, both in the areas of traditional strength and in emerging areas such as machine learning and the IoT, which have been identified as important by ITL management.
Several of the ANTD projects had timelines and roadmaps, both short and long term. At the same time, these plans differ in their formats, making them hard to contrast with one another and evaluate thoroughly. A standard format template completed for each project could provide answers to a set of questions describing aspects of the project. This would help articulate the project to others and, if not overly prescriptive, would leave room for creativity and pivoting during the execution of each project. The template could include questions such as the following:
- What is the problem statement? (What is this project attempting to do?)
- Who is the ultimate customer? (Who will benefit if this project is successful?)
- Why should NIST use its resources to do this work? Why ANTD? Are adequate resources available?
- How does the proposed work build upon what already exists today in the external community?
- How will the results from the proposed work impact the external community?
- What are the measurable milestones that define the path toward success and completion?
- What is the execution plan? What resources will be used? What collaborations with other ITL/NIST organizations are needed to reach each milestone? What collaborations with industry or academia are needed to reach each milestone?
CONFERENCES AND PUBLICATIONS
All ITL divisions reported that their staff members attend professional conferences and author peer-reviewed publications. Conferences are among the best places to interact with the top graduate students from across the United States and the world. Aside from creating a direct impact on industry, presence and presentations at top conferences—some of which accept only a fraction of the submitted papers—create visibility to graduate students and communicate to these students that NIST is an exciting place to work. Anecdotal, but not systematic, data on conference attendance and publication, including the number of attendees, presenters, authors, and collaborative studies and the quality of the conferences and journals, were not made available to the panel.
RECOMMENDATION: The ITL should perform a systematic assessment of the conferences at which its staff members have presented their research or otherwise attended. The ITL should consider whether attendance has been sufficiently frequent and whether the conferences are of sufficiently high quality, and it should maintain or increase, as appropriate, conference attendance. A similar assessment should be performed for publications in scholarly journals.