New (July 2026): Trusted CI mapped the NSF Critical Controls to CIS v8.1 — baseline control sets just got concrete. Get yours tracked

Frameworks · Trusted CI Framework · NSF Research Cyberinfrastructure

Protect the science.
Keep the grant.

NSF expects major facilities and mid-scale infrastructure to show a real cybersecurity program — the Research Infrastructure Guide aligns its guidance to the Trusted CI Framework by name. But most research organizations run security as a fraction of one person's job. Lionfish operationalizes the Framework's 4 pillars and 16 Musts in the Cyber Tackle Box™, so the program artifacts NSF reviewers look for exist, stay current, and don't consume your science.

4 Pillars · 16 MustsNSF RIG 6.3-alignedCIS v8.1 mappedUniversities & facilities

Research cybersecurity, by the numbers

0
"Musts" in the Trusted CI Framework across 4 pillars — Mission Alignment, Governance, Resources, Controls
0§
NSF's Research Infrastructure Guide Section 6.3 aligns major-facility cybersecurity guidance to the Framework
0
the year Trusted CI mapped NSF Critical Controls to CIS v8.1 — and expanded into research security (NSPM-33) and AI
0 FTEs
or fewer — the typical security staffing at research facilities, regardless of facility size

Sources: trustedci.org Framework core and 2026 program announcements; NSF Research Infrastructure Guide. Trusted CI's own cohorts are excellent — and rationed to a few facilities a year. We serve everyone who can't get a slot.

Who this is for

For the people who defend open science

Enterprise security templates don't fit organizations whose mission is openness. The Trusted CI Framework was built for research — and so is our delivery of it.

  • NSF major facilities and mid-scale projects whose proposals and reviews require a Cyberinfrastructure Plan spanning the facility life cycle — with cybersecurity competency named in the guide.
  • University research computing and HPC centers balancing open science against real threats, with a security 'team' that's one person's afternoon.
  • Research institutions facing NSPM-33 where research-security program requirements now threaten eligibility for all federal funding — not just one award.

Sound familiar?

The pain we hear on every first call

  • !Governance artifacts from thin air. Policy, budget, asset classification, evaluation cadence — the Musts demand documents research orgs have never had to produce, with no staff to produce them.
  • !Cohort capacity is rationed. Trusted CI's hands-on cohorts take a few facilities a year. Everyone else executes alone — or with us.
  • !Soft-money security. Grant-funded organizations struggle to justify recurring security spend. A weak CI Plan risks awards worth hundreds of times the program's cost.

The platform

How the Cyber Tackle Box™ runs your Trusted CI program

The July 2026 NSF-to-CIS v8.1 mapping made 'adopt a baseline control set' (Must 15) concrete — and the Tackle Box tracks CIS v8.1 natively.

Program Document Templates

Master information security policy, asset classification, risk-acceptance records — the governance artifacts the 16 Musts require, pre-structured for research organizations.

Musts as Milestones

All 16 Musts tracked with owners, status, and dates — a live program dashboard for facility leadership and NSF reviews alike.

Findings → POA&Ms

Assessment findings and residual risks become assigned action plans — evidence of a program that evaluates and refines itself (Must 10).

Evidence & the Intel Hub

One timestamped evidence library for cooperative-agreement reviews, plus threat intelligence tuned to research infrastructure.

CI Plan Playbooks

Runbooks for building and maintaining the Cyberinfrastructure Plan NSF proposals require — aligned to RIG Section 6.3.

Training for Researchers

Awareness training that respects how scientists actually work — tracked per person, from a team with deep university partnerships (Purdue CERIAS, Ball State).

Why Lionfish

A platform with humans attached

Practitioners, not just software

Checkbox tools leave you alone with the checklist. Our compliance advisors — the same team that trains certified CMMC assessors — work your program by, with, and through your people.

One system of record

Controls, policies, tasks, evidence, POA&Ms, and your workforce training in one platform — mapped across frameworks so one piece of evidence satisfies many requirements at once.

Veteran-owned & battle-tested

SDVOSB founded by a Green Beret, 4 IEEE-published papers, Purdue CERIAS partner, and multi-tenant for MSPs — trusted where security actually matters.

Straight answers

Trusted CI questions we answer every week

What is the Trusted CI Framework?

It's the NSF Cybersecurity Center of Excellence's minimum standard for cybersecurity programs at research organizations — 4 pillars (Mission Alignment, Governance, Resources, Controls) containing 16 'Musts.' Unlike control checklists, it defines what a functioning program looks like: leadership involvement, a named security lead, a real budget, documented policy, and a baseline control set.

Does NSF actually require this?

NSF requires proposals for new major facilities and mid-scale research infrastructure to include a Cyberinfrastructure Plan, and its Research Infrastructure Guide aligns the cybersecurity guidance (Section 6.3) to the Trusted CI Framework — it even names the Framework's four pillars as a management competency. There's no certificate, but program adequacy is reviewed with your award — which makes it as real as requirements get.

What changed in 2026?

Three things: Trusted CI expanded into research security (NSPM-33) and AI security; it launched regional summits; and in July 2026 it published a mapping from the NSF Critical Controls to CIS Controls v8.1 — with NIST 800-171 mappings planned. That mapping means facilities can finally satisfy 'adopt a baseline control set' with a concrete, trackable control library — which the Cyber Tackle Box supports natively.

We're a university with CUI research too — can one program cover both?

Yes, and it should. Federally funded research increasingly brings NIST 800-171 obligations alongside Trusted CI expectations and GLBA coverage of financial-aid data. The Tackle Box maps one control implementation across all of them, so the half-FTE running security isn't maintaining three parallel programs. Our university partnerships mean we already speak your governance.

Get in touch

Build a program NSF can read

Tell us about your facility or center, your award timeline, and who currently 'does security.' You'll get a straight program assessment within one business day.

  • 1We reply within one business day — usually faster.
  • 2A 30-minute call with someone who can actually answer your questions.
  • 3A straight recommendation — even if it's that you don't need us yet.

Prefer to skip the form? Book a time directly or call 1-877-732-6772.

Book a Free Call