Frameworks · Trusted CI Framework · NSF Research Cyberinfrastructure
Protect the science.
Keep the grant.
NSF expects major facilities and mid-scale infrastructure to show a real cybersecurity program — the Research Infrastructure Guide aligns its guidance to the Trusted CI Framework by name. But most research organizations run security as a fraction of one person's job. Lionfish operationalizes the Framework's 4 pillars and 16 Musts in the Cyber Tackle Box™, so the program artifacts NSF reviewers look for exist, stay current, and don't consume your science.
Research cybersecurity, by the numbers
Sources: trustedci.org Framework core and 2026 program announcements; NSF Research Infrastructure Guide. Trusted CI's own cohorts are excellent — and rationed to a few facilities a year. We serve everyone who can't get a slot.
Who this is for
For the people who defend open science
Enterprise security templates don't fit organizations whose mission is openness. The Trusted CI Framework was built for research — and so is our delivery of it.
- ✓NSF major facilities and mid-scale projects whose proposals and reviews require a Cyberinfrastructure Plan spanning the facility life cycle — with cybersecurity competency named in the guide.
- ✓University research computing and HPC centers balancing open science against real threats, with a security 'team' that's one person's afternoon.
- ✓Research institutions facing NSPM-33 where research-security program requirements now threaten eligibility for all federal funding — not just one award.
Sound familiar?
The pain we hear on every first call
- !Governance artifacts from thin air. Policy, budget, asset classification, evaluation cadence — the Musts demand documents research orgs have never had to produce, with no staff to produce them.
- !Cohort capacity is rationed. Trusted CI's hands-on cohorts take a few facilities a year. Everyone else executes alone — or with us.
- !Soft-money security. Grant-funded organizations struggle to justify recurring security spend. A weak CI Plan risks awards worth hundreds of times the program's cost.
The platform
How the Cyber Tackle Box™ runs your Trusted CI program
The July 2026 NSF-to-CIS v8.1 mapping made 'adopt a baseline control set' (Must 15) concrete — and the Tackle Box tracks CIS v8.1 natively.
Program Document Templates
Master information security policy, asset classification, risk-acceptance records — the governance artifacts the 16 Musts require, pre-structured for research organizations.
Musts as Milestones
All 16 Musts tracked with owners, status, and dates — a live program dashboard for facility leadership and NSF reviews alike.
Findings → POA&Ms
Assessment findings and residual risks become assigned action plans — evidence of a program that evaluates and refines itself (Must 10).
Evidence & the Intel Hub
One timestamped evidence library for cooperative-agreement reviews, plus threat intelligence tuned to research infrastructure.
CI Plan Playbooks
Runbooks for building and maintaining the Cyberinfrastructure Plan NSF proposals require — aligned to RIG Section 6.3.
Training for Researchers
Awareness training that respects how scientists actually work — tracked per person, from a team with deep university partnerships (Purdue CERIAS, Ball State).
Why Lionfish
A platform with humans attached
Practitioners, not just software
Checkbox tools leave you alone with the checklist. Our compliance advisors — the same team that trains certified CMMC assessors — work your program by, with, and through your people.
One system of record
Controls, policies, tasks, evidence, POA&Ms, and your workforce training in one platform — mapped across frameworks so one piece of evidence satisfies many requirements at once.
Veteran-owned & battle-tested
SDVOSB founded by a Green Beret, 4 IEEE-published papers, Purdue CERIAS partner, and multi-tenant for MSPs — trusted where security actually matters.
Straight answers
Trusted CI questions we answer every week
What is the Trusted CI Framework?
It's the NSF Cybersecurity Center of Excellence's minimum standard for cybersecurity programs at research organizations — 4 pillars (Mission Alignment, Governance, Resources, Controls) containing 16 'Musts.' Unlike control checklists, it defines what a functioning program looks like: leadership involvement, a named security lead, a real budget, documented policy, and a baseline control set.
Does NSF actually require this?
NSF requires proposals for new major facilities and mid-scale research infrastructure to include a Cyberinfrastructure Plan, and its Research Infrastructure Guide aligns the cybersecurity guidance (Section 6.3) to the Trusted CI Framework — it even names the Framework's four pillars as a management competency. There's no certificate, but program adequacy is reviewed with your award — which makes it as real as requirements get.
What changed in 2026?
Three things: Trusted CI expanded into research security (NSPM-33) and AI security; it launched regional summits; and in July 2026 it published a mapping from the NSF Critical Controls to CIS Controls v8.1 — with NIST 800-171 mappings planned. That mapping means facilities can finally satisfy 'adopt a baseline control set' with a concrete, trackable control library — which the Cyber Tackle Box supports natively.
We're a university with CUI research too — can one program cover both?
Yes, and it should. Federally funded research increasingly brings NIST 800-171 obligations alongside Trusted CI expectations and GLBA coverage of financial-aid data. The Tackle Box maps one control implementation across all of them, so the half-FTE running security isn't maintaining three parallel programs. Our university partnerships mean we already speak your governance.
Get in touch
Build a program NSF can read
Tell us about your facility or center, your award timeline, and who currently 'does security.' You'll get a straight program assessment within one business day.
- 1We reply within one business day — usually faster.
- 2A 30-minute call with someone who can actually answer your questions.
- 3A straight recommendation — even if it's that you don't need us yet.
Prefer to skip the form? Book a time directly or call 1-877-732-6772.