NSA SoS Research Initiative
The Science of Security (SoS) Initiative at the National Security Agency Research Directorate promotes foundational cybersecurity science that is needed to mature the cybersecurity discipline and to underpin advances in cyberdefense. Beginning in 2012, one part of the initiative was to fund foundational research at “Lablets.” With emphasis on building a community, each lablet created partnerships with other universities called “Sub-Lablets.” Science of Security researchers often freely collaborated with researchers in other institutions worldwide. The SURE project was founded to investigate cybersecurity in the cyber-physical systems (CPS) realm and ran from 2014 to 2018. In 2018, CPS research was folded into the Lablet Research. In Fall 2023, the "Lablet" model was replaced by the "Virtual Institutes" (VIs), which groups similarly focused, independent research projects from a small set of universities. The three initial VI's are: Trusted Systems, Defensive Mechanisms, and AI & Cybersecurity. The emphasis remains on building a community, this time within each respective VI and among all VI's. This model introduces a new level of flexibility, with the option to add or remove projects as the cyberdefense field advances.

Mission & Goals

Critical cyber systems must inspire trust and confidence, protect the privacy and integrity of data resources, and perform reliably. To tackle the ongoing challenges of securing tomorrow’s systems we must develop the scientific underpinnings of security to understand what is possible in that domain as well as develop a collaborative community of researchers from government, industry and academia. As part of that effort NSA began funding academic “Lablets” in 2012 and has shifted to the current Virtual Institutes (VI) model as of 2023 focused on the development of a Science of Security (SoS) and a broad, self-sustaining community effort to advance it. A major goal is the creation of a unified body of knowledge that can serve as the basis of a trust engineering discipline, curriculum, and rigorous design methodologies. The results of "Virtual Institutes" research will be extensively documented and widely distributed through the SoS Virtual Organization. Our intention is for the SoS VO to be our primary resource for describing VI research, and for creating a broad community effort to advance security science.i

Virtual Institutes

The National Security Agency Research Directorate sponsors the SoS Virtual Institutes (VI's) for advancing foundational research in the areas of: Trusted Systems, AI and Cybersecurity, and Defensive Mechanisms. The institutes are structured so that projects can be added or retired as the respective field advances. The VI model helps foster collaboration within and across topic areas between the academic institutions who are completing the projects and the assigned research liaisons.

Hard Problems

Resilient Architectures: Develop means to design and analyze system architectures that deliver required service in the face of compromised components.

Policy-Governed Secure Collaboration: Develop methods to express and enforce normative requirements and policies for handling data with differing usage needs and among users in different authority domains.

Scalability and Composability: Develop methods to enable the construction of secure systems with known security properties from components with known security properties, without a requirement to fully re-analyze the constituent components.

Understanding and Accounting for Human Behavior: Develop models of human behavior (of both users and adversaries) that enable the design, modeling, and analysis of systems with specified security properties.

Security Metrics Driven Evaluation, Design, Development, and Deployment: Develop security metrics and models capable of predicting whether or confirming that a given cyber system preserves a given set of security properties (deterministically or probabilistically), in a given context.

Annual Reports

Previously Funded Research Lablets

  • Carnegie Mellon University
  • International Computer Science Institute
  • NC State University
  • University of Illinois at Urbana-Champaign
  • The University of Kansas
  • University of Maryland
  • Vanderbilt University

SURE Project

Mission and Goals  

The project on the System Science of SecUrity and REsilience for cyber-physical systems (SURE) ran from 2014 to 2018, with the goal of developing foundations and tools for designing, building, and assuring cyber-physical systems (CPS) that can maintain essential system properties in the presence of adversaries. The technology base of SURE will provide CPS designers and operators with models, methods, and tools that can be integrated with an end-to-end model-based design flow and tool chain.