Skip to content

Security & Compliance

The project Security Developer Guide covers the technical controls. This page summarizes the compliance posture of the prototype.

What we comply with

  • NSF PAPPG — current version (referenced in the PEP §1).
  • NSF Research Infrastructure Guide NSF 21-107 — applicable subset for prototype-scale work.
  • University of Arizona Information Security Policies — the prototype is deployed under UA institutional oversight.
  • TrustedCI prototype security review in Phase 2 (WBS 6.5).

What we do not comply with (during prototype)

  • HIPAA — no PHI may be uploaded to the prototype.
  • FedRAMP — the prototype is not FedRAMP-authorized; do not host data of record for federal agencies on the prototype.
  • ITAR / EAR — no controlled-export data may be uploaded.
  • CMMC — no CUI may be uploaded.

The follow-on production proposal will address the additional controls needed to expand into these regimes if there is community demand.

Incident response

The IT Architecture Manager (Skidmore) plus the PI follow the UA Information Security IR Plan. NSF program officer notification follows PAPPG within 24 hours if the incident is award-impacting.

Audit trail

Every tool call, AVU change, and authentication event is logged. Logs are retained for 90 days under default policy and longer for any incident under active investigation.

Vulnerability disclosure

See the Security Developer Guide for the disclosure process.

Open-source supply chain

  • SBOMs are generated in CI for every release of every MESA component.
  • Container image scans (Trivy) gate releases on critical findings.
  • Dependency updates are reviewed weekly by the Lead RSE.

License compliance

MESA components are released under permissive open-source licenses (Apache 2.0, MIT, BSD). See License & Attribution.