NSF
The conduct of nearly all modern scientific research depends on software, yet the systems through which research software is developed, shared, and deployed—its supply chain—remain vulnerable to cyber threats. These Research Software Supply Chains (RSSCs) are complex networks of tools, libraries, collaborators, and institutional processes, and they form a critical foundation for the U.S. research enterprise. However, there is no shared understanding of what these supply chains look like or how to protect them. This project will initiate a coordinated planning effort, called CROSS (Community around Securing the Research Software Supply Chain), to bring together researchers, research software engineers, and government stakeholders to identify and mitigate risks to RSSC security. Through community workshops, empirical studies, and a comprehensive review of existing knowledge, this effort will produce a roadmap for securing the RSSC—helping to safeguard the integrity of scientific knowledge, promote national security, and support the development of a resilient research ecosystem. The project will also engage undergraduate students at Purdue and Loyola, supporting workforce development in cybersecurity and research software engineering.

This planning project will develop foundational knowledge to guide future efforts in securing the research software supply chain. The research team will (1) conduct a systematic literature review to synthesize current knowledge into a conceptual model of the RSSC and its security threats; (2) empirically measure the security posture of real-world research software projects and their dependencies, using datasets provided by national laboratory collaborators and applying a range of software and security metrics; and (3) convene workshops with research software engineers and scientific collaborators to capture practitioner insights and build community consensus. The findings will be integrated into a unified system model and threat model, guided by the STAMP (System-Theoretic Accident Model and Process) and TOE (Technology–Organization–Environment) frameworks, and will culminate in a strategic report for the NSF’s Research on Research Security (RoRS) program. This work will support the development of new security interventions and lay the groundwork for future collaborative research to protect the software that underpins scientific innovation.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
Up to $45K
2027-08-31