NCCS and NAS Computing Resources Rules of Behavior
Section I: Introduction and Definitions
The Office of Management and Budget (OMB) Circular A-130, Appendix III,
Security of Federal Automated Information Resources, requires that Rules of
Behavior be established for individual users of each interconnected set of
"information technology" (IT) computing resources under the same
direct management control which share common functionality.
This document outlines the Rules of Behavior for the use of the computing
resources maintained and operated by the
NASA Center for Climate Simulation (NCCS) at the NASA Goddard
Space Flight Center (GSFC) and by the NASA Advanced Supercomputing (NAS)
Facility at the NASA Ames Research Center (ARC).
The purpose of this document is to increase awareness of security
issues and to ensure that all users use NCCS and NAS computing resources
in a secure, ethical, and lawful manner.
NCCS and NAS computing resources are U.S. Government resources and
are for authorized use only.
A user account is to be used only for the purpose for which it has
been authorized and is to be used only for NASA-related activities.
A user account is assigned to one individual user for use of
computing resources.
Use of a user account is permitted only by the user assigned the
user account.
Use of a user account by anyone other than the user assigned the
user account is considered unauthorized use and is not permitted.
Unauthorized use of a user account or of a computing resource
is a violation of Section 799, Title 18, of the U.S. Code, constitutes
theft and is punishable by law.
Computing resources are subject to monitoring, keystroke
recording and auditing.
Access to and use of computing resources constitutes implicit
consent to this monitoring, keystroke recording, and auditing.
Any non-compliance with the Rules of Behavior outlined in this document
will constitute a security violation, will
be reported to the user's management, to NCCS and NAS management,
and will result in short-term or permanent loss of access to
computing resources.
Serious violations may also result in civil or criminal prosecution.
Users are responsible for providing a working e-mail address with which the NCCS
may contact them.
Users are also responsible for adhering to the provisions of the currently
posted version of the Rules of Behavior, which will be maintained on the
NCCS Web-site at the following location:
https://www.nccs.nasa.gov/usradmin/usadcrua.provs.html
The NCCS is responsible for maintaining the currently posted version at this
location and for notifying the NCCS user community by e-mail when changes
are made to the Rules of Behavior at this location.
In the text of this document, the following definitions apply:
-
Computing Resource
refers to the disks, cartridges, tapes, computers, ancillary
equipment, systems, networks, facilities, and any other
information technology maintained and operated by the NCCS and NAS.
-
Information
refers to the datasets, scripts, programs, applications, utilities,
files, directories, filesystems, databases, and any other data
maintained in any medium on a computing resource.
-
User
refers to a person with non-privileged access to a computing
resource.
A user may use and access his or her own information and the
information available to all users on the computing resource (e.g.
commands like passwd, pwd), but the user is restricted from the use of
and access to the
privileged-level information on the computing resource.
A user cannot alter or bypass the security controls on a
computing resource.
-
System Administrator
refers to a person with either limited or unlimited privileged access
to a computing resource.
A system administrator is also a user and may, therefore, use and
access his or her own information and the information available to all
users on the computing resource, but a system
administrator--unlike a user--may also use and access privileged-level
information on all or part of the computing resource.
A system administrator may alter or bypass some or all of the security
controls on a computing resource.
-
User Account
refers to the unique character string used in a computing
resource to identify a user (or system administrator).
Also known variously as an account, a login, a loginid, a loginname,
a memberid, a userid, a username, etc., a user account is used by a
user (or system administrator) in conjunction with a password to gain
access to a computing resource and to maintain the security of
the user's (or the system administrator's) information on a
computing resource.
-
Non-NCCS/NAS Issuing Entity
refers to an entity--other than the NCCS or NAS--(e.g. the Computational and
Information Sciences and Technology Office (CISTO)) through which the user
has requested and been granted access to a computing resource.
Section II: Rules of Behavior for Users
The following rules apply to users with non-privileged access and to
system administrators with either limited or unlimited privileged
access:
-
The user is responsible for using computing resources in a
secure, ethical, and lawful manner.
-
The user is responsible for protecting all information imported, used,
or stored on his or her user account.
(Contact your User Services Group or the Non-NCCS/NAS Issuing Entity
as appropriate for information concerning the standard protection
mechanisms on computing resources and for guidelines for protecting
user accounts.)
-
The user shall not import, use, or store any "classified" information
on a computing resource.
(NCCS and NAS computing resources are unclassified resources.
Information is considered "classified" if it has been designated
Confidential, Secret, or Top Secret in accordance with Executive Order 12958
and which requires safeguarding in the interest of National Security.)
-
There are different requirements with reference to Export Administration
Regulations (EAR) information and International Traffic in Arms Regulations
(ITAR) information for NCCS and NAS computing resources:
-
NCCS users only:
The NCCS user may only import, use or store EAR information or ITAR information
on an NCCS computing resource with the prior approval of the user's Principal
Investigator and of the NCCS Computer Security Official (CSO).
The user shall inform the NCCS of the requirement to import, use or store EAR or
ITAR information through either a userid addition request (for a new user) or a
userid modification request (for an existing user) using the NCCS User
Administration Request Form (the paper form).
Once approval has been confirmed by the NCCS User Services Group for the
importation, use or storage of EAR or ITAR information, the following rules
also apply to the user:
-
The NCCS must establish specific controls to protect the EAR or ITAR
information.
These controls may include the creation of a special purpose file system,
a special purpose group or other file access controls that ensure
access to the EAR or ITAR information is restricted to a user who has been
approved for access.
-
The user must understand the nature and function of these controls and must
assist the NCCS to maintain the security, integrity and confidentiality of
the EAR or ITAR information.
The user is responsible to ensure that the EAR or ITAR information imported,
used or stored is adequately protected and that the controls established for
the EAR or ITAR information are securely maintained.
-
The user should only import, use and store the specific EAR or ITAR
information for which approval has been obtained.
-
The user should not attempt to give access to EAR or ITAR information to any
other user who has not been approved for access.
For additional information concerning EAR and ITAR information on NCCS computing
resources consult the NCCS User Services Group by telephone at 301-286-9120
or by e-mail at support@nccs.nasa.gov
-
NAS users only:
For the policies and procedures concerning the requirements with reference to
EAR and ITAR information on NAS computing resources consult the NAS User
Services Group by telephone at
650-604-4444
or by e-mail at
support@nas.nasa.gov
-
The user shall not import, use, or store any security information
(e.g. password cracking programs) on a computing resource
that may be used to reveal security weaknesses of a computing
resource.
-
The user shall not import, use, or store any information (e.g.
free software) on a computing resource that is free only
for personal, not government, use.
(Only information that is free, not only for personal use, but also
for government use, can be imported, used, or stored on a
computing resource and only as permitted by the NCCS and NAS.)
-
The user shall not import, use, or store any fraudulent, harassing, or
obscene information on a computing resource nor send to or from
a computing resource such information.
-
The user shall not divulge access information (e.g. login procedures,
lists of user accounts) for a computing resource to any non-user,
except as permitted by the NCCS and NAS.
-
The user shall not make unauthorized copies of the configuration
information (e.g. the
/etc/passwd
file) on a computing resource, for unauthorized personal
use nor divulge this information to a non-user, except as permitted by
the NCCS and NAS.
-
The user shall not make unauthorized copies of copyrighted information
(e.g. copyrighted software), except as permitted by law or by
the owner of the copyright.
-
The user shall not post non-public Government information to external news
groups, bulletin boards, Web-sites, social media (e.g. Facebook, Twitter) or
to other public forums without authority to do so.
This prohibition includes any use, without prior approval or authority, that
could create the perception that the communication was made in an official
capacity.
-
The user shall not attempt to access information contained on
computing resources for which the user does not have explicit consent
of the owner of the information.
-
The user shall select and activate his or her own password(s), after
being issued an initial temporary password.
The user shall use a unique password on each computing resource
(or each single sign-on environment for a set of computing resources),
subject to the password restrictions of the computing resource
(or the single sign-on environment for a set of computing resources).
The user shall change his or her password(s) at least once in the
sixty-day period during which a password is valid.
The user is responsible for safeguarding his or her password(s) from
any form of disclosure.
The user shall not share his or her user account or the password(s) to
this user account with anyone.
(A non-user in need of a user account should contact their User
Services Group for information concerning and assistance requesting a
user account.)
-
If the user has any difficulties using his or her user account or the
password(s) to this user account, the user shall notify their User
Services Group or the Non-NCCS/NAS Issuing Entity as appropriate.
-
The user is responsible for all actions performed on his or her user
account while this user account is logged in to a computing
resource and for any actions subsequent to the running of cron or
batch jobs on the computing resource while this user account is
logged out.
The user shall not allow access to his or her user account by others
once he or she has logged in to a computing resource.
The user shall not leave an open login session unattended.
The user shall either log out of the computing resource or use a
password-enabled screen saver to protect his or her user account from
unauthorized use.
-
The user shall not purposely engage in activities to harass another
user, to deprive another user access to a computing resource to
which that user has been authorized, to gain access to a
computing resource to which he or she has not been authorized, to
degrade the performance of a computing resource, or to
circumvent the security measures on a computing resource.
-
In order for the NCCS and NAS to maintain accurate user information for
users, as required by NASA Procedural Requirements (NPR) 2810.1A,
Security of Information Technology,
the user is responsible for notifying both the NCCS or NAS User Services
Group and any Non-NCCS/NAS Issuing Entity of any changes in his or her
employer, office address, office telephone number, e-mail address,
citizenship information, or any other information required by the
NCCS and NAS.
-
An Authentication Key Token (AKT) is an electronic security device
(e.g. an RSA SecurID, a CryptoCard) used in conjunction with a
user account and password to maintain the security of a computing
resource.
If an AKT is issued for use with the user's user account,
the following rules also apply to the user:
-
The AKT issued to the user remains the property of the U.S. Government.
-
The user is responsible for protecting the AKT from physical damage.
-
The user shall not share the AKT with anyone.
-
If the AKT is lost or stolen, or if the user has any difficulties
using the AKT, the user shall notify their User Services Group
immediately.
-
The user shall return the AKT to their User Services Group either
in person--if possible--or via the U.S. Postal
Service--if necessary--when any of the following circumstances occur:
-
if the user no longer requires his or her user account,
-
when the AKT reaches its expiration date, or
-
if requested by a bona fide representative of their User Services Group to
return the AKT.
If an AKT is issued by a Non-NCCS/NAS Issuing Entity for use with the
user's user account, the user shall adhere to the published standards
of practice for the Non-NCCS/NAS Issuing Entity for the AKT.
-
If the user discovers a weakness in the security of a computing
resource, an incident of possible unauthorized use of a computing
resource, or a violation of the Rules of Behavior as set forth in this
document, or if the user believes that his or her
user account is involved in a security incident, the user shall notify
their User Services Group immediately, but only in person, by
telephone, or by encrypted e-mail.
(The user should resort to unencrypted e-mail only in a dire emergency.)
-
If the user no longer requires his or her user account, the user
is responsible for notifying both their User Services Group and any
Non-NCCS/NAS Issuing Entity and for ensuring that all of his or her
information is removed from computing resources or properly
transferred to another user account.
Section III: Rules of Behavior for System Administrators
In addition to the rules for users outlined in Section II above, the
following rules apply to system administrators with either
limited or unlimited privileged access:
-
The system administrator shall read, understand, and enforce the
NCCS Security Controls.
-
The system administrator shall ensure that the privacy information, also
known as "information in identifiable form" (IIF) or "personally
identifiable information" (PII), stored on computing resources is protected
from disclosure and managed according to NASA, GSFC, NCCS, ARC, and NAS
policies.
The system administrator shall adhere to IIF and PII processes for
responding to a user's complaint(s) with reference to his or her
information and for notifying a user when changes occur in how his or
her information is collected, stored, used, or managed and whether
this information has been disclosed and to whom.
(Reference control: NCCS Security Controls, Planning, PL-5 Privacy Impact
Assessment.)
-
As required by NPR 1600.1,
NASA Security Program Procedural Requirements,
Section 5.24 and NPR 2810.1A,
Security of Information Technology,
Section 11.3.14.9, the system administrator shall restrict and
protect the distribution of "sensitive but unclassified" (SBU)
information and ensure that SBU information is encrypted when
transmitted outside the security perimeter.
(Examples of SBU information include
-
NASA IT internal systems information revealing the infrastructure
used for servers, desktops, and networks,
-
application name, version, and release information,
-
switching, router, and gateway information,
-
interconnections and access methods,
-
systems inventories and enterprise architecture models,
-
systems security information revealing the security posture of
systems (e.g. threat assessments, system security plans, contingency
plans, risk management plans, Business Impact Analysis studies, and
Certification and Accreditation documentation), and
-
reviews or reports illustrating or disclosing infrastructure or
security vulnerabilities.
For additional details consult NPR 1600.1, Section 5.24.)
-
To ensure the security of the computing facilities, accountability and
responsibility, the NCCS prohibits the use of any personally-owned portable
storage devices as well as removable media on its computing resources when
there is no identifiable owner of the device or media.
-
To ensure the security of the computing facilities, accountability and
responsibility, the NCCS prohibits the use of any non-Government Furnished
Equipment (non-GFE) as endpoints for establishing connections to NCCS
systems during which sensitive NASA data is accessed (including but not
limited to SBU, ITAR, EAR or commercially licensed data) or during which
elevated privileges are obtained or used.
-
The system administrator shall adhere to the Rules of Behavior as outlined
in Section II above; however, the system administrator may be exempt from
certain of
these rules, due to the nature of his or her assigned tasks, but only
as permitted by the project (NCCS and NAS).
When a conflict appears to exist between a rule and the system
administrator's ability to perform an assigned task, the system
administrator shall consult with the project Information Systems Security
Official (ISSO) in order to determine a resolution of the conflict.
Section IV: NCCS and NAS User Services Group Contact Information
Users can contact the NCCS User Services Group by telephone at
301-286-9120
or by e-mail at
support@nccs.nasa.gov
Users can contact the NAS User Services Group by telephone at
650-604-4444
or by e-mail at
support@nas.nasa.gov