NCCS User Administration Request Form
NASA Center for Climate Simulation

NCCS and NAS Computing Resources Rules of Behavior


Section I: Introduction and Definitions

The Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources requires that Rules of Behavior be established for individual users of each interconnected set of "information technology" (IT) computing resources under the same direct management control which share common functionality. This document outlines the Rules of Behavior for the use of the computing resources maintained and operated by the NASA Center for Climate Simulation (NCCS) at the NASA Goddard Space Flight Center (GSFC) and by the NASA Advanced Supercomputing (NAS) Facility at the NASA Ames Research Center (ARC). The purpose of this document is to increase awareness of security issues and to ensure that all users use NCCS and NAS computing resources in a secure, ethical, and lawful manner.

NCCS and NAS computing resources are U.S. Government resources and are for authorized use only. A user account is to be used only for the purpose for which it has been authorized and is to be used only for NASA-related activities. A user account is assigned to one individual user for use of computing resources. Use of a user account is permitted only by the user assigned the user account. Use of a user account by anyone other than the user assigned the user account is considered unauthorized use and is not permitted.

Unauthorized use of a user account or of a computing resource is a violation of Section 799, Title 18, of the U.S. Code, constitutes theft and is punishable by law. Computing resources are subject to monitoring, keystroke recording and auditing. Access to and use of computing resources constitutes implicit consent to this monitoring, keystroke recording, and auditing.

Any non-compliance with the Rules of Behavior outlined in this document will constitute a security violation, will be reported to the user's management, to NCCS and NAS management, and will result in short-term or permanent loss of access to computing resources. Serious violations may also result in civil or criminal prosecution.

Users are responsible for providing a working e-mail address with which the NCCS may contact them. Users are also responsible for adhering to the provisions of the currently posted version of the Rules of Behavior, which will be maintained on the NCCS Web-site at the following location:

          https://www.nccs.nasa.gov/usradmin/usadcrua.provs.html

The NCCS is responsible for maintaining the currently posted version at this location and for notifying the NCCS user community by e-mail when changes are made to the Rules of Behavior at this location.

In the text of this document, the following definitions apply:

  • Computing Resource refers to the disks, cartridges, tapes, computers, ancillary equipment, systems, networks, facilities, and any other information technology maintained and operated by the NCCS and NAS.
  • Information refers to the datasets, scripts, programs, applications, utilities, files, directories, filesystems, databases, and any other data maintained in any medium on a computing resource.
  • User refers to a person with non-privileged access to a computing resource. A user may use and access his or her own information and the information available to all users on the computing resource (e.g. commands like passwd, pwd), but the user is restricted from the use of and access to the privileged-level information on the computing resource. A user cannot alter or bypass the security controls on a computing resource.
  • System Administrator refers to a person with either limited or unlimited privileged access to a computing resource. A system administrator is also a user and may, therefore, use and access his or her own information and the information available to all users on the computing resource, but a system administrator--unlike a user--may also use and access privileged-level information on all or part of the computing resource. A system administrator may alter or bypass some or all of the security controls on a computing resource.
  • User Account refers to the unique character string used in a computing resource to identify a user (or system administrator). Also known variously as an account, a login, a loginid, a loginname, a memberid, a userid, a username, etc., a user account is used by a user (or system administrator) in conjunction with a password to gain access to a computing resource and to maintain the security of the user's (or the system administrator's) information on a computing resource.
  • Non-NCCS/NAS Issuing Entity refers to an entity--other than the NCCS or NAS--(e.g. the Computational and Information Sciences and Technology Office (CISTO)) through which the user has requested and been granted access to a computing resource.


Section II: Rules of Behavior for Users

The following rules apply to users with non-privileged access and to system administrators with either limited or unlimited privileged access:

  1. The user is responsible for using computing resources in a secure, ethical, and lawful manner.
  2. The user is responsible for protecting all information imported, used, or stored on his or her user account. (Contact your User Services Group or the Non-NCCS/NAS Issuing Entity as appropriate for information concerning the standard protection mechanisms on computing resources and for guidelines for protecting user accounts.)
  3. The user shall not import, use, or store any "classified" information on a computing resource. (NCCS and NAS computing resources are unclassified resources. Information is considered "classified" if it has been designated Confidential, Secret, or Top Secret in accordance with Executive Order 12958 and which requires safeguarding in the interest of National Security.)
  4. There are different requirements with reference to Export Administration Regulations (EAR) information and International Traffic in Arms Regulations (ITAR) information for NCCS and NAS computing resources:
    • NCCS users only: The NCCS user may only import, use or store EAR information or ITAR information on an NCCS computing resource with the prior approval of the user's Principal Investigator and of the NCCS Computer Security Official (CSO). The user shall inform the NCCS of the requirement to import, use or store EAR or ITAR information through either a userid addition request (for a new user) or a userid modification request (for an existing user) using the NCCS User Administration Request Form (the paper form). Once approval has been confirmed by the NCCS User Services Group for the importation, use or storage of EAR or ITAR information, the following rules also apply to the user:
      • The NCCS must establish specific controls to protect the EAR or ITAR information. These controls may include the creation of a special purpose file system, a special purpose group or other file access controls that ensure access to the EAR or ITAR information is restricted to a user who has been approved for access.
      • The user must understand the nature and function of these controls and must assist the NCCS to maintain the security, integrity and confidentiality of the EAR or ITAR information. The user is responsible to ensure that the EAR or ITAR information imported, used or stored is adequately protected and that the controls established for the EAR or ITAR information are securely maintained.
      • The user should only import, use and store the specific EAR or ITAR information for which approval has been obtained.
      • The user should not attempt to give access to EAR or ITAR information to any other user who has not been approved for access.
      For additional information concerning EAR and ITAR information on NCCS computing resources consult the NCCS User Services Group by telephone at 301-286-9120 or by e-mail at support@nccs.nasa.gov
    • NAS users only: For the policies and procedures concerning the requirements with reference to EAR and ITAR information on NAS computing resources consult the NAS User Services Group by telephone at 650-604-4444 or by e-mail at support@nas.nasa.gov
  5. The user shall not import, use, or store any security information (e.g. password cracking programs) on a computing resource that may be used to reveal security weaknesses of a computing resource.
  6. The user shall not import, use, or store any information (e.g. free software) on a computing resource that is free only for personal, not government, use. (Only information that is free, not only for personal use, but also for government use, can be imported, used, or stored on a computing resource and only as permitted by the NCCS and NAS.)
  7. The user shall not import, use, or store any fraudulent, harassing, or obscene information on a computing resource nor send to or from a computing resource such information.
  8. The user shall not divulge access information (e.g. login procedures, lists of user accounts) for a computing resource to any non-user, except as permitted by the NCCS and NAS.
  9. The user shall not make unauthorized copies of the configuration information (e.g. the /etc/passwd file) on a computing resource, for unauthorized personal use nor divulge this information to a non-user, except as permitted by the NCCS and NAS.
  10. The user shall not make unauthorized copies of copyrighted information (e.g. copyrighted software), except as permitted by law or by the owner of the copyright.
  11. The user shall not post non-public Government information to external news groups, bulletin boards, Web-sites, social media (e.g. Facebook, Twitter) or to other public forums without authority to do so. This prohibition includes any use, without prior approval or authority, that could create the perception that the communication was made in an official capacity.
  12. The user shall not attempt to access information contained on computing resources for which the user does not have explicit consent of the owner of the information.
  13. The user shall select and activate his or her own password(s), after being issued an initial temporary password. The user shall use a unique password on each computing resource (or each single sign-on environment for a set of computing resources), subject to the password restrictions of the computing resource (or the single sign-on environment for a set of computing resources). The user shall change his or her password(s) at least once in the sixty-day period during which a password is valid. The user is responsible for safeguarding his or her password(s) from any form of disclosure. The user shall not share his or her user account or the password(s) to this user account with anyone. (A non-user in need of a user account should contact their User Services Group for information concerning and assistance requesting a user account.)
  14. If the user has any difficulties using his or her user account or the password(s) to this user account, the user shall notify their User Services Group or the Non-NCCS/NAS Issuing Entity as appropriate.
  15. The user is responsible for all actions performed on his or her user account while this user account is logged in to a computing resource and for any actions subsequent to the running of cron or batch jobs on the computing resource while this user account is logged out. The user shall not allow access to his or her user account by others once he or she has logged in to a computing resource. The user shall not leave an open login session unattended. The user shall either log out of the computing resource or use a password-enabled screen saver to protect his or her user account from unauthorized use.
  16. The user shall not purposely engage in activities to harass another user, to deprive another user access to a computing resource to which that user has been authorized, to gain access to a computing resource to which he or she has not been authorized, to degrade the performance of a computing resource, or to circumvent the security measures on a computing resource.
  17. In order for the NCCS and NAS to maintain accurate user information for users, as required by NASA Procedural Requirements (NPR) 2810.1A, Security of Information Technology, the user is responsible for notifying both the NCCS or NAS User Services Group and any Non-NCCS/NAS Issuing Entity of any changes in his or her employer, office address, office telephone number, e-mail address, citizenship information, or any other information required by the NCCS and NAS.
  18. An Authentication Key Token (AKT) is an electronic security device (e.g. an RSA SecurID, a CryptoCard) used in conjunction with a user account and password to maintain the security of a computing resource. If an AKT is issued for use with the user's user account, the following rules also apply to the user:
    • The AKT issued to the user remains the property of the U.S. Government.
    • The user is responsible for protecting the AKT from physical damage.
    • The user shall not share the AKT with anyone.
    • If the AKT is lost or stolen, or if the user has any difficulties using the AKT, the user shall notify their User Services Group immediately.
    • The user shall return the AKT to their User Services Group either in person--if possible--or via the U.S. Postal Service--if necessary--when any of the following circumstances occur:
      • if the user no longer requires his or her user account,
      • when the AKT reaches its expiration date, or
      • if requested by a bona fide representative of their User Services Group to return the AKT.
    If an AKT is issued by a Non-NCCS/NAS Issuing Entity for use with the user's user account, the user shall adhere to the published standards of practice for the Non-NCCS/NAS Issuing Entity for the AKT.
  19. If the user discovers a weakness in the security of a computing resource, an incident of possible unauthorized use of a computing resource, or a violation of the Rules of Behavior as set forth in this document, or if the user believes that his or her user account is involved in a security incident, the user shall notify their User Services Group immediately, but only in person, by telephone, or by encrypted e-mail. (The user should resort to unencrypted e-mail only in a dire emergency.)
  20. If the user no longer requires his or her user account, the user is responsible for notifying both their User Services Group and any Non-NCCS/NAS Issuing Entity and for ensuring that all of his or her information is removed from computing resources or properly transferred to another user account.


Section III: Rules of Behavior for System Administrators

In addition to the rules for users outlined in Section II above, the following rules apply to system administrators with either limited or unlimited privileged access:

  1. The system administrator shall read, understand, and enforce the NCCS Security Controls.
  2. The system administrator shall ensure that the privacy information, also known as "information in identifiable form" (IIF) or "personally identifiable information" (PII), stored on computing resources is protected from disclosure and managed according to NASA, GSFC, NCCS, ARC, and NAS policies. The system administrator shall adhere to IIF and PII processes for responding to a user's complaint(s) with reference to his or her information and for notifying a user when changes occur in how his or her information is collected, stored, used, or managed and whether this information has been disclosed and to whom. (Reference control: NCCS Security Controls, Planning, PL-5 Privacy Impact Assessment.)
  3. As required by NPR 1600.1, NASA Security Program Procedural Requirements, Section 5.24 and NPR 2810.1A, Security of Information Technology, Section 11.3.14.9, the system administrator shall restrict and protect the distribution of "sensitive but unclassified" (SBU) information and ensure that SBU information is encrypted when transmitted outside the security perimeter. (Examples of SBU information include
    • NASA IT internal systems information revealing the infrastructure used for servers, desktops, and networks,
    • application name, version, and release information,
    • switching, router, and gateway information,
    • interconnections and access methods,
    • systems inventories and enterprise architecture models,
    • systems security information revealing the security posture of systems (e.g. threat assessments, system security plans, contingency plans, risk management plans, Business Impact Analysis studies, and Certification and Accreditation documentation), and
    • reviews or reports illustrating or disclosing infrastructure or security vulnerabilities.
    For additional details consult NPR 1600.1, Section 5.24.)
  4. To ensure the security of the computing facilities, accountability and responsibility, the NCCS prohibits the use of any personally-owned portable storage devices as well as removable media on its computing resources when there is no identifiable owner of the device or media.
  5. To ensure the security of the computing facilities, accountability and responsibility, the NCCS prohibits the use of any non-Government Furnished Equipment (non-GFE) as endpoints for establishing connections to NCCS systems during which sensitive NASA data is accessed (including but not limited to SBU, ITAR, EAR or commercially licensed data) or during which elevated privileges are obtained or used.
  6. The system administrator shall adhere to the Rules of Behavior as outlined in Section II above; however, the system administrator may be exempt from certain of these rules, due to the nature of his or her assigned tasks, but only as permitted by the project (NCCS and NAS). When a conflict appears to exist between a rule and the system administrator's ability to perform an assigned task, the system administrator shall consult with the project Information Systems Security Official (ISSO) in order to determine a resolution of the conflict.


Section IV: NCCS and NAS User Services Group Contact Information

Users can contact the NCCS User Services Group by telephone at 301-286-9120 or by e-mail at support@nccs.nasa.gov
Users can contact the NAS User Services Group by telephone at 650-604-4444 or by e-mail at support@nas.nasa.gov

Web Location: https://www.nccs.nasa.gov/usradmin/usadcrua.provs.html
Last Modified: Friday, October 26, 2018
Reason for Modification: Added provision (Section III, item 5) concerning the use of non-Government Furnished Equipment.