NCCS and NAS Computing Resources Rules of Behavior


Section I: Introduction and Definitions

The Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources requires that Rules of Behavior be established for individual users of each interconnected set of "information technology" (IT) computing resources under the same direct management control which share common functionality. This document outlines the Rules of Behavior for the use of the computing resources maintained and operated by the NASA Center for Computational Sciences (NCCS) at the NASA Goddard Space Flight Center and NASA Advanced Supercomputing (NAS) at NASA Ames Research Center. The purpose of this document is to increase awareness of security issues and to ensure that all users use NCCS and NAS computing resources in a secure, ethical, and lawful manner.

NCCS and NAS computing resources are U.S. Government resources and are for authorized use only. A user account is to be used only for the purpose for which it has been authorized and is to be used only for NASA-related activities. A user account is assigned to one individual user for use of computing resources. Use of a user account is permitted only by the user assigned the user account. Use of a user account by anyone other than the user assigned the user account is considered unauthorized use and is not permitted.

Unauthorized use of a user account or of a computing resource is a violation of Section 799, Title 18, of the U.S. Code, constitutes theft, and is punishable by law. Computing resources are subject to monitoring, keystroke recording, and auditing. Access to and use of computing resources constitutes implicit consent to this monitoring, keystroke recording, and auditing.

Any non-compliance with the Rules of Behavior outlined in this document will constitute a security violation, will be reported to the user's management, to NCCS and NAS management, and will result in short-term or permanent loss of access to computing resources. Serious violations may also result in civil or criminal prosecution.

In the text of this document, the following definitions apply:

  • Computing Resource refers to the disks, cartridges, tapes, computers, ancillary equipment, systems, networks, facilities, and any other information technology maintained and operated by the NCCS and NAS.
  • Information refers to the datasets, scripts, programs, applications, utilities, files, directories, filesystems, databases, and any other data maintained in any medium on a computing resource.
  • User refers to a person with non-privileged access to a computing resource. A user may use and access his or her own information and the information available to all users on the computing resource (e.g. commands like passwd, pwd, etc.), but the user is restricted from the use of and access to the privileged-level information on the computing resource. A user cannot alter or bypass the security controls on a computing resource.
  • System Administrator refers to a person with either limited or unlimited privileged access to a computing resource. A system administrator is also a user and may, therefore, use and access his or her own information and the information available to all users on the computing resource, but a system administrator--unlike a user--may also use and access privileged-level information on all or part of the computing resource. A system administrator may alter or bypass some or all of the security controls on a computing resource.
  • User Account refers to the unique character string used in a computing resource to identify a user (or system administrator). Also known variously as an account, a login, a loginid, a loginname, a memberid, a userid, a username, etc., a user account is used by a user (or system administrator) in conjunction with a password to gain access to a computing resource and to maintain the security of the user's (or the system administrator's) information on a computing resource.
  • Non-NCCS/NAS Issuing Entity refers to an entity--other than NCCS or NAS--(e.g. CISTO, the Data Intensive Computer Environment (DICE) Program, etc.) through which the user has requested and been granted access to a computing resource.


Section II: Rules of Behavior for Users

The following rules apply to users with non-privileged access and to system administrators with either limited or unlimited privileged access:

  1. The user is responsible for using computing resources in a secure, ethical, and lawful manner.
  2. The user is responsible for protecting all information imported, used, or stored on his or her user account. (Contact your User Services Group or the Non-NCCS/NAS Issuing Entity as appropriate for information concerning the standard protection mechanisms on computing resources and for guidelines for protecting user accounts.)
  3. The user shall not import, use, or store any "classified" information on a computing resource. (NAS and NCCS computing resources are unclassified resources. Information is considered "classified" if it has been designated Confidential, Secret, or Top Secret in accordance with Executive Order 12958 and requires safeguarding in the interest of National Security.)
  4. The user shall not import, use, or store any Export Administration Regulations (EAR) information or International Traffic in Arms Regulations (ITAR) information on an NCCS computing resource. (NCCS computing resources are not authorized to be repositories of EAR or ITAR information.)
  5. The user shall not import, use, or store any security information (e.g. password cracking programs, etc.) on a computing resource that may be used to reveal security weaknesses of a computing resource.
  6. The user shall not import, use, or store any information (e.g. free software, etc.) on a computing resource that is free only for personal, not government, use. (Only information that is free, not only for personal use, but also for government use, can be imported, used, or stored on a computing resource and only as permitted by the NCCS and NAS.)
  7. The user shall not import, use, or store any fraudulent, harassing, or obscene information on a computing resource nor send to or from a computing resource such information.
  8. The user shall not divulge access information (e.g. login procedures, lists of user accounts, etc.) for a computing resource to any non-user, except as permitted by the NCCS and NAS.
  9. The user shall not make unauthorized copies of the configuration information (e.g. the /etc/passwd file, etc.) on a computing resource for unauthorized personal use, nor divulge this information to a non-user, except as permitted by the NCCS and NAS.
  10. The user shall not make unauthorized copies of copyrighted information (e.g. copyrighted software, etc.), except as permitted by law or by the owner of the copyright.
  11. The user shall not attempt to access information contained on computing resources for which the user does not have explicit consent of the owner of the information.
  12. The user shall select and activate his or her own password(s), after being issued an initial temporary password. The user shall use a unique password on each computing resource (or each single sign-on environment for a set of computing resources), subject to the password restrictions of the computing resource (or the single sign-on environment for a set of computing resources). The user shall change his or her password(s) at least once in the ninety-day period during which a password is valid. The user is responsible for safeguarding his or her password(s) from any form of disclosure. The user shall not share his or her user account or the password(s) to this user account with anyone. (A non-user in need of a user account should contact their User Services Group for information concerning and assistance requesting a user account.)
  13. If the user has any difficulties using his or her user account or the password(s) to this user account, the user shall notify their User Services Group or the Non-NCCS/NAS Issuing Entity as appropriate.
  14. The user is responsible for all actions performed on his or her user account while this user account is logged in to a computing resource and for any actions subsequent to the running of cron or batch jobs on the computing resource while this user account is logged out. The user shall not allow access to his or her user account by others once he or she has logged in to a computing resource. The user shall not leave an open login session unattended. The user shall either log out of the computing resource or use a password-enabled screen saver to protect his or her user account from unauthorized use.
  15. The user shall not purposely engage in activities to harass another user, to deprive another user access to a computing resource to which that user has been authorized, to gain access to a computing resource to which he or she has not been authorized, to degrade the performance of a computing resource, or to circumvent the security measures on a computing resource.
  16. In order for the NCCS and NAS to maintain accurate user information for users, as required by NASA Procedural Requirements (NPR) 2810.1A, Security of Information Technology, the user is responsible for notifying both the NCCS or NAS User Services Group and any Non-NCCS/NAS Issuing Entity of any changes in his or her employer, office address, office telephone number, e-mail address, citizenship information, or any other information required by the NCCS and NAS.
  17. An Authentication Key Token (AKT) is an electronic security device (e.g. an RSA SecurID, a CryptoCard, etc.) used in conjunction with a user account and password to maintain the security of a computing resource. If an AKT is issued for use with the user's user account, the following rules also apply to the user:
    • The AKT issued to the user remains the property of the U.S. Government.
    • The user is responsible for protecting the AKT from physical damage.
    • The user shall not share the AKT with anyone.
    • If the AKT is lost or stolen, or if the user has any difficulties using the AKT, the user shall notify their User Services Group immediately.
    • The user shall return the AKT to their User Services Group either in person--if possible--or via the U.S. Postal Service--if necessary--when any of the following circumstances occur:
      • if the user no longer requires his or her user account,
      • when the AKT reaches its expiration date, or
      • if requested by a bona fide representative of their User Services Group to return the AKT.
    If an AKT is issued by a Non-NCCS/NAS Issuing Entity for use with the user's user account, the user shall adhere to the published standards of practice for the Non-NCCS/NAS Issuing Entity for the AKT.
  18. If the user discovers a weakness in the security of a computing resource, an incident of possible unauthorized use of a computing resource, or a violation of the Rules of Behavior as set forth in this document, or if the user believes that his or her user account is involved in a security incident, the user shall notify their User Services Group immediately, but only in person, by telephone, or by encrypted e-mail. (The user should resort to unencrypted e-mail only in a dire emergency.)
  19. If the user no longer requires his or her user account, the user is responsible for notifying both their User Services Group and any Non-NCCS/NAS Issuing Entity and for ensuring that all of his or her information is removed from computing resources or properly transferred to another user account.


Section III: Rules of Behavior for System Administrators

In addition to the rules for users outlined in Section II above, the following rules apply to system administrators with either limited or unlimited privileged access:

  1. The system administrator shall read, understand, and enforce the NCCS Security Controls.
  2. The system administrator shall ensure that the privacy information, also known as "information in identifiable form" (IIF), stored on computing resources is protected from disclosure and managed according to NASA, GSFC, NCCS, ARC, and NAS policy. The system administrator shall adhere to the IIF processes for responding to a user's complaint(s) with reference to his or her information and for notifying a user when changes occur in how his or her information is collected, stored, used, or managed and whether this information has been disclosed and to whom. (Reference control: NCCS Security Controls, 12.0 Security Planning, PL-5 Privacy Impact Assessment.)
  3. As required by NPR 1600.1, NASA Security Program Procedural Requirements, Section 5.24 and NPR 2810.1A, Security of Information Technology, Section 11.3.14.9, the system administrator shall restrict and protect the distribution of "sensitive but unclassified" (SBU) information and ensure that SBU information is encrypted when transmitted outside the security perimeter. (Examples of SBU information include
    • NASA IT internal systems information revealing the infrastructure used for servers, desktops, and networks,
    • application name, version, and release information,
    • switching, router, and gateway information,
    • interconnections and access methods,
    • systems inventories and enterprise architecture models,
    • systems security information revealing the security posture of systems (e.g. threat assessments, system security plans, contingency plans, risk management plans, Business Impact Analysis studies, and Certification and Accreditation documentation, etc.), and
    • reviews or reports illustrating or disclosing infrastructure or security vulnerabilities.
    For additional details consult NPR 1600.1, Section 5.24.)
  4. The system administrator shall adhere to the Rules of Behavior as outlined in Section II above; however, the system administrator may be exempt from certain of these rules, due to the nature of his or her assigned tasks, but only as permitted by the NCCS and NAS. When a conflict appears to exist between a rule and the system administrator's ability to perform an assigned task, the system administrator shall consult with the DPI-CSO in order to determine a resolution of the conflict.


Section IV: NCCS and NAS User Services Group Contact Information

Users can contact the NCCS User Services Group by telephone at 301-286-9120 or by e-mail at support@nccs.nasa.gov
Users can contact the NAS User Services Group by telephone at 650-604-4444 or by e-mail at support@nas.nasa.gov

Last Modified: Monday, 03-Dec-2007 13:08:59 EST
Reason for Modification: Re-organization and separation of rules into sections.

NASA Curator: Mason Chang, NCCS User Services Group (301-286-9120)
NASA Official: Phil Webster, High-Performance Computing Lead, GSFC Code 606.2