INFORMATION TECHNOLOGY SECURITY
11.02.01
PURPOSE
a. This subchapter specifies the NIST Information Technology
(IT) Security Program Policy. This policy defines the overall IT security
strategy and mission for NIST which includes defining (1) IT security requirements,
roles, and responsibilities; and (2) an IT security program to support
NIST IT security efforts and to ensure policy compliance. Additional IT
security issue-specific policies address each requirement in further detail.
These subordinate policies are maintained by the NIST Chief Information
Officer and are available at: http://www-i.nist.gov/its.
b. This policy and the related subordinate policies have four main goals:
(1) Ensure the availability, confidentiality, and integrity of NIST
data and IT resources;
(2) Ensure that IT security is implemented using a risk-based decision
process and in a cost-effective manner;
(3) Ensure management accountability for protecting NIST computing
resources and data; and
(4) Ensure user accountability for the secure use of computing resources
and data.
c. The policy in this subchapter is consistent with and supplements
policies contained in Office of Management and Budget (OMB) Circular A-130,
Appendix III; Federal Information Security Management Act of 2002; Clinger-Cohen
Act of 1996; Paperwork Reduction Act of 1995; and the Department of Commerce
Information Technology Security Program Policy.
11.02.02
SCOPE
The policy contained in this subchapter applies to all NIST facilities,
staff, associates, contractors, and all other IT resources used to support
NIST programs. The term "IT security" as used in this subchapter encompasses
the full range of management, operational, and technological safeguards,
including physical measures and administrative procedures applied to computing
facilities, electronic equipment, networks, software, data, operations
personnel, and users to ensure the protection of NIST assets.
11.02.03
BACKGROUND
IT is an essential resource on which all NIST programs depend.
For example, IT is a vehicle by which experiments are conducted, employees
communicate with one another, administrative processes are conducted, and finances
are tracked. In addition, it is an infrastructure within which virtually
all data is stored. With the increasing reliance on IT, including
the use of the Internet and its related information dissemination capabilities,
the potential loss, compromise, and misuse of NIST data and facilities
has grown tremendously. Thus, it is necessary that NIST ensure the security
of its IT resources.
11.02.04
POLICY
Specific elements of the NIST IT security policy follow:
a. IT Security Program - The NIST Chief Information Officer (CIO) is responsible for maintaining an IT security program that defines, implements, and manages the overall NIST IT security strategy. The program includes the development of policies, procedures, and guidance that define minimal acceptable security practices to standardize NIST’s approach to security. The program ensures a coordinated defense of the NIST IT resources. This involves implementing centralized security resources to provide an umbrella of protection for all NIST systems (such as firewalls, security training, intrusion detection, and incident response capabilities). In addition, it involves a formal authorization process for each IT system and routine periodic security evaluations. This includes verifying that the level of security is appropriate for each system and implementing corrections for identified weaknesses.
b. Establishing an Appropriate Level of Security - Security is applied to NIST IT resources using a risk-based approach. Vulnerabilities are mitigated where the estimated damage is greater than the cost of the security control. Vulnerabilities are not mitigated when the estimated damage is less than the cost of the security control. In such cases, vulnerabilities are documented in the system security plan and the risk formally accepted during the certification and accreditation process.
Security must be commensurate with the sensitivity level of the system and take into account existing threats, vulnerabilities, and value of the asset. All systems are assigned a sensitivity level rating of low, medium, or high using guidance provided by the NIST IT Security Officer (ITSO). System sensitivity levels are determined by the system owners with respect to the confidentiality, integrity, and availability requirements of the data processed by and/or stored within the system and are documented in system security plans. These sensitivity levels are used within NIST issue-specific policy to stratify security requirements and to prioritize security reviews.
c. IT Security Responsibilities - All employees are responsible for IT security at NIST. The NIST Director is responsible for ensuring the security of NIST IT systems. Operating Unit (OU) Directors are responsible for ensuring the security of IT systems within their operating unit. The NIST ITSO is responsible for coordinating the NIST IT security program. OU ITSOs are responsible for coordinating their OU IT security program. System security officers (SSOs) are responsible for the security of systems under their control. System administrators, database administrators, and application administrators are responsible for the secure maintenance of the IT resources under their control. IT data owners are responsible for ensuring the secure use of their data within NIST IT systems. Contract and procurement officers are responsible for ensuring that contracts and procurement comply with IT security policy. IT system users are responsible for helping to maintain security.
d. IT Security Roles - NIST maintains the following IT security roles to effectively manage and administer IT security. The NIST ITSO maintains a list of individuals serving within each role.
(1) The NIST CIO oversees and develops the NIST IT security program.
(2) The NIST ITSO coordinates the implementation of the NIST IT security
program.
(3) OU ITSOs assist in the implementation of the NIST IT security program
within their respective OU.
(4) System Owners are responsible for the security of their respective
system(s).
(5) SSOs implement and oversee the system level IT security controls
within their respective system(s).
(6) System Administrators implement and maintain technical and operational
security controls for their system(s).
e. Requirements for Security Roles - NIST IT security roles must be held by employees with sufficient experience, training, and educational qualifications as defined by the NIST CIO. In addition, background checks must be conducted on all personnel holding security roles at a level commensurate with their position sensitivity level.
f. IT Systems - All computing and networking resources (hardware, software, and data) must be assigned to a formally designated IT system (as defined by OMB Circular A-130, Appendix III). This requirement includes classified as well as unclassified IT systems. Each IT system must be registered with the NIST CIO and must have a system security plan. Each IT system must also have the following positions designated and documented in the system security plan: a system owner; an SSO; and one or more system administrators.
g. Issue-Specific Policies, Procedures, and Guidance - The NIST CIO maintains issue-specific IT security policies, procedures, and guidance. These IT security documents are subordinate to this policy and will further refine or elaborate on the requirements in this policy. These documents are available at: http://www-i.nist.gov/its.
h. Security Documentation - System owners must maintain IT security documentation for each system under their purview. Documentation must follow the format provided by the NIST ITSO and must contain elements specified by the NIST ITSO. This documentation must include a system security plan, contingency plan, risk assessment, security self-assessment, policies, and procedures. NIST Special Publication 800-18 defines the requirements for creating system security plans. The NIST ITSO, as part of the certification and accreditation process, defines requirements for maintaining contingency plans, risk assessments, and security self-assessment documentation. Policies and procedures must be created by the system owner for security activities not covered by NIST-wide policy and procedures.
i. Planning and Budgeting for IT Security - All IT systems must be allocated sufficient resources to ensure an adequate level of security. These resources must be explicitly planned and budgeted within the system owner’s fiscal costs. Expenditures for IT security must be included in NIST's enterprise architecture and capital planning and investment control processes.
j. Certification and Accreditation - IT systems must be certified and accredited according to the process defined by the NIST CIO. Certification is an assertion by an evaluator that the system has attained a certain level of security. Accreditation is a formal approval to operate. Both the relevant OU Director and the NIST CIO must approve IT system accreditation. All IT systems must be accredited every three years or whenever they undergo a significant change (as defined by the NIST CIO).
k. Security Reviews and Testing - All IT systems must undergo an independent security review as part of the certification and accreditation process.
Systems will undergo additional periodic technical security reviews
and testing as determined by events (e.g., vulnerability notifications
and security incidents), system changes, and changes to the
system sensitivity level. The certification and accreditation process
also requires system owners to periodically
review and test their respective systems to ensure that security controls
are operating properly. The review process will be defined by the
NIST ITSO and will ensure that an appropriate level of security is maintained
for all NIST systems.
l. System Development Life Cycle (SDLC) - All IT systems must be developed in a secure manner through all phases of development as described in the NIST-CIO-maintained system development lifecycle. This lifecycle model will ensure that security is built into IT systems from the beginning and will ensure that security is maintained throughout the life of the system.
m. Security Awareness and Training - All NIST users must be made aware of the importance of IT security through periodic announcements from management and through the implementation of a continual awareness strategy (e.g., posters and newsletters). All NIST users must participate in annual IT security training to sustain access to NIST IT systems. In addition, some IT security roles may require IT security training that is appropriate to their IT security responsibilities. New users must participate in an IT security orientation briefing before being granted access to any NIST IT systems. The CIO or the NIST ITSO must approve all IT security orientation and training to ensure that all of the requirements are met.
n. Interconnected Systems - Some IT systems have direct connections to other IT systems through the use of dedicated lines, virtual private networks, or some other connection such that the security levels of the systems affect each other. This often happens when two distinct networks are joined together. This can also happen when two or more entities need to collaborate on a project by sharing network resources. Since a trust relationship exists between the two systems, a vulnerability in one system could create a security exposure in the other system. In these cases, the system owners must ensure that the interconnected systems have commensurate levels of security. The NIST ITSO must approve all interconnections with non-NIST systems and may require that an interconnection agreement be established between both organizations.
o. Jointly Owned Systems - It is not always possible to assign an IT resource to only one system. In some cases, the hardware and operating system are maintained by one organizational unit (e.g., the central computing facility) while the software and user access controls are maintained by another organizational unit. In these cases, both organizational units will jointly own the IT resource and system owners will apply security controls to their respective domains and ensure that the controls are properly integrated.
p. Technical and Operational IT Security Controls - NIST IT systems must make appropriate use of technical and operational IT security controls as defined by the NIST CIO. Such controls include, but are not limited to: firewalls; anti-virus; access control; strong authentication; encryption; file integrity checkers; password management; intrusion detection; audit trails; and security patches.
q. Classified and Sensitive Systems and Data - Classified systems (those holding national security information) must be secured in coordination with the NIST ITSO and the Department of Commerce Office of Security and require more stringent controls than those present in this policy. When the classifying authority for a system has more stringent requirements than Department or NIST policy, the classified systems must be secured according to the classifying authority's requirements.
Sensitive systems are those that contain individually identifiable information protected under the Privacy Act and proprietary information protected under the Trade Secrets Act. When an outside organization is responsible for data stored at NIST which is considered to be “sensitive information” by this definition, this data must be secured according to the responsible organizational unit’s requirements even if they are more stringent than those defined by Department or NIST policy.
NIST shall use encryption for electronic transmission of sensitive but unclassified information. This encryption shall be FIPS 140 compliant where possible.
r. Segregation of Duties - Duties must be separated among multiple employees whenever necessary and possible to prevent a single person from performing malicious or illegal activities undetected. When it is not possible to implement segregation of duties, compensatory controls must be established. Segregated duties and related compensatory controls must be documented within system security plans.
s. Security Monitoring - IT system technical and operational security controls must be periodically monitored to ensure the continued security of the system. This includes verifying that users are following security procedures, identifying new vulnerabilities, and looking for suspicious system activity. The amount and detail of monitoring should be commensurate with the sensitivity level of the system as defined in the system security plan. System owners are required to notify users (e.g., using a login banner) that systems will be monitored. Monitoring must only be performed by individuals with security responsibilities and only within the system(s) for which they are responsible. The NIST ITSO will perform centralized security monitoring of all IT systems. Monitoring activities that could be viewed as encroaching upon a user’s privacy must only be conducted with the approval of the NIST ITSO, NIST CIO, relevant OU Director, or NIST Director.
t. Security Incident Investigation and Reporting - All
IT security and related incidents, including suspicious, malicious, and
illegal IT activity, must be reported to the system owner, OU ITSO, and
NIST ITSO. The NIST ITSO is responsible for investigating such activity
and will respond in such a way as to minimize the damage to NIST systems
and NIST's reputation.
11.02.05
RESPONSIBILITIES
Responsibilities for effective implementation of security policy and
procedures reside at all levels of the organization. The following
identifies specific security roles and responsibilities associated with
NIST management, staff, associates, and contractors. All NIST staff performance
plans should identify IT security criteria appropriate for their respective
roles.
a. NIST Director - The NIST Director’s responsibilities, with respect to IT security, are as follows:
(1) Ensure that appropriate levels of security are applied to all NIST
IT systems;
(2) Ensure that NIST has an established IT security program;
(3) Allocate sufficient resources necessary for the protection of NIST
IT systems;
(4) Hold NIST managers accountable for the security of the IT systems
under their control;
(5) Appoint a NIST CIO; and
(6) Ensure that staff, facilities, and IT processing systems with appropriate
national security clearances are available in the Office of the Director,
NIST.
b. NIST Chief Information Officer - The NIST CIO is appointed by the NIST Director. With respect to IT Security, the CIO’s responsibilities are as follows:
(1) Ensure that appropriate levels of security are applied to all NIST
IT systems (whether retained in-house or under the control of contractors);
(2) Oversee, define, plan, budget, and implement the NIST IT security
program;
(3) Approve and issue NIST IT security program policy, procedures,
and guidance;
(4) Ensure that the IT security program integrates fully into NIST’s
enterprise architecture and capital planning and investment control processes;
(5) Ensure that NIST IT systems are developed and operated in full
compliance with Department and NIST policies, as well as Federal IT security-related
directives;
(6) Ensure that all IT systems owned or operated by or for NIST are
accredited and that all IT assets are assigned to an IT system;
(7) Appoint the NIST ITSO and an alternate for when the primary NIST
ITSO is unavailable;
(8) Ensure that IT security is planned and implemented NIST-wide throughout
all phases of the NIST System Development Life Cycle;
(9) Serve as a co-accreditor of all IT systems. Operating Unit Directors
are the designated approving authority (accepting operating risk) for the
operating unit’s IT systems, but the CIO must co-accredit all IT systems;
(10) Ensure that positions with significant IT security responsibilities
are held by staff with sufficient training and education qualifications
as well as by staff who have had appropriate background checks;
(11) Provide a means for NIST staff to electronically identify all
IT users such that NIST staff will be able to easily differentiate between
government employees, contractors, foreign nationals with countries of
association, and other associates;
(12) Ensure that staff responsible for oversight of NIST classified
IT processing efforts receive extensive training from the agencies that
sponsor those efforts, including yearly refresher briefings presented by
those agencies;
(13) Ensure that all cleared staff receive an extensive briefing presented
by a qualified staff member relevant to their clearance level that describes
in detail all individual IT responsibilities prior to granting access to
any classified systems;
(14) Ensure that all cleared staff receive a comprehensive yearly awareness
briefing presented by a qualified staff member of individual IT responsibilities
relevant to their clearance level as a condition of continued access to
any classified systems;
(15) Provide an IT processing procedures manual for classified information
to all cleared staff; and
(16) Provide an IT processing procedures manual to all staff that includes
processing procedures for information commonly considered “sensitive information.”
c. NIST IT Security Officer - The NIST CIO appoints the NIST ITSO to perform the following:
(1) Coordinate implementation of the NIST IT security program;
(2) Develop NIST IT security program policy, procedures, standards,
and guidance consistent with Departmental and Federal requirements. Assist
with the development of IT system specific policy, procedures, and safeguards;
(3) Implement and manage an IT security awareness and training program;
(4) Assist with the planning and budgeting of IT security functions
for NIST;
(5) Establish and maintain an IT security certification and accreditation
program. This includes ensuring that all systems have completed and maintained
security plans, risk assessments, contingency plans, and security self-assessments;
(6) Ensure that an objective, independent review and approval process
exists for both security plans and procurement requests to validate the
adequacy of proposed security safeguards;
(7) Communicate security requirements to NIST management and staff
and serve as a resource on effective IT security practices;
(8) Act as a liaison between the Department and NIST on Department-wide
security initiatives, incident response activities, and on fulfilling IT
security reporting requirements;
(9) Conduct NIST-wide intrusion detection and vulnerability monitoring;
and
(10) Create and maintain an incident response capability.
d. Operating Unit Directors - OU Directors are directly responsible for the security of the systems under their purview. OU Directors have the following responsibilities:
(1) Ensure that appropriate levels of security are applied to all OU
IT systems and that sufficient resources are planned and assigned to maintain
this level of security;
(2) Work closely with and support the NIST Director and NIST CIO in
implementing the NIST IT security program;
(3) Ensure OU IT systems are developed and operated in full compliance
with Department and NIST policies (e.g., annual user training requirements)
as well as federal IT security-related directives and mandates;
(4) Account for IT security in capital investment plans which must
include all IT resources (e.g., labor, hardware, software, maintenance)
for procurement, maintenance, and replacement of all OU systems;
(5) Ensure IT security is planned and implemented throughout all phases
of the NIST System Development Life Cycle;
(6) Ensure that OU positions with significant security responsibilities
are held by staff with sufficient training and education qualifications
as well as by staff who have had appropriate background checks;
(7) Appoint an OU ITSO. In those cases where the OU is located
at different sites, an OU ITSO shall be appointed for each site.
Designate alternate OU ITSO(s) for when the primary OU ITSO(s) is unavailable;
(8) Assign ownership of IT resources such that all OU IT resources
are assigned to a particular system and such that all systems have a designated
system owner;
(9) Serve as the Designated Approving Authority (accepting operating
risk) for the Operating Unit’s IT systems along with the CIO who co-accredits
all IT systems;
(10) Ensure that staff responsible for oversight of NIST classified
IT processing efforts receive extensive training from the agencies that
sponsor those efforts, including yearly refresher briefings presented by
those agencies;
(11) Ensure that all cleared staff receive an extensive briefing presented
by a qualified staff member relevant to their clearance level that describes
in detail all individual IT responsibilities prior to granting access to
any classified systems; and
(12) Ensure that all cleared staff receive a comprehensive yearly awareness
briefing presented by a qualified staff member of individual IT responsibilities
relevant to their clearance level as a condition of continued access to
any classified systems.
e. OU IT Security Officers - OU ITSOs are appointed by the relevant OU Director and assist in the implementation of the NIST IT security program within their respective OUs. Specifically, OU ITSOs have the following responsibilities:
(1) Recommend to the OU Director how best to implement the NIST IT security
program and policy within their OU;
(2) Coordinate the implementation of the NIST IT security program within
their OU (e.g., coordinating certification and accreditation activities);
(3) Assist with the planning, budgeting, and implementation of IT security
for the OU;
(4) Assist IT system owners in developing security plans, risk assessments,
security self-assessments, contingency plans, security controls, and system
specific policies;
(5) Serve as contact points for all IT security related issues for
the OU and act as a liaison to the NIST ITSO;
(6) Participate in the development of IT security policies, procedures,
and guidance; and
(7) Communicate IT security requirements to NIST management and staff
and serve as a resource on effective IT security practices.
f. System Owners - System owners are employees with managerial, operational, technical, and often budget responsibility for all aspects of an IT system. They are appointed by the relevant OU Director and identified as such in the security plan associated with each NIST IT system. System owners are typically division chiefs or more senior managers and are directly responsible for ensuring that the correct level of IT security is implemented for each system for which they are responsible. Specifically, system owners have the following responsibilities:
(1) Ensure that appropriate levels of security are applied to the IT
system and that sufficient resources are planned and assigned to maintain
this level of security;
(2) Ensure the system is developed and operated in full compliance
with Department and NIST policies as well as federal IT security-related
directives and mandates;
(3) Determine the system sensitivity levels (high, medium, or low)
with respect to confidentiality, integrity, and availability concerns;
(4) Ensure IT security is planned and implemented throughout all phases
of the NIST System Development Life Cycle;
(5) Ensure that appropriate security requirements and disclosure agreements
are included in the specifications for the acquisition of IT and IT services
and certify that awarded contracts comply with security requirements;
(6) Ensure that the IT system is meeting all applicable certification
and accreditation requirements;
(7) Ensure that security breaches are reported in accordance with NIST
policy and procedure;
(8) Ensure that IT system users receive appropriate security training;
(9) Determine the appropriate position sensitivity designations for
critical and sensitive employee positions (e.g., system administrators)
and ensure that staff and associates under their jurisdiction have undergone
appropriate background investigations. Inform staff and associates of the
level of security that must be maintained given their position sensitivity;
(10) Ensure system specific security responsibilities are properly
identified and documented. Ensure that duties are separated among
multiple employees whenever necessary to prevent a single person from performing
malicious or illegal activities undetected;
(11) Ensure that system positions with significant security responsibilities
are held by staff with sufficient training and education qualifications
as well as by staff who have had appropriate background checks;
(12) Designate an SSO for each system;
(13) Designate one or more system administrators for each system; and
(14) Ensure that interconnected systems have equivalent or greater
levels of security.
g. System Security Officers - SSOs are designated by the system owners and identified in the relevant system security plan as responsible for the security of the system. In some cases, the OU ITSO may act as the SSO for IT systems within the OU. When risk levels permit, SSOs can also be designated as system administrator for the same system. SSOs implement the system-level controls and maintain system documentation. SSOs are specifically to:
(1) Actively monitor the system to ensure adequate security levels are
properly maintained;
(2) Assist and advise the system owner and the OU ITSO on system security
issues throughout the system’s life cycle;
(3) Assist in the determination of an appropriate level of security
commensurate with the level of sensitivity;
(4) Participate in certification and accreditation activities for the
system. This includes assisting in the development and maintenance of system
security plans, risk assessments, security self-assessments, contingency
plans, policies, and procedures;
(5) Assist in handling and investigating incidents in cooperation with
and under direction of the system owner, the OU ITSO, and the NIST ITSO;
and
(6) Cooperate with the staff of other interconnected systems to ensure
consistent levels of security.
h. System Administrators - System administrators are those designated by a system owner to maintain the system or parts of the system. Each system will have one or more formally designated systems administrators responsible for the entire system and may have other systems administrators responsible for parts of the system. Each system administrator is responsible for the secure operation and maintenance of the IT elements under their control. Specifically, system administrators have the following responsibilities:
(1) Ensure that IT system technical and operational security controls
are being implemented and maintained according to the sensitivity level
of the system and the data being processed;
(2) Assist in the development and maintenance of required security
documentation and related activities (e.g., system administration and operational
procedures and manuals);
(3) Know the systems or parts of systems for which they are directly
responsible (e.g., network equipment, servers, and LANs); and
(4) Assist the SSO, the system owner, and the OU IT Security Officer
as necessary.
i. Database, Application, and Account Administrators - Database, application, and account administrators are those designated by a system owner to maintain databases, applications, or user accounts. Database, application, and account administrators have the following responsibilities:
(1) Coordinate with appropriate system administrators and SSOs to ensure
that their databases and applications are being adequately protected commensurate
with the sensitivity level of the data being processed;
(2) Operate databases and applications in a secure manner;
(3) Manage user accounts in a timely and secure manner (e.g.,
disabling accounts);
(4) Assist in the development and maintenance of required security
documentation and related activities (e.g., application administration
and operational procedures and manuals);
(5) Know the applications and databases for which they are directly
responsible; and
(6) Assist the SSO, the system owner, and the OU IT Security Officer,
as necessary.
j. Data Owners - Data owners are those staff that own data being stored in or used by a system. Data owners have the following responsibilities:
(1) Coordinate with appropriate system administrators and SSOs to ensure
that their data is being adequately protected commensurate with its sensitivity
level;
(2) Ensure that the data is being used and accessed in a secure manner.
Ensure the security of any applications that interface with the data and that
are controlled by the data owner;
(3) Assist system owners in developing and maintaining required security
documentation as it pertains to how the data is accessed and used by the
data owner;
(4) Know the data for which they are directly responsible, which applications
use the data, and who administers those applications; and
(5) Assist the IT System Security Officer, the system owner, and the
OU ITSO, as necessary.
k. Contracting and Procurement Officers - Employees involved with contracts and procurements ensure that all contracts and procurements are compliant with NIST IT security policy.
l. All Authorized IT Users (employees and contractors) - The success of IT security programs ultimately depends on the commitment of each user. Users are to:
(1) Operate NIST IT systems in a secure and responsible manner;
(2) Know and abide by all applicable NIST policies and procedures.
This includes reading and understanding NIST and system-specific rules
of behavior regarding inappropriate use or abuse of NIST IT resources;
(3) Participate in IT security awareness and training activities;
(4) Know the systems or parts of systems for which they are directly
responsible (e.g., printer, desktop, or browser);
(5) Know the sensitivity of the data they handle and take appropriate
measures to protect it; and
(6) Report incidents to their OU ITSO and the NIST ITSO using the online
web form located on the NIST IT Security Web page: http://www-i.nist.gov/its.
11.02.06
ENFORCEMENT
a. The NIST CIO has the authority to change the operating status
of any IT system that is not being managed or operated according to NIST
IT security or related policy or in the event of an IT security-related
incident. This includes removing systems from the NIST network, revoking
their authorization to operate, or otherwise removing the system's ability
to process information. OU Directors have this authority with respect
to systems owned by their OU and system owners have this authority over
their own systems.
b. The NIST ITSO has the authority to remove any IT system, or a subcomponent thereof, from the NIST network in the event of a security incident or the discovery of a vulnerability. This will be done to mitigate possible damage to other IT systems (e.g., to stop the spreading of a computer worm/virus), to protect the system, or to preserve evidence on the system. OU Directors may delegate this authority in writing to their OU ITSOs.
c. Unauthorized use of any government equipment, material, or
resources, including computer-related resources, is prohibited. Misuse
is punishable by penalties as provided in the DOC Table of Offenses and Penalties
which is available at DAO 202-751 (http://dms.osec.doc.gov/cgi-bin/doit.cgi?204:112:e372fa640e1c91c71adb173ab597387581792de3d6f5fc75c3a21d45fab1e9c2:102).
Individuals involved with misuse will be subject to having all computer
account access suspended or terminated at the discretion of NIST management
and the NIST CIO.