NERSC: Powering Scientific Discovery for 50 Years

Appropriate Use of NERSC Resources

NERSC: An Open Scientific Research Center

NERSC supports open research intended to be published in open scientific journals. The production of proprietary results and/or data is not permitted.

NERSC does not allow the use of the following:

  • Classified Information
  • Controlled Unclassified Information (CUI)
  • Export controlled or ITAR codes or data
  • Personally identifiable or protected health information
  • Any other item listed in the Prohibited Data section

General Conditions

Resource Use

Use of NERSC resources is subject to review and approval by

  • NERSC
  • Project Principal Investigators (PI)
  • University of California (UC)
  • Lawrence Berkeley National Laboratory (LBNL)
  • Funding agencies or other State and Federal Government agencies.

NERSC may provide account information to reviewers for this purpose. Users may be asked to provide additional supporting documentation to gain access.

Resources provided by NERSC are to be used only for activities authorized by

  • the Department of Energy (DOE)
  • the NERSC Director.

Government Rights

DOE funds support NERSC and the use of NERSC resources by users. Absent any applicable agreement with your institution, the Federal government or LBNL may have rights to your work product under the Bayh-Dole Act and other legislation and regulations.

  • If you are funded by a federal research grant, cooperative agreement or contract, the intellectual property terms (if present) of that agreement will apply.
  • If you are employed by a federal government agency or a National Laboratory, intellectual property rights covering your work apply.
  • Otherwise, patent and intellectual property waivers may be available, but your host institution must make a specific application to LBNL.

Prohibited Use

Users are not allowed to deviate from the terms of this NERSC Appropriate Use Policy in any way, including, but not limited to, the following:

  • Personal or Private Benefit: The use of NERSC resources for personal or private benefit is prohibited.
  • Unauthorized Access: Users are prohibited from attempting to send or receive unintended messages or access information by unauthorized means, such as imitating another system, impersonating another user or other person, misuse of legitimate user credentials (usernames, passwords, etc.), or by causing some hardware or software functionality of the system to function incorrectly.
  • Altering Authorized Access: Users are prohibited from changing or circumventing access controls, including MFA or the NERSC login process, that allow themselves or others to perform actions outside their intended authorized privileges.
  • Reconstruction of Information or Software: Users are not allowed to reconstruct or recreate information or software for which they are not authorized.
  • Data Modification or Destruction: Users are prohibited from taking actions that intentionally modify or delete information or programs for which they are not authorized.
  • Malicious Software: Users must not intentionally introduce or use malicious software, including software that impacts the legitimate use of NERSC resources in an unauthorized manner.
  • Prohibited Software: Some software may be prohibited on NERSC resources and users may not download, install, or use such software. NERSC keeps a list of software that is prohibited, which is subject to updates or changes.
  • Denial of Service Actions: Users may not use NERSC resources in a manner that interferes with any service availability at NERSC or other sites; or use external resources in a manner that impacts service availability at NERSC.
  • Penetration Testing: Berkeley Lab has a Vulnerability Disclosure Program, for which NERSC is in scope, and any testing against NERSC must adhere to the rules of the program. Testing that involves the use of NERSC accounts or any services requiring authentication is strictly prohibited without explicit written permission from NERSC. Users are prohibited from using any NERSC resources and/or NERSC accounts to perform penetration testing or vulnerability testing actions against other sites.

Prohibited Data

NERSC does not allow the use or storage of any of the following on our resources:

Warranty

NERSC resources are provided to users without any warranty. NERSC will not be held liable in the event of any system failure or loss of data.

Termination

Failure to adhere to any part of this policy may result in termination.

Access to NERSC resources may be withheld or terminated for any reason at the sole discretion of NERSC.

User Responsibilities

NERSC personnel and users are required to address, safeguard against and report misuse, abuse and criminal activities. Misuse of NERSC resources can lead to temporary or permanent disabling of accounts, loss of DOE allocations, and administrative or legal actions.

User Accountability

All users are accountable for their own actions, and violations of policy may result in applicable administrative and/or legal sanctions.

Use by Foreign Nationals

Foreign nationals are generally permitted to access NERSC, provided they fully comply with applicable export control regulations, regardless of whether access occurs within the United States or abroad. However, access is strictly prohibited for individuals or entities in embargoed countries, listed on restricted party lists, or engaged in prohibited end-use activities.

Authentication & Authorization

Any user of NERSC resources will need to authenticate via an approved authentication provider to be authorized to access NERSC resources.

  • Passwords must be changed at NERSC's request.
  • All passwords must conform to NERSC guidelines, which are found in Getting Help/Passwords.

Contact Information

Users should promptly inform NERSC of any changes in their contact information.

Account Compromise 

Users must notify NERSC immediately when they become aware that any of the accounts (including a FedID) used to access NERSC may have been compromised.

Loss or compromise of any credential or Secret used to access NERSC resources must be reported to the NERSC Help Desk promptly and directions for resetting of account credentials must be followed.

Account Sharing

Users are not allowed to share their individual accounts with others.

Users who need to share an account with project members must request a Collaboration Account specifically for this purpose.

Network Connectivity to and from NERSC Resources

NERSC system resources may be accessed only by the methods provided and approved by NERSC.

Users are prohibited from setting up alternative access, authentication or authorization mechanisms without explicit approval from NERSC. Approval for alternate access methods to and from NERSC resources may be requested through the NERSC Help Desk and is subject to regular review. Approval may be revoked if usage policies are violated or if the circumstances under which the approval was granted change.

NERSC maintains a known list of prohibited applications and use cases which are subject to change without notice.

Software and Data

All software used on NERSC computers must be appropriately acquired and used according to the appropriate licensing. Possession, use or transmission of illegally obtained software or data is prohibited. Likewise, users must not copy, store or transfer copyrighted software or data, except as permitted by the owner of the copyright.

The use of NERSC resources to store, manipulate, transmit, or remotely access information, software, or data that may affect the legal or security status of NERSC or LBNL, or require additional controls, requires prior written approval from NERSC.

Users are solely responsible for protecting data stored on NERSC resources. 

NERSC does not guarantee that your data is protected against destruction.

Relevance to an Active Project

All work done using NERSC resources, including the use of Workflow Services, must be directly relevant to an active NERSC project. The operation of Workflow Services shall not be allowed past the normal grace period provided at the end of a non-continuing project.

Data Retention

NERSC reserves the right to remove any data at any time and/or transfer data to other individuals (such as the Principal Investigator) working on the same project once a user account is deleted or a person no longer has a business association with NERSC.

In some cases, NERSC may make backup copies of some files. When backup copies are made, NERSC reserves the right to hold such copies indefinitely or to delete them at its discretion. If you have data which you do not want backed up, you may request NERSC to exclude specific directories from backup.

Monitoring and Privacy

Users have no explicit or implicit expectation of privacy. NERSC retains the right to monitor, and actively monitors, the content of all activities on NERSC systems and networks, and retains the right to access any computer file without prior knowledge or consent of users, senders or recipients.

NERSC may retain copies of any network traffic, computer files or messages indefinitely without users' prior knowledge or consent. NERSC may, at its discretion, share information gathered through monitoring with the Department of Energy, University of California, other incident response organizations, and local, state, federal, and international law enforcement organizations.

Principal Investigator (PI) Responsibilities

NERSC provides a variety of resources and services to support complex workflows and the exchange and dissemination of research data, such as APIs, data transfer services, web systems, database systems, and others. Users of these resources and services agree to adhere to the additional requirements outlined in this section as well as relevant best practices in software development and security in order to prevent unauthorized use of computing and storage resources.

Primary Responsibility

Project PIs bear primary responsibility for

  • Proper use of NERSC Resources within their project, including but not limited to
    • use of compute and storage allocations
    • networked or automated use via API
    • data transfer tools
    • EODF tools
  • Authorizing users to join the project
  • Ensuring that all code, scripting, automation, and components in their project are developed securely and maintained
  • Workflow Services used in conjunction with their project
  • Ensuring that project members are in compliance with the requirements in this policy document.
  • Ensuring that an up-to-date Institutional User Agreement between their institution and Lawrence Berkeley National Laboratory is on file if required (see below section on Institutional User Agreements).

In addition, for projects that operate EODF Workflows or Workflow Services (as defined in the Definitions section), PIs also hold responsibility for

  • Vetting and authorizing users and collaborators to access NERSC resources and/or project data
  • Ensuring that indirect users of NERSC resources are in compliance with the requirements in this policy document.

Contact Information

Maintain on file with NERSC up-to-date contact information for the following people associated with the project:

  • Principal Investigators (PI)
  • PI Proxies (who may serve as alternate emergency contacts)
  • Project Members
  • Other contact information requested by NERSC

Service Approval

Obtain NERSC approval for the deployment of externally accessible systems or services that allow any of the following:

  • Performing user authentication/authorization
  • Writing data on NERSC systems
  • Utilizing compute resources

Institutional User Agreement

An Institutional User Agreement between Berkeley Lab and the project's sponsoring organization (generally, the organization where the PI is employed) is required if the project is not federally (U.S.) funded, operates EODF workflows, or is involved in proprietary research (which is only permitted under exceptional circumstances and with written permission from the NERSC Director).

Documentation

Maintain up-to-date documentation of the project.

Documentation should include, at a minimum,

  • How NERSC resources are used
  • Procedures for ongoing software maintenance
  • Description of vulnerability management procedures
  • Description of the access controls for users and administrators
  • Description of any user vetting and approval process
  • Description of any authentication/authorization that is performed
  • Description of audit logging procedures

This documentation shall be provided to NERSC as part of the approval process.

Vetting Process

Users of EODF workflow and/or Workflow Services must be vetted and approved by either

  1. a DOE facility, or
  2. an alternate process, approved by NERSC, which is coordinated by relevant project PIs.

Prevent Unauthorized Access

PIs must take necessary steps to ensure that unauthorized access does not occur in their use of Workflow Services and NERSC resources.

Encryption

Use of strong encryption is required for publicly accessible resources and communication between Workflow Services and NERSC resources.

Audit Logs

Authentication logs and other relevant auditing data on usage must be retained for a period not less than one (1) year and must be provided to NERSC staff on request.

Writing Data to NERSC Systems

All write access on NERSC systems must be performed by an authorized user in a project.

Users are prohibited from providing write access on NERSC systems to non-NERSC users unless they have been granted approval by NERSC. Periodic review of such approval will be required, and approval may be revoked if usage policies are violated or if the circumstances under which the approval was granted change.

Critical and High Software Vulnerabilities

Systems or services based on Workflow Services that interact with NERSC resources must be kept free of Critical and High vulnerabilities as defined by the NIST Vulnerability Database (NVD), or as otherwise deemed an unacceptable risk by NERSC.

In the event that a security vulnerability is discovered:

  • Remediation must proceed according to the timeline communicated by NERSC staff.
  • NERSC reserves the right to shut down such systems and services without prior notice.

Annual Review

An annual review of approved systems or services may be required and access may be revoked if usage policies are violated or if the circumstances under which the approval was granted change.

Definitions

Collaboration Account - Collaboration Accounts are designed to facilitate collaborative computing by allowing multiple users to use the same account; see also https://docs.nersc.gov/accounts/collaboration_accounts/.

Credential - A credential is a verification of identity, qualification, or authorization typically used to grant access to systems, services, or information.

Experimental and Observational Data Facilities (EODF) Workflow - EODF workflows often use NERSC resources in specific and constrained ways on behalf of the facility end users they support. For example, science gateways or workflow managers often store or retrieve data in specific formats or submit compute jobs using specific codes with different data sets.

Federated Identity (FedID) - Federated identity is the means of linking a person's identity across multiple organizations; see also https://docs.nersc.gov/connect/federatedid/.

Multi-Factor Authentication (MFA) - Multi-Factor Authentication (MFA) is a security system that requires more than one method of authentication to verify a user's identity for a login or other transaction.

NERSC Resources - Any system, network, storage, software, tool, or service provided by NERSC.

Principal Investigator (PI) - The Principal Investigator, commonly referred to as the PI, is responsible for the project and for managing any resources awarded to the project.

Secrets - Items that store sensitive information such as passwords, access tokens, authorization keys, secret keys.

Username - A unique identifier for a user.

Workflow Services - Any network service, whether hosted inside or outside of NERSC, that operates in conjunction with NERSC compute or storage systems, including but not limited to services that provide callable APIs, automation, data management or movement, or web hosting.

 

NERSC Appropriate Use Policy, revision 4.0, date: January 1, 2025