Security Requirements
Minimum Security Requirements and Best Practices
Below are some of the important rules to remember:
- Computers, software, and communications systems provided by NERSC are to be used only for DOE-sponsored work (as determined by the PI's DOE Program Manager). Use of NERSC resources to store, manipulate, or remotely access any national security information is prohibited. This includes, but is not limited to, classified information, unclassified controlled nuclear information (UCNI), naval nuclear propulsion information (NNPI), the design or development of nuclear, biological, or chemical weapons or of any weapons of mass destruction. Personally identifiable information (PII) and HIPAA data are also prohibited from NERSC user systems.
- The use of NERSC resources for personal or non-work-related activity is prohibited. NERSC systems are provided to our users without any warranty. NERSC will not be held liable in the event of any system failure or loss of data.
- NERSC users are required to use Multi-Factor Authentication (MFA) for logging into NERSC resources.
- All passwords used on computer systems must meet the DOE and NERSC requirements.
- Passwords and usernames must NOT be shared under any circumstances. Users who share their passwords or usernames will have their access to NERSC disabled. Users should not leave clear-text passwords in a location accessible to others, or in a location whose protection is less than that required for protecting the information that can be accessed using the password.
- Passwords must be changed:
  - At least once every year.
  - On direction from NERSC staff.
  - Immediately after someone else has obtained your password (do NOT give your password to anyone else).
  - As soon as possible, but at least within one business day after a password has been compromised or after you suspect that a password has been compromised.
- Exposure of passwords and suspected compromises must immediately be reported to NERSC at security@nersc.gov.
- Users must ensure that appropriate physical security measures are taken to protect their computers and any portable media from unauthorized access, manipulation, or theft.