Data Security

Per the Federal Information Security Management Act and provisions of mandatory Federal Information Processing Standards (FIPS) 199 and NIST Security Plan 800-60, NORC’s Data Enclave system impact levels have been determined as follows:


| Sensitivity Element | Impact Rating | Short Description of Basis for Rating |
|---|---|---|
| Confidentiality | Moderate | The Data Enclave contains information of a proprietary nature. If this proprietary information were disclosed, it could result in serious loss of customer trust for NIST. |


  • Employee Security Requirements. All NORC Data Enclave employees must undergo annual IT security awareness training in DOC IT policies, procedures, computer ethics, and best practices, in accordance with DOC IT Security Program Policy, section 3.13.
  • Rules of Behavior Requirements. NORC is in compliance with DOC IT Security Program Policy, section 4.5 and the NIST IT Security Management Handbook, including section 8.3 regarding policy on rules of behavior. The NIST Policy on IT Resources Access and Use must be followed for rules of behavior for this system. Users must have received and signed the rules of behavior prior to receiving authorization to access this system. All NORC employees must sign a Confidentiality/Professional Ethics statement. NIST staff and all external researchers also must sign a confidentiality statement.
  • Nondisclosure Agreements. In addition to internal NORC confidentiality and ethics statements, all NORC Data Enclave employees must sign project-specific Non-disclosure Agreements as specified in Commerce Acquisition Regulation (CAR) 1352.209-72, Restrictions Against Disclosures.
  • IT System Security Requirements. NORC is in its 3rd year of operating under a NIST-approved System Certification and Accreditation (C & A) package, including an IT Security Plan and a system certification test plan, as outlined in DOC IT Security Program Policy, Section 6.5.2. NORC's Data Enclave IT Security Plan is fully compliant with the Federal Information Security Management Act and the provisions of mandatory Federal Information Processing Standards (FIPS), and meets all of NIST's IT, data, system and physical security requirements.
  • Applicable Laws and Regulations Affecting Data Enclave. The system is subject to the DOC IT Security Program Policy and Minimum Implementation Standards along with the IT security laws and federal regulations noted in Appendix A of that document including:
    • Public Law 107-347 E-Government Act of 2002 (FISMA included)
    • Public Law 200-253 Computer Security Act of 1987
    • OMB Circular No. A-130, Appendix III, Security of Automated Information Resources
    • Department of Commerce Administrative Orders and
    • NIST Administrative Manual Chapter 11.02 and the NIST IT Security Management Handbook.
    • Public Law 107-347 E-Government Act of 2002, Title V: Confidentiality Information Protection and Statistical Efficiency Act (CIPSEA).