Policy On Computing

1.  Purpose

The purpose of this policy is to ensure that Fermilab, as operated by Fermi Research Alliance, LLC (FRA), operates an effective and efficient computing and networking environment; maintains an open environment supporting global collaboration and innovation and free exchange of scientific information; guards Fermilab’s reputation and protects its computing systems, data, and operations against attacks and unauthorized use; and ensures compliance with all applicable mandates, directives, and legal requirements for computing. 

2.  Scope

This policy covers all Fermilab-owned computers and any device, regardless of ownership, when it is connected to our network (and/or showing a Fermilab address or representing Fermilab). Internet of Things and other discrete electronic devices that are not on the general network, and devices used in safety instrumented systems, are not governed by this policy.

3.  Applicability

This policy applies to all individuals using a Fermilab-managed device and other devices when connected to the Fermilab network or when processing or accessing Fermilab data.

4.  Effective Date and Date Reviewed/Updated

This policy went into effect on October 18, 2005, and its update was effective on July 19, 2023. 

5.  Policy

All individuals are responsible for the actions of any person whom they permit to use Fermilab computing or network resources through an account assigned to them or when processing or accessing Fermilab data.


a.  Appropriate Use

All individuals are required to behave in a way that maintains the security of Fermilab's computing environment. Unauthorized attempts to gain computer access; to damage, alter, falsify, or delete data; to falsify email or network address information; or to cause a denial of computing or network service are forbidden. Fermilab computers should only be used for Fermilab business, with exceptions made for limited incidental use consistent with this policy.


The following activities and uses are explicitly not permitted:


- Legally prohibited activities

- Activities that reasonably offend other FRA employees, users, affiliates, subcontractors, or outsiders, or that result in public embarrassment to Fermilab

- Activities in support of an ongoing private business

- Any activity involving sexually explicit material

- Resource usage that is not specifically approved and which consumes amounts of computer resources not commensurate with its benefit to Fermilab’s mission or which interferes with the performance of the device user’s assigned job responsibilities

- Downloading or use of unlicensed software, or of copyrighted works for which no license is held for that device

- Violation of licenses, copyrights, and other computer-related contract provisions


More details about Fermilab's appropriate use policy can be found in the Cybersecurity Acceptable Use Policy.


b.  Information Handling

All users must comply with Fermilab policies dealing with information categorization and protection. See the Information Categorization and Access Policy.


c. Data Integrity and Backup

Data owners are responsible for determining data protection and recovery needs and for coordinating a backup plan.


d. System and Node Registration

All devices connected to the Fermilab network must be registered and have a registered system administrator with an up-to-date email address. The system administrator is the individual responsible for applying security patches to the device and choosing its system configuration.


Individuals may temporarily register their non-Fermilab-owned devices when they first connect to the Fermilab guest Wi-Fi network.


e. Virus Protection, Patching and Configuration Management Policy

All Fermilab-owned or network-attached systems must use appropriate endpoint protection (e.g., anti-malware, local packet filtering, removal of unnecessary network services) as specified in the Endpoint Protection Policy and the Site Anti-Virus Policy.


Computing systems should be running recent and supported versions of operating systems with the latest patches applied, regardless of network connectivity. The applicable systems will be monitored for compliance.


In some circumstances, it may be necessary to continue to run an obsolete operating system. In such cases, the user of the system must obtain a baseline variant and document the reasons why the system cannot be brought up to date and how the system is protected so that it provides the same level of security as the baseline configurations. Certain services, such as web servers, cannot be offered on such obsolete systems.


The Fermilab Computer Information Security Officer (CISO) may declare that a configuration requires updates because it has an FNAL Declared Vulnerability. The device owner or system administrator is required to take immediate action to remove FNAL Declared Vulnerabilities from systems under their control. Failure to comply will result in the system being blocked from network access. See the current list of FNAL Declared Vulnerabilities.


f. Access Control

All applications must support appropriate levels of authentication and authorization. Any system allowing arbitrary program execution or data transfer requires authentication consistent with the Fermilab Authentication Policy. Use of certain applications may be restricted.


Computer or device users must follow the "least privilege required" principle when conducting activities that require elevated privileges: use administrative or root accounts only for the task that needs them and only for limited periods of time, and perform everything else from an unprivileged account.


Computer or device users must not allow anyone else to know or use their Fermilab passwords. Do not transmit passwords across the network, such as over email, without strong encryption.


Each of your Fermilab accounts should have a unique password that is not the same as a password used for any non-Fermilab service. If you use a password manager, the Cyber Office requires that the password manager be protected with multi-factor authentication.


g. Restricted Central Services

Services that would create a significant security risk or would interfere with the operation of site computing or networking infrastructure can only be operated by the Information Technology Division (ITD), unless authorized by the CISO and the Fermilab Chief Information Officer (CIO).


For example, the following services may only be implemented by the Information Technology Division:

- Tunneling, except tunnels with a single source or destination for purposes of mobility or security

- Routing and bridging. This includes, but is not limited to, physical cabling to bridge multiple networks or configuring electronic devices (e.g., computers, laptops, Raspberry Pis, etc.) to act as a router.

- DHCP servers

- Wireless access points

- Assignment of IP host names and addresses. (Use of automatic configuration mechanisms provided by Fermilab networking, such as DHCP, is not restricted.)

- DNS zone mastering and all externally reachable DNS services

- NTP time service at stratum 1. (Stratum 2 server operation is discouraged.)

- NNTP

- Externally-reachable or onsite email servers, including SMTP, POP, and IMAP

- Kerberos key servers

- Active Directory servers

- Authentication services


Specific exemption from these restrictions must be requested through the Service Desk and may be granted only by the CISO and the CIO. Exemptions granted to device owners who are not FRA employees require the concurrence of the CIO.


Furthermore, all externally visible web services must abide by the Information Categorization and Access Policy and should only be offered on one of the central Fermilab web servers. See the article with detailed information about the Public Zone.


This will require up-to-date security scans demonstrating that the proposed web server runs on a secure device. Web traffic to servers other than registered ones will be blocked at the site border.


Externally visible Globus gateways must also be registered and approved before being put into operation and will normally be restricted to the Open Science Enclave.


h. Bypassing Information Technology Division Services

When performing Fermilab business, a user must use the central services offered. Attempts to use third-party services or applications that duplicate those offered by central services may result in the service or application being made unavailable by proactive controls, and it may be blocked from the Fermilab network.


A current list of such external services and the actions resulting from attempted access can be found in the Fermilab Restricted Central Services Policy.


i. Encryption Standards

Encryption standards are covered in the Encryption Standards Policy.


j. Policy Enforcement

Individuals who violate this policy will be denied access to the Fermilab computing and network facilities and may be subject to further disciplinary action depending on the severity of the offense.


Computing systems that have FNAL Declared Vulnerabilities, that exhibit unusual network behavior typical of hacking activity, or that are otherwise in violation of this policy will be blocked from network access until the condition is mitigated.


k. Software Intellectual Property (Licenses)

It is Fermilab policy to respect the intellectual property rights of others. License provisions are to be followed.


l. Waiver of Privacy Rights

In using systems owned by Fermilab or attached to the Fermilab network, users waive their rights of privacy with respect to information on those systems and accept the possibility of loss, damage, or disclosure of any data, including their own, on those systems.


6.  Definitions

Fermilab: Physical site and property that is the Fermi National Accelerator Laboratory.


Fermi Research Alliance, LLC: Operator and manager of the Fermi National Accelerator Laboratory under Department of Energy Prime Contract No. DE-AC02-07CH11359 and the principal employer of personnel working at Fermilab.


Fermilab network: Any network service managed by Fermilab.


Internet of Things: The collective network of non-computing devices connected to the Internet.



7.  Responsibilities

Data owner: is responsible for determining what data requires protection and how that data is to be recovered if the online copy is destroyed (either by accidental or malicious damage).

Device owner: is responsible for registering devices attached to the Fermilab network.

Device user: is responsible for following the Policy on Computing when using their computing device.

System administrator: is the individual responsible for applying security patches to the device and choosing its system configuration.


8.  Authorities

DOE Order on Cybersecurity 205.1c


9.  Owner

The CIO is the owner of this policy. 


10.  Review Cycle

This policy shall be reviewed every three years.


11.  Communication Plan

The requirements of this policy shall be communicated to all FRA employees, Fermilab users and affiliates, authorized guests, and subcontractors and their employees. This policy shall be available online in the Fermilab policy database. The CIO is responsible for the communication of this policy.


The approved version of this policy can be found at the following URL:

https://cd-docdb.fnal.gov/cgi-bin/sso/ShowDocument?docid=1186