Data Security Policy

You must understand and abide by NREL’s Data Security Policy to use its high-performance computing (HPC) systems.

NREL HPC systems are operated as research systems and may only contain data related to scientific research. These systems are categorized as Low-impact under FIPS 199 and are protected to the NIST SP 800-53 Low security control baseline.

Policy Terms

NREL HPC systems control data access via username and password authentication for network access, and via UNIX directory and file permissions for data storage. Neither the network nor the storage systems provide encryption of their own. Users are responsible for protecting their data files and, by using the systems, agree that NREL's HPC security control implementation is sufficient for their work. In addition, these systems may not store or process export controlled data.
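Because file and directory permissions are the only storage-level control the policy describes, the practical check a project should run is whether anything in its tree is readable, writable or traversable by users outside the project. The following POSIX shell functions are an added example written for this page, not NREL tooling; the project path in the usage comment is hypothetical, so substitute your own. Group access is deliberately left intact so collaborators in the project group keep theirs.

```shell
#!/bin/sh
# Audit a project directory for paths whose mode grants any permission to
# "other", and optionally close them. Added example, not NREL's own script.

# Print every path under $1 on which "other" has read, write or execute.
# Three octal tests are used instead of GNU find's -perm /007 so this runs
# with any POSIX find.
audit_world_accessible() {
    dir=$1
    find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of world-accessible paths under $1; "0" means the tree is closed
# to users outside the owner and group.
count_world_accessible() {
    audit_world_accessible "$1" | wc -l | tr -d ' '
}

# Strip all "other" bits recursively. Owner and group bits are unchanged,
# so project members keep the access they already have.
restrict_to_owner_and_group() {
    chmod -R o-rwx "$1"
}

# Make new files closed by default for the rest of this shell session:
# owner gets rw, group and other get nothing. Add to your login shell's
# rc file if the project wants closed-by-default data.
umask 077

# Usage (hypothetical path):
#   audit_world_accessible /projects/myproj
#   restrict_to_owner_and_group /projects/myproj
```

Run the audit before and after bulk data ingests; a non-zero count from `count_world_accessible` is the cue to run `restrict_to_owner_and_group` or to fix the offending paths by hand.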

As a data owner, you must determine the sensitivity and impact level of your data. The impact level is Low, Moderate, or High. Data may also be categorized as sensitive or non-sensitive; personally identifiable information (PII), such as social security numbers, is one example of sensitive data.

Principal investigators, data owners, users, and project delegates who use these systems, or who oversee projects that use them, are strictly responsible for maintaining a "Low" categorization for all project data ingested or generated, for ensuring that none of the data or information falls under Export Control, and for knowing whether their project generates any of these prohibited data types. For questions, contact: hpc-help@nrel.gov.

Security categorization levels are described in the Federal Information Processing Standards Publication (FIPS) titled "Standards for Security Categorization of Federal Information and Information Systems", commonly referred to as FIPS 199.

NREL's HPC systems do not contain personally identifiable information (data that falls under the Privacy Act of 1974, 5 U.S.C. § 552a). Use of these resources to store, manipulate, or remotely access any national security information is strictly prohibited. Authors, generators, and owners of information are responsible for its correct categorization.

The categorization of your data is your responsibility. As noted above, guidelines on how to categorize information are set out in FIPS 199. The following excerpt from FIPS 199 gives a high-level summary of the three impact levels:

FIPS Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The application of these definitions must take place within the context of each organization and the overall national interest.

The potential impact is LOW if

— The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals. (Note: Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law.)

The potential impact is MODERATE if

— The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.

The potential impact is HIGH if

— The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.
