Sample of a "Standard" Security Safeguard Plan (SSP)
(Must be prepared on official letterhead of the end-user organization)
High Performance Computer (HPC) Security & Safeguard Plan
XYZ and Company
123 Under Water Blvd.
W100 Server with 16 processors with an APP of 0.80 WT
Underwater weather forecasting
This Security Safeguard Plan certifies that the end-user will not use the item subject to this license for any of the unauthorized activities listed below and will adhere to the safeguard conditions as they appear herein:
- The computer system will only be used for those activities approved by the U.S. Department of Commerce, Bureau of Industry and Security (BIS).
- No use of the item subject to this license is authorized for any of the activities listed below:
- National security work not authorized by the government of the exporting country.
- The design, development, production or use of:
- Any nuclear explosive device, including any component or subsystem specially designed for such a device.
- Complete rocket systems or unmanned air vehicle systems capable of delivering weapons of mass destruction, including any specially designed component or subsystem of such devices. A delivery system for weapons of mass destruction is defined to include any complete rocket system (including ballistic missiles, space launch vehicles, and sounding rockets) or unmanned air vehicle system (including cruise missile systems, target drones, and reconnaissance drones) that is intended to deliver nuclear, chemical, or biological weapons.
- The design, development, production, use or maintenance of:
- A nuclear fuel cycle facility (including facilities engaged in nuclear propulsion and related activities) or heavy water production plant in a country not party to the Nuclear Non-proliferation Treaty.
- Any facility for the production of chemical or biological weapons.
- There will be no reexport or intra-country transfer of the computer without prior written authorization from the U.S. Department of Commerce, Bureau of Industry and Security (BIS).
- No change (aggregation or upgrade) may be made to this equipment that would further increase the Weighted TeraFLOPS (WT) value without prior BIS authorization.
- The end-user will ensure that the appropriate security measures are implemented and the computer system will be housed in a secure facility and protected against theft and unauthorized entry at all times.
- The computer will run the necessary software to: permit access to authorized personnel only; detect attempts to gain unauthorized access; set and maintain limits on usage; establish accountability for usage; and generate logs and other records of usage. The software will also maintain the integrity of data and program files, the accounting and audit system, the password or computational access control system, and the operating system itself.
- The security personnel will undertake and be responsible for the following measures:
- Ensuring the establishment of a system to ensure round-the-clock monitoring for computer security;
- Ensuring the inspection, as necessary, of any program to determine whether the program conforms with the conditions of the license. If not, the security personnel shall remove the program from the system;
- Ensuring the inspection of usage logs to the extent necessary to ensure conformity with the conditions of the license and the retention of records of these logs for at least two years.
- Establishing the acceptability of all users in conformity with authorized end-uses.
- Supervising the following key tasks:
- Establishment of new accounts and the assignment of passwords
- Changing the passwords for individuals frequently and at unpredictable intervals, and ensuring the right to deny passwords to anyone. (Passwords will be denied to anyone whose activity does not conform to the conditions of the license. Misuse of passwords by users will result in denial of further access to the computer.)
- Maintaining the integrity and security of tapes and data files containing archived user files, log data, or system backups.
- Computers may not be accessed either physically or computationally without prior authorization by the U.S. Government by nationals of Cuba, Iran, Libya, N. Korea, Sudan, Syria. However, commercial consignees as described in Supplement 3 to Part 742 of the EAR are prohibited only from giving such nationals user-accessible programmability.
- "Remote Computational access" to the computer systems is not permitted unless authorized by the U.S. Department of Commerce, Bureau of Industry and Security (BIS). (Note: If "remote computational access" is permitted, the end-user must take appropriate steps to protect the computer system and to maintain audit trails of all users.)
"Computational access" is the ability to create, load, or execute a program. This function includes any system administration capabilities. Computational access does not include the ability to retrieve stored data or the ability to enter and receive transactional data to an approved program (e.g., banking transactions).
- The end-user must immediately report any security breaches or suspected security breaches to the exporter's representatives.
- The end-user will cooperate with any post-shipment inquiries or inspections by the U.S. Government or exporting company officials to verify the disposition and/or use of the computer. Security personnel will maintain data on the computational access usage of the computer (as required by provision 7c) and security related events. Such data will be retrievable and available for review by BIS and will contain data covering at least two years prior to the receipt of any review request.
- The end-user will cooperate with the U.S. Government concerning the physical inspection of the computer using facility on short notice and will provide access to all data relevant to computational access usage. This inspection will include:
- Analyzing any programs or software run on the computer to ensure that all usage complies with the authorized end-uses on the license;
- Checking current and archived computational access usage logs for conformity with the authorized end-uses and the restrictions imposed by the license; and
- Verifying the acceptability of all computer users in conformity with the authorized end-uses and the restrictions imposed by the license.
This is to certify that XYZ and Company and all the remote access end-users will not use the W100 Server for the unauthorized activities listed above, and will adhere to the safeguard conditions and perform the undertakings as prescribed in this security plan.