NOAA :: Acquisition & Grants Office

CSTARS ORSI Registration Form










Submitting this form states that you have read and agreed to the following Rules of Behavior:

Rules of Behavior
U.S. Department of Commerce
Commerce STandard Acquisition Reporting System
(CSTARS)
2005

Introduction

The following rules of behavior apply to all CSTARS clients. The rules clearly delineate responsibilities of and expectations for all individuals with CSTARS access. If you violate these rules, you may be subject to sanctions commensurate with the level of infraction. Actions may range from a verbal or written warning to loss of system access for a specific period of time, reassignment to other duties, or termination, depending on the severity of the violation.

Responsibilities

The Director of Commerce Acquisition Systems Division is responsible for ensuring appropriate protection for CSTARS through a combination of technical, administrative and management controls. The Director develops policies and procedures, ensures the development and presentation of user and contractor awareness sessions, inspects, and spot-checks to determine that an adequate level of compliance with security requirements exists. The Director is responsible for periodically conducting vulnerability analyses to help determine if security controls are adequate. Special attention will be given to new and developing technologies, system components and application upgrades and revisions that may affect CSTARS security posture.

Policies and Procedures

These rules of behavior do not replace existing policy; rather, they are intended to enhance and clarify specific rules each client must follow while accessing CSTARS. The rules are consistent with the policy and procedures described in the following directives:

  • DOC Guidance & Policy
    • Password Management Policy
    • Remote Access Security Policy and Minimum Implementation Standards
    • Internet Use Policy
    • Information Technology Management Handbook
    • Peer-to-Peer File Sharing Policy
    • Computer Security Incident Handling
  • NIST Guidance
    • Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems

Application Rules

Purpose and Scope: I understand I am being granted permission to access CSTARS and that my use of this access may be monitored by DOC for compliance with this policy. I have completed DOC or NOAA IT security training within the last 12 months, and I hereby attest that I have read and understand the DOC or NOAA IT Security policies for remote access and password management.

I am aware of my responsibility to comply with the following rules of behavior:

1. Use Strong Passwords
Requirement: your CSTARS password should be at least 8 characters in length and contain at least one number and one special character to help prevent password guessing or cracking through brute force methods.
2. Turn off "Remember Password" function in Microsoft desktop operating system (Windows 98, Windows 2000, Windows XP)
Requirement: CSTARS Users must configure their computers to not "remember" or save DOC passwords.
3. Protect Usernames and Passwords
Requirement: You must not share or reveal CSTARS usernames and passwords to anyone (including family members) to prevent unauthorized access to DOC IT systems and data.
4. Prevent 'Shoulder-Surfing'
Requirement: You must shield entry of authentication information (userid and password) from "shoulder-surfers," as though shielding entry of a PIN at an ATM machine.
5. Use Password-Protected Screensavers
Requirement: You must protect your computer against unauthorized access by using password-protected screensavers when idle for a duration of 15 minutes.

Remote Access

I understand this remote access may be allowed in conjunction with a separate approved request for teleworking.

I am aware of my responsibility to comply with the following rules of behavior:

1. Terminate Connections when not in use.
Requirement: You are required to terminate connections to DOC applications when not being used.
2. Clear Browser Cache
Requirement: You must clear browser history and cache and close browser when finished with remote access needs. [For example, with Internet Explorer, select the "Tools" menu, then select "Internet Options," under the "General" tab, select Temporary Internet Files > "Delete Files," and History > "Clear History," then click "OK" and close the browser.]
3. Save Government Information Appropriately
Requirement: You must not save Government information and applications to the local hard drive of the remote access computer.
4. Do Not Use Remote Access Computers as Servers
Requirement: You must not use remote access computers as servers (e.g., web servers, private e-mail servers, File Transfer Protocol (ftp) sites, or chat servers), or connect the computer to other networks, including wireless networks, while connected to the DOC network.
5. Do Not Use Public-Access Equipment
Requirement: Use of public-access equipment is prohibited. Public-access equipment is defined as computers and other hardware devices owned by a party other than the Department of Commerce or the remote user, to which unrestricted access by the public is allowed. For example, remote access from a PC located in a public library is prohibited.
6. Maintain Antivirus Software
Requirement: Install, regularly update (at least monthly), and run antivirus software on equipment that supports such software.
7. Maintain Security Patches
Requirement: Install and regularly update (at least monthly) security related patches on devices that can be patched. This includes
8. Maintain Personal Firewall
Requirement: Install personal firewalls on all remote access computers connected to the Internet.

Telecommuting from Home

Each operating unit needs to evaluate several issues before granting CSTARS access from an employee's home:

  • The employee needs to address appropriate environment and safety considerations as indicated in the written and signed Telecommuting agreement between the employee and his or her operating unit. The operating unit may need to include an additional written agreement specific to proper use of CSTARS within the home office environment.
  • CSTARS access should only be accomplished through a computer configured and issued to the employee for this specific use. If the employee's operating unit permits use of an employee's computer to access CSTARS, the computer needs to have the appropriate firewall and virus detection software installed that is used consistently and updated regularly.
  • Each operating unit may require strengthening the authentication process to include two-factor processes such as tokens. This may be used for both web-based and dial-in access.

Dial-In Access - Individual operating units may, based upon their specific requirements, extend remote access to CSTARS through OCS facilities.

Connection to the Internet - DOC personnel may have privately acquired access to the Internet. Operating units should ensure that the user authentication required for access is adequate to protect CSTARS programs and data. If such access is allowed, the operating unit will document all external connections to ensure access to CSTARS is limited to authorized points of entry.

Protection Of Software Copyright Licenses - All copyright licenses associated with the COTS CSTARS software (Comprizon.Buy) are complied with by DOC personnel, as well as by contractors responsible for developing and maintaining CSTARS. DOC requires that all copyright licenses for all PC-based and LAN-based software used by CSTARS program personnel and contractor personnel are understood and that these personnel comply with the license requirements. End users, supervisors, and function managers are ultimately responsible for this compliance.

Unofficial Use Of Government Equipment - Users should be aware that personal use of information resources is not authorized.

Protection of Data: I hereby affirm and acknowledge my responsibility to ensure the confidentiality, integrity, and availability of all forms of Government information in accordance with DOC IT Security Policy and the DOC Security Manual, in a manner consistent with its sensitivity.

Computer Incidents: I also acknowledge the possibility, however small, that such information could potentially be viewed or downloaded by others than myself because of my remote access. I fully understand that it is my duty to exercise due care in protecting this information and to immediately report an unauthorized disclosure or compromise to my supervisor and the DOC CIRT so that appropriate procedures may be initiated.

I further understand that, after proper coordination with law enforcement authorities, the Government may temporarily seize the device used to gain remote access for the purposes of forensic examination and sanitizing of compromised information. Additionally, during this process I understand there exists a risk that system files and programs may be erased or damaged, or that unintentional damage may occur to the computer hard drive. I hereby waive all claims against the Department of Commerce, the Federal Government, and individual officers, employees, agents and contractors thereof, arising out of necessary security procedures and actions with respect to personally owned IT equipment and any such damage to, or erasures of personal data.


National Oceanic and Atmospheric Administration
CBS / ORSI / CSTARS User Security Agreement
For Users of the NOAA Instance

Purpose and Scope: I understand I am being granted permission to access unclassified IT systems as specified below, and that my use of this access may be monitored by NOAA for compliance with this policy. I have completed DOC or NOAA IT security training within the last 12 months, and I hereby attest that I have read and understand the DOC or NOAA IT Security policies and the End User Responsibilities for these systems. I agree to comply with these policies. I understand that my failure to comply with these policies may result in termination of my access privileges and/or disciplinary action.

Protection of Data: I hereby affirm and acknowledge my responsibility to ensure the confidentiality, integrity and availability of all forms of Government information in accordance with DOC or NOAA IT Security Policy and the DOC or NOAA Security Manual, in a manner consistent with its sensitivity. I hereby affirm and acknowledge my responsibility to adhere to the CBS / ORSI / CSTARS End User Responsibilities.

End User Responsibilities: Information contained in CBS / ORSI / CSTARS is not to be accessed or released to other than authorized individuals within NOAA. Much of the information included in the C-Request Module (the requisitioning module) is acquisition sensitive and is not to be made available outside of NOAA, verbally or in writing, to any individual, organization or business, without the specific written concurrence of the Head of the Contracting Office servicing the requisitioner. Release of information contained in the C-Request Module within NOAA should be to appropriate individuals with a specific need to know (e.g., line/staff office management, NOAA budget personnel, NOAA senior management).

I acknowledge receipt of, understand my responsibilities pertaining to and will comply with the CSTARS rules of behavior.


By Submitting this Form I affirm that I have read, understand and accept the Rules of Behavior for accessing and using the web based requisitioning system, C.Request.

 


