Applications can be for a user account or access to datasets and tools listed in the Data Catalog. The ICC reviews each application to ensure that it conforms to the submittal criteria, that all requested information has been provided and that all necessary signatures are properly affixed before starting the approval process.
If the application does not meet the submittal criteria, the ICC will return it to the requester, who may then revise it and resubmit.
Account requests are submitted using a form on the portal. Exhibit 1 shows the high-level process, including the international process, for reviewing and approving account requests.
Applications for accounts on the IMPACT system are reviewed by the ICC and, following a role-specific process and criteria. Applications for accounts default to the researcher role.
The process for each of the account request types is:
When an account request is submitted, the ICC will vet the researcher's organization to determine if it meets established acceptance criteria. (See also "Organizations") Once the organization has been validated, the ICC will email the researcher's Point of Contact (POC) to confirm the affiliation. If there is no response to the email after five days, the ICC will inform the researcher that the POC has not responded. If there is no response from the POC after three additional days, the ICC will call the researcher. If there continues to be no response after five days, the account request will be canceled. The entire account approval process could take up to 14 working days, depending on POC response time.
When an account request from a non-U.S. researcher is submitted from a DHS-approved international location, the IMPACT Approval Coordinator (IAC) for the location will vet the application to determine if the applicant meets established acceptance criteria before the ICC completes the account request process. If the applicant is not located in a DHS-approved location, the account request will be denied. (See also "International Organizations")
Data/tool Hosts will apply for an account on the portal, following the Researcher protocol. In conjunction with the account request, the ICC will work with the host to execute an MOA. After the account has been approved, the ICC will set an additional role for Host.
Data and tool providers will apply for an account on the portal, following theResearcher protocol. In conjunction with the account request, the ICC will work with the provider to execute an MOA. After the account has been approved, the ICC will set an additional role for Provider.
Other specialized roles are available, subject to ICC or DHS approval. These accounts are created by the ICC as administrator of the portal.
Requests may be submitted for each class of data/tool described in the Catalog.
Dataset requests are submitted for access to sub-categories of data using a form on the portal. If a request for access to a sub-category is approved, the researcher may also choose additional datasets in the approved sub-category at a later time without submitting a new dataset request.
Unrestricted (Commercial or Non-Commercial) Data/Tool
Quasi-restricted (Commercial or Non-Commercial) Data/Tools
Requests for quasi-restricted data/tools follow a path similar to the unrestricted applications but are only released if approved by the Provider. (Exhibit 3
Restricted data and tool requests are reviewed by the ICC and the relevant provider, which examines whether the requests are logical choices for the proposed research project. (Exhibit 4 ) The ICC and provider do not judge the merits of the research project itself. Requests for additional datasets in an approved sub-category are automatically approved by the ICC.
The review period for a request for all restricted or quasi-restricted data and tool classes is about 72 hours after the application is complete. The complete application will consist of a dataset/tool request form filled out online, a TOU (quasi-restricted) and an MOA (restricted) signed by the applicant.
Applications for any quasi-restricted or restricted datasets and tools may be fully or partially approved or rejected:
The relevant Providers review applications for any quasi-restricted data/tool. The ToU associated with an approved (either full or partial) quasi-restricted request is delivered to the Researcher with the approval email.
The ICC and relevant provider reviews requests for restricted data and tools. The MoA associated with an approved (either full or partial) application for restricted data/tool is executed by the ICC. The ICC notifies all relevant parties of the request decision.
Notifications of any approval are in the form of system emails that direct the parties to log into the portal to retrieve details of the application from the My IMPACT My Requests page.
In cases where the Provider rejects all or part of an application to use their dataset/tool, the ICC will notify the researcher. When a request is rejected, the notification will include the reason(s) for the rejection if it is available. (See also "Rejections") The researcher may then submit a new application for denied datasets/tools that satisfies the provider's concerns.
If all or part of the request is approved, the ICC notifies the researcher and provides contact information for the Data/Tool Host(s), with details of what has been approved. The ICC also notifies the Host(s) of details of the approved request. Access information may be a URL, contact information for a representative of the hosting site, etc.
The ICC will record and track the approval date, the date the researcher received access information from the ICC, and the date that the researcher accessed the datasets from the Host. The ICC will maintain records of all applications and their dispositions.
If a dataset/tool request is rejected, the Researcher will be notified by email and may be given the reason for the rejection, if available. The Researcher may revise the application based on those reasons and reapply for the dataset(s).
After an application for use of datasets/tools is finalized, the researcher has 12 months from the date the ToU is completed or the MoA is executed to access the datasets/tools and use them for the purpose described in the application. The Researcher may request all or part of the datasets in a sub-category; additional datasets from the approved sub-category may be requested at a later date within the 12-month access period. In the case of restricted data, these requests will be approved without ARB review.
Thirty (30) days before the expiration of this period, the ICC will email the researcher with a reminder that the expiration is approaching and offer an option to reapply for access to the data/tool.
Researchers may extend the use of the data/too for an additional 12 months past the original expiration date by submitting an extension request from the My IMPACT My Requests page. If no extension is requested, the researcher will be required to dispose of the data/tool within 30 days of the expiration date.
The researcher's organization is not an approved organization.
The verification email is not received within the required time period.
Initiate another request at a later date.
|3.||The researcher is not located in a DHS-approved location.||See also "DHS-Approved Locations"|
The Memorandum of Agreement is not received within the stated time period.
Initiate another request at a later date.
The Memorandum of Agreement is incomplete.
Revise the Memorandum of Agreement to include missing or incomplete information.
The proposed research does not justify a need for the data requested.
- Revise the proposal to reflect research that requires the requested data/tool
- Revise the proposal to include data/tool that is required by the research described
The Provider did not approve the request.
Data/tool provider rejection of a dataset request is absolute.
The requester lists persons who will use the datasets outside of an authorized research location.
Requestors must change the research team and/or research location to comply with IMPACT policy to make data available ONLY to approved researchers who are conducting cyber security research in DHS-approved locations, such as the 50 United States and for selected international governments and organizations.
The IMPACT system will notify the researcher and the Data/Tool Host(s) when a request has been approved, directing him/her to the appropriate Host to arrange for delivery or transmission of the datasets/tools requested. Both parties will be asked to verify that the items have been received and or delivered.
The ICC will track the delivery status of each dataset/tool request and intercede as needed to ensure the approved request has been fulfilled.
A Data/Tool Host is an organization that provides computing infrastructure to store IMPACT datasets/tools and coordinates the transmission of those items to approved researchers.
The hosting logistics are worked out between the Host and Provider.
A Host must execute an MoA with the ICC in which the Host provides any special terms and conditions for access to, transfer, handling and storage of the data/tool.
A Host lists terms for accessing the respective datasets/tools in the catalog. Methods of access include, but are not limited to:
Hosts are responsible for all of the Provider's data security and access control requirements to the data/tool.
Hosts must confirm delivery of approved datasets/tools via the My IMPACT Requests for My Hosted Datasets/Tools page on the portal.
Data and Tool Providers make datasets and tools that they own or control available to approved researchers through IMPACT.
Providers submit metadata to the data catalog that describe the datasets/tools in authorized categories and sub-categories. Upon review and approval by the ICC, the metadata describing the datasets/tools are made available in the catalog. There is no limit to the number of items that may be submitted in an available category or sub-category. A list of available data and tool categories and sub-categories, and their descriptions, is posted on the portal.
Before metadata can be submitted, a provider must hold a Provider account on the portal and execute a Provider Memorandum of Agreement with the ICC.
Metadata for datasets and tools are submitted through the IMPACT portal, either manually or by bulk upload following an XML schema provided on the portal.
Manual input of dataset/tool information requires filling out a form for each data/tool category and sub-category that is submitted to the catalog. Multiple listings for a category and sub-category may be uploaded at the same time.
Metadata uploaded to the catalog are reviewed by the ICC before being entered in the catalog. The ICC will make the metadata available after:
Once the metadata have been made available in the catalog, they can be viewed by researchers. If a provider updates its metadata, the newer information will supersede the earlier listing. If a provider withdraws or otherwise cancels a data/tool category, sub-category or dataset/tool, the ICC will remove the metadata from view in the catalog. Providers are responsible for keeping current the status of the dataset(s)/tool(s) they submit.
Providers review and approve or reject requests for access to their datasets/tools.
New or current Providers may offer new datasets/tools to the repository.
The new data/tools are described in a Dataset Submission Form and submitted to the ICC and DHS for consideration. The ICC and DHS, with the help of the IMPACT External Relations Council (PERC), will vet the item to determine if it meets criteria to be included in the repository. The ICC must also determine the category and sub-category of the proposed data/tool.
When the data/tool have been approved for inclusion, the ICC and a new provider will execute an MoA that includes descriptions of the category and sub-category. For established Providers, if these designations are not in the existing MoA, the MoA must be amended. Once the MoA is in place, the category and sub-category will appear in the data catalog and the provider can upload the metadata to the portal using the established schema.
All IMPACT researchers must be affiliated with an organization that is approved by the ICC. Users applying for an account must list an organization, its location and a contact information for an authorized representative who acts as a point of contact (POC) on the online account request form. The POC, on behalf of the organization, confirms that the person has a legitimate need for a IMPACT account.
If an organization has already been approved by the ICC, the account request is submitted for processing subject to the arrival of email verification from the POC. If an organization has not been approved by the ICC, the approval process will follow established acceptance criteria to review the organization. If the organization meets the criteria, it is added to the approved organizations list and the account request is submitted for processing. If the organization is not approved, the requester is notified and the account request is withdrawn.
The ICC may use a number of resources to verify Organizations, including but not limited to:
An organization must meet at least one of IMPACT's established criteria in order for it to be added to the list of approved organizations.
To be valid, an organization must:
Small organizations, which are defined as having 10 or fewer employees (as verified by Dunn & Bradstreet or national records), may be asked to provide up to three references to the ICC before being considered for approval. References must be from customers, contract holders or business partners who have done business with the organization within the past 12 months. In some instances, the references may be asked to provide answers to the following questions:
Small organizations also may be asked to provide the ICC with resumes or curricula vitae (CV) of the lead researcher and/or other researchers on the project.
All research and access to IMPACT data must be carried out in DHS-approved locations. The researcher's organization must be located in one of these locations.
Selected countries outside of the United States may be authorized to verify researchers for IMPACT. Each country will have a designated entity or office functioning as a IMPACT Approval Coordinator (IAC). An IAC is responsible for reviewing account requests and verifying the researcher's affiliation with an organization. All IACs are selected and approved by the U.S. Department of Homeland Security (DHS).
When a non-U.S. researcher from an approved location applies for a IMPACT account via the IMPACT portal, the ICC will provide information about the applicant to their IAC. The IAC will vet the organization according to the IMPACT Organization criteria and their own verification protocol.
The ICC supports the IMPACT data repository in a secure Web-based portal, located at , which is available to IMPACT users and the public (browsing public pages only). Currently the ICC is managed by Blackfire Technology, Inc.
The portal has a Secure Socket Layer (SSL) certificate to allow data to be encrypted.
Navigation to various sections of the portal will be specific to the role assigned the registered user; a limited number of public pages is available to non-registered users. Roles and responsibilities are spelled out in the Portal Users section.
Use of the portal by Researchers, Data Providers and Data Hosts will be strictly supervised by ICC staff and portal administrators. Account holders may not share their access with other persons and must abide by the site's Rules of Behavior.
IMPACT is committed to protecting your privacy and developing technology that gives you the most powerful and safe online experience. This Statement of Privacy applies to the IMPACT website and governs data collection and usage of that site. By using the IMPACT website, you consent to the data practices described in this statement.
Collection of Your Personal Information
IMPACT collects personally identifiable information, such as your email address, name, home or work address or telephone number.
There is also information about your computer hardware and software that is automatically collected by IMPACT. This information can include: your IP address, user name, browser type, and access times. This information is used by IMPACT for the operation of the service, to maintain quality of the service, and to provide general statistics regarding use of the IMPACT website.
IMPACT encourages you to review the privacy statements of websites that you may choose to link to from IMPACT so that you can understand how those websites collect, use and share your information. IMPACT is not responsible for the privacy statements or other content on websites outside of the IMPACT website.
Use of your Personal Information
IMPACT collects and uses your personal information to operate the IMPACT website and deliver the services you have requested. IMPACT may also contact you via surveys to conduct research about your opinion of current services or of potential new services that may be offered.
IMPACT does not sell, rent or lease data it collects to third parties. IMPACT may share data with Hosts, Providers and review board members of the IMPACT community to help us deliver requested IMPACT services. These parties are prohibited from using your personal information except to provide these requested services, and they are required to maintain the confidentiality of your information.
IMPACT will disclose your personal information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal processes served on IMPACT or the site; (b) protect and defend the rights or property of IMPACT; and, (c) act under exigent circumstances to protect the personal safety of users of IMPACT, or the public.
The IMPACT website requires the use of non-persistent (session-based) "cookies" during an active session for proper operation of pages for registered IMPACT users during that one session. The purpose of the cookies is to identify a user to the IMPACT web server only when accessing content within the IMPACT domain. IMPACT does not use "ad" cookies to track user activity. IMPACT does not retain any cookie data. You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the IMPACT services.
Security of Your Personal Information
IMPACT secures your personal information from unauthorized access, use or disclosure. IMPACT secures the personally identifiable information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use or disclosure.
Changes to this Statement
IMPACT will occasionally update this Statement of Privacy to reflect feedback or changes in operations or policy. IMPACT encourages you to periodically review this Statement to be informed of how IMPACT is protecting your information.
IMPACT welcomes your comments regarding this Statement of Privacy. If you believe that IMPACT has not adhered to this Statement, please contact IMPACT at Contact@ImpactCyberTrust.org. We will use commercially reasonable efforts to promptly determine and remedy the problem.
IMPACT datasets are available to approved researchers who are conducting cyber security research in DHS-approved locations, such as the 50 United States and selected international locations approved by DHS. Researchers approved for an account on the IMPACT portal may request access to any number of dataset(s) of interest in established sub-categories by filling out an online application form and listing the dataset(s) desired and members of the research team and providing a description of the proposed research.
Only Researchers holding IMPACT accounts may request data from the IMPACT data catalog.
There are two types of Researchers:
A Researcher is an individual or organization who has been identified by the ICC as having a legitimate need for the data. A researcher who is an individual also may be a Lead Researcher.
A Lead Researcher is the person who requests IMPACT data/tools, is the principal investigator or researcher leading the research project using the data, and is responsible for ensuring that all responsibilities for the receipt, security, oversight and handling of the data/tools are met.
Requestors are subject to different obligations for each class of data/tool requested. (See classes of data in the Data Catalog section.) A researcher must agree to all of the obligations and use criteria specified for each class requested.
For all unrestricted and quasi-restricted datasets/tools, these terms are specified in the ToU associated with the request.
In the case of restricted datasets/tools, the terms are specified in an MoA executed between the Researcher and the ICC which may include additional provider terms. If the researcher declines to agree to the terms, the application for use of that provider's restricted dataset/tool will not be processed. The Provider will have final approval for release of their data/tool.
In all cases, Researchers must notify the ICC if the data/tool are compromised once they receive access to datasets. Compromised is defined as confirmed access by an unauthorized person or data's being lost, disclosed, stolen or sabotaged.
Researchers who have been approved for some sub-categories but not others will only have access to the sub-categories for which they have been approved.
When requesting restricted data/tools, researchers must provide the names of the proposed research team, i.e., the researcher's colleagues who will also be working with the requested data/tool. Researchers must notify the ICC of all departures and additions to the research team and execute an amendment(s) to the restricted data/tool MOA. Email notice of additions or deletions to the research team list to the ICC. All new research team members must be approved prior to their gaining access to the data/tool.
Researchers may use dataset(s) from approved sub-categories subject to the terms and conditions associated with them for a 12-month period, which begins when (1) the ToU is submitted to and approved by the ICC for all classes of unrestricted data, (2) the ToU is submitted to and approved by the ICC and the Data Provider approves the request for all classes of quasi-restricted data, or (3) when the MoA for restricted data is fully executed.
Researchers may not transfer authorization to use approved datasets/tools to other persons or organizations.
Researchers are granted access based on their affiliation with an organization and must inform the ICC when they change affiliations or are no longer in charge of the research project on which the IMPACT data/tool is being used. Researchers who move to another organization may reapply for access to the data/tool through their new organization. The new organization must meet all requirements for organizational participation before access is granted.
If a Lead Researcher who is managing a research project using restricted data/tools leaves the organization or the project, the organization must notify the ICC and either propose a new lead researcher or terminate the MOA and the use of the IMPACT data/tool.
Users of the IMPACT portal expect information to be readily available, accurate and safeguarded from unauthorized access. The ICC has established management, operational and technical controls to protect the IMPACT information and the automated information systems within the portal. Controls for granting, changing and terminating access to the IMPACT portal are essential to the security of the portal. Password-protected role-based accounts are the foundation of these controls.
The IMPACT portal provides access to the content and functions of the portal via role-based accounts. The roles and associated portal access are described in Portal User Roles and Responsibilities. Users and their associated roles are identified by logging in with a valid user ID and password.
Passwords are used by the portal in conjunction with user IDs to uniquely identify individual users. Passwords may not be shared with, used by or disclosed to others. Generic or group passwords cannot be used. To preclude password guessing, an intruder lock-out feature will suspend accounts after five invalid attempts to log on. Manual action by the Portal Administrator is required to reactivate the account.
All user and system passwords, even temporary passwords set for new user accounts, have to meet the following criteria:
Users should follow these password suggestions:
Users are required to select a new password immediately after their initial log in.
Passwords must not be embedded in automated programs, utilities or applications, such as: autoexec.bat files, batch job files or terminal hot keys.
Passwords must not be visible on a screen, hard copy or in any other output device.
Administrative account passwords will be changed promptly upon the departure (voluntary or involuntary) of administrative personnel or the suspected compromise of the password. User accounts will be disabled promptly upon departure of personnel (voluntary or involuntary) and accounts will be terminated.
Users should immediately change their password if they suspect it has been compromised.
The IMPACT Portal restricts text inputs based on whether the user is authenticated. If the user is not authenticated, all input text is tested against a character white list:
All text inputs, regardless of authentication status, will be HTML decoded iteratively and checked for a number of SQL and HTML keywords.
All string fields read out of the database will be passed into the Microsoft.Security.Application.Encoder.HtmlEncode method (aka "Anti-XSS").
All IMPACT users are required to operate within the guidelines of portal security. Any violation of the security policy by a user will result in the immediate termination of that user's account on the portal and may affect their access to IMPACT data or participation in the IMPACT project.
The IMPACT Web Site is composed of various Web pages operated by IMPACT.
The IMPACT Web Site is offered to you conditioned on your acceptance without modification of the terms, conditions and notices contained herein. Your use of the IMPACT Web Site constitutes your agreement to all such terms, conditions, and notices.
IMPACT reserves the right to change the terms, conditions and notices under which the IMPACT Web Site is offered, including but not limited to the charges associated with the use of the IMPACT Web Site.
The IMPACT Web Site may contain links to other Web Sites ("Linked Sites"). The Linked Sites are not under the control of IMPACT and IMPACT is not responsible for the contents of any Linked Site, including without limitation any link contained in a Linked Site, or any changes or updates to a Linked Site. IMPACT is not responsible for webcasting or any other form of transmission received from any Linked Site. IMPACT is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by IMPACT of the site or any association with its operators.
As a condition of your use of the IMPACT Web Site, you warrant to IMPACT that you will not use the IMPACT Web Site for any purpose that is unlawful or prohibited by these terms, conditions and notices. You may not use the IMPACT Web Site in any manner that could damage, disable, overburden or impair the IMPACT Web Site or interfere with any other party's use and enjoyment of the IMPACT Web Site. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available or provided for through the IMPACT Web Sites.
IMPACT does not claim ownership of the materials you provide to IMPACT (including feedback and suggestions) or post, upload, input or submit through the IMPACT Web Site. (collectively "Submissions"). However, by posting, uploading, inputting, providing or submitting your Submissions, you are granting IMPACT permission to use your Submissions in connection with the operation of IMPACT operations, including, without limitation, the rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Submission; and to publish your name in connection with your Submission.
No compensation will be paid with respect to the use of your Submission, as provided herein. IMPACT is under no obligation to post or use any Submission that you may provide and may remove any Submission at any time in IMPACT's sole discretion.
By posting, uploading, inputting, providing or submitting your Submission you warrant and represent that you own or otherwise control all of the rights to your Submission as described in this section including, without limitation, all the rights necessary for you to provide, post, upload, input or submit the Submissions.
THE INFORMATION, SOFTWARE, AND SERVICES INCLUDED IN OR AVAILABLE THROUGH THE IMPACT WEB SITE MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. IMPACT MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE IMPACT WEB SITE AT ANY TIME.
IMPACT MAKES NO WARRANTY OR REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, AVAILABILITY, TIMELINESS, AND ACCURACY OF THE INFORMATION, SOFTWARE, SERVICES AND RELATED GRAPHICS CONTAINED ON THE IMPACT WEB SITE FOR ANY PURPOSE. IMPACT HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, SOFTWARE, SERVICES AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.
SERVICE CONTACT: IMPACTfirstname.lastname@example.org.
IMPACT reserves the right, in its sole discretion, to terminate your access to the IMPACT Web Site and the related services or any portion thereof at any time, without notice. To the maximum extent permitted by law, this agreement is governed by the laws of the State of North Carolina U.S.A. You agree that no joint venture, partnership, employment, or agency relationship exists between you and IMPACT as a result of this agreement or use of the IMPACT Web Site. If any part of this agreement is determined to be invalid or unenforceable pursuant to applicable law including, but not limited to, the warranty disclaimers and liability limitations set forth above, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the agreement shall continue in effect. Unless otherwise specified herein, this agreement constitutes the entire agreement between the user and IMPACT with respect to the IMPACT Web Site. A printed version of this agreement and of any notice given in electronic form shall be admissible in judicial or administrative proceedings based upon or relating to this agreement to the same extent an d subject to the same conditions as other business documents and records originally generated and maintained in printed form. It is the express wish to the parties that this agreement and all related documents be drawn up in English.
All contents of the IMPACT Web Site are: Copyright 2019 ImpactCyberTrust.org, with the exception of intellectual property rights associated with papers or documents available through the IMPACT Web Site that are owned by other parties. All rights reserved.