IMPACT is a distributed data and tool repository whose holdings are provided by multiple providers and stored and accessed from multiple hosting sites. The IMPACT Coordinating Center (ICC) manages the inclusion of data and tools in the repository and the review and approval of requests for data and tools from the repository. The ICC operates under protocols established to protect the confidentiality and integrity of data made available to cyber security researchers and ensure proper data and tool usage.
The IMPACT portal (www.ImpactCyberTrust.org) is the gateway to the IMPACT repository and it includes the IMPACT data and tool catalog, which describes the available datasets and tools. However, in order to request data/tools, a researcher must have an account. Once an account is established, a researcher can submit a request for items via the portal.
All requests for accounts are reviewed and approved by the ICC; however, for international researchers, the approval process also includes review and approval by a IMPACT Approval Coordinator (IAC) located in the country of origin of the request.
The following definitions are important:
Researcher: An individual or organization that has been identified by the ICC as having a legitimate need for the data/tool. A Researcher who is an individual also may be a Lead Researcher.
Lead Researcher: The person who (a) requests the desired IMPACT data/tool, (b) is the principal investigator or researcher leading the research project using the data/tool, and (c) is responsible for ensuring that all responsibilities for the receipt, security, oversight, and handling of the data/tool are met.
IMPACT Approval Coordinator (IAC): A government entity outside of the U.S. selected and approved by the U.S. Department of Homeland Security (DHS) for the purpose of vetting the legitimacy of cyber security researchers.
When the ICC receives an application for an account from a user located outside the U.S., the ICC refers this application to the IAC located in that researcher's country to review and approve. Referral is made via the IMPACT portal, which will email the IAC when a new account request is submitted from their country. The IAC will log into the portal to view information from the account request form that lists the researcher's contact information, and that of their point of contact at their organization.
The IAC will adjudicate the legitimacy of the researcher and record the findings using the My International Account Requests page:
First vet the organization to ensure it meets IMPACT criteria and any additional criteria you use in your process.
Second, request verification of the researcher by emailing the point of contact listed on the form. The email should at a minimum ask for verification that the researcher is associated with the organization, that they plan to work on a cyber security research project using IMPACT datasets/tools. Other questions can be included at the IAC's discretion.
Then, make a decision based on the results of the first two activities.
To support the international agreement with DHS, the IAC will establish country-specific processes for vetting the legitimacy of researchers, which will be provided to DHS, who in turn will provide them to the ICC. Upon request, the ICC will share the process it employs in the U.S. to provide the IAC a starting point for its own process.
Decisions made by a IAC will be communicated to the ICC using the My International Account Requests page and following the
Submit the decision to the ICC from this page. Then email information received from the point of contact and additional documentation (e.g., the IAC checklist) to the ICC at IMPACTfirstname.lastname@example.org. This will be stored in the IMPACT Portal for future reference.
After the ICC receives an adjudication from a IAC, it completes the account request process and notifies the researcher of the decision.
The International Account Requests page provides a central location for IMPACT Approval Coordinators to respond to account requests for researchers in their respective countries.
Your decision will follow these steps, which are described in the IMPACT International Protocol packet:
IAC users will see all requests for accounts from their countries, including those that have been finalized. The page contains the following information:
To review and respond to an account request from your country, click on the ID Number link. This will display account request details and allow you to record your decision.
International account request details display after you click the request ID Number. The information that displays is pulled directly from the Account Request form. Once you have recorded your decision, you can navigate back to the main International Account Requests page using the link at the top of the page.
If you need to record information incrementally, you may click Save to preserve your input. For example, if you need to change information on the page but are not ready to record a decision, you may save the change and return to the page when you are ready to record your decision.
The page displays the organization name, country and address. You must add the organization's URL, which you would have used to verify the organization during the vetting process.
The page displays the name and contact information for the user, including the address, phone numbers, email address and location of any research using IMPACT datasets/tools.
The page displays the name, phone and email address of the researcher's point of contact who will verify the researcher's position at the company.
The Authorized Representative must be someone at the organization who can verify the researcher's cyber-security research activities. A researcher must list someone other than himself as the Authorized Representative. If the researcher has listed himself, email the researcher to request contact information for a different point of contact.
The page provides radio buttons for you to record your decision. Click the appropriate button and click Submit to notify the ICC of your decision.
You must email any supporting documentation that you gather during your vetting process separately to the ICC. Email address is IMPACTemail@example.com.
The ICC email address also should be copied on all correspondence with the requester or his authorized representative.
Don't forget to click Submit to notify the ICC of your decision.