User notification
We have approval to store NIST Low data only in cloud applications like Box and Google Drive. To
monitor that, we’re using an application called SkyHigh which does a scan of the data inside of Box
and Google, and reports when it receives a potential violation of the policies we’ve
programmed. One of those policies focuses on server security information, since that data shows
the vulnerabilities that exist on potentially public systems. Inside your Google storage there is a
file named “reac-security.tgz” that kind of information. This is the kind of information that the NIST
ITSO has decided should not be stored in Google, because Google’s ability to store sensitive data in
a secure way has not been determined. Can you remove it and any similar files you have?
If you want to be able to store this information in Google, talk to your ITSO. I’m also happy to
come to talk to your group about our Google implementation, and how we’re hoping to see it used
at NIST, because I want to make sure it works well for what we’re trying to do at NIST.
Note that Gitlab.nist.gov was just approved to store moderate data like this, that would probably
be a better place to store this information.
-Justin