IMPACT consists of four components supporting core functional requirements for data sharing: metadata discovery (FIND), data and tool matchmaking (GET & USE), a social feedback loop (FORUM), and a rules broker that is the 'policy middleware' enabling the other three components.
The Research Data Repository supports the collection of data to make high quality, timely and relevant datasets available to the research community; development of systems for storing and processing large volumes of data; advancing tools and techniques for analyzing Internet datasets to extract useful information and represent that information; advancing the state of the art in data collection techniques, packet formats, new data types, storage techniques, data cataloging and annotation, and cross dataset analysis; investigating and highlighting legal and ethical issues in Internet data collection and analysis; and disseminating data with a streamlined legal framework that controls distribution while protecting researchers, data providers and data hosts.
IMPACT Procedures and Processes
IMPACT has established procedures and processes to enable the ICC to efficiently create and manage account requests and requests for access to all types of datasets. Processes for each user role are detailed in workflow maps to illustrate all the steps that must be taken to complete the process. Workflow maps for Researchers, Data Providers and Data Hosts are available on the portal and are incorporated by reference into this manual.
1 About Accounts
IMPACT accounts do not expire unless the user changes organizations. Users who have changed organizations must reapply for an account. Researchers must also submit a new dataset request to regain access to datasets that were in use at their previous organization. Their previous organization will also be asked to submit a certificate of disposal of any datasets that were delivered to that user before his or her departure.
Users whose accounts are disabled but who still have permission to use datasets will be denied access to any datasets that remain undelivered at the time of the deactivation. The appropriate Data Hosts will be notified of the deactivation.
Users who hold expired datasets but have neither extended the term of use nor certified that the data have been destroyed will not be able to obtain other IMPACT data until all requirements for dataset expiration have been met.
Users may at any time request a copy of their contact information collected by the ICC.
Applications can be for a user account or access to datasets listed in the Data Catalog. The ICC reviews each application to ensure that it conforms to the submittal criteria, that all requested information has been provided and that all necessary signatures are properly affixed before forwarding it for approval.
If the application does not meet the submittal criteria, the ICC will return it to the requestor, who may then revise it and resubmit.
2.1 Account Requests
Account requests are submitted using a form on the portal.
Applications for accounts on the IMPACT system are reviewed by the ICC, following a role-specific process. Applications for accounts default to the researcher role.
The process for each of the account request types is:
When an account request is submitted, the ICC will vet the organization to determine if it meets established acceptance criteria. (See "Organizations") Once the organization has been validated, the ICC will email the researcher's Point of Contact (POC) to confirm the affiliation. If there is no response to the email after five days, the ICC will email the researcher that the POC has not responded. If there is no response after three additional days, the ICC will call the researcher. If there continues to be no response after five days, the account request will be canceled.
When an account request from a non-U.S. researcher is submitted from a DHS-approved international location, the IMPACT Approval Coordinator (IAC) for the location will vet the application to determine if the applicant meets established acceptance criteria before the ICC completes the account request process. If the applicant is not located in a DHS-approved location, the account request will be denied. (See also "International Organizations")
Data Hosts will apply for an account on the portal, following the researcher protocol. In conjunction with the account request, the ICC will work with the host to execute an MOA. After the account has been approved, the ICC will set an additional role for Data Host.
Data Providers will apply for an account on the portal, following the researcher protocol. In conjunction with the account request, the ICC will work with the provider to execute an MOA. After the account has been approved, the ICC will set an additional role for Data Provider.
Other specialized roles are available, subject to ICC or DHS approval. (See "Portal Users") These accounts are created by the ICC as administrator of the portal.
2.2 Dataset Requests
Requests may be submitted for each class of data described in the Data Catalog.
Dataset requests are submitted for access to sub-categories of data using a form on the portal. If a request for access to a sub-category is approved, the researcher may also choose additional datasets in the approved sub-category at a later time without submitting a new dataset request.
Requests for quasi-restricted data (commercial and non-commercial) follow a path similar to the unrestricted dataset applications but are only released if approved by the Data Provider.
2.3 Review and Approval
The review period for a request for all restricted or quasi-restricted data classes is about 72 hours after the application is complete. The complete application will consist of a dataset request form filled out online, a TOU (quasi-restricted data) consented to via a click-thru agreement, and an MOA (restricted data) signed by the applicant.
Applications for any quasi-restricted or restricted datasets may be fully or partially approved or rejected:
- Data Providers have the unilateral authority to reject part or all of an application for use of their data.
- ICC must approve or reject the full request.
The relevant Data Providers review applications for any quasi-restricted data. The TOU associated with an approved (either full or partial) quasi-restricted request is delivered to the Researcher with the approval email.
The ICC reviews requests for restricted data. The MOA associated with an approved (either full or partial) application for restricted data is then forwarded the data providers for acceptance or rejection (no signature required) and then the Blackfire Legal Counsel for full execution. The ICC notifies all relevant parties of the decision.
Notifications of any approval are in the form of system emails that direct the parties to log into the portal to retrieve details of the application from the User Menu.
In cases where the Data Provider rejects all or part of an application to use their datasets, the ICC will notify the researcher. When a request is rejected, the notification will include the reasons for the rejection if they are available. (See also "Rejections") The researcher may then submit a new application for denied datasets that satisfies the provider's concerns.
If all or part of the request is approved, the ICC notifies the researcher and provides contact information for the Data Host(s), with details of what has been approved. The ICC also notifies the Data Host(s) of details of the approved request. Access information may be a URL, contact information for someone at the hosting site, etc.
The ICC will record and track the approval date, the date the researcher received access information from the ICC, and the date that the researcher accessed the datasets from the Data Host. The ICC will maintain records of all applications and their dispositions.
If a dataset request is rejected, the Researcher will be notified by email and may be given the reason for the rejection, if available. The Researcher may revise the application based on those reasons and reapply for the dataset(s).
After an application for use of datasets is finalized, the researcher has 12 months from the date the TOU is completed or the MOA is executed to access the datasets and use them for the purpose described in the application. Once a Researcher-MOA is executed, the Researcher may request additional restricted datasets at a later date within the 12-month access period without re-executing another MOA, only subject to data provider approval.
Thirty (30) days before the expiration of this period, the ICC will email the researcher with a reminder that the expiration is approaching and offer an option to reapply for access to the data.
Researchers may extend the use of the data for an additional 12 months past the original expiration date by submitting an extension request from the User dropdown menu. If no extension is requested, the researcher will be required to dispose of the data within 30 days of the expiration date.
If a dataset request is rejected, the ICC will provide a reason. Table 1 and Table 2 provide possible reasons for rejection and the users' recourse.
Table 1 Account Request Rejections.
|The researcher's organization is not an approved organization.||See also "Organizations"|
|The verification email is not received within the required time period.||Initiate another request at a later date.|
|The researcher is not located in a DHS-approved location.||See also "DHS-Approved Locations"|
Table 2 Dataset Request Rejections.
|The Memorandum of Agreement is not received within the stated time period.||Initiate another request at a later date.|
|The Memorandum of Agreement is incomplete.||Revise the Memorandum of Agreement to include missing or incomplete information.|
|The proposed research does not justify a need for the data requested.||- Revise the proposal to reflect research that requires the requested data
- Revise the proposal to include data that is required by the research described
|The Data Provider did not approve the request.||Data provider rejection of a dataset request is absolute.|
|The requestor lists persons who will use the datasets outside of an authorized research location.||Requestors must change the research team and/or research location to comply with IMPACT policy to make data available ONLY to approved researchers who are conducting cyber security research in DHS-approved locations, such as the 50 United States and for selected international governments and organizations.|
The IMPACT system will notify the researcher and the Data Host(s) when a request has been approved, directing him/her to the appropriate Data Host to arrange for delivery or transmission of the datasets requested. Both parties will be asked to verify that the dataset(s) have been received and or delivered.
The ICC will track the delivery status of each dataset request and intercede as needed to ensure the approved request has been fulfilled.