Hi, everyone. Hope you’re staying healthy.
In this new wonderful world of working from wherever we happened to be holed up, there’s a lot more teleconferencing going on. People are using the official Argonne apps, and some people are using others. Please bear in mind the following when choosing what you’re going to do and talk about during a teleconference. This is very important if you’re doing anything with Controlled Unclassified Information (CUI) (formerly known as Sensitive Information, including Official Use Only (OUO)).
- The only officially sanctioned options for use at Argonne for teleconferencing are Microsoft Teams and Bluejeans. CELS also maintains a Slack instance.
- Slack is not authorized for CUI.
- Platforms not listed above (including Zoom, Google, WebEx) are not sanctioned.
If you’re discussing anything that might be CUI, follow the guidelines below – this is a combination of information from cyber and my notes.
For any platform, the attendance should be VERIFIED. On a system like MS Teams, everyone is authenticated so names of all participants will show, unless it’s a call with dial-in numbers or external collaborators invited. Bluejeans can accept callers and guests so they would also need to be verified before CUI/OUO discussions can happen.
Teams (as long as it’s not a call with external collaborators) is configured for any CUI discussions by default (by the end of the month everyone at ANL will be MFA into the application). The only other thing people should be aware of in Teams is file sharing. You could file share to a person who is on a personally owned system that does not meet LMS PROC 22 guidelines (which say MFA and encryption are required to protect CUI). So if a person shares a file that is CUI, they should verify the person receiving it has a system that can process it.
Box Plus is the officially sanctioned way to share and work with CUI. My recommendation is to keep CUI off any of the conferencing platforms and use Box.
Bluejeans is ONLY good for OUO and below data sensitivity. It still uses username/password and encryption is OFF by default; however, it can be turned on by the meeting moderator for an OUO discussion (BIS and Cyber are currently seeing if we can have this ON by default, but this change has not happened yet; they are still testing).
Zoom is not authorized at the lab and NO OUO or CUI discussions or files should be shared on that platform. Nor any other remote conference platform that has not been vetted by cyber. (This includes Slack.) If CUI discussions NEED to be made, we should be using Argonne’s vetted platforms. That is the whole point of having a vetted platform. Zoom’s been in the news a lot lately due to its security and privacy issues. It’s a fancy and alluring platform, but it’s not the panacea that some people thought it was.
I’m aware there are other DOE sources using Zoom, including DOE itself. Zoom’s federal tier is still OK; however, there is no way to detect that the person actually bought that tier of service without a cyber review. DOE owns the Federal tier of Zoom, so if it’s a DOE call THEY have the correct version. But otherwise, you must assume any other company is using the “free vulnerable tier”.