There are three levels of security at which a Nimbis marketplace product may be deployed: academic, commercial, and government. The academic level represents the lowest level of security and therefore the lowest overall cost to implement, manage, and maintain. The government level represents the highest level of security and therefore the highest overall cost to implement, manage, and maintain. The commercial level is a midrange price point offering the best overall value for the Nimbis target market, which comprises small to medium-sized commercial businesses.
The same user security mechanisms described previously (user types, user roles, and user authentication) apply equally to all three levels of security. Differences come into play in the data security mechanisms. All three levels contain the same data types (personal, payment, technical, and social), and the security of these applies equally as well. It is the data storage and data transfer security mechanisms, and the complexities required to implement, manage, and maintain them, that vary.
Let’s start with the highest level of security, the government level. This level does not include US Department of Defense (DoD) classified information, for example “confidential”, “secret”, or “top secret”. Nimbis does not store, transfer, or process DoD classified information in its marketplace deployments. The government level is for users that have US federal government requirements to safeguard their technical data according to US export control regulations. The US federal government categorizes this information as Controlled Unclassified Information (CUI). For Nimbis marketplace deployments this includes both the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR). EAR and ITAR export-controlled technical data listed on the Commerce Control List (CCL) and the US Munitions List (USML), respectively, requires that, without an export control license, only US persons (citizens or permanent residents) may have access to the data.
For government level security, Nimbis and the Nimbis partners offering their platforms and services at this level must maintain and follow a set of export control policies and procedures sufficient to ensure that EAR and ITAR regulations are met. The user authentication process requires verification of US person status and confirmation that the person, or the entity they represent, is not on any US denied parties list; the user must also be operating from within the US. Data storage must be physically safeguarded against access by non-US persons. Data transfers must be encrypted and secure. An export control administrator is identified at Nimbis and at the Nimbis partner. These administrators are responsible for executing and enforcing their respective export control policies and procedures. For Nimbis marketplace deployments requiring government level security, Nimbis utilizes AWS GovCloud (US).
In contrast to the government level, commercial level product deployments use SSH tunneling between the user’s desktop machine and the compute platform. This ensures that any commercial proprietary data transferred is encrypted. US person status is not required at the commercial level. Products deployed at the commercial level must be checked, according to the Nimbis and partner export control plans, to ensure they are not EAR or ITAR export-controlled. If a product is, or contains, EAR or ITAR export-controlled data, then it must be deployed at the government level.
Academic level product deployments do not require secure tunnels or encryption between the user’s desktop machine and the compute platform, although an academic level user may choose to use them. This level relies on the security mechanisms put in place by the user on their local machine and on the compute platform datacenter’s normal security measures. US person status is not required at the academic level. Products deployed at the academic level must be checked, according to the Nimbis and partner export control plans, to ensure they are not EAR or ITAR export-controlled. If a product is, or contains, EAR or ITAR export-controlled data, then it must be deployed at the government level.