Safe Computing Environment Appendix C

Appendix C to Part 85-Certification Regarding Safe Computing Environment Requirements

Instructions for Certification

1. By signing and/or submitting this application or grant agreement, the grantee is providing the certification set out below.

2. The certification set out below is a material representation of fact upon which reliance is placed when the agency awards the grant. If it is later determined that the grantee knowingly rendered a false certification, the agency, in addition to any other remedies available to the Federal Government, may take action as defined under section 102.620.

3. For grantees other than individuals, Alternate I applies.

4. For grantees who are individuals, Alternate II applies.

5. Specific computing environments, for grantees other than individuals, need not be identified on the certification. If known, they may be identified in the grant application. If the grantee does not identify the environment at the time of application, or upon award, if there is no application, the grantee must keep the identity of the environment(s) on file in its office and make the information available for Federal inspection. Failure to identify all known computing environments constitutes a violation of the grantee's safe computing environment requirements.

6. Computing environment identifications must include the actual IP address of each system or other network connected device used in support of the grant. Categorical descriptions may be used (e.g., all systems of a university department, State systems in each local unemployment office, systems used to support concert halls or radio studios).

7. If the environment identified to the agency changes during the performance of the grant, the grantee shall inform the agency of the change(s), if it previously identified the environment in question (see paragraph five).

Certification Regarding Safe-Computing Requirements

Alternate I. (Grantees Other Than Individuals)

A. The grantee certifies that it will or will continue to provide a Safe Computing Environment by:

(a) Publishing a statement notifying employees that

(1) the unauthorized use of computing resources is prohibited and listing authorized uses of computing resources.

(2) when an information technology system is used to attack other users - for the purpose of harassment, unauthorized access, and/or denial of service, through a network, the system may be removed from the network immediately and may remain disconnected until the conditions leading to its use in such attacks have been eliminated.

(3) any significant security event must be reported within three calendar days of its discovery, and specifying the actions that will be taken against employees for violation of such prohibition;

(b) Making it a requirement that each employee to be engaged in the performance of the grant be given a copy of the statement required by paragraph (a);

(c) Notifying the employee in the statement required by paragraph (a) that, as a condition of employment under the grant, the employee will abide by the terms of the statement;

(d) Taking one of the following actions, within a reasonable time after learning of a significant computer security event that puts other systems on the network at risk:

(1) remove the system from the network; or

(2) place a firewall between the system and the network that adequately protects other systems on the network.

(g) Making a good faith effort to continue to maintain a safe computing environment through implementation of paragraphs (a), (b), (c) and (d).

Alternate II. (Grantees Who Are Individuals)

(a) The grantee certifies that, as a condition of the grant, he or she will not allow information technology resources to be used by unauthorized persons and will disconnect any system being so used from the Internet.