National Academies Press: OpenBook

Guidelines on Collaboration and Information Security for State DOTs (2023)

Chapter: Appendix B - Implementation and Products of Research Findings

Suggested Citation: "Appendix B - Implementation and Products of Research Findings." National Academies of Sciences, Engineering, and Medicine. 2023. Guidelines on Collaboration and Information Security for State DOTs. Washington, DC: The National Academies Press. doi: 10.17226/26851.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

APPENDIX B

Implementation and Products of Research Findings

The following sections provide supplemental technical information on tasks performed in order to (1) assist in industry acceptance of the guidance under this program and (2) provide suggestions on how best to put the research deliverables into practice.

B.1 Secure Collaboration Tool

The secure collaboration tool was developed as a macro-enabled Excel spreadsheet using the algorithm content from Task 5. Excel was chosen for implementation to assist in ease of adoption, as shown in Table B-1. The two cons identified for using Excel were mitigated by (1) consulting Excel best practices for creating intuitive navigation and execution and (2) providing visual and textual information on protecting the data to ensure that only the appropriate modifications were made.

Table B-1. Implementation choices.

| Technology | Pro | Con |
|---|---|---|
| Custom software | Robust; easier to design intuitive interface | Must be installed for each user; need to have a data storage mechanism for data inputs; may trigger security concerns |
| Website | Easier to design intuitive interface; does not need to be installed for each user | Must be hosted by agency; needs data storage mechanism for data inputs; may trigger security concerns |
| Excel | Data storage is built in; does not require installation of new software because most agencies already use Microsoft products | Hard to design intuitive interface; may become corrupted if edited incorrectly |

The secure collaboration tool includes the following content, which will be described in further detail in subsequent sections:

• Introduction
• Overview
• Instructions for policy makers
• Instructions for agency users
• Select objectives
• Select methods
• Select operational needs
• Results
• Data

Introduction

This tab introduces the tool, defines the purpose, and includes links to each of the other tabs.

Overview

This tab includes the project background, a list of the general best practices as described in Chapter 3, and a glossary of terms. The purpose of this tab is to provide a high-level view of best practices associated with collaboration and the sharing of knowledge and data.

Instructions for Policy Makers

This tab is intended as the starting point for agency policy makers to begin customization of the tool for their agency. The tool includes the requirements developed and refined in the algorithm content document delivered as part of Task 5 and provides placeholders for agencies to insert the appropriate policies and procedures for each requirement. This tab provides an overview of which data should be modified and which data should not be modified. The contents of the data tab are described and for each column an indication of whether the content should be modified is included, as shown in Table B-2. Navigation buttons on the sheet will direct the user to the data tab columns to be modified.

Table B-2. Data tab columns.

| Column | Description | Editable? |
|---|---|---|
| Applicable | This will be set based on agency users' selections; do not edit. | No |
| Short Name Req | A unique identifier for the requirement. | No |
| Requirement | The name of the requirement. | Yes; not normally required |
| Description | A textual description of the requirement. | Yes; not normally required |
| Guidance | General guidance on this requirement, which may include other areas to consider. | Yes; may edit for agency |
| Examples | High-level examples of the use cases for this requirement. | Yes; may edit for agency |
| Best Practices | Best practices for this requirement including suggestions for what types of policies and procedures are needed. | Yes; may edit for agency |
| Applicable Policies, Procedures, Templates, and Forms | Placeholder for an agency's policies and procedures. Place links for the appropriate places an agency user would go to access this information. | Yes; may edit for agency |

The steps for modification in the following list are clearly shown with screenshots within the tool; see figures B-1 and B-2 for examples:

1. Unprotect the data sheet
2. Enter links to policies and procedures
3. Modify any guidance or best practices, if desired
4. Change suggested requirements, if desired
5. Protect the data sheet
6. Provide to agency users

Instructions for Agency Users

This tab is intended as the starting point for agency users to provide instructions for use of the tool. Using a list of defined steps and screenshots, the instructions guide the users on how to make choices on the Select Objectives, Select Methods, and Select Operational Needs tabs. The steps for usage in the following list are clearly shown with screenshots (see Figure B-1):

1. Select objectives
2. Select the methods to be used
3. Select operational and security needs
4. View personalized results, including links to the agency's policies and procedures

Figure B-1. Screenshots provide the step number and instructions to guide users through the tool.

Select Objectives

This tab includes the functional requirements associated with goals and intended outputs. Users select the requirements applicable to their use case and click a button to move to the next tab. Requirements may be colored blue, as shown in Figure B-2, to suggest selections indicated by those that were previously selected. The tool's indicators and graphics were augmented for compliance with the ADA. The blue is a darker value than the normal coloring of the column and is easily visible to individuals with color blindness. Where graphic buttons are used, alternative text that can be read aloud is defined.

Figure B-2. Previously selected requirements recommend other requirements that may be selected by turning the fill color to blue.

Select Methods

This tab includes the functional requirements associated with methods and data characteristics. Users will select the appropriate requirements for their use case and click a button to move to the next tab.

Select Operational Needs

This tab includes the functional requirements associated with operational needs and security. Users will select the appropriate requirements for their use case and click a button to see the results.

Results

This tab is populated after users select requirements and click to see the results, as shown in Figure B-3. The Policies and Procedures column will be populated once the tool is customized by agency policy makers.

Figure B-3. The results tab contains the appropriate guidance, policies and procedures, and best practices for the selected requirements.

Data

This tab is the data storage for the tool. Data in the Select tabs is pulled directly from this tab, as is data shown in the Results tab. As described in the earlier Instructions for Policy Makers section, agency policy makers will populate the Policies and Procedures area with hyperlinks or with page references to the appropriate locations.

B.2 Secure Collaboration Tool Content

This document is organized according to each of the steps a user would take while using the secure collaboration tool in order to generate applicable guidance as the output. The secure collaboration tool will contain discrete content for each of the 38 requirements, which were previously presented in IR2. Each requirement is contained on a single page of that document and contains the following elements:

• Requirement Name: The name of the requirement in the secure collaboration tool that would be visible to users. These requirements are coded as follows:
  FG: Functional Goals
  FO: Functional Outputs
  O: Operational
  S: Security
  TD: Technical Data Characteristics
  TM: Technical Methods
• Description: A brief description under the requirement name about each of the requirements in order to facilitate a user's selection of which to explore depending on their intended collaboration or information-sharing activities.
• Tool Output: A paragraph of guidance content that the secure collaboration tool will deliver as output for each applicable requirement as a result of the user's input selections.
• Agency Policies & Guidance: The secure collaboration tool contains a field that serves as a placeholder for users to link the latest available documentation regarding their agencies' policies, procedures, mandates, or other applicable guidance. This feature will enable individual users to enhance the value of the secure collaboration tool to deliver this guidance as incremental output for each requirement and to make updates as needed over time. The IR2 document does not contain content for this section.
• Best Practices: The secure collaboration tool will provide summary guidance and recommended practices for the activities in the format of brief bullet points based on the input selections under each requirement.
• Applicable Requirements: As additional guidance, the secure collaboration tool will recommend other requirements that a user should consult and adhere to that apply to the collaboration or exchange activities specific to the user's input. This list will include only requirements at the same level or downstream from the current requirement.

Transportation agency staff will use the Instructional Guide on Collaboration and Information Sharing within the secure collaboration tool by selecting choices pertaining to their desired activities as inputs, which will then be provided with corresponding guidance as the tool's output. The content contained in this document represents the data that the secure collaboration tool will use to provide guidance as outputs at each step. Users will only be provided with output content that is applicable to their inputs.

The content in this document should be reviewed as a series of discrete sets of data to be supplied into the secure collaboration tool. The text is provided in document format for convenience in order to support review and modification prior to transferring text to the tool. A glossary is also provided as an appendix to assist in reviewing this content.

The tables that follow describe the data that are contained in the tool for each of the requirements. The information that is prepopulated in the tool includes general guidance, best practices, a description, and examples for each of the requirements. Agencies will add, at a minimum, links to the appropriate policies and procedures for each requirement.

Step 1. Define Objectives

Users are instructed to select one or more business objectives to be achieved.

Sharing Information (FG1)

Description: FG1 is the supply or receipt of information or knowledge to or from another party to fulfill business and operational objectives. This requirement applies when your objective is to exchange information with or from another party in any media.

Examples:
• Sharing data
• Presenting media of various types

Tool Output

Guidance: When your objective involves the sharing or dissemination of records, reports, sets of official or unofficial data, and other content, multiple other requirements should be considered, including whether other objectives are applicable. The intended output is typically to deliver or acquire knowledge by one of the collaborative methods. Relevant data characteristics include the format and media, data restrictions, and integrity. As part of sharing information, operational and security considerations include consulting the policies and procedures and determining who is authorized and what tools are both applicable and permitted for use.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
• Consult the applicable agency policies, procedures, and guidelines.
• Select the appropriate requirements for data and information exchange details for methods, data characteristics, operational restrictions, and security.

Applicable Requirements:
• FG5 Documenting Collaboration
• FO1 Deliver or Acquire Knowledge
• TM5 Collaborative Efforts
• TD1 Data Format and Media
• TD5 Data Integrity
• O1 Outside Entity Collaboration Rules
• O2 Permission Procedures
• O3 Approved Collaboration Tools
• O4 Data Content Policies
• O7 Documentation
• S1 Authorization
• S2 Permission
• S3 Tools
• S4 Policies and Procedures

Communication (FG2)

Description: FG2 is engaging in synchronous or asynchronous mutual exchange of knowledge or information with another party to fulfill business and operational objectives. This requirement applies when engaging in a mutual exchange of knowledge or information with another party using any media.

Examples:
• Direct audio/visual communication
• Requests for information or data
• Engagement activities (e.g., polls, surveys, interactive whiteboards)

Tool Output

Guidance: When your objective is to communicate directly with one or more third parties, whether official or unofficial, multiple other requirements should be considered, including whether other objectives are applicable. The intended output is typically to deliver or acquire knowledge by one of the collaborative methods. Relevant data characteristics include the format and media, data restrictions, and integrity. As part of communication, operational and security considerations include consulting the policies and procedures and determining who is authorized and what tools are both applicable and permitted for use.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
• Consult the applicable agency policies, procedures, and guidelines.
• Select the appropriate requirements for data and information exchange details for method(s), data characteristics, operational restrictions, and security.

Applicable Requirements:
• FG5 Documenting Collaboration
• FO1 Deliver or Acquire Knowledge
• TM1 Ad Hoc
• TM4 Collaborative Tools and Shared Media
• TM5 Collaborative Efforts
• TD1 Data Format and Media
• TD5 Data Integrity
• O1 Outside Entity Collaboration
• O2 Permission Procedures
• O3 Approved Collaboration Tools
• O4 Data Content Policies
• O7 Documentation
• S1 Authorization
• S2 Permission
• S3 Tools
• S4 Policies and Procedures

Project Collaboration and Coordination (FG3)

Description: FG3 refers to times when two or more external parties mutually engage, whether synchronously or asynchronously, to fulfill business and operational objectives by participation in a common work task or working separately to produce a common output. This applies when the intention is to engage in collaborative activities with other parties.

Examples:
• Ongoing project work (e.g., documents)
• Virtual or in-person working sessions
• Reporting and presenting
• Conduct studies
• Project with defined duration

Tool Output

Guidance: When your objective is to collaborate or coordinate with one or more third parties to mutually engage in a common work task or to each separately produce a common output for the purpose of fulfilling business and operational objectives, multiple other requirements should be considered, including whether other objectives are applicable. The intended output is typically to achieve an objective or facilitate improvements. The type of project will determine if any data characteristics are applicable. As part of project coordination, operational and security considerations include consulting the policies and procedures and determining who is authorized and what tools are both applicable and permitted for use.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
• Consult the applicable agency policies, procedures, and guidelines.
• Select the appropriate requirements for data- and information-exchange details for method(s), data characteristics, operational restrictions, and security.

Applicable Requirements:
• FG1 Sharing Information
• FG2 Communication
• FG5 Documenting
• FO3 Achieve Desired Objective
• FO4 Improvements
• FO6 Update Notifications
• TM2 Scheduled Meetings
• TM3 Threaded Conversations
• TM4 Collaborative Tools and Shared Media
• TM5 Collaborative Efforts
• TM6 Structured Data Exchange
• TM7 File Sharing
• TM8 Records Management
• TM9 Content Access Controls
• O1 Outside Entity Collaboration Rules
• O3 Approved Collaboration Tools
• O5 Structured Data Sharing Workflow
• O6 Data Sharing Agreements
• O8 Lifecycle Management
• O9 Roles and Responsibilities
• S1 Authorization
• S2 Permission Procedures
• S3 Tools
• S4 Policies and Procedures

Knowledge Sharing and Gaining (FG4)
Description: FG4 is participation in activities with an external party to impart or receive specific knowledge to fulfill business and operational needs. This requirement applies when participating in activities with external parties to impart or receive knowledge.
Examples: In-person or virtual briefings; Training activities and team development; Instructional material; Workshops or symposia
Tool Output
Guidance: When your objective is to teach or gain knowledge from one or more third parties, multiple other requirements should be considered, including whether other objectives are applicable. The intended output is typically to deliver or acquire knowledge. The type of activity will determine if any data characteristics are applicable. As part of knowledge sharing, operational and security considerations include consulting the policies and procedures and determining who is authorized and what tools are both applicable and permitted for use.
Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.
Best Practices: Consult the applicable agency policies, procedures, and guidelines. Select the appropriate requirements for data and information exchange, details for method(s), data characteristics, operational restrictions, and security.
Applicable Requirements: FG1 Sharing Information; FG2 Communication; FG5 Documenting; FO1 Deliver or Acquire Knowledge; TM2 Scheduled Meetings; TM4 Collaborative Tools and Shared Media; TM5 Collaborative Efforts; O1 Outside Entity Collaboration Rules; O2 Permission Procedures; O3 Approved Collaboration Tools; O4 Data Content Policies; O7 Documentation; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Documenting Collaboration (FG5)
Description: FG5 is the observation and documentation of activities with or between other parties engaged in a common work task or producing a common output to create a record of activities that is accessible for future use. This requirement applies if you intend to document activities with parties engaged in a common work task.
Examples: Permissions from participants; Recording of virtual meetings; Screen sharing; Document posting; Inventory and record of shared data
Tool Output
Guidance: When your objective involves the documentation of processes and activities pertaining to information sharing, collaboration, and coordination with one or more third parties, multiple other requirements should be considered, including whether other objectives are applicable. As part of documenting, operational and security considerations include consulting the policies and procedures and determining who is authorized and which tools are both applicable and permitted for use. The type of activity will determine if any data characteristics are applicable.
Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.
Best Practices: Consult the applicable agency policies, procedures, and guidelines. Use the following series of questions as an implementation checklist:
– Who: Designate the party to be responsible for documenting and storing the records and for making the records available to authorized parties. Indicate what authorization or access requirements apply.
– What: Determine what information should be collected: notes from meetings; a description of activities; their nature and objectives; participating parties; the time, duration, and completion; the media and tools; action items.
– How: Determine in what tools or format the documentation will reside.
– When: If documented records will be made available, indicate the time period and what technical or formatting requirements may apply to achieve access.
Seek permission to document collaboration activities from participating parties. Inform all parties of how the documented information will be used and by whom.
Applicable Requirements: FG1 Sharing Information; FG2 Communication; FG3 Project Collaboration and Coordination; FG4 Knowledge Sharing and Gaining; TM8 Records Management; TM9 Content Access Controls; TD5 Data Integrity; O4 Data Content Policies; O7 Documentation; O9 Roles and Responsibilities; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Step 2. Define Outputs

In Step 2, users are instructed to define the outputs to be achieved from safe and secure collaboration, coordination, or the sharing of data, information, and knowledge.

Deliver or Acquire Knowledge (FO1)
Description: FO1 is the supplying or receiving of knowledge to or from another party via a chosen media to fulfill business and operational objectives. This requirement applies if your objective is to exchange knowledge with another party.
Examples: Training and instructional activities; Receive, modify, or provide select data or media in desired format; Receive or provide information or knowledge
Tool Output
Guidance: When your objective is the delivery or acquisition of knowledge to or from another party via a chosen media, you should consider the authorization, proprietorship, usage limitations or privacy of the knowledge or information to be shared; its validity; the authenticity and validity of the source; the authorization of the parties to share or receive it; the compatibility of the format; and the security and authorization of the media used. You should consult agency guidelines for operational and security requirements to ensure any activities related to sharing or receiving knowledge and information are authorized, secure, safe, and in mutual compliance with agency requirements.
Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.
Best Practices: Consult the applicable agency policies, procedures, and guidelines. Document instances of when access to Knowledge Assets has been provided, by whom and to whom, for what purpose, and for what time period, to create an accessible and documented record of these activities for transparency and accountability. Select the appropriate methods and data characteristics for additional best practices.
Applicable Requirements: FO3 Achieve Desired Objective; TM9 Content Access Controls; O1 Outside Entity Collaboration Rules; O2 Permission Procedures; O4 Data Content Policies; O7 Documentation; O8 Lifecycle Management; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Access or Provide Access (FO2)
Description: FO2 is enabling a party to receive, provide, and view Knowledge Assets, such as data, information, tools, or processes by removing restrictions and barriers to access and exchange, providing a mechanism to facilitate access and exchange, or both. This requirement applies if your objective is to obtain or provide access to an external party to view and use any type of Knowledge Asset.
Examples: Access externally available information; Allow external users access to agency information; Gain insights and learning; Protect or restrict access to proprietary information
Tool Output
Guidance: Obtaining or providing access to Knowledge Assets with another party involves temporarily or permanently reducing viewing and usage limitations on activities involving data, information, knowledge, content, tools, media, processes, and environments that are otherwise proprietary. When providing access to Knowledge Assets is your objective, you should consult operational and security requirements to ensure that all activities are in mutual compliance with the agency requirements that may apply. You should consider the authenticity and authorization of the parties with whom you are providing or gaining access to Knowledge Assets; the permissibility of their intended usage; the authorization, proprietorship, usage limitations and privacy; and the security, usage authorization of the parties and efficacy of the environment, format and media being used to provide or acquire access.
Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.
Best Practices: Consult the applicable agency policies, procedures, and guidelines. Determine the purpose of providing or acquiring access to Knowledge Assets to ensure the activity is permissible and authorized. Define the time period and duration for when the provision or receipt of access will be conducted. Ensure the media, tools and environments used are authorized for use by all parties and used in a way that is compliant, safe, secure, and permissible. Document instances of when access to Knowledge Assets has been provided, by whom and to whom, and for what purpose to create a record of these activities for transparency and accountability. Select the appropriate methods and data characteristics for additional best practices.
Applicable Requirements: FO3 Achieve Desired Objective; FO4 Improvements; TM4 Collaborative Tools and Shared Media; TM7 File Sharing; TM9 Content Access Controls; TD4 Data Restrictions; O2 Permission Procedures; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Achieve Desired Objective (FO3)
Description: FO3 is defined as achieving a formally or informally defined outcome by engaging in specified business activities or operations. This requirement applies if your objective for collaboration, coordination, and data- and information-sharing activities is to achieve a defined outcome.
Examples: Achieve the objectives related to the goals of the effort; Finalize projects
Tool Output
Guidance: When your intent is to achieve a specific, defined outcome, such activities as collaboration, coordination, or common usage and exchange of information or data with one or more parties, whether planned or ad hoc, or synchronous or asynchronous, offer substantial opportunity to mutually advance business objectives. You should consider the need to balance the opportunity for mutually productive activities with the need to follow safe and secure practices. All activities involving communication, collaboration, coordination, or exchange of information or data should consult the appropriate operational and security requirements to ensure compliance with agency requirements.
Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.
Best Practices: Consult the applicable agency policies, procedures, and guidelines. Define the desired outcome or objective to be achieved via collaboration and coordination activities, and via the usage or exchange of Knowledge Assets. Identify the parties required to participate, and ensure all are authorized and authenticated. Identify the permissible collaboration, coordination, usage, exchange, and other engagement activities required to fulfill objectives, and enforce any limitations or boundaries. Ensure participating parties agree to objectives to be fulfilled and the permissible activities, tools, resources, and Knowledge Assets to be used to fulfill them. Document outcomes and all instances of engagement activities involving external parties.
Applicable Requirements: FO1 Deliver or Acquire Knowledge; FO2 Access or Provide Access; TM5 Collaborative Efforts; TM8 Records Management; O1 Outside Entity Collaboration Rules; O7 Documentation; O9 Roles and Responsibilities; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Improvements (FO4)
Description: FO4 is defined as enhancing performance of a process or achieving superior outcomes by engaging in specified business activities or operations. This requirement applies if you intend to achieve defined improvements.
Examples: Improve operational efficiency; Increase productivity; Reduce time to completion; Reduce costs; Provide benefit to others
Tool Output
Guidance: When your objective is to achieve a specific improvement or defined outcome, such activities as collaboration, coordination, or common usage and exchange of data or information with one or more parties offer substantial opportunity to mutually advance objectives. You should consider the extent to which improving a process or outcome requires engagement with one or more external parties. You can then determine the corresponding requirements for engagement activities with each individual internal or external party participating in collaborative activities, including whether the activities should be documented. Consult the appropriate methods, data, operational, and security requirements to ensure that participating parties, tools, environments, and formats are compliant with agency procedures.
Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.
Best Practices: Consult the applicable agency policies, procedures, and guidelines. Define the state of improvement or desired outcome to be achieved via collaboration and coordination activities and usage or exchange of Knowledge Assets. Quantify the desired outcome or improvement to be achieved using available metrics and data, and define the baseline measure from which progress will be ascertained. Identify the participating parties and obtain agreement to objectives to be fulfilled and the permissible activities, tools, resources, and Knowledge Assets to be used to fulfill them. Document outcomes and instances of engagement activities involving external parties.
Applicable Requirements: FO3 Achieve Desired Objective; TM5 Collaborative Efforts; TM6 Structured Data Exchange; TM7 File Sharing; TM9 Content Access Controls; TD1 Data Format and Media; TD4 Data Restrictions; TD5 Data Integrity; O1 Outside Entity Collaboration Rules; O3 Approved Collaboration Tools; O4 Data Content Policies; O5 Structured Data Sharing Workflow; O9 Roles and Responsibilities; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Ownership (FO5)
Description: FO5 is defined as the designation of or claim by a party to own, control, or be responsible for a physical or virtual asset, such as data or information, knowledge, tools, processes, outcomes, or environments. This requirement applies if you intend to stake or clarify ownership or usage rights of a Knowledge Asset, such as data or information or a virtual tool.
Examples: Define and maintain ownership; Usage rights for shared data and media; Usage rights for co-modified data and media
Tool Output
Guidance: When your desired output is the ownership or usage rights for a physical or virtual Knowledge Asset, such as data or information, knowledge, tools, processes, outcomes, or environments, data-sharing agreements or licensing are typical methods to gain access to data outside of your agency or to share data that you own. The owner has primary responsibility to ensure its safety and security, and to enforce its proper usage. As such, owners determine the rules and requirements for access, usage, or participation in activities and processes involving or affecting Knowledge Assets. As a user accessing another agency’s data, you should ensure that you know what permissions are granted to access, use, modify, publish, or exchange the Knowledge Asset. Consult the appropriate methods and data, operational, and security requirements to ensure that participating parties, tools, environments, and formats are compliant with agency procedures.
Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.
Best Practices: Consult the applicable agency policies, procedures, and guidelines. Identify what parties own the Knowledge Asset, for what period of time, and what conditions are imposed for usage (e.g., license fees). Define the owned Knowledge Asset, its characteristics and functional utility. Determine requirements for acquiring, storing, accessing, utilizing, modifying, exchanging, or transferring the Knowledge Asset while sustaining its safety, security, and integrity. Define, adhere to, and enforce the practices to sustain the requirements for the safety, security, integrity, and use of the owned Knowledge Asset. Document instances of access and usage of a Knowledge Asset and of changes in ownership to provide a record of its uses and chain of custody.
Applicable Requirements: FO2 Access or Provide Access; FO3 Achieve Desired Objective; FO6 Update Notifications; TM5 Collaborative Efforts; TM6 Structured Data Exchange; TM8 Records Management; TM9 Content Access Controls; TD1 Data Format and Media; TD2 Data Detail Level; TD3 Data Processing Level; TD4 Data Restrictions; TD5 Data Integrity; O2 Permission Procedures; O4 Data Content Policies; O5 Structured Data Sharing Workflow; O6 Data Sharing Agreements; O7 Documentation; S1 Authorization; S2 Permission Procedures; S4 Policies and Procedures

Update Notifications (FO6)
Description: FO6 is defined as communicating information to another party when changes occur in status, value, or condition to a physical or virtual asset, such as data or information, knowledge, tools, processes, performance, outcomes, or environments, when the change affects a party’s business and operational objectives, activities, or considerations. This requirement applies if you intend to receive or provide update notifications.
Examples: Pushing or posting information; Notification tools
Tool Output
Guidance: You should consider when to send or request notification of changes in status to a physical or virtual asset, such as when there are modifications to data or information, knowledge, tools, processes, performance, outcomes, or environments, particularly when the change is relevant to a party’s business and operational objectives or to its related activities. You should define and document the requirements around monitoring for change, what degree of change would warrant notifications, and the method and manner by which such notifications would be disseminated.
Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.
Best Practices: Consult the applicable agency policies, procedures, and guidelines. Define the Knowledge Assets to be monitored, the purpose for doing so, what changes should be communicated, and the method and frequency of updates. Define recipients of notifications and the tools, media, or other communication to be used. In cases where notification has consequences and importance, senders should confirm receipt and determine backup methods to ensure timely delivery. Participants should document instances of delivering and receiving notifications.
Applicable Requirements: FO2 Access or Provide Access; FO5 Ownership; TM4 Collaborative Tools and Shared Media; TM6 Structured Data Exchange; TM7 File Sharing; TM8 Records Management; TM9 Content Access Controls; TD1 Data Format and Media; TD4 Data Restrictions; TD5 Data Integrity; O1 Outside Entity Collaboration Rules; O2 Permission Procedures; O5 Structured Data Sharing Workflow; O6 Data Sharing Agreements; O7 Documentation; O8 Lifecycle Management; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Step 3. Define Methods

In Step 3, users are instructed to define the method by which Knowledge Assets will be utilized in collaboration, coordination, sharing, or work activities.

Ad Hoc (TM1)
Description: TM1 is defined as activities involving unplanned, synchronous communication, collaboration, or data- and information-sharing activities, which typically occur on a spontaneous or informal basis between parties to support business objectives. This requirement applies if you will engage in such spontaneous or informal activities with external parties.
Examples: Unplanned meetings; Conversations; Conference attendance
Tool Output
Guidance: Unplanned, spontaneous collaboration and exchanges of information often arise when the needs and availability of two or more parties are aligned and offer a real-time opportunity to mutually advance objectives in productive ways. You should consider the need to balance the opportunity for productivity with the requirements to follow safe and secure practices. Any instance of collaboration or information and data exchange should only be engaged in compliance with agency policies and procedures.
Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.
Best Practices: Consult the applicable agency policies, procedures, and guidelines. Review policies and guidelines to ensure that ad hoc activities with external parties are authorized, permissible, and may be conducted in compliance with safety and security requirements. Determine the party or parties with whom you are engaging in ad hoc activities and ensure all are authorized. Select the tools, media, and other Knowledge Assets used to support ad hoc activities. Identify and observe restrictions on the use of Knowledge Assets used for ad hoc activities. Document instances of engaging in ad hoc activities with an external party.
Applicable Requirements: O1 Outside Entity Collaboration Rules; O2 Permission Procedures; O3 Approved Collaboration Tools; O7 Documentation; S1 Authorization; S4 Policies and Procedures

Scheduled Meetings (TM2)
Description: TM2 is defined as activities involving planned, synchronous face-to-face communication, collaboration, or data- and information-sharing activities to support business objectives that occur, whether formally or informally, at designated times between parties in person or via virtual media. This requirement applies if you intend to host or attend scheduled meetings.
Examples: Work sessions; Brainstorming; Presentations; Discussions
Tool Output
Guidance: Whether in person or using virtual media, scheduled meetings can facilitate productive communication, collaboration, or data- and information-sharing activities that advance business objectives. In addition to typical items such as meeting time, location or media, attendees, facilitator, and meeting agenda, you should consider parties in attendance and their level of authorization to share or receive information or data or participate in certain activities when content restrictions or security requirements might apply. Participants should also consider who will have access to the data or information produced as a result of the meeting.
Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.
Best Practices: Consult the applicable agency policies, procedures, and guidelines. Review policies and guidelines to ensure that scheduled meetings with external parties are authorized, permissible, and conducted in compliance with safety and security requirements. Determine the party or parties with whom you are meeting and ensure that all are authorized. Select the tools, media, and other Knowledge Assets used to support the meeting and ensure that all are authorized, safe, secure, and compliant for use. Identify and observe restrictions on the use of Knowledge Assets used for meeting activities. Identify what Knowledge Assets will be produced as a result of the meeting, if any, and which party will be responsible for their management. Document meetings with external parties.
Applicable Requirements: TM5 Collaborative Efforts; O1 Outside Entity Collaboration Rules; O2 Permission Procedures; O3 Approved Collaboration Tools; O7 Documentation; S1 Authorization; S2 Permission Procedures; S4 Policies and Procedures

Threaded Conversations (TM3)
Description: TM3 is defined as activities involving asynchronous communication, collaboration, or data- and information-sharing activities, whether formal, informal, planned, or ad hoc, which occur between parties through physical documents or over a common electronic media platform, and which dynamically produce a documented record of communication, information, and data exchanged that is accessible for future use. This requirement applies when you engage in threaded conversations.
Examples: Email chains; Structured exchange mechanisms (GitHub); Chat tools
Tool Output
Guidance: Threaded conversations result in a documented record of the information and data exchanged by two or more parties and can assist those who have access to the record for purposes of reference, monitoring progress, ensuring compliance, measuring performance, or holding responsible parties accountable. You should determine and designate an appropriate format for an electronic, analog, or physical file of data, information, or media content in order to enable its exchange with parties or to allow another party to access and use it.
Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.
Best Practices: Consult the applicable agency policies, procedures, and guidelines. Identify the party or parties with whom you are communicating and ensure that all are authorized. Identify what Knowledge Assets will be produced as a result of the threaded conversations, if any, and which party will be responsible for their management. Document instances of communication with an external party.
Applicable Requirements: TM4 Collaborative Tools and Shared Media; TM8 Records Management; O1 Outside Entity Collaboration Rules; O2 Permission Procedures; O3 Approved Collaboration Tools; O4 Data Content Policies; O7 Documentation; S1 Authorization; S2 Permission Procedures; S4 Policies and Procedures

Collaborative Tools and Shared Media (TM4)
Description: TM4 is defined as tools used to facilitate synchronous (and sometimes asynchronous) communication, collaboration, or data- and information-sharing activities by parties to support business objectives (whether formal or informal, planned or ad hoc), which use a common platform and which can produce a documented record of communication, information, and data exchanged that is accessible for future use. This requirement applies when using collaborative tools.
Examples: Specific tools selected by an agency (e.g., Google Workspace, SharePoint, Zoom, Slack, Microsoft Teams, WebEx, Jabber)
Tool Output
Guidance: Collaborative tools and shared media facilitate communication, collaboration, and data- and information-sharing activities to support business objectives by providing a common multi-media platform in which parties interact synchronously or asynchronously. These tools produce a documented multi-media record of all communication, information, data, or other Knowledge Assets produced or exchanged to be available for future use. The use of such tools requires caution because of potential cybersecurity vulnerabilities and the risk of exposing restricted Knowledge Assets to unauthorized parties. Agencies should consider the cost, availability, efficacy, utility, security, safety, authorization, and other requirements for the use of tools, media and methods that facilitate collaboration and exchanges of data and information between two or more parties to ensure that they are safe, secure, and in compliance with agency restrictions.
Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.
Best Practices: Consult the applicable agency policies, procedures, and guidelines. Define the party or parties with whom you are engaging via collaborative tools and shared media environments and ensure that all are authorized. Define the collaborative tools and shared media environments and methods being used to engage with other parties and ensure all are authorized, safe, secure, and compliant for use. Identify and observe restrictions on the use of Knowledge Assets used during collaboration activities facilitated via collaborative tools and shared media. Identify what Knowledge Assets will be produced as a result of the collaboration and engagement, if any, and which party will be responsible for their management. Document instances of using collaborative tools and shared media with an external party.
Applicable Requirements: O1 Outside Entity Collaboration Rules; O2 Permission Procedures; O3 Approved Collaboration Tools; S1 Authorization; S2 Permission Procedures; S3 Tools

Collaborative Efforts (TM5)
Description: TM5 is defined as activities involving communication, collaboration, or data- and information-sharing between parties to achieve a common objective such as a specific task, whether formal or informal and whether planned or ad hoc, which may occur both synchronously or asynchronously and in person or over electronic media. This requirement applies when engaging in collaborative efforts.
Examples: Ongoing working groups and standing committees (e.g., AASHTO committees, standards committees); Short-term projects (e.g., construction planning, public outreach, events)
Tool Output
Guidance: Whether planned or ad hoc, synchronous or asynchronous, collaboration and exchanges of Knowledge Assets between two or more parties offer substantial opportunity to mutually advance objectives. You should consider the need to balance the opportunity for mutually productive activities with the need to follow safe and secure practices. All activities involving communication, collaboration, coordination, or exchange of Knowledge Assets should only be done by authorized and authenticated parties using safe, secure, and approved media and tools in ways that are also safe, secure and in compliance with agency requirements. Further, you should consider ownership, management, and access and usage rights of the assets that result from collaboration.
Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.
Best Practices: Consult the applicable agency policies, procedures, and guidelines. Define the party or parties with whom you are collaborating and ensure all are authorized. Define the time period, duration, and time limitations for when collaboration will occur. Define the tools, media, and method to be used to collaborate and ensure that all are authorized, safe, secure, and compliant for use. Define the Knowledge Assets to be used during collaboration. Document instances of collaborating with external parties.
Applicable Requirements: TM1 Ad Hoc; TM2 Scheduled Meetings; TM4 Collaborative Tools and Shared Media; O1 Outside Entity Collaboration Rules; O3 Approved Collaboration Tools; O9 Roles and Responsibilities; S1 Authorization

Structured Data Exchange (TM6)
Description: TM6 is defined as planned, ongoing data-sharing activities between parties to support business objectives, which may occur both synchronously and asynchronously, for which the data resides in a predefined, mutually available format to facilitate controlled exchange. This requirement applies when engaging in structured data exchange.
Examples: Center-to-center connections; Traffic management and 911 data sharing
Tool Output
Guidance: When engaging in structured data exchange, you should determine and designate an appropriate format, whether electronic or physical, for a structured exchange of data, information or media content using electronic media or another vehicle in order to enable its exchange with another party or to allow another party to access and use it. Such data exchanges should only occur with trusted, authenticated, and authorized parties due to the level of cyber risk and vulnerability inherent in electronic exchanges.
Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.
Best Practices: Consult the applicable agency policies, procedures, and guidelines. Identify the structured data to be exchanged. Identify the parties with whom data will be exchanged. Identify the tools, media, and methods to be used to exchange data and ensure all are authorized, safe, secure, and compliant for use. Define the format and technical requirements for the structured data exchange (e.g., format, data structure, exchange and storage capacity, physical and cybersecurity requirements, environmental control, safety, power, and connectivity). Define the permissible and restricted uses of the structured data by the receiving party, such as its publication, modification, or exchange with additional parties. Users should document activities involving structured data exchange.
Applicable Requirements: TM7 File Sharing; TM9 Content Access Controls; TD1 Data Format and Media; TD2 Data Detail Level; TD3 Data Processing Level; TD4 Data Restrictions; TD5 Data Integrity; O4 Data Content Policies; O5 Structured Data Sharing Workflow; O6 Data Sharing Agreements; O7 Documentation; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

File Sharing (TM7)

Description: TM7 is defined as activities involving the planned or unplanned exchange of data or information that resides in a stored electronic media or paper format between parties to support business objectives. This requirement applies when engaging in file sharing activities.

Examples: Performance reports; Lessons learned; Email attachments; FTP sites; APIs; Media streaming

Tool Output

Guidance: File Sharing activities involve the planned or unplanned exchange of specific Knowledge Assets that reside in a stored electronic media or paper format between parties to support business objectives. The exchange may occur synchronously or asynchronously, in person using physical media, or over virtual electronic media. When engaging in file sharing, you should determine and designate an appropriate format for an electronic, analog, or physical file of data, information, or media content to enable exchange with another party or to allow another party to access and use it. File sharing should only occur with trusted, authenticated, and authorized parties to ensure external parties adhere to requirements and restrictions regarding the access, distribution, modification, or use of the data, information, or media content they receive.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
- Consult the applicable agency policies, procedures, and guidelines.
- Identify the electronic or physical files to be exchanged with an external party.
- Identify the party with whom you are exchanging files and ensure all are authorized.
- Identify the tools, media, and methods to be used to exchange the files and ensure all are authorized, safe, secure, and compliant for use.
- Document instances of exchanging files with an external party.
- Determine the appropriate format for the file sharing (e.g., Word, Excel, PDF; locked or unlocked).
- Determine the permissible and restricted uses of the shared files by the receiving party, such as publication, modification, or exchange with additional parties.

Applicable Requirements: TD1 Data Format and Media; TD2 Data Detail Level; TD3 Data Processing Level; TD4 Data Restrictions; TD5 Data Integrity; O1 Outside Entity Collaboration Rules; O2 Permission Procedures; O4 Data Content Policies; O6 Data Sharing Agreements; O7 Documentation; O8 Lifecycle Management; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Records Management (TM8)

Description: TM8 is defined as activities required when parties engage in the planned, controlled, and organized documentation of files, information, activities, and other pertinent assets related to a project or task in a stored electronic media or paper format to make it accessible for future use. This requirement applies when engaging in records management activities.

Examples: Access and modifications; Additions and removals; Document activities of access or modification (who, when, what); Verification and validation; Storage; Organization

Tool Output

Guidance: You should consider which physical or virtual assets should be documented and stored in an organized way, such as data or information, formatted knowledge, tools, and other stored media relevant to business objectives and related activities. While managing a system of storage and organization, agency owners are required to determine which records warrant storage, updates, and notification to designated parties (when required). A data retention policy should be determined for files and other Knowledge Assets. Agency owners should define the requirements determining which stored assets should be made available, to whom and by whom, under what conditions, and with what required authority or credentials, to ensure that only authorized parties have access to records, particularly for sensitive and proprietary information that should be managed in a safe and secure way.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
- Consult the applicable agency policies, procedures, and guidelines.
- Identify the Knowledge Assets that will be stored and managed and the permissible uses or restrictions that apply, such as access, usage, exchange, or modification.
- Identify the level of security, privacy or other risk mitigation required to protect assets.
- Define the tools, media, and methods to be used to store Knowledge Assets.
- Identify parties authorized to access, use, add, remove, or modify the Knowledge Assets.
- Provide a process for facilitating safe and secure access and usage to authorized parties.
- Define and enforce usage guidelines for accessing, using, adding, removing, modifying, or exchanging the stored Knowledge Assets.
- Document all activities involving accessing, using, adding, removing, or modifying the stored Knowledge Assets.

Applicable Requirements: TM9 Content Access Controls; TD1 Data Format and Media; O2 Permission Procedures; O4 Data Content Policies; S2 Permission Procedures; S3 Tools

Content Access Controls (TM9)

Description: TM9 are the activities utilized when a party exercises or uses tools to control the exchange, access, or usage of virtual or physical assets such as data, information, knowledge, tools, environments, or media content with other parties. This requirement applies when engaging in Content Access Control activities.

Examples: Providing limited or unlimited use access; Determining period of time when data are available

Tool Output

Guidance: You should determine when data, information, media content, or tools have access and use restrictions. Agency owners are required to define which parties can access or exchange what content, in what manner, for what purpose, at what time, through which media, and in what format. Content access controls involve the control of a party’s ability to exchange or provide access or usage of data, information, or media content with other parties with respect to who has access, what content can be accessed or exchanged, in what manner, for what purpose, at what time, through which media, or in what format in order to protect the data or information from exposure to unauthorized parties or usage.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
- Consult the applicable agency policies, procedures, and guidelines.
- Identify the Knowledge Assets and corresponding restrictions and limitations that apply regarding access, usage, exchange, or modification.
- Identify the level of security, privacy, or other risk mitigation required to protect Knowledge Assets via access controls.
- Identify parties authorized to access, use, add, remove, or modify the Knowledge Assets.
- Identify the tools, media, and methods to be used to store, restrict, and enable access to Knowledge Assets.
- Provide a process for facilitating safe, secure, and effective access and usage of Knowledge Assets to authorized parties.
- Identify and enforce usage guidelines for accessing, using, adding, removing, modifying, or exchanging the stored Knowledge Assets.
- Document all activities involving accessing, using, adding, removing, or modifying the stored Knowledge Assets.

Applicable Requirements: TM4 Collaborative Tools and Shared Media; TD1 Data Format and Media; TD4 Data Restrictions; TD5 Data Integrity; O2 Permission Procedures; O4 Data Content Policies; S1 Authorization; S2 Permission Procedures; S3 Tools

Step 4. Define Data Characteristics

In Step 4, users are instructed to define the characteristics of the Knowledge Assets to be used, accessed, or exchanged in the course of activities involving the sharing of data or information or collaboration and coordination.

Data Format and Media (TD1)

Description: TD1 is defined as the key characteristics, such as format, organization, or other relevant information of a virtual or physical Knowledge Asset, such as data, files, information, knowledge, tools, environments, or media content that must be known to facilitate usage. This requirement applies when data form and media affect collaboration activities.

Examples: Files; Emails; Paper copies; Structured data; Unstructured data

Tool Output

Guidance: You should consider how the format, organization, or characteristics of a virtual or physical Knowledge Asset must be accommodated to enable collaboration, usage, or exchange activities. Some data characteristics have distinct associated requirements and should be considered carefully.
- Restricted/Unrestricted: A Knowledge Asset is restricted when you are required to limit or exclude parties from access or exposure during collaboration, coordination or usage and exchange activities. It is unrestricted when no usage or access limitations apply.
- Ongoing/Finalized: A Knowledge Asset is Ongoing when it is in a dynamic state of use and remains incomplete (i.e., the volume, value, status, and condition of its data and information is subject to change). A Knowledge Asset is Finalized when it is complete and is not subject to updates or modifications.
- Synchronous/Asynchronous: Synchronous activities that are occurring simultaneously in real time may have different needs from those that are asynchronous and occur independently and at different times relative to each party.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
- Consult the applicable agency policies, procedures, and guidelines.
- Identify the Knowledge Asset to be used or exchanged with an external party.
- Identify the format, organization, and technical characteristics of the Knowledge Asset that must be accommodated to enable its safe and secure usage or exchange.
- Determine the distinct characteristics of restricted/unrestricted, ongoing/finalized, and synchronous/asynchronous.
- Document the format details of Knowledge Assets required to facilitate its safe and secure exchange or use in collaboration and coordination activities.

Applicable Requirements: TD2 Data Detail Level; TD3 Data Processing Level; TD4 Data Restrictions

Data Detail Level (TD2)

Description: TD2 is defined as the level of detail provided in the relevant virtual or physical Knowledge Asset, such as data, files, information, knowledge, tools, environments, or media content, which must be known to facilitate usage. This requirement applies when the pertinent details of data affect their exchange or collaboration activities.

Examples: Raw data; Processed data; Performance measures; Data visualizations

Tool Output

Guidance: You should understand and be aware of the key characteristics of the Knowledge Asset that affect how one might interpret its value, meaning, or applicable uses. Detailed information about the type and intended purpose of a Knowledge Asset helps contextualize how you should interpret and use the data and information or tools to facilitate accurate and correct analysis and application. You should include documentation with details that allow for proper usage such as the source, purpose, level of processing, and any other pertinent details.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
- Consult the applicable agency policies, procedures, and guidelines.
- Identify the unique characteristics of a Knowledge Asset to be used or exchanged with an external party regarding its condition, volume, values, or content, including limitations and defects, which affect how users can interpret, apply, or use it.
- Identify the technical characteristics of the Knowledge Asset and other requirements for use by external parties, such as security, format, connectivity, power, and usage fees.
- Document instances of using or exchanging Knowledge Assets with or from an external party.

Applicable Requirements: TD1 Data Format and Media; TD3 Data Processing Level; TD4 Data Restrictions; TD5 Data Integrity

Data Processing Level (TD3)

Description: TD3 is defined as the extent to which virtual or physical data, files, information, knowledge, tools, environments, or media content has been modified with respect to content, format, organization, or other relevant information from the raw or original format. This requirement applies when the data processing level affects the use of a Knowledge Asset.

Examples: Whether the data has been cleaned; Whether the data are verified; How the data were validated

Tool Output

Guidance: You should understand and be aware of the conditional state of a Knowledge Asset, such as virtual or physical data, files, information, knowledge, tools, environments, or media content, and the implications for its use due to that conditional state. You should include documentation that provides details allowing for proper usage by the end user.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
- Consult the applicable agency policies, procedures, and guidelines.
- Identify the unique characteristics of a Knowledge Asset to be used or exchanged with an external party regarding its condition, volume, values, or content, including limitations, defects, recent modifications, and other aspects affecting its use.
- Assess the current condition of the Knowledge Asset to determine any incremental modifications, formatting, or other requirements that must be accommodated to enable its usage.
- Define the technical characteristics of the Knowledge Asset and other requirements for use by external parties, such as security, format, connectivity, power, or usage fees.
- Document instances of using or exchanging Knowledge Assets with or from an external party including details regarding their characteristics and extent of data processing.

Applicable Requirements: TD5 Data Integrity

Data Restrictions (TD4)

Description: TD4 is defined as the nature of and the degree to which the formal requirements for a set of data or information limit its access or usage by other parties. This requirement applies when data are subject to limitations in access or usage by another party.

Examples: PII; Privacy; Exposure to vulnerabilities; Sensitive or confidential data (e.g., IP addresses); Limited-use or licensed third-party content

Tool Output

Guidance: You must limit and exclude unauthorized parties from gaining access or exposure to any set of data or information that is formally designated as or considered restricted based on the nature and degree to which such limits are otherwise required. Data restrictions for a set of data or information limit its access or usage by another party to only authorized users. Data that may include or expose PII or sensitive or confidential data (e.g., IP addresses) may raise privacy concerns, create an exposure to vulnerabilities such as cyber risk or threats, or represent limited-use or licensed third-party content. Other limitations may pertain to the technical nature of the Knowledge Asset, such as format, stability, physical condition, or other virtual properties.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
- Consult the applicable agency policies, procedures, and guidelines.
- Identify and document the characteristics of a Knowledge Asset that restrict its access, usage, or exchange with an external party, such as its degree of privacy, safety, security, or ownership.
- Identify the parties authorized to access, use, or exchange the Knowledge Asset and define the conditions required to obtain authorization for access or usage.
- Inform authorized users that a Knowledge Asset is restricted and describe the restrictions and allowable uses.
- Provide a process for safe and secure access or usage of the Knowledge Asset by authorized users that meets and enforces the requirements of its restrictions.
- Document instances of using or exchanging Knowledge Assets with restrictions.

Applicable Requirements: TD2 Data Detail Level

Data Integrity (TD5)

Description: TD5 is defined as confirming the authenticity, accuracy, degree of verification or validation, reliability, integrity, and overall quality of a set of data or its source. This requirement applies when the integrity of the data is a primary concern.

Examples: Undocumented modification of a data set by personnel; Occurrences of unauthorized access of an electronic file by an external party; Physical degradation of improperly stored paper records or electronic media; Potential breaches in privacy of a data set from use of an unsecure electronic tool

Tool Output

Guidance: Data integrity for a set of data or information indicates the degree of fidelity of the content and accuracy of its values and information based on the extent of protection from or exposure to access, modification, or usage by another party or exposure to vulnerabilities such as cyber risk or threats. For example, a dataset may have been inadvertently or maliciously modified such that some or all records are no longer valid, particularly when a set of data or information is unprotected or exposed via unsecure virtual media. Other factors affecting the integrity of a Knowledge Asset may pertain to the technical nature of how the Knowledge Asset is stored or shared, such as technical defects arising from environmental exposure affecting its physical condition, stability, or electronic properties over time. Agency owners should consider the processes of sourcing, storing, or sharing a Knowledge Asset to ensure that any activities, media or tools used are safe, secure and do not adversely affect its integrity.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
- Consult the applicable agency policies, procedures, and guidelines.
- Determine if the quantity and values of data and information or other aspects of the Knowledge Asset are correct.
- Determine the extent of the delta and corrections required when the quantity and values of data and information or other aspects of the Knowledge Asset are not correct, are incomplete, or have been modified.
- Inform users of a Knowledge Asset when the quantity and values of its data, information or other aspects are potentially compromised.
- Document instances when the Knowledge Asset has been modified.
- Develop a process to ensure the Knowledge Asset is only used in ways that are permissible and compliant with acceptable uses and do not adversely affect integrity.
- Develop processes to protect the Knowledge Asset from unauthorized or unplanned exposure and modification due to cyber incidents, physical degradation, threats, or other vulnerabilities.

Applicable Requirements: TD3 Data Processing Level

Step 5. Select Operational Requirements

In Step 5, users are instructed to define the specific steps and operational requirements of the collaboration, coordination, usage, or exchange activities involving Knowledge Assets to be undertaken to ensure adherence to safety and security best practices.

Outside Entity Collaboration Rules (O1)

Description: O1 is defined as the operational requirements and formal procedures a party must follow to ensure safety and security when engaging in coordinated business activities with another party. This requirement applies when engaging in collaboration, coordination, or exchange activities with an external party.

Examples: Who can participate; What is required for authorization to participate or gain access; What can be shared; Authorized participant management; How and when to terminate collaboration; Who has permission to share or receive data

Tool Output

Guidance: Agency owners should consider which external parties can participate, under what circumstances, and with what limitations, as well as procedures for terminating collaboration and procedures for accessing content, data or information and other Knowledge Assets produced as a result of the activities. All activities involving collaboration or information and data exchange should only be done by authenticated parties who are authorized to participate; they should only use authenticated Knowledge Assets that are authorized for usage in the activities and that all parties are mutually authorized to use.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
- Consult the applicable agency policies, procedures, and guidelines.
- Review the best practices for the methods and data to be used.
- Define the communication, collaboration and coordination, and Knowledge Asset exchange activities to be undertaken with external parties in order to achieve desired business objectives and outcomes.
- Authenticate external parties authorized to participate in collaboration activities.
- Define requirements, conditions, or limitations to be met for safe, secure, and compliant participation.
- Define the outputs and Knowledge Assets produced as a result of collaboration activities and define the roles, responsibilities, access, and usage rights of each external party.
- Summarize and communicate the requirements to external parties and document instances of collaboration activities.

Applicable Requirements: O2 Permission Procedures; O3 Approved Collaboration Tools; O4 Data Content Policies; O7 Documentation; O9 Roles and Responsibilities; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Permission Procedures: Operational (O2)

Description: O2 is defined as the operational requirements and formal procedures a controlling party must follow to safely and securely determine when to provide another party with access to data or information or to allow their participation in activities. This requirement applies when a party must determine if or when to provide another party with access to data or activities.

Examples: Requirements for communication; Types of questions that may be answered in ad hoc meetings; Who must give permission before sharing specific data

Tool Output

Guidance: Agency owners must ensure that all external parties are authenticated and authorized to participate in collaboration, coordination, or other exchange activities, and are authorized to access and use the media, tools, content, data, information, or other Knowledge Assets that are the subject of the activities, or that may be exposed during participation. As part of the rules of engagement, agency owners should communicate and provide to all participants a clear description of the requirements for eligible participation; the procedures that may be undertaken to authenticate authorized participants to commence or participate in the activities; the activities that are permissible and impermissible or other limitations on activities; permissions that may be required for certain activities that are otherwise limited; and the procedures to obtain such permissions. Finally, users should consult agency guidelines for additional requirements to ensure that participating parties comply.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
- Consult the applicable agency policies, procedures, and guidelines.
- Identify the communication, collaboration and coordination, and Knowledge Asset exchange activities and the data, tools, media, environments, and other Knowledge Assets to be used.
- Define a process to authenticate, confirm eligibility, and grant access to external parties.
- Allow new external parties who meet eligibility requirements to request and become authorized to participate in collaboration activities, including with limitations or conditions.
- Document instances when external parties have been granted access to participation.

Applicable Requirements: O1 Outside Entity Collaboration Rules; O3 Approved Collaboration Tools; O4 Data Content Policies; O7 Documentation; O9 Roles and Responsibilities; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Approved Collaboration Tools (O3)

Description: O3 is a formal list of electronic tools that enable parties to engage in common work tasks or to produce common outputs that have been assessed and deemed permissible, safe, and secure for use by an agency, typically in conjunction with specific usage requirements, prohibitions, or other formal procedures. This applies when using electronic tools in collaboration activities.

Examples: Clear guidance on which tools are authorized for use; Guidance on what activities, if any, are allowed or unallowed for unauthorized tools; Information on the different features of tools available for in-agency or external users

Tool Output

Guidance: Agency owners must specify which electronic tools are authorized to use and describe requirements for proper, safe, secure, and effective usage, as well as applicable usage limits and prohibitions. Approved collaboration tools indicate the specific set of electronic tools an agency is authorized to use and any corresponding requirements for proper, safe, secure, and effective usage and applicable usage limits and prohibitions. Agency owners should consider and properly review the electronic tools with respect to the degree to which such tools are safe and secure to use and document acceptable usage by agency staff to comply with all security, safety, licensing, commercial, and other usage requirements. The use of a tool not specifically included in the list is prohibited. You should consult agency guidelines to ensure participating parties meet and comply with applicable requirements pertaining to the usage of tools.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
- Consult the applicable agency policies, procedures, and guidelines.
- Develop and provide a list of authorized tools that includes:
  - Who can use the tool (e.g., external users).
  - Information on the proper use and purpose of all available functionality.
  - What functionality is and is not permitted (e.g., sharing files in a web conference).
  - Limits on uses or functionality availability to external parties (e.g., internal chat in a web conference).
- Determine what should be done if asked to use an unapproved tool and the procedures to get a tool approved.
- If asked to use a tool that isn’t approved, determine under what conditions it can be allowed (e.g., web version).
- When evaluating tools:
  - Determine the purpose, benefits, risks, and vulnerabilities.
  - Determine allowable uses and activities, applicable limitations, and procedures.
  - Determine which parties are eligible to use the tool.
- Develop procedures (e.g., alternative options) to follow when a collaborating party cannot use an approved tool.
- Other considerations include who hosts the tool, who determines access to it, and whether licenses are required for access or usage.

Applicable Requirements: O1 Outside Entity Collaboration Rules; O4 Data Content Policies; S3 Tools; S4 Policies and Procedures

Data Content Policies (O4)

Description: O4 is defined as the formal operational requirements and specific procedures to follow to ensure the proper, safe, and secure acquisition, storage, management, usage, and exchange of data or other physical and virtual content assets. This applies when managing access, use, and exchange of data.

Examples: Methods for adding data; Data that is allowable to add; How data must be formatted; Data that is restricted from sharing; Methods for modifying or deleting data; The data that can be modified or removed

Tool Output

Guidance: In addition to requirements for authorization and participation, agency owners must specify the permissible activities and uses pertaining to data, information, and other Knowledge Assets, such as when and how a participant is authorized to access, view, obtain, utilize, modify, or extend a specific set of data; whether such activities may only be conducted using specific procedures or media and tools; for what period of time; whether specific formats must be used; and other applicable requirements during and after collaboration, coordination, and exchange activities, such as conditional restrictions, procedures to document activities, and archival and retrieval requirements. You should consult agency guidelines for additional requirements to ensure that participating parties each meet and comply with applicable requirements pertaining to data content and usage policies.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
- Consult the applicable agency policies, procedures, and guidelines.
- Determine and define clear agency policies around permissible activities for using a specific dataset, such as to access, view, obtain, utilize, modify, or extend a specific dataset and how permissions that apply to agency users and other parties may vary by dataset.
- Prepare methods for restoring or recovering damaged or lost data (e.g., cloud backup files).
- Enforce policies and compliance with required procedures and have mechanisms in place to support enforcement and compliance.
- Provide clear guidance on how to request access to specific data.
- If datasets are regularly requested and authorized, consider putting a mechanism in place to request access to the data.

Applicable Requirements: O1 Outside Entity Collaboration Rules; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Structured Data Sharing Workflow (O5)

Description: O5 is defined as the formal operational requirements and specific procedures to follow to ensure the proper, safe, and secure exchange of data that resides in a predefined, mutually available format to facilitate controlled exchange. This requirement applies when engaged in a controlled exchange of data.

Examples: Identify the steps for setting up structured data sharing; Define available structured data

Tool Output

Guidance: Structured data sharing must follow defined procedures to facilitate the proper, safe, secure, and successful exchange of data, information, or other Knowledge Assets and only with parties authorized to do so. Operational requirements may be specific to a predefined format of the data in the set or to the specific external party. Agency owners must ensure that exchange activities specify datasets that are authorized for exchange and that the exchange activities follow the applicable agency rules for tools, methods, and operations.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
- Consult the applicable agency policies, procedures, and guidelines.
- Determine answers to the following questions:
  - Who can receive the data?
  - Does the data exchange require a data-sharing agreement?
  - What are the restrictions on the data’s use?
  - What connectivity to the agency’s network is required for accessing the data?
  - What are the security implications?
- Data owners should determine methods to confirm that the data exchange was successful and completed in a way that did not harm, modify, or affect the dataset or the ability of any authorized party to use it.
- Data owners should determine and communicate clear requirements around conditions and procedures for when structured data exchange activities will be denied, limited, curtailed, discontinued, or reengaged.

Applicable Requirements: O1 Outside Entity Collaboration Rules; O4 Data Content Policies; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Data Sharing Agreements (O6)

Description: O6 is defined as a documented set of formal operational requirements and specific procedures that parties agree to follow to ensure the proper, safe, and secure exchange of data that resides in a predefined, mutually available format to facilitate controlled exchange. This requirement applies when documenting a process for the controlled exchange of predefined data between parties.

Examples:
• Templates for data-sharing agreements
• Required documentation
• Benefits and rights on both sides
• What data will be shared both directions
• Expiration or renewal terms

Tool Output Guidance: A data-sharing agreement provides the data owners and parties with whom data or Knowledge Assets will be exchanged with a mechanism to document specific procedures, guidelines, and technical requirements to be followed to facilitate a safe, secure, and successful exchange of data. Agency data owners and exchange participants should consider such mutually agreed upon provisions as the format of the data to be exchanged, the conditions for authorized participation, the permissible uses of the data assets received, and other rules governing the applicability and termination of the agreement itself.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
• Consult the applicable agency policies, procedures, and guidelines.
• Data owners should define and communicate specific operational procedures to be followed to facilitate the successful exchange, including:
  • Data formats.
  • Activity documentation.
  • Specific time frames when the exchange can take place, if applicable.
  • Expiration date and renewal procedures for the agreement.
  • Other technical steps to be taken by a party (e.g., allowing access to a specific server port to enable the exchange), which may include connectivity diagrams, specific tools or media that will be used, and procedures to follow if problems are encountered on either side.
  • Permissible uses of the data or Knowledge Assets by external parties following the completion of the exchange.
  • Benefit of the exchange for both parties.
  • Responsibilities of both parties for communication of any problems with the data, changes to the structure of data, or interruptions of data for maintenance activities.

Applicable Requirements: O1 Outside Entity Collaboration Rules; O2 Permission Procedures; O3 Approved Collaboration Tools; O4 Data Content Policies; O5 Structured Data Sharing Workflow; O7 Documentation; O9 Roles and Responsibilities; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Documentation (O7)

Description: O7 is defined as the materials a party produces and provides to other parties, such as files, information, activities, and other pertinent Knowledge Assets in a stored electronic media or paper format when observing and recording information related to a project or task or when imparting specific knowledge, such as a manual to make materials accessible. This requirement applies when recording collaboration and data-sharing activities.

Examples:
• Documentation and records of activities/version management
• Data modification procedures
• Activity logs (e.g., meetings, calls)
• Recordings
• Conversations (e.g., chat logs, email)
• Records modifications and removals
• Records sharing (who, when)

Tool Output Guidance: You should document the milestones and participation activities when multiple parties engage in the exchange of data or information or other Knowledge Assets, or in the collaboration or coordination of work tasks. This process provides you with a written record and promotes accountability, transparency, compliance with security requirements, and mutual trust among participants. Prior to commencing documentation, you should obtain permission from all involved parties, and should consider the authorization, proprietorship, usage limitations, and privacy of the activities being observed. You should store the documented information generated and consider the extent to which the stored information will be available, the requirements for its authorized access and usage, and the media and tools by which it will be made accessible.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
• Consult the applicable agency policies, procedures, and guidelines.
• Determine which activities warrant and are authorized for documentation and provide guidance on content.
• Disclose and seek permission for documenting the activities and the intended ways in which the documented information will be used.
• Designate the party to be responsible for documenting the activities, storing the record of the activities, and making the record available to authorized parties.
• Indicate whether or not documented records will be made available to other parties, who they are, and what authorization or access requirements and other limitations may apply.
• If documented records will be made available, indicate the time period and what technical or formatting requirements may apply to achieve access.

Applicable Requirements: O4 Data Content Policies; O8 Lifecycle Management; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Lifecycle Management (O8)

Description: O8 is defined as the planned, controlled, and organized management (e.g., maintaining inventory, storage, access, modification, addition, and removal) of files, information, data, and other pertinent Knowledge Assets related to a project or task in a stored electronic media or paper format. This applies when managing files, information, data, content, and other Knowledge Assets.

Examples:
• Capture
• Version control
• Retention, deletion, and storage
• Discovery
• Archiving and disposition

Tool Output Guidance: The integrity of data or information or other Knowledge Assets has important implications for how participants in activities involving collaboration, coordination, usage, or exchange activities perceive the safety and security of those activities. Effective lifecycle management protects and signals to participating parties that data or information or Knowledge Assets involved in collaboration, coordination, usage, or exchange activities, as well as the media, tools, and processes used for those activities, are safe, secure, and permissible to join. You should document the steps for the lifecycle management of the assets managed to facilitate greater collaboration with external parties and as a disciplinary function; this promotes internal adherence to asset management best practices.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
• Consult the applicable agency policies, procedures, and guidelines.
• Define the owned Knowledge Asset, its usage, distinct state of characteristics, and any capabilities that may change over time.
• Determine requirements for acquiring, storing, accessing, using, modifying, exchanging, and managing the Knowledge Asset while sustaining its safety, security, and integrity.
• Designate the party to be responsible for managing the Knowledge Asset and for making it available for use to authorized parties.
• Identify the tools and media used to manage the Knowledge Asset.
• Define, adhere to, and enforce practices to sustain the requirements for the safety, security, integrity, and effective utilization of the owned Knowledge Asset.
• Define the condition in which a Knowledge Asset has attained a state of dysfunction, obsolescence or disuse, for which retirement or replacement is more advantageous than repair.
• Document the life cycle and data retention policies of all Knowledge Assets of importance.

Applicable Requirements: O4 Data Content Policies; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Roles and Responsibilities (O9)

Description: O9 is defined as the detailed procedures, whether formal or informal, that each specific party involved in a project or task should follow and the objectives and outcomes that party is responsible for achieving or managing. This requirement applies when assigning responsibilities to participating parties.

Examples:
• Site ownership
• Tool ownership
• Data and information ownership
• Users and collaborators

Tool Output Guidance: You should consider the respective roles and responsibilities for allocating time, focus, and resources; the methods by which accountability will be achieved for each participating party; and the basis of security and protection of any data, information, or Knowledge Assets involved. Clearly delineated roles and responsibilities help facilitate and promote collaboration and coordination. External parties are more willing to collaborate and join shared activities when they perceive that their investment of resources and staff will succeed and benefit from the corresponding investments of other partners and when they have confidence in the safety and security of the activities in which they will engage.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
• Consult the applicable agency policies, procedures, and guidelines.
• Define the objectives and the individual tasks, processes, and collaboration and coordination activities that will be undertaken.
• Identify parties authorized to participate in the work activities and define their specific outcomes.
• Designate a process owner with the authority to manage participation of other parties’ work activities.
• Develop a work plan including the participants, respective roles and responsibilities, goals and objectives, key milestones, work schedule, budget allocations, and other planning elements to facilitate effective management, transparency, and accountability.
• Delegate and assign responsibilities to a party to complete discrete tasks or to monitor or manage specified processes related to shared collaboration and coordination activities.
• Clarify key differences in responsibilities and authority among the participants.
• Document all activities, the participants, their responsibilities, and the outcomes over time.

Applicable Requirements: O7 Documentation; S1 Authorization; S2 Permission Procedures; S3 Tools; S4 Policies and Procedures

Authorization (S1)

Description: S1 is the setting of rules that determine which parties may participate in collaborative activities; use certain tools and functionality; and access, use, modify, or exchange virtual or physical data, information, or media content in what manner, to what extent, and in what time frame. This applies when a party requires permission to participate in activities.

Examples:
• Authorization tools
• Automated authorization processes
• Manual authorization processes
• Automated vs. manual electronic tools for collaboration

Tool Output Guidance: Participation in activities involving collaboration, coordination or use and exchange of Knowledge Assets with external parties entails a degree of security risk for which consequences to agency operations and even public safety can be far-reaching. You are required to set and adhere to rules defining who may use, access or exchange tools and functionality, virtual or physical data, information, media content, or Knowledge Assets, and also in what manner, to what extent, and when. The rules also define the process and requirements to verify and validate a user’s identification and credentials. Authorization indicates that a designated party has been granted permission to participate in the access, usage, modification, or exchange of a set of data, information, or media content, or in the usage of tools and functionality. Rules and guidance to establish the requirements for a party to achieve authorization should define the process and requirements for facilitating the identification, verification, and authentication of authorized parties.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
• Consult agency policies, procedures, and guidelines.
• Identify Knowledge Assets for which access, usage, or exchange and related activities should be limited only to parties who have been granted explicit authorization.
• Define the party seeking to engage in activities involving collaboration, coordination, usage, or exchange of a Knowledge Asset for which authorization is required.
• Establish the criteria and procedures that a party must meet as a condition of obtaining authorization to participate in activities involving a Knowledge Asset.
• Establish procedures for determining, validating, or verifying the identity of a party.
• Define limitations in participation activities involving a Knowledge Asset when a party’s authorization is limited or conditional.
• Establish procedures for enforcing authorization policies to prevent participation in activities involving a Knowledge Asset by parties who are not authorized.
• Identify tools to be used in the authorization processes and ensure that they are efficacious, authorized for use, and secure.
• Document when authorizations are granted or denied.

Applicable Requirements: S2 Permission Procedures; S3 Tools; S4 Policies & Procedures

Step 6. Select Security Requirements

In Step 6, users are instructed to define rules to manage risk and protect points of vulnerability, such as which parties may participate in collaborative activities or use Knowledge Assets, in what manner, to what extent, and in what time frame.

Permission Procedures: Security (S2)

Description: S2 refers to the detailed procedures a party should follow when determining, validating, or verifying the identity and authorization of a party, the value of data or its source, or the availability of a certain activity to ensure the parties, Knowledge Assets, and activities involving collaboration and sharing of information and data are safe, secure, and permissible for use and participation. This applies when a party must achieve or validate permission to participate.

Examples:
• Authentication tools
• Automated authentication processes
• Manual authentication processes
• Known vs. unknown collaborators
• Signature authority matrix

Tool Output Guidance: Participation in activities involving collaboration, coordination, or use and exchange of data, information, or Knowledge Assets with external parties entails some security risk, which must be balanced with the needs for collaboration. Agency owners should set and adhere to a set of detailed steps to be followed without exception when determining, validating, or verifying the identity and authorization of a party, the value of data or its source, the availability and permissibility of a certain activity, or to grant or deny a specific party’s participation. These rules entail establishing the conditions and thresholds by which permissions will be granted (or by which Knowledge Assets or participants will be authenticated, validated, and verified). The rules will stipulate the requirements and procedures by which parties will request and be granted such permissions. You should consider the efficacy and permissibility of the tools that will be used in verification and validation processes.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
• Consult the applicable agency policies, procedures, and guidelines.
• Identify the Knowledge Assets for which access, usage, or exchange and related activities should be limited to only parties that have been granted explicit permission.
• Define the party seeking to engage in activities involving collaboration, coordination, usage, or exchange of a Knowledge Asset for which permission is required.
• Establish the criteria that a party must meet as a condition of obtaining permission to participate in activities involving a Knowledge Asset, and the procedures for doing so.
• Establish procedures for determining, validating, or verifying whether a party has met the applicable conditions required in order to grant or deny that party’s participation.
• Define any conditions or limitations in a party’s participation in activities involving a Knowledge Asset.
• Establish procedures to enforce permissions policies to prevent participation in activities involving a Knowledge Asset by unauthorized parties.
• Identify tools to be used in the permissions processes and ensure they are efficacious, authorized for use, and secure.
• Document instances of permissions being granted or denied.

Applicable Requirements: S1 Authorization; S3 Tools; S4 Policies & Procedures

Tools (S3)

Description: S3 is defined as electronic, virtual, or physical tools a party might use for activities involving collaboration or the acquisition, exchange, or management of data, information, and other Knowledge Assets, and the detailed procedures a party should follow for their safe, secure, and effective use. This requirement applies when a party will use such tools in collaboration and data- and information-sharing activities.

Examples:
• Required tools and specifications
• Allowable points of access (e.g., secured access for data centers)
• Allowable tools and conditions for allowable use (e.g., agency devices only, mobile devices, specific IP addresses)
• Required software applications (e.g., VPN for remote connection)
• Allowable software with required versions, acceptable uses, and conditions

Tool Output Guidance: You should consider the electronic, virtual, or physical tools a party may use to facilitate activities involving collaboration and coordination or the acquisition, exchange, use, or management of data, information, and other Knowledge Assets. You should also consider the detailed procedures a party should follow for their safe, secure, and effective use. For purposes of procurement, deployment, establishing usage guidelines, or ongoing usage of tools, consider the following four things:
• The efficacy of a tool and its ability to successfully fulfill or support activities involving collaboration, coordination, or exchange and usage of Knowledge Assets.
• The safety and security of, and a party’s authorization to use, a designated tool.
• The deployment and proper usage of the tool, including determining when, where, by whom, for what purpose, for how long, and under what conditions the tool can be used by certain parties.
• Management of the tool, including acquiring, deploying, maintaining, and protecting it.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
• Consult the applicable agency policies, procedures, and guidelines.
• Confirm the tool is authorized for use for a designated activity.
• Consider the efficacy of a tool and its ability to support the fulfillment of a party’s objectives.
• Identify and adhere to safety and security requirements to mitigate risk resulting from using the tool.
• Develop and enforce guidelines regarding the permissible and proper uses of the tool, including requirements for usage (e.g., power, connectivity, licenses).
• Develop guidelines to manage tools, including acquisition, deployment, maintenance, storage, security, and protection.
• Confirm the requirements for permissible use have been met, such as license requirements or service fees.
• Ensure the tools and media used to share or receive information or data are safe, secure, agency compliant, and authorized for use by all parties.
• Document instances when a tool is acquired, retired, in active use, undergoing repairs or maintenance, and used by or exposed to external parties.

Applicable Requirements: S1 Authorization; S2 Permission Procedures; S4 Policies & Procedures

Policies and Procedures (S4)

Description: S4 is the formal procedures a party is required to follow when engaging in collaboration or data- and information-sharing activities to comply with the requirements for safety and security and the roles and responsibilities of participating parties and relevant authorities. This applies when a party is required to comply with formal rules and guidance.

Examples:
• Established guidelines
• Acceptable use policies
• Mutually shared use policies (e.g., permissions to record meetings)
• Acceptable data formats
• Rules for ad hoc sharing
• Manuals and reference materials
• Training
• Data classifications

Tool Output Guidance: You are required to follow the policies and procedures and other guidance when communicating, collaborating, coordinating with other parties, or when using or exchanging data, information or other Knowledge Assets to comply with the requirements for safety and security. You should also refer to the policies and procedures or other guidance regarding the roles and responsibilities of participating parties and relevant authorities. This would include formal guidance or directives published by the agency, applicable regulatory requirements, and other mandates regarding the degree to which a specified activity, tool, Knowledge Asset, organization, or individual is permissible, prohibited, required, or subject to other prohibitions, limitations, and requirements for purposes of security, safety, and compliance. One usage of this tool is to populate the appropriate policies for each requirement.

Policies and Procedures: Link to applicable documents and agency policies & guidance or language indicating that no formal policy or guidance documentation is available.

Best Practices:
• Identify activities involving collaboration, coordination, communication, usage, or exchange of Knowledge Assets for which formal guidance has been developed and documented and where documentation is still needed.
• Define and document the security requirements, conditions, and limitations for proper usage, access, and participation for every Knowledge Asset and official activity or process involving collaboration, coordination, communication, usage, or exchange of Knowledge Assets.
• When developing policies, procedures, and guidance, consider how requirements and corresponding guidance may differ with varying roles, responsibilities, and levels of authority.
• Communicate policies and procedures to appropriate parties, including through training or other media, as needed.
• Consider the enforcement methods and enforce documented policies and procedures to ensure adherence and accountability for all internal and external parties.
• Conduct regular reviews of policies, procedures, and formal guidance to ensure its validity and effectiveness and to facilitate updates as needed.
• Encourage ongoing communication from agency users to ensure that policies and procedures do not discourage collaboration.

Applicable Requirements: S1 Authorization; S2 Permission Procedures; S3 Tools

B.3 Glossary of Terms

Access: The enabling of another party to view and utilize Knowledge Assets, such as data, information, knowledge, content, tools, media, processes, or environments by removing restrictions and barriers, by providing a mechanism to facilitate access and exchange, or both.

Access Controls: A party’s exercise of its ability or use of tools to control the exchange, access, or usage of virtual or physical assets with other parties, such as data, information, knowledge, tools, environments, media content, and other Knowledge Assets.

Ad Hoc: Activities involving unplanned, synchronous communication, collaboration, or data- and information-sharing activities that typically occur on a spontaneous or informal basis between parties.

Asynchronous: The usage, coordination, communication, or sharing activities of multiple parties that are mutually exclusive and independent, or coordination, communication, or sharing activities involving the same Knowledge Asset occur independently and at different times.

Authorization: The formal process of designating or determining that a specific party is permitted to participate in collaborative activities or in the use or exchange of Knowledge Assets, such as tools and functionality, or access, use, modify, or exchange virtual or physical data, information, or media content, and also in what manner, to what extent and when.

Collaboration: The mutual act of supporting or fulfilling another party’s business and operational needs to achieve common objectives through reciprocated coordination of strategy and operations, allocation of resources, and exchange of information.

Collaboration Tools: The electronic or physical tools, media, and virtual environments that enable parties to mutually engage in common work tasks involving a Knowledge Asset to produce a common output, which have been assessed and deemed permissible, safe, or secure to use by an agency user or external party, typically in conjunction with specific usage requirements, prohibitions, or other formal procedures.

Communication: The act of two or more parties engaging in the synchronous or asynchronous mutual exchange of knowledge or information to support business and operational objectives.

Compliance: The act of adhering to formal safety, security, proprietary, or privacy requirements, such as mandates, regulations, or official policy, while engaging in collaboration, coordination, communication, or data- and information-exchange activities.

Content: Data, information, or other physical and virtual Knowledge Assets that are rendered in an accessible format to enable its access, viewing, use, modification, exchange, or restriction.

Coordination: The mutual act of supporting another party’s business and operational needs through the reciprocity of strategy and operations, allocation of resources, and exchange of information to achieve separate but complementary or non-conflicting objectives.

Data: A set of values of qualitative or quantitative variables pertaining to one or more persons or objects that incorporates characteristics or information collected through observation. Datum is a single value of a single variable.

Data Sharing: Activities involving the exchange of a set of data between an agency and one or more external parties and the specific procedures or operational requirements a party must follow to facilitate its proper, safe, secure, and successful exchange.

Documentation: The act or the product of observing and recording the collaboration, coordination, communication, or data and information exchange activities of one or more parties, including outputs and notable results, for the purposes of developing and preserving an archival record. Documentation also refers to the process of classifying and annotating Knowledge Assets for organizational purposes.

Explicit Knowledge: Knowledge that has been documented or codified and thereby transformed into information (e.g., a set of facts or rules for what action should be taken given specific circumstances).

Finalized: Circumstance in which the quantity, value, status, condition, or other characteristics of data, information, or other Knowledge Asset is not subject to change over time.

Format: The key characteristics (e.g., type, organization, or other critical information) of a virtual or physical Knowledge Asset that must be known and accommodated to facilitate successful exchange, usage, or collaboration activities.

Goal: An aspirational objective toward which a party seeks to make progress by engaging in collaboration, coordination, communication, or data and information exchange activities.

Implicit Knowledge: Implicit Knowledge is a set of tacit knowledge that is commonly understood among two or more individuals.

Information Management: The custodianship of information and data resources through collecting, verifying, validating, authenticating, structuring, storing, curating, disseminating, archiving, and deleting data and information on behalf of those who use it to take effective action and make good decisions.

Integrity: The degree to which the quality, format, and state of a Knowledge Asset is whole, accurate, verified, validated, and unchanged from its intended state.

Knowledge: The understanding within an individual’s mind of information, its value, and its application that is derived from experience and used as the basis for judgment, prediction, decision-making, and action to achieve desired outcomes.

Knowledge Assets: A general term used to encompass data, information, content, or knowledge managed by or available to a party, including the media and tools used to acquire, verify, validate, store, access, modify or exchange them.

Knowledge Environment: The leadership, structures, and culture of an organization across people, process, and technology that facilitates or hinders the generation, flow, or retention of data to become information and subsequently knowledge.

Knowledge Management: The discipline of managing tacit and explicit intellectual capital as a strategic asset in a knowledge environment to optimize the generation, flow, and retention of knowledge between human-to-human, human-to-system, and system-to-system processes.

Knowledge Sharing: The explicit act of conveying an understanding within a designated individual’s mind regarding information, its value, and its application for judgment, prediction, decision-making, and action to achieve desired outcomes.

Intelligent Sharing: The act of facilitating human-to-human, human-to-system, system-to-human, or system-to-system collaboration or the sharing of data, information, or knowledge between internal and external agency partners in a way that is robust, safe, secure, and compliant, and that minimizes adverse risk.

Information: A set of data or facts that has been organized and presented with the context necessary to be valuable for use or application.

Information Sharing or Information Exchange: The act of exchanging (i.e., receiving or supplying) data, information, or other Knowledge Assets between two or more parties for the purpose of supporting the receiving parties’ business and operational needs.

Implementation and Products of Research Findings 63   Lifecycle Management The planned, controlled, and organized management (e.g., maintaining inventory, storage, access, modification, addition, or removal) of files, information, data, and other pertinent Knowledge Assets related to a project or task in a stored electronic media or paper format. Management Activities involving the acquisition, storage, usage, access, modification, exchange, distribution, reproduction, protection, security, and maintenance of a Knowledge Asset by its owner. Notification A communication delivered to a specified party to alert them that a particular condition pertaining to a Knowledge Asset has changed, has been met, has not been met, or that a certain event has occurred. Objective A specific, quantifiable, or tangible outcome that a party seeks to achieve by engaging in collaboration, coordination, communication, or data and information exchange activities. Ongoing A Knowledge Asset that is in a dynamic state of use and remains incomplete; the volume, value, status, and condition of its data and information is subject to change over time. Ownership The designation of or claim by a party to possess, control, or be responsible for a physical or virtual Knowledge Asset, such as data or information, knowledge, tools, processes, or outcomes. This entails responsibility for the safety, security, propriety, and privacy of the Knowledge Asset and its users, including the right to grant, limit, or deny access and usage to other parties. Party An individual or agency participating in collaboration, coordination, or data- and information-sharing activities involving the use or exchange of Knowledge Assets. 
Permission Procedures: The detailed steps a party should follow to ensure safety, security and compliance when determining, validating, or verifying the identity and authorization of a party, the value of data or its source, the availability and permissibility of a certain activity, or to grant or deny a specific party’s participation in activities involving collaboration, coordination, or usage and exchange of Knowledge Assets.

Policies and Procedures: Documentation of the formal actions a party is required to follow when engaging in collaboration, coordination, communication, or the usage and exchange of Knowledge Assets to comply with safety and security requirements or other conditions.

Restrictions: Specific conditions or requirements that limit the extent, degree, or nature to which a Knowledge Asset can be accessed, used, modified, or exchanged for purposes of safety, security, propriety, or privacy.

Risk: The probability and severity of an undesirable outcome resulting from collaboration or an activity involving the sharing of data, information, or knowledge (e.g., the likelihood that data or information could be exposed, leaked, misused, or corrupted), and the corresponding adverse material and political consequences.

Security: The external and internal factors, such as formal and informal policies, procedures, systems, and programs that prevent or enable the intentional or inadvertent occurrence of adverse action that corrupts or exposes people, data, and networks or other electronically connected systems.

Shared Media: Electronic tools that provide a common multi-media platform to facilitate communication, collaboration, or data- and information-sharing activities between two or more parties and that can produce a documented multi-media record of all communication and Knowledge Assets exchanged.

Synchronous: Circumstance in which two or more internal or external users are mutually engaged in real-time collaboration, coordination, communication, or sharing activities, or two or more collaboration, coordination, communication, or sharing activities involving the same Knowledge Asset are occurring simultaneously.

Tacit Knowledge: Knowledge that exists in an individual’s mind that is difficult to express or document (e.g., perception, intuition, experience, or know-how).
Threaded Conversations: Activities involving asynchronous communication, collaboration, or data- and information-sharing activities that occur between parties over a common electronic media platform and through which participants dynamically produce a documented record of all communication and the information and data exchanged.

Tools: The electronic, virtual, or physical implements used for activities involving collaboration or the acquisition, exchange, or management of data, information, and other Knowledge Assets.

Unrestricted: The state of a Knowledge Asset, such as data, information, or media, or the tools by which access to or usage of it is not explicitly limited or conditional and therefore can be shared or obtained by any party without adverse consequences.

Validation: The process of verifying the accuracy and integrity of a Knowledge Asset or that of an external party seeking access to a Knowledge Asset.

Verification: The process of confirming the validity of the identity or the state of quality and characteristics claimed by a Knowledge Asset, its source, or an external party. Verification is also the process of confirming that procedures have been followed or that requirements or conditions have been met.

Version Control: The practice of tracking and managing changes to content such as a document, software code, or other Knowledge Asset for purposes of ensuring the integrity and fidelity of the content and for the practical purpose of avoiding redundant or lost efforts. (Also known as source control or configuration management.)

Version Standard: A set of requirements to provide guidelines for establishing, implementing, maintaining, reviewing, and improving content such as a document, software code, or other Knowledge Asset for purposes of ensuring its integrity and fidelity.

Vulnerabilities: The points of weakness in a system in which data, information, or knowledge and information management processes can be exposed or corrupted via intentional or inadvertent adverse action.

A Note on Definitions

The definitions contained in this glossary are intended to help users to be aware of the key terms and the ways in which they are used in the secure collaboration tool. The terms defined are not comprehensive, nor are they intended to establish a definitive meaning for industry-wide usage. They are instead intended to clarify for transportation agency users how certain terms apply in the limited context of using the secure collaboration tool. Concepts related to activities involving collaboration and sharing of information between different parties are often esoteric to the knowledge management discipline. Hence, the definitions of these terms have been borrowed from numerous knowledge management-related sources and then adapted more generally to the needs of transportation agency staff seeking to understand agency requirements to promote collaboration and the sharing of information and data. See References for sources consulted when creating these definitions.

B.4 Adoption Plan

The success of this research project will depend in part on the extent to which, and how well, state transportation agencies adopt and utilize the collaboration tool. This section outlines a proposed adoption plan containing recommended activities to encourage the dissemination and adoption of the collaboration tool. These activities will promote the use of best practices for safe, secure, and compliant collaboration and data- and information-sharing activities in order to fulfill the objective of this research project.

Several activities are proposed that may facilitate the adoption and usage of the secure collaboration tool. The strength of any proposed activity to encourage both of these outcomes should be considered according to how well it fulfills the following objectives:

1. Promotes understanding of the potential benefits of improving safe and secure collaboration and the sharing of information and data for transportation agencies

2. Promotes understanding of the barriers to safe and secure collaboration and the sharing of information and data for transportation agencies and stakeholders
3. Promotes awareness of the collaboration tool among transportation agencies and key stakeholders as part of the solution (i.e., the existence of the tool, its availability, and how and why it addresses barriers)
4. Promotes adoption of the collaboration tool among policymakers for their agencies

Table B-3 presents five activities that fulfill one or more of these objectives for adoption and utilization.

Table B-3. Suggested adoption activities.

Opportunity: Deliver presentations to AASHTO and key committees.
Concept: Organize presentations to multiple AASHTO committees and councils to introduce the tool, its benefits, its deployment requirements, and other pertinent information.
Rationale & Relevance: AASHTO is the leading industry association coordinating numerous initiatives to improve the operations and capabilities of state transportation agencies. Its membership represents the most active and influential segment of transportation agency staff and policymakers with the potential to consider and adopt the collaboration tool. The cross-disciplinary nature of the topic and breadth of stakeholders requires outreach to multiple committees.
Objectives: Potential benefits, Barriers, Awareness, Adoption

Opportunity: Presentation at major industry conferences.
Concept: Organize presentations at multiple industry conferences to raise awareness of the need for, and opportunity to achieve, greater collaboration and sharing of information and data through the tool. Such industry events could include:
• TRB Annual Meeting
• ITS World Congress
• AMPO Annual Conference
• ITE Annual Meeting
• International Conference on Highway Engineering
Rationale & Relevance: Leading industry conferences and events present numerous opportunities to reach an active and influential segment of transportation agency staff and policymakers as well as key industry participants who would potentially use and benefit from the collaboration tool. The cross-disciplinary nature of the topic and breadth of stakeholder segments requires presentations at multiple industry events.
Objectives: Potential benefits, Barriers, Awareness, Adoption

Opportunity: Adoption workshop.
Concept: Organize a workshop with national representation from all state transportation entities to deliver hands-on training and instruction on the deployment and usage of the tool. Multiple workshops could be organized to accommodate scheduling needs and the potentially staggered rates of adoption among agencies.
Rationale & Relevance: Having the participation of agency staff in a hands-on workshop is the fastest and most effective method to promote the adoption and utilization of the collaboration tool, especially to the extent that workshop participants have the authority and capability to champion and promote adoption in their agencies.
Objectives: Potential benefits, Barriers, Awareness, Adoption

Opportunity: Publication in transportation journals.
Concept: Summarize and publish the research findings in leading academic, research, and other industry publications.
Rationale & Relevance: Promoting the research findings will raise awareness of the potential benefits from and barriers to safe, secure, and compliant collaboration and data- and information-sharing activities while also promoting awareness of the collaboration tool and its potential benefits.
Objectives: Potential benefits, Barriers, Awareness, Adoption

Opportunity: Demonstration pilots.
Concept: Select one or more transportation agencies to adopt and use the tool (see also Chapter 4: Future Research).
Rationale & Relevance: A demonstration pilot will highlight and help to address challenges to tool adoption and will quantify its benefits.
Objectives: Potential benefits, Barriers, Awareness, Adoption

State departments of transportation (DOTs) have various practices for ensuring information security, cybersecurity, and physical security, and for controlling permissions for interactive tools, which can make collaboration, information access, and knowledge sharing difficult.

The TRB National Cooperative Highway Research Program's NCHRP Research Report 1034: Guidelines on Collaboration and Information Security for State DOTs presents guidelines for facilitating secure collaboration and information sharing within state DOTs and with other transportation agencies.

Supplemental to the report are a Presentation and an Interactive Tool.
