Viewable by the world
Group Access to CIO
Can VIEW the space: cio-editors ,  anonymous ,  all-lbnl-users ,  confluence-administrators , 
Can EDIT the space: confluence-administrators , 
Can ADMINISTER the space: confluence-administrators , 

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Parent Policy: Lifecycle Management for Information, Hardware, Software, and Services
Document #:



Wireless Networking

Installation and attachment of wireless network equipment to LBLnet is not allowed. We monitor for and remove these 'rogue access points'.

Wired Networking

LBLnet is the sole provider or wired networking. Installation of personal switches, firewalls, and NAT devices are allowed. Users need explicit permission to participate in routing protocols, runs DHCP servers, send RA's, send BPDU's, or otherwise attempt to manage the network. LBLnet staff reserves the right to disconnect equipment from LBLnet, including NAT devices, when it is deemed necessary to protect operational stability or security.

IP Address and Host Name Allocations

Allocation of IP-related configurations (ip addresses, host names in, etc). This includes names of services inside and outside where such services could cause confusion with institutional services. IT may reject or change/require changes to hostnames or service names where they conflict with institutional services or appear to represent institutional services (e.g. A single science division may not manage "" or "", nor can a single division utilize or etc...).

Domain Name Server (DNS)

Advertising of DNS services to the internet

Network Time Protocol (NTP)

Advertising of NTP services 

Domain Registrar

LBNL owned domain properly must use the LBNL IT Division registrar service.

Telephony, including cellular

Provision of laboratory telephones, PBX, cell towers, and wiring

Applications containing Protected Information

Protected Information includes Personally Identifiable Information. This information is most often contained in the Human Resources Information System (HRIS) and the Financial Management System (FMS). Berkeley Lab must protect this information as it faces fines in the event of inappropriate disclosure.

Public address systems, radio communication, wired intercoms, and alarms.

All systems related to physical security and life safety communication, and spectrum management.

Email Servers Exposed to Internet

All email servers with exposure to the internet must be approved.

SSL certificates for systems in the namespace.

SSL certificates are purchased centrally so that they can be tracked.

Data Centers and Closets

Any special purpose room that provides environmental controls designed for computing and networking must be coordinated with IT and Facilities.  Datacenters and closets must be designed to meet efficiency standards and must be managed to ensure these standards are met.

Specific Procurement Controlled Items

IT implements additional controls on the procurement of a small number of items to ensure appropriate security and appropriate use of resources. The full list can be found in Procurement's Restricted Item list and includes cellular phones, tablets with cellular service, all cellular services, laptops/desktops limited to specific channels (to ensure they are tagged), wireless access points, and items that require additional justification such as smartwatches and fitness trackers.

This also includes internet service reimbursement which is subject to the procedures here: 9-02-320 - High Speed Remote Access Provisioning and Reimbursement

Operations and Directorate Web ServicesWith the launch of BLDS in 2022, all Ops and Directorate web development must take place in either OpsWeb, BLDS, or an IT approved alternative based on individual project needs.   Email [email protected] for additional information.
titlePolicy Implementing Document

This document helps implement a Berkeley Lab policy in the Requirements and Policies Manual.


Send feedback to [email protected].