
Acceptable Use Policy
- Document ID: AUL-POL-05
- Version: 1.0
- Classification: Internal
- Owner: Chief Technology Officer / ISSM
- Effective: TBD-YYYY-MM-DD
- Next Review: TBD-YYYY-MM-DD
1. Purpose
This policy defines the acceptable use of Aulendur Labs information systems, networks, and data by all personnel. It establishes rules of behavior that protect organizational assets, Controlled Unclassified Information (CUI), and contractual obligations while supporting mission execution. This policy implements NIST SP 800-171 Rev. 3 controls 03.01.09 (System Use Notification), 03.01.20 (Use of External Systems), and 03.15.03 (Rules of Behavior).
2. Scope
This policy applies to:
- Personnel: All employees, contractors, interns, advisors, and any individual granted access to Aulendur Labs systems or data.
- Systems: All Aulendur-owned or managed systems, including production infrastructure (Linode, Cloudflare, AWS), corporate IT (Google Workspace, GitHub, 1Password, Slack), endpoints (company and personal devices used for Aulendur work), and the planned CUI Enclave (AWS GovCloud).
- Networks: Aulendur office networks, VPN connections, and any network used to access Aulendur systems.
- Data: All Aulendur data in any form, at all classification levels.
3. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Chief Executive Officer (CEO) | Approves this policy. |
| Chief Technology Officer (CTO) / ISSM | Owns this policy; investigates alleged violations; approves external system use for CUI. |
| All Personnel | Read, acknowledge, and comply with this policy; report violations. |
4. Policy Statements
4.1 General Principles
4.1.1 Aulendur Labs information systems are provided for authorized business purposes. You may use them for incidental personal use provided such use does not: (a) interfere with your work duties, (b) consume significant system resources, (c) violate any law or regulation, or (d) create a security risk.
4.1.2 You have no expectation of privacy when using Aulendur systems. Aulendur reserves the right to monitor, log, audit, and inspect all activity on its systems, including email, file access, web browsing, and messaging, to the extent permitted by law.
4.1.3 All personnel shall sign an acknowledgment of this policy before receiving access to Aulendur systems. This acknowledgment shall be renewed annually.
4.2 System Use Notification
4.2.1 All Aulendur systems that support interactive login shall display a system use notification (login banner) before granting access (NIST SP 800-171 R3 03.01.09). The banner shall state:
NOTICE: This is an Aulendur Labs, Inc. information system. By accessing this system, you consent to monitoring and recording of all activity. Unauthorized use is prohibited and may result in disciplinary action, civil liability, and criminal prosecution. Use of this system constitutes acceptance of the Acceptable Use Policy (AUL-POL-05).
4.2.2 The CTO/ISSM shall deploy login banners on: (a) Google Workspace (custom login message), (b) SSH access to production and development servers (Linode, AWS), (c) VPN login, and (d) the CUI Enclave (when operational).
4.3 Authorized Use
4.3.1 You shall use Aulendur systems only for: (a) activities directly supporting your assigned duties, (b) authorized research and development, (c) professional development activities approved by your supervisor, and (d) incidental personal use as described in 4.1.1.
4.3.2 You shall access only the systems, data, and resources for which you have been explicitly authorized. Attempting to access systems or data beyond your authorization is prohibited, regardless of whether the attempt succeeds.
4.3.3 You shall use your own uniquely assigned credentials. You shall not share passwords, API keys, SSH keys, or YubiKey hardware tokens with any other person. You shall not use another person's credentials.
4.4 Prohibited Activities
4.4.1 The following activities are prohibited on Aulendur systems:
- (a) Accessing, downloading, storing, or transmitting illegal material.
- (b) Accessing, modifying, or deleting data or systems without authorization.
- (c) Installing unauthorized software on Aulendur-managed endpoints without CTO/ISSM approval.
- (d) Disabling, bypassing, or tampering with security controls (antivirus, endpoint detection, firewalls, disk encryption, MFA).
- (e) Connecting unauthorized devices to Aulendur networks or production systems.
- (f) Using Aulendur systems for cryptocurrency mining, personal commercial activities, or any activity unrelated to Aulendur business beyond incidental personal use.
- (g) Sending unsolicited bulk email or messages from Aulendur accounts.
- (h) Intercepting, sniffing, or recording network traffic not addressed to your systems, except as authorized for security monitoring.
- (i) Running vulnerability scanners, penetration testing tools, or exploit frameworks against Aulendur or third-party systems without written CTO/ISSM authorization.
- (j) Storing Aulendur Confidential, CUI, or ITAR-controlled data on personal cloud storage (iCloud, personal Google Drive, Dropbox, OneDrive personal), personal USB drives, or unauthorized external systems.
- (k) Sharing Aulendur Confidential, CUI, or ITAR data via unauthorized channels (personal email, unauthorized messaging apps, social media, public file sharing services).
- (l) Connecting or using covered telecommunications equipment or services prohibited under Section 889(a)(1)(A) and (a)(1)(B) of the FY2019 NDAA — specifically Huawei, ZTE, Hytera, Hikvision, or Dahua products (or their subsidiaries and affiliates).
4.5 Email and Messaging
4.5.1 You shall use Aulendur Google Workspace email (@aulendur.com) and Slack for all business communications. You shall not use personal email accounts for Aulendur business.
4.5.2 You shall not open attachments or click links in emails from unknown or suspicious senders. Report suspected phishing to the CTO/ISSM immediately via the Phishing Reporting SOP (forthcoming) or by forwarding the email to the designated security alias.
4.5.3 Email containing CUI shall include "CUI" in the subject line and shall be transmitted only via Google Workspace with TLS 1.2+ encryption verified. CUI shall not be sent to personal email addresses.
4.6 Internet and Web Use
4.6.1 Internet access from Aulendur systems is permitted for business purposes and incidental personal use. You shall not access websites that host illegal content, malware, or that pose a known security risk.
4.6.2 You shall not download or install browser extensions without CTO/ISSM approval. Browser extensions with broad permissions (access to all site data, clipboard, etc.) are prohibited unless specifically authorized.
4.7 Use of External Systems
4.7.1 You shall not process, store, or transmit Aulendur CUI or ITAR-controlled data on external systems (systems not owned or operated by Aulendur) unless the CTO/ISSM has verified that the external system meets NIST SP 800-171 R3 requirements and the use is authorized in writing (NIST SP 800-171 R3 03.01.20).
4.7.2 Authorized external cloud services for Aulendur business data (Internal and above) are limited to: Google Workspace, GitHub (AulendurForge organization), 1Password Business, Slack (Aulendur workspace), Linode, Cloudflare, AWS, and Modal. Use of any other external service for Aulendur data requires CTO/ISSM approval.
4.7.3 You shall not use public generative AI services (ChatGPT, Google Gemini, Claude via consumer web, etc.) to process Aulendur Confidential, CUI, or ITAR data. Use of generative AI tools for Aulendur work shall comply with the Generative AI / Third-Party AI Tool Use Policy (forthcoming).
4.8 Endpoint Security
4.8.1 You shall keep your Aulendur-managed endpoint's operating system and applications updated. You shall not defer security updates for more than 5 calendar days after notification.
4.8.2 You shall enable full-disk encryption on all devices used for Aulendur work: FileVault (macOS), BitLocker (Windows), or LUKS (Linux). You shall not disable disk encryption.
4.8.3 You shall lock your workstation (screen lock) when stepping away, or configure automatic lock after no more than 15 minutes of inactivity.
4.8.4 You shall not connect Aulendur-managed endpoints to untrusted public Wi-Fi networks without an active VPN connection.
4.9 Password and Authentication
4.9.1 You shall use a unique, complex password (minimum 16 characters) for each Aulendur system, generated and stored in 1Password Business. You shall not reuse passwords across systems.
4.9.2 You shall use your assigned YubiKey 5 (FIDO2/WebAuthn) for multi-factor authentication on all systems that support it, including Google Workspace, GitHub, 1Password, and production infrastructure.
4.9.3 You shall not store passwords in browsers, text files, sticky notes, or any location outside 1Password Business.
4.10 Reporting Obligations
4.10.1 You shall report the following to the CTO/ISSM within 1 hour of discovery: (a) suspected security incidents, (b) lost or stolen devices, (c) suspected malware infection, (d) unauthorized access attempts, (e) phishing attempts, (f) potential CUI spillage, and (g) any activity that may violate this policy.
4.10.2 You shall not attempt to investigate, contain, or remediate a security incident on your own unless directed by the CTO/ISSM. Preserve evidence and report.
5. Standards & Procedures Referenced
The following companion documents implement this policy:
- Information Classification & Handling Policy
- Remote Work / Telework Policy (forthcoming)
- Password & Credential Policy (forthcoming)
- MFA Policy (forthcoming)
- Generative AI / Third-Party AI Tool Use Policy (forthcoming)
- Phishing Reporting SOP (forthcoming)
6. Compliance & Enforcement
Violations of this policy may result in immediate revocation of system access and disciplinary action up to and including termination of employment or contract. Illegal activity will be reported to law enforcement. Violations involving CUI may trigger DFARS 252.204-7012 incident reporting obligations. Violations involving ITAR-controlled data may result in criminal penalties under 22 USC 2778.
7. Exceptions
Exceptions to this policy require written approval per the Policy Exception & Waiver Policy (forthcoming). Exceptions to CUI or ITAR handling requirements additionally require CEO approval. Exceptions are time-bounded, backed by compensating controls, and tracked in the Exception Register.
8. Definitions
| Term | Definition |
|---|---|
| CUI | Controlled Unclassified Information, per 32 CFR Part 2002. |
| ITAR | International Traffic in Arms Regulations (22 CFR 120-130). |
| External System | An information system not owned, operated, or managed by Aulendur Labs. |
| Incidental Personal Use | Brief, infrequent personal use of Aulendur systems that does not interfere with work, consume significant resources, or create security risks. |
| Login Banner | A system use notification displayed before or during the logon process informing users of monitoring and usage terms. |
| FIDO2 | Fast Identity Online 2, an authentication standard using public-key cryptography for phishing-resistant authentication. |
| Section 889 | Section 889 of the FY2019 NDAA prohibiting use of covered telecommunications equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua. |
9. References
- NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
- CMMC 2.0 Level 2, Cybersecurity Maturity Model Certification
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- Section 889, John S. McCain National Defense Authorization Act for Fiscal Year 2019
- ITAR (22 CFR 120-130), International Traffic in Arms Regulations
10. Control Mappings
| Framework | Control ID | Control Title | Coverage |
|---|---|---|---|
| NIST SP 800-171 R3 | 03.01.09 | System Use Notification | Full |
| NIST SP 800-171 R3 | 03.01.20 | Use of External Systems | Full |
| NIST SP 800-171 R3 | 03.15.03 | Rules of Behavior | Full |
| CMMC 2.0 L2 | AC.L2-3.1.9 | Privacy and Security Notices | Full |
| CMMC 2.0 L2 | AC.L2-3.1.20 | External Connections | Full |
| NIST SP 800-53 R5 | AC-8 | System Use Notification | Full |
| NIST SP 800-53 R5 | AC-20 | Use of External Systems | Full |
| NIST SP 800-53 R5 | PL-4 | Rules of Behavior | Full |
11. Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | TBD-YYYY-MM-DD | J. Gershenson | Initial issue. |
© Aulendur Labs, Inc. 2026. Internal use only unless otherwise classified.