5 FAH-8 H-100
WEB DEVELOPMENT HANDBOOK
5 FAH-8 H-110
WEB DEVELOPMENT
(CT:WEB-16; 07-24-2017)
(Office of Origin: IRM/OPS/SIO)
5 FAH-8 H-111 PURPOSE
(CT:WEB-1; 09-29-2005)
This handbook prescribes the basic procedures and practices
for developing websites/pages domestically and abroad. It is intended:
(1) For the use of officers, supervisors, or other
personnel who are directly or indirectly responsible for management of website
programs;
(2) For the design, development, and maintenance of
the web pages; and
(3) To establish the base standard, not to limit the
developer's creativity.
5 FAH-8 H-112 SCOPE
(CT:WEB-14; 05-24-2016)
a. This handbook contains specific guidelines for
design, development, and maintenance of the web pages. It also presents
guidance on managing web development programs.
b. Information contained in this handbook is relevant
to web pages on all Department of State networks, including but not limited to:
(1) OpenNet+;
(2) ClassNet; and
(3) The Internet.
It is applicable to SIPRNet except where requirements of
this handbook conflict with Department of Defense requirements for SIPRNet.
c. As a minimum, the requirements in 5 FAH-8 H-500,
Accessibility and Usability, apply to web-enabled applications.
d. Although individual websites do not require approval
of the IT Configuration Control Board (IT CCB), web-based applications may be
of sufficient scope as to meet IT CCB criteria. Web applications development
staff should consult with their bureau IT CCB representative when making this
determination.
e. Recommendations for additions, deletions, or
revisions to this handbook should be forwarded to IRM's Governance and Policy
Division (IRM/BMP/GRP/GP) to be considered during regular reviews.
f. Requirements and policies for approval of content
are outside the scope of this handbook. Refer to post/bureau procedures for
obtaining appropriate approvals.
g. Issues not addressed within this handbook are
omitted by design rather than oversight.
5 FAH-8 H-113 CODE EXAMPLES AND TYPOGRAPHICAL CONVENTIONS
5 FAH-8 H-113.1 Code Examples
(CT:WEB-16; 07-24-2017)
Examples of hypertext markup language (HTML) and cascading
style sheet (CSS) code shown in this handbook are not the only way to meet the
various requirements for website development. They have been tested on a
computer configured in accordance with the Directorate
of Cyber and Technology Security (DS/CTS) specifications and are
provided for the benefit of website developers who may not know how to
implement the feature being described.
5 FAH-8 H-113.2 Typographical Conventions
(CT:WEB-1; 09-29-2005)
Code examples are shown in a fixed-pitch Courier typeface. The
constant-width property of the characters allows the reader to distinguish
between single and multiple spaces.
5 FAH-8 H-114 AUTHORITIES
(CT:WEB-14; 05-24-2016)
Authorities for this handbook are:
(1) Executive Order 13526, as amended, Classified
National Security Information;
(2) Americans with Disabilities Act of 1990, 42 U.S.C.
12101 note et seq.;
(3) Rehabilitation Act of 1973, 29 U.S.C. 794d et
seq., as amended (Section 508);
(4) Children's Online Privacy Protection Act, 15
U.S.C. 6501 et seq.;
(5) Government Paperwork Elimination Act, 44 U.S.C.
3504;
(6) Information Technology Management Reform Act of
1996 (Clinger-Cohen Act), Public Law 104-106, Division E;
(7) Federal Information Security Management Act of
2002, Public Law 107-347, Section 301, 44 U.S.C. 3541-3549;
(8) OMB Directive M-15-13, Policy to Require Secure
Connections Across Federal Websites and Web Services;
(9) OMB Memorandum M-99-18, Privacy Policies on
Federal Websites;
(10) OMB Circular A-130, Management of Federal
Information Resources, 61 Federal Register 6428 (1996);
(11) OMB Memorandum M-05-04, Policies for Federal
Agency Public Websites, December 17, 2004;
(12) OMB Memorandum M-00-13, Privacy Policies and Data
Collection on Federal Websites, June 22, 2000;
(13) United States Information and Educational Exchange
Act of 1948 (Smith-Mundt Act), as amended, 22 U.S.C. 1461; and
(14) 36 CFR 1194.22, Web-based Intranet and Internet
Information and Applications.
5 FAH-8 H-115 ROLES AND RESPONSIBILITIES
(CT:WEB-14; 05-24-2016)
a. The successful design and production of a website
require an interdisciplinary team, which may be composed of FTE personnel and,
when determined to be effective, contractors. The composition and overlap of
duties of the web program team will vary, depending upon the needs of the website,
the available budget, and the availability of expertise. However, most websites
require expertise in three distinct groups: content, graphic design, and
technology.
b. There are many different titles for the various
roles and responsibilities of a web team. The responsibilities associated with
each role must be performed regardless of the title assigned to the role:
(1) Content manager: Responsible
for defining the content of part or all of a website. The content manager will
focus on the use of language throughout the website. Tasks may involve
proofreading and editing copy, massaging content to ensure a common voice for
the site, and creating new content. The content manager is responsible for
ensuring the information provided on the website is current and accurate. The
content manager is also responsible for ensuring information forbidden by 5 FAM 776.3 is
not included on the website;
(2) Database administrator: If
a database is used to maintain information displayed on a website, a database administrator
will be responsible for ensuring high degrees of data integrity and data
quality are maintained;
(3) Developer: Responsible
for creating the website to meet the requirements and specifications of the website
development program. The development team works closely with the content
manager and database administrator to produce a website that meets these goals.
Depending on the size of the program, this may be a team consisting of:
(a) Information architect: Responsible
in broad terms for the design tasks of deciding how to structure, select, and
present information (inclusive of information architecture, information
visualization, and information retrieval);
(b) Writer/editor: Responsible
for routine, ongoing organization of content; writing/editing names of links,
titles, and other web page text; editing documents and defining appropriate
breakdowns due to page length; reading documents and selecting appropriate
metatags, etc.; and
(c) Graphic designer: Responsible
for the graphic design and page layout that defines the graphic identity or
look of the website;
(4) Program manager: An
individual who may require program manager certification and who has overall
responsibility for the initial development and operational maintenance of the website.
The program manager is responsible for coordinating the requirements with
those organizational elements that will use the site to convey information; and
(5) Technical (web administration):
Responsible for the server administration and the development or integration of
site production tools and website applications. Provides advice regarding
technology-related opportunities and limitations.
c. Website asset owners must certify their websites
are configured and maintained to comply with the HTTPS requirements in
accordance with OMB Directive M-15-13. The website asset owner will verify
that the websites are listed in the Integrated Management, Analytics, and
Technology Resource for Information Exchange (iMATRIX) application within the
HTTPS compliance field, along with all the appropriate architectural details.
iMATRIX is located at:
http://imatrix.irm.state.gov/.
d. Websites must employ Department-issued PKI
certificates for implementing HTTPS session authentication and encryption.
Contact the PKI Program Office in IRM/FO/ITI/SI/IIB at
PKIRegistrationCenter@state.gov to obtain
Department PKI certificates.
e. Websites must demonstrate that the cryptographic
modules used for HTTPS have been validated under FIPS 140-2. Information on
validated cryptographic modules is available at
http://csrc.nist.gov/groups/STM/cmvp/.
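An added check, not part of the handbook, that a website asset owner could run against captured responses before certifying HTTPS compliance under H-115 c. The pass criteria (plain HTTP redirects to HTTPS, the HTTPS response carries HSTS, and the HSTS max-age is at least one year) are assumptions drawn from M-15-13 practice rather than text of this handbook, and the sample responses are constructed.

```python
"""Pre-certification check for the HTTPS requirement of 5 FAH-8 H-115 c (OMB M-15-13).
Assumed pass criteria (not from the handbook): HTTP redirects to HTTPS, the HTTPS response
carries Strict-Transport-Security (HSTS), and HSTS max-age is at least one year (31536000 s)."""
from urllib.parse import urlparse

MIN_HSTS_MAX_AGE = 31536000  # one year in seconds (assumed threshold)

def parse_hsts(value):
    """Split an HSTS header into {directive: value or None}; names are lower-cased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives

def assess_https_policy(http_response, https_response):
    """Return a list of findings; an empty list means the site passes every check.

    Each response is a dict {"status": int, "headers": {lower-cased name: value}},
    the shape a scanner would build after fetching http://host/ and https://host/.
    """
    findings = []
    status = http_response["status"]
    if status not in (301, 302, 307, 308):
        findings.append("plain HTTP is served directly (status %d), not redirected" % status)
    else:
        location = http_response["headers"].get("location", "")
        if urlparse(location).scheme != "https":
            findings.append("HTTP redirect target is not HTTPS: %r" % location)
    hsts = https_response["headers"].get("strict-transport-security")
    if hsts is None:
        findings.append("HTTPS response carries no Strict-Transport-Security header")
    else:
        max_age = parse_hsts(hsts).get("max-age")
        if not (max_age or "").isdigit() or int(max_age) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age %r is below %d seconds" % (max_age, MIN_HSTS_MAX_AGE))
    return findings

# Constructed sample responses; not captured from any real Department site.
WEAK_SITE = {
    "http": {"status": 200, "headers": {"content-type": "text/html"}},
    "https": {"status": 200, "headers": {"strict-transport-security": "max-age=300"}},
}
COMPLIANT_SITE = {
    "http": {"status": 301, "headers": {"location": "https://www.example.gov/"}},
    "https": {"status": 200, "headers": {
        "strict-transport-security": "max-age=31536000; includeSubDomains; preload"}},
}

if __name__ == "__main__":
    for name, site in (("weak", WEAK_SITE), ("compliant", COMPLIANT_SITE)):
        print(name, assess_https_policy(site["http"], site["https"]) or ["passes"])
```

The FIPS 140-2 and Department PKI requirements in paragraphs d and e are not covered by this check; they are verified against the certificate chain and the server's cryptographic module, not against response headers.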
5 FAH-8 H-116 DEFINITIONS
(CT:WEB-14; 05-24-2016)
Accessibility: The degree to
which the content of a website is available to everyone, including persons with
disabilities.
Active Server Pages (ASP):
Microsoft's server-side technology for dynamically-generated web pages in
conjunction with a Microsoft Internet Information Services (IIS) web server.
Applet: A small program,
frequently in Java script, that can be embedded in an HTML page. Applets
differ from full-fledged applications in that they are not allowed to access
certain resources on the local computer, such as files and serial devices
(modems, printers, etc.), and are prohibited from communicating with most other
computers across a network. The current rule is that an applet can only make
an Internet connection to the computer from which the applet was sent.
Authentication: Providing a
password or using an encryption key to prove you are who you say you are.
Bandwidth: The amount of data
that can be transmitted in a fixed amount of time. For digital devices, the
bandwidth is usually expressed in bits per second (bps) or bytes per second.
For analog devices, the bandwidth is expressed in cycles per second (cps), or
Hertz (Hz).
Baud rate: Rate at which
packets of data are sent and received through the network. These rates are
defined in terms of bps. The higher the baud rate, the faster the connection.
Deprecated: In the context of
this document, deprecated is used in its specific technical meaning to describe
a feature that has been phased out or is in the process of being phased out,
and/or is no longer recommended for usage.
Development network: A
dedicated standalone network consisting of not more than fifteen user accounts
and used exclusively for developing websites and local applications.
DMZ: A DMZ, demilitarized
zone, is a subnetwork that sits between a trusted internal network and an
untrusted external network.
Domain names: The plain-language
address that points to a numeric internet protocol (IP) address. A fully
qualified domain name includes a top-level, second-level, and third-level
component. Domain name structure is:
(1) Top-level: The extension
or country code located at the right of the domain name. Top-level domain
names that do not include a country code are assumed to be in the United
States. Examples: .gov for government, .fr for France;
(2) Second-level: The top-level
combined with a name which describes the company or organization. Example:
state.gov;
(3) Third-level: The
second-level combined with the name of the host server where web-based services
can be located. Examples: www.state.gov identifies the web server at the
Department of State within the Federal government; www2.state.gov might
identify a second web server in the Department of State; and
(4) Sub-domain: A further
division of the second-level. Example: webx.irm.state.gov points to a host
server named "webx" on subdomain "irm" of domain
"state.gov".
E-zine: An electronic magazine
or journal.
Extensible Markup Language (XML):
A simplified subset of Standard Generalized Markup Language (SGML), XML is a
very extensible markup language used to describe many different kinds of data,
with the aim of making such data easier to share across systems and over the
Internet.
Extranet: An extranet is
partially accessible to authorized outsiders and requires a valid user name and
password, which determines the level of access.
Graphical interchange format (GIF):
GIF files support 8-bit (256) colors and are best used for illustrations
and flat graphics.
Home page: The first page of a
website that commonly acts as a menu to other pages. A web portal is an
example of a home page.
HyperText Markup Language (HTML):
The language used to describe web pages. Browsers interpret HTML documents and
display the text and graphics represented in the code.
iMATRIX: The Department's IT portfolio management tool
that serves as the single authoritative source for information on Department
technology investments, programs, projects, and assets. It merged and replaced
two legacy repositories, ITAB and eCPIC.
Information architecture: The
content organization of a website (similar to the outline for a book with
chapters, subchapters, cross-references, index).
Internet (upper-case I): The
commonly accepted name for the vast collection of interconnected networks that
all use the TCP/IP protocols and that evolved from the ARPANET of the late 1960s
and early 1970s. The Internet has no access controls and is publicly
accessible.
Internet (lower-case i): Any
time you connect 2 or more networks together, you have an internet.
Internet Protocol (IP) address:
An identifier for a computer or device on a network employing
Transmission-Control Protocol/Internet Protocol (TCP/IP). Networks using the
TCP/IP protocol route messages based on the IP address of the destination. The
format of an IP address is a 32-bit numeric address written as four numbers
separated by periods. Each number can be 0 (zero) to 255. The local (loopback) IP
address of your computer is 127.0.0.1.
Intranet: A private network
inside a company or organization that, at a minimum, resides behind a firewall
and requires a user name and password for access.
IP protocol: A guaranteed
delivery protocol within the TCP family of protocols. Individual packets that
comprise a communication may be transmitted by different routes through the
network to reach their destination. IP ensures:
(1) Each packet reaches the destination; and
(2) The packets are reassembled in the correct
sequence (see also UDP protocol).
Java: A powerful programming
language originally developed by Sun Microsystems that is used by software
developers to build a variety of applications, including web pages.
Joint Photographic Experts Group (JPEG):
A method of compressing bitmapped images that allows for variable degrees of
compression (low, medium, high, and maximum quality). There is some loss of
image quality when a compressed image is decompressed.
OpenNet+: A physical and
logical global network that uses Internet Protocol (IP) and links the
Department of State's domestic and overseas Local Area Networks (LANs). The
physical aspect of the network uses Diplomatic Telecommunications Service (DTS)
provided X.25 circuits for posts abroad, FTS-2001 provided X.25 circuits,
leased lines, and dial-up public switched networks. This includes interconnected
hubs, routers, bridges, switches, and cables. The logical aspect of the
network uses Network Management System (NMS) and TCP/IP software, and other
operational network applications.
Portable Document Format (PDF):
Adobe's file format for creating documents that are independent (hence,
portable) from the original software, operating systems and hardware used to
create them. In addition to open source readers for many platforms, Adobe also
provides the free Acrobat Reader software for viewing PDF files.
Portable Network Graphics (PNG):
A bitmap image format used largely on the World Wide Web. PNG allows for
greater bit depth (more colors per image) than GIF yet, unlike JPEG, is a
lossless compression format, meaning that there is no loss of image quality
when an image is compressed or decompressed.
Script: Also called a macro or
batch file, a script is an ordered list of commands that can be executed as a
unit without user interaction. During execution, a script can require a
response from a user. A script language is a simple programming language with
which you can write scripts. Common script languages include: JavaScript,
Visual Basic (VB), Perl, and PHP: Hypertext Preprocessor (PHP).
Search engine: A computer
program that helps a user find information on the Internet.
TCP/IP: An acronym for
Transmission Control Protocol/Internet Protocol: The set of rules that allows
computers to communicate on a network.
UDP protocol: A nonguaranteed
delivery protocol within the TCP family of protocols. Individual packets that
comprise a communication may be transmitted by different routes through the
network to reach their destination. UDP is used when lost packets are
tolerable, such as periodic readings from an outdoor weather station (see also
IP protocol).
Uniform Resource Locator (URL):
The address of a website that includes the protocol used to reach the target
server (http, https, ftp, etc.) and the host system (domain name) on which the
document resides. The URL may also include the directory path to the document,
and the document filename. The URL http://www.state.gov identifies the
protocol http and the domain name www.state.gov. The absence of a path and
filename causes the host system to use locally assigned default values.
Upgrade: A new version of a
website or web page designed to replace an older version of the same product.
Usability: The ease with which
a user can locate information on a website.
Web browser: Software that
communicates with web servers via the HTTP protocol and translates HTML pages
and image data into a nicely formatted, on-screen display, or in the case of
browsers for the vision-impaired, other alternative interface technologies.
Web portal: A term used to
describe a website that is intended to be the first place people see when using
the web. Typically, a "portal site" has a catalog of websites, a
search engine, or both. A portal site may also offer e-mail and other services
to entice people to use that site as their main "point of entry"
(hence "portal") to the web. A web portal is commonly referred to as
simply a portal.
Website: A website is a
related collection of files and information that includes a beginning file
called a home page. An organization or individual tells you how to get to its website
by giving you the IP address (e.g., 192.168.0.1) or domain name (e.g.,
companyname.com or office.gov) of its home page (e.g., http://www.companyname.com).
Upon arrival at a home page you can navigate to all the other pages or
information on that website. Multiple websites can cross-link to files on each
other's sites or even share the same files. Websites on the Internet first
appeared in the form of HTML-based files.
World Wide Web Consortium (W3C):
An association of corporations, research groups, nonprofit organizations, and
governmental agencies that are working together to define a web infrastructure
based on open, interoperable standards.
5 FAH-8 H-117 THROUGH H-119 UNASSIGNED