5 FAM 720
GENERAL POLICIES
(CT:IM-231; 11-13-2018)
(Office of Origin: IRM/BMP)
5 FAM 721 GENERAL POLICIES
(CT:IM-231; 11-13-2018)
a. Access to the Internet through the Department of
State's facilities is for official and unclassified use by authorized
personnel. Limited personal use is authorized as described in 5 FAM 723,
Personal Use of U.S. Government Equipment. The OpenNet is the network for
intra-Departmental unclassified and Sensitive But Unclassified (SBU) email, web
and other standard client/server computer systems services.
b. All users of the Internet and Department of State
Intranets (classified and unclassified) through the Department of State's
facilities are required to abide by the security requirements outlined in 12 FAM 600,
Information Security Technology. For more information, contact the Directorate
of Cyber and Technology Security (DS/CTS).
c. Email messages may be subject to the Federal
Records Act and/or they may be considered official records. Official business
messages shall comply with the requirements of the Federal Records Act. See 5 FAM 443 Electronic Mail (Email) Records for more information.
5 FAM 722 RESPONSIBILITIES
5 FAM 722.1 Chief Information
Officer
(CT:IM-33; 02-27-2002)
The Chief Information Officer:
(1) Provides technical policy and related procedural
guidance for establishing, operating, and maintaining sites on the Intranet and
Internet domestically and for locations abroad;
(2) Maintains liaison with the Assistant Secretary for
Public Affairs and the Coordinator for International Information Programs to
provide policy oversight and guidance to ensure the effective dissemination of
foreign affairs information on the Internet;
(3) Serves as the authority for Department wide
information systems security programs. In conjunction with this authority,
implements and maintains security solutions on worldwide Department networks
developed in conjunction with the Assistant Secretary for Diplomatic Security
to prevent unauthorized access and tampering;
(4) Provides operational support to all Department
bureaus, posts, and tenant organizations to protect Department IT resources
from computer virus invasion and to recover IT systems that have been infected
by computer viruses;
(5) Develops handbooks and other guidance, as
necessary, to direct or assist with Intranet and Internet activities;
(6) Evaluates evolving web technologies and tools for
deployment on Department sites to improve their efficiency and effectiveness;
(7) Provides host servers and expertise for the
ongoing development of the Intranet. Maintains Intranet servers and develops
sites for other Department elements on a fee-for-service basis;
(8) Provides TCP/IP address and network management for
all sites. Advises and assists locations abroad in adding their sites to the
worldwide network;
(9) Administers firewall protection for Department
networks;
(10) Performs operational monitoring of networks to
detect unauthorized access and for improper use by employees;
(11) Provides network traffic management in accordance
with policies approved by the ITCCB and administered by the Office of
Enterprise Network Management. Provides application monitoring of Internet and
Intranet use; and
(12) Models and analyzes network traffic growth and
prepares an annual Network Capacity Plan for the Department which is used for
circuit management in cooperation with DTS-PO. Models, tests, and analyzes new
bureau enterprise applications for their impact on network performance and
capacity. These results are reported to the ITCCB.
5 FAM 722.2 Assistant Secretary for
Diplomatic Security
(CT:IM-33; 02-27-2002)
The Assistant Secretary of Diplomatic Security:
(1) Implements the Departments intrusion detection
system program;
(2) Implements a computer security awareness training
program, that includes Internet and Intranet security;
(3) Implements and maintains security solutions on
worldwide Department networks developed in conjunction with the Chief
Information Officer to prevent unauthorized access and tampering;
(4) Provides consultation on Internet web page
development to ensure the content does not violate security requirements
contained in 12 FAM 600,
Information Security Technology;
(5) Leads the Computer Incident Response Team (CIRT)
and is the point of contact for reporting unauthorized activity on Department
of State computer systems. Diplomatic Security is responsible for providing
incident reports to the OIG and other appropriate offices; and
(6) Provides computer and communications security
evaluations.
5 FAM 722.3 Assistant Secretary for
Public Affairs
(CT:IM-175; 03-15-2016)
The Assistant Secretary for Public Affairs:
(1) Operates and maintains the Department of States website
which is the official primary point of public access to information about the
Department and Departmental foreign policy material;
(2) Provides content and design guidance to Department
elements that publish public web pages in order to ensure credibility of
information released and to maintain a degree of consistency in its appearance
throughout the Department. Approves Internet publication of information in
accordance with clearance procedures outlined in 10 FAM 142, Electronic/Hard-Copy
Dissemination; and
(3) Works with the Coordinator for International
Information Programs on website content related to public diplomacy programs
abroad.
5 FAM 722.4 Coordinator for
International Information Programs
(CT:IM-175; 03-15-2016)
The Coordinator for International Information Programs:
(1) Operates and maintains the International
Information Program home page for the Department;
(2) Provides advice and assistance to missions abroad
that set up their own web pages. Serves as the primary point of contact for
guidance on content of pages containing material related to the public
diplomacy mission; and
(3) In conjunction with the Office of the Assistant
Legal Adviser for Public Diplomacy (L/PD) and the Bureau of Public Affairs
(PA), oversees compliance with the Smith-Mundt Act, which prohibits domestic
dissemination of public diplomacy program materials the Department has prepared
for dissemination abroad.
5 FAM 722.5 Department Heads of
Bureaus, Offices and Other Elements
(CT:IM-175; 03-15-2016)
Department heads of bureaus, offices, and other elements
are responsible to:
(1) Establish a process for identifying information
appropriate for posting to the Internet or Intranets;
(2) Ensure all information to be placed on public websites
is properly reviewed for security levels of sensitivity and is cleared through
the Public Affairs' Office of Electronic Information, as necessary, using Form DS-1837,
Request for Approval of New or Recurring Information Dissemination (see 10 FAM 142,
Electronic/Hard-Copy Dissemination);
(3) Ensure appropriate privacy, security, copyright
notices and any other applicable disclaimers are used on all web pages under
their purview;
(4) Conform to Department security requirements and
cooperate with all risk assessments conducted on their web sites;
(5) Provide for regular functional review and
management oversight of all web pages under their purview;
(6) Provide resources to adequately support website
operations including funding, equipment, staffing and training; and
(7) Work with A/GIS/IPS to preserve email and other
data that qualify as Federal records (see 5 FAM 443,
Electronic Mail (Email) Records and NARA regulations).
5 FAM 722.6 Internet/Intranet Site
Managers
(CT:IM-33; 02-27-2002)
The following responsibilities apply to all sites, whether
managed internally with Department resources, or by an external Internet
service provider. Internet/Intranet site managers are responsible to:
(1) Ensure that a system is in place to provide
effective day-to-day operation and maintenance of web servers or pages in their
control, including making routine backups and contingency plans in the event of
external attack or server failure;
(2) Immediately report server anomalies or evidence of
unauthorized access to the computer incident response team (CIRT) and information
systems security officer (ISSO);
(3) Ensure internally hosted sites conform to all
Department security requirements. Site managers using external Internet service
providers should select those that most closely meet Department security
requirements and recommendations;
(4) Ensure no classified information or NOFORN (No Foreign
Dissemination) material is published on any unclassified Internet or Intranet
site and that no SBU (Sensitive But Unclassified) material is published on the
Internet;
(5) Assist users in learning how to use web browser
software;
(6) Keep all operating system software, web server,
and anti-virus software updated with the latest ITCCB-approved patches,
releases, and definitions. In the case of externally hosted sites, encourage
the hosting Internet service provider (ISP) to do the same;
(7) Keep website content current. Remove old pages
that are no longer relevant or useful. Routinely verify that links are still
valid;
(8) Ensure the Departments Cookie Policy as described
in 5 FAM 741,
General Policy, is enforced; and
(9) Comply with the revised Section 508 of the
Rehabilitation Act of 1973, on accessibility of websites.
5 FAM 722.7 Intranet and Internet
Users
(CT:IM-175; 03-15-2016)
A user is any person who is given Intranet and Internet
access. Internet and Intranet users must:
(1) Follow email usage policies as outlined in 5 FAM 750, Electronic
Mail (Email) Policy, and Internet access policies stated in 5 FAM 780,
Internet Access;
(2) Ensure that only unclassified data is transmitted
unencrypted via the Internet;
(3) Appropriately mark the classification of email
messages, as detailed in 5 FAM 753,
Marking Email; and
(4) Abide by the user security requirements outlined
in 12
FAM 600, Information Security Technology.
5 FAM 722.8 Office of Inspector
General
(CT:IM-33; 02-27-2002)
The Office of the Inspector General:
(1) Conducts an annual evaluation of the Department of
States information security program that may include the use of the Internet
and Intranet, under the Government Information Security Reform Act;
(2) Investigates misuse of U.S. Government computer
resources for personal gain, and the excessive personal use of official U.S.
Government computers; and
(3) Investigates conduct when the Internet and/or
Intranet is being used by an employee or contractor of the Department of State
in furtherance of a fraud or crime.
5 FAM 723 PERSONAL USE OF U.S. GOVERNMENT EQUIPMENT
(CT:IM-175; 03-15-2016)
The following policies, in addition to all relevant laws
and regulations, including those relating to copyright, trademark, obscenity,
defamation, the right of privacy, false advertising, and fraud, apply to all
U.S. Government equipment and all methods of accessing the Internet using U.S.
Government equipment. In addition to such laws and regulation, use of U.S.
Government equipment and the Internet is governed by the Standards of Ethical
Conduct for Employees of the Executive Branch. The definitions in 5 FAM 724,
Monitoring and Auditing Policies, shall apply for purposes of this section:
(1) Employees may make personal use of unclassified
Department of State office equipment if it involves negligible additional
expense to the U.S. Government such as electricity, ink, small amounts of
paper, and ordinary wear and tear. Such use is authorized as long as only
small amounts of paper are involved and as long as the use does not interfere with
official duties;
(2) Personal use of U.S. Government classified
computers is strictly prohibited;
(3) Employees may use the Internet if basic access to
the Internet does not result in increased cost to the Department. Employees
may use the Internet in moderation, on personal time, for matters that are not
directly related to official business. This includes the use of Internet email;
however, anyone making personal use of Internet email should make it clear that
his or her personal email is not being used for official business (see 5 FAM 752.1, Prohibitions
When Using Email;
(4) Employees have no expectation of privacy while
using any U.S. Government-provided access to the Internet. The Department
considers electronic mail messages on U.S. Government computers, using the
Internet or other networks, to be government materials and it may have access
to those messages whenever it has a legitimate purpose for doing so. Such
messages are subject to regulations and laws covering government records, and
may be subject to Freedom of Information Act (FOIA) requests or legal discovery
orders;
(5) Employees must conduct themselves professionally
in the workplace and must refrain from using Department resources for
activities that may be offensive to co-workers or to the public;
(6) The following personal uses of U.S. Government
equipment and networks are strictly prohibited, regardless of whether the use
occurs on or off government premises or whether the use is during or outside
normal work hours:
(a) Use that results in an additional charge to the U.S.
Government. It is the employee's responsibility to be aware whether an
additional cost is involved;
(b) Use that compromises the security of U.S. Government
systems. For example, email attachments sometimes contain a virus or other
destructive package. Up-to-date virus protection software must be used. Be
particularly wary of ".zip" files, which can contain multiple
compressed files (including viruses);
(c) Viewing or accessing sexually explicit material;
(d) Visiting or subscribing to any Internet-based
service (e.g. mailing lists) in violation of any applicable law;
(e) Use that involves gambling; and
(f) Use that generates either personal income or income
for any organization with which the employee is affiliated including
advertising, conducting a personal business, soliciting clients, and making
sales; and
(7) Personal use of U.S. Government equipment must be
restricted to personal time, and must not detract from an employee's
performance of official duties. It is the responsibility of each employee to
protect and conserve U.S. Government property, and to use official time in an
honest effort to perform official government duties:
(a) Supervisors are authorized to, and should, limit
personal use if it becomes necessary because of cost, time away from official
duties, degraded computer or network performance, or other deviation from the
letter or spirit of this section;
(b) Where nonemployees are authorized access to or use
of U.S. Government equipment, they must comply with the policies set forth
above, as well as all other applicable legal and regulatory requirements;
(c) Failure to comply with the provisions in subsection
(a) may result in a number of corrective actions ranging from minor to severe.
For example, employees accessing, distributing, or generating pornography using
Department resources are subject to disciplinary action that may include
dismissal and/or applicable legal proceedings; and
(d) The personal use of U.S. Government equipment and
Internet access is a privilege, not a right. It may be restricted or revoked,
whenever appropriate, in the interest of the U.S. Government.
5 FAM 724 Monitoring and Auditing
Policies
(CT:IM-175; 03-15-2016)
a. As stated in 5 FAM 723, Personal
Use of U.S. Government Equipment, is a privilege, not a right, and there is no
expectation of privacy while using any U.S. Government-provided equipment or
access to the Internet. It is imperative that individuals make every effort to
maintain the security of the network, comply with all requirements, and act in
such a manner that will not bring discredit on the Department. Monitoring and
auditing user activity is a means by which the Department can ensure compliance
with 5 FAM 723.
b. Definitions, roles and responsibilities:
(1) The term supervisor will refer to the supervisor
or higher-level manager of an employee. A supervisor may request an audit of
an employee's activities on government-owned communications equipment or
networks;
(2) The reviewing official makes the decision whether
an audit is justified and has the authority to task the systems administrators,
information system security officers, and firewall administrators to conduct an
audit and report the result:
(a) Domestically, the reviewing official function shall
rest with the office director or higher; the bureau executive director may also
serve as the reviewing official; and
(b) Overseas, the reviewing official function shall rest
with the deputy chief of mission at an embassy, or consul general/principal
officer at other posts, or their designee;
(3) An employee may be a Department employee in the
Foreign Service, Civil Service, or locally employed staff (LE staff); an employee of another U.S. Government agency
authorized to use Department resources; or a contract employee working on a
Department contract;
(4) Nonemployees include all other authorized users
such as eligible family members at overseas posts. Nonemployees will be held
to the same standards of use as employees when using government equipment;
(5) Firewall administrators will be responsible for
reviewing audit logs for email and Internet access as directed by a reviewing
official; and
(6) Systems administrators and/or information system security
officers (ISSOs) will be responsible for reviewing content of local workstation
files and server files as directed by a reviewing official. Personal use of
government equipment is any IT activity that does not support the official
business of the Department.
c. Continuous monitoring is performed to ensure the
integrity of the Department networks and systems. Activities found in the
course of continuous monitoring that appear to be in violation of applicable
law, regulation, or policy will be referred to Diplomatic Security for investigation
(see 12
FAM 600, Information Security Technology), or refer to the employee's
reviewing official for action. Continuous monitoring includes but is not
limited to:
(1) ISSO review of audit logs for security violations
as required in 12
FAH-10 H-120, Audit and Accountability;
(2) Firewall administrator review of audit logs for
inappropriate access and use of the Internet;
(3) Firewall administrator review of audit logs of
electronic communication activity for inappropriate content and/or attachments;
and
(4) System administrator and/or ISSO audit of user
workstations to ensure a prescribed configuration is in effect.
d. Auditing of an employee's network activity or
workstation use, which includes but is not limited to electronic communication,
Internet access, local disk files, and server files, may be performed under the
following conditions:
(1) When there is suspicion that improper use of government
equipment has occurred;
(2) When the concurrence of a reviewing official has
been obtained. The supervisor identifying a need to audit an employee's
activity or workstation must explain the reasons for requesting an audit to the
reviewing official who has authority to approve the audit;
(3) The reviewing official must send a memorandum to
whomever performs the audit, authorizing the audit to be conducted;
(4) The results of the audit must be returned to the
reviewing official who will make a determination whether the reported
activities should be referred to Diplomatic Security (DS) for further investigation.
Where appropriate, matters may be addressed administratively as described in
subparagraph d(5) of this section; and
(5) Where an allegation of improper use of government
equipment has been substantiated by an audit:
(a) An allegation against a U.S. Government employee
will either be addressed administratively within the employee's bureau or all
documentation will be forwarded to HR for review and administrative action as
described in 3 FAM 4300,
Disciplinary Action (Including Separation for Cause) [Foreign Service], or 3 FAM 4500,
Civil Service Disciplinary and Adverse Actions;
(b) An allegation against a contractor will be addressed
by the cognizant contracting officer and domestically the bureau executive
director or overseas the deputy chief of mission at an embassy or consul
general/principal officer at other posts;
(c) An allegation against a nonemployee may result in
suspension of the privilege to use government equipment and, in some
circumstances, may subject the nonemployees sponsor to discipline; and
(d) Should the allegation result in disciplinary action,
Department employees have the right to appeal as described in 3 FAM 1560,
Processing Mixed Case Complaints. Employees of organizations other than the
Department should refer to their own organizations for appeals procedures.
5 FAM 725 THROUGH 729 UNASSIGNED