10 FAM 180
Official Communication Using Social Media
(CT:PEC-56; 11-20-2018)
(Office of Origin: R/PPR)
10 FAM 181 SOCIAL MEDIA INTRODUCTION
(CT:PEC-38; 08-24-2017)
Digital Diplomacy is an important tool of public
diplomacy. A key element of digital diplomacy is social media.
10 FAM 181.1 Official Use of Social Media
(CT:PEC-38; 08-24-2017)
a. Department organizations and personnel may access
and contribute unclassified content (both original entries and responses to
entries) on social media platforms in their official capacity. Department
personnel must obtain and document all required approvals prior to creating a
social media account used for official Department business (not personal use).
Official Department social media accounts must follow federal rules and
regulations guiding their use by federal agencies and associated personnel.
b. To engage on social media in an official capacity,
personnel must use an account created specifically for official use that is
separate from an account used for private, personal use.
c. Employees must adhere to the public information
dissemination clearance requirements found in 3 FAM 4170 and 10 FAM 120.
d. Supervisors may not compel personnel either to
create a personal account or personal profile at any social media site or to
post personal entries at any public site. Personnel enrolled in training
programs that utilize social networking programs may be required to create a
personal account for the duration of the training for the purpose of
instruction. Personnel may retain or delete the account or profile at their
sole discretion upon the end of the training program.
10 FAM 181.2 Creating an Official Public Social Media Site or Application
(CT:PEC-38; 08-24-2017)
a. Official Department social media sites and content
must be clearly labeled and identifiable as such. Naming conventions and
disclosure statements may vary in form and/or content depending on the
account's documented purpose, as well as the governance framework guiding use
of the account for official Department business. Please see the Social Media
Hub for platform-specific guidelines for naming and properly disclosing
official Department social media assets and/or projects.
b. Domestically, creation of social media sites for
official purposes must have management approval at the Deputy Assistant
Secretary (DAS) level or above, and be cleared through the Bureau of Public
Affairs in accordance with 3 FAM 4175.1.
At post, creation of official accounts must be approved by the Public Affairs
Officer (PAO). The creation of a new official account necessarily involves
accepting the underlying terms of service for the account's platform or
service. Terms of service can be problematic and must be carefully reviewed by
personnel with contracting authority or by the Office of the Legal Adviser
before a decision is made to accept them. Creation of new accounts may also be
subject to specific requirements within the bureau.
d. All Department social media sites used for official
public communications must be registered by visiting the Social Media Account
Registry on Diplopedia.
10 FAM 181.3 Social Media Advertising
(CT:PEC-38; 08-24-2017)
a. Management officers may authorize expenditures
(using a government credit card or otherwise) for social media advertising,
i.e., paid promotions of official social media content or accounts.
b. All federal and Department ethics rules and
regulations continue to apply to social media advertising, including the
prohibition on improper endorsements (5 CFR 2635.702), fundraising (5 CFR 950)
and the Hatch Act on prohibited political activities.
c. See 10 FAH for additional guidance in using social
media advertising.
10 FAM 182 OFFICIAL COMMUNICATION USING SOCIAL MEDIA
(CT:PEC-38; 08-24-2017)
a. Senior officials and other employees whose positions
make it appropriate for them to engage in official communications on behalf of
the Department over social media (Department social media spokespersons) must
not use personal social media accounts to do so. They must use official social
media accounts, created and owned by the Department.
(1) Department social media spokespersons must be
instructed before they begin their positions that they will not be able to use
their personal social media accounts for official communications, and that
content on personal social media accounts must comply with 3 FAM 4176.
Forwarding, linking to, or otherwise reposting official content on a personal
social media account will not ordinarily constitute official communications if
the content was first released on an official platform, provided that it is
clear from the circumstances that the personal social media account is not
being used to communicate on behalf of the Department.
(2) When Department social media spokespersons begin
their positions, they are provided access to official social media accounts,
and they will lose access to those accounts when they leave that position.
Whenever possible, the same account is passed from one incumbent in a position
to the next. As such, account names include only the office or position (e.g.,
@USEmbConsularManila, @USAmbManila); they do not include personal names.
(3) Missions, bureaus, or offices must maintain a list
of their authorized official social media accounts and the credentials for
those accounts. Accounts are created in accordance with 5 FAM 793.
b. In order to put a human face on the Department's
social media presence, Department social media spokespersons are authorized,
but not required, to post certain kinds of personal content to their official
accounts (e.g., posts about family news, pictures of pets, discussions of
hobbies). This personal content may be considered official communications and
must comply with, among other things, restrictions on partisan political
activities, endorsements of commercial goods or services, fundraising and
solicitations, official actions affecting financial interests, and the
publication of information that could compromise the security of the individual
or others. See 3 FAM 4175.2, Content of Official Capacity Public
Communications, for additional guidance on content of official communications.
c. All accounts that have been used for official
communications are considered Department accounts, and are either retained by
the Department for use by the next incumbent or retired in accordance with
applicable records disposition schedules, as appropriate.
The content of such accounts is also retired in accordance with applicable
records disposition schedules.
10 FAM 183 Social Media Site Management
(CT:PEC-38; 08-24-2017)
a. All social media sites require ongoing oversight to
ensure proper management. In addition, the sites require sufficient
maintenance and a commitment of resources. Department personnel should be
aware of these commitments, before requesting supervisory approval.
b. Supervisors are responsible for ensuring social
media sites under their purview are actively used to deliver an appreciable
return on investment that advances organizational strategic goals.
c. Responsibilities for social media site management
should be included in position descriptions and staff work requirements, as
appropriate.
d. Social media sites that no longer advance the
strategic goals of the Department and/or fail to meet performance objectives
should be retired from use. Any social media account, site, platform, or other
asset type eligible to be retired must follow Department procedure for retiring
social media accounts and their content.
10 FAM 184 Impersonations on Social Media
(CT:PEC-38; 08-24-2017)
a. Impersonations, or the creation of an account that
is intended to be mistaken for another account, are not permitted on most major
U.S.-based social media platforms, including Facebook and Twitter.
International Information Programs' (IIP's) Digital Support and Training
Division is responsible for coordinating with U.S.-based third-party social
media platforms to assist Department personnel in addressing situations where
sites or accounts are impersonating official U.S. Government sites or accounts,
including seeking removal of imposter accounts in an expedited manner.
Impersonation accounts are not the same as parody accounts. Parody accounts
pretend to be another account but for humor, satire, or other reasons that rely
upon the viewer's ability to tell that the account is not real, and they are
generally permitted under platforms' Terms of Service.
b. If you determine that there is an impersonation
account on Facebook, you must file a ticket with Facebook and then email IIP's
Digital Support and Training Division at IIPSMS@state.gov with relevant details
for documentation so that the ticket may be elevated with Facebook.
c. If you determine that there is an impersonation
account on Twitter, you must report the imposter to Twitter using this form and
forward the autoreply email from Twitter, including the ticket number, to
IIPSMS@state.gov to expedite the removal process with Twitter.
d. If you determine there is an impersonation account
on another platform, you must follow that platform's reporting guidelines and
notify IIPSMS@state.gov.
e. You must not interact with or acknowledge the
impersonator to avoid encouraging further activity.
10 FAM 185 Terms of Use/Terms of Service
(CT:PEC-38; 08-24-2017)
a. Department accounts should make clear that members
of the public opting to use official Department sites must abide by both the
Terms of Service of the hosting commercial or third-party platform and the
Department's Terms of Use.
b. Terms of Service refers to a contract between the
users and the providers of a service. Pertaining to the Department's use of
social media, terms of service define the contractual relationship between
the Department as the holder/owner of the account itself, and the social media
platform on which that account has been established. Social media platforms
often require users to agree to Terms of Service (also known as User Agreement
or End User License Agreements) in order to use the service or platform. This
acceptance binds the Department of State to the terms outlined in the Terms of
Service agreement. To accept Terms of Service on behalf of the Department, the
individual accepting the agreement must be a direct-hire Department of State
employee. Acceptance can take place only after review and approval of the Terms
of Service by personnel with contracting authority or by the Office of the
Legal Adviser.
c. Terms of Use is a very similar concept, but the
Department uses it to refer to an agreement between the Department and the
non-Department social media users who are accessing State Department accounts
or sites. Because social media users often access information and post
commentary on official Department social media sites, those sites must include
a Terms of Use statement that defines the site as a "limited public
forum" for engagement between the U.S. government and the public, and
explains responsibilities of site administrators and site users, rules of
behavior, privacy policies, and other terms. If the user must create an
account just for the State Department social media site, agreement to the Terms
of Use should be a requirement for registration. Site administrators must post
the Terms of Use before opening the site to the public. When users follow or
subscribe for updates from official social media accounts, they are requesting
additional information from the Department, constituting an information service
provided to the public by the government.
d. Department personnel are authorized to notify
commercial or third-party platforms of violations of those platforms' Terms of
Service by users, which may result in the removal of content or banning users
(per the platforms' Terms of Service). Such notification is required in the
case of impersonations of U.S. government officials or entities per 10 FAM 184.
e. Department personnel are authorized to remove
content users post to an official site (as they are able, given the features of
the platform) that is found to violate the Department-posted Terms of Use.
Department personnel are further authorized to ban users who repeatedly post
content violating the Terms of Use.
10 FAM 186 Protecting Government Social Media Accounts
(CT:PEC-56; 11-20-2018)
a. Bureaus and posts must authenticate all official
Facebook, Twitter, and other social media accounts in the Department's standard
social media management tool, Hootsuite Enterprise. Further guidance can be
found on IIP's Social Media Hub Tag.
b. The following are required practices when administering
official Department social media accounts:
1. Secure Passwords: Using a
unique, complex password is essential to protecting official Department
accounts. Passwords must be unique to the account (not used for other
accounts), at least 12 characters long, and must include a mix of uppercase and
lowercase letters, numbers and symbols. Good passwords should not be based
around words or phrases that are easy to guess. You must change the password
regularly: at least every 60 days, or sooner if there is any indication an
account may be compromised, or following employee transitions. Users are
required to implement these password policies both for their Hootsuite and
platform-specific credentials, as both can be used to access a social media
account.
2. Do not share official social media account
passwords with anyone outside the Department.
3. Protect against Credential
Harvesting: Credential harvesting occurs when a malicious actor obtains
a victim's username and password in order to access the victim's email,
banking, or social media accounts. This may be accomplished through social
engineering to trick the victim into sharing this information voluntarily, or a
malicious actor may send a spear phishing message by email, text message, or on
social media. A link in the spear phishing message would direct the target to
a malicious Web site impersonating the login page for the social media
platform. Believing they are logging into the real Web site, the victim would
enter their credentials, and the malicious actor would be able to access or
hijack the victim's account.
c. To protect against credential harvesting, always
verify the legitimacy of the sender when a message asks you to open a link or
attachment. If you receive notice of suspicious activity, manually navigate to
the account settings on that social media platform instead of clicking the link
provided in the e-mail. When entering credentials online, verify that the URL
of the Web page displays the prefix https, not http; this will help identify
malicious pages impersonating the legitimate login page. If you suspect
credential harvesting activity, contact the Cyber Incident Response Team at
CIRT@state.gov and the local Information Systems Security Officer (ISSO).
4. Use multi-factor authentication (also known as
two-factor authentication). When two-factor authentication is enabled for an
account, the user will be required to enter an additional piece of information
besides a password when logging in (usually a short numeric code that can only be
used once). Two-factor authentication must be used whenever available and
practicable. When feasible, it is strongly recommended to use app-based
two-factor authentication services.
5. Secure email accounts: Posts
and bureaus must use a ".gov" email address as the primary e-mail
account for managing an official Department social media account. If (and only
if) the social media platform requires using a personal social media or e-mail
account for authentication purposes, you may use, but are not required to use,
personal accounts to manage official social media accounts. The same security
precautions, including password requirements and two-factor authentication,
must be used for any non-".gov" email address used to administer an
official social media account. When using a personal Facebook account to
manage an official Department Facebook page, register the personal account /
email address using Hootsuite so as to be able to act in the event of a cyber
incident.
6. Protect endpoint devices: Where
possible, anti-virus software must be installed on any non-OpenNet device
(including personally-owned devices) you use to access Department accounts.
These devices should be properly patched, including the operating system and
all applications and software. When entering credentials online, always ensure
connections to social media sites display the prefix https, not http. At
the end of a session, ensure the session is ended by logging out of the service
platform and closing the browser, not just the browser tab.
7. Limit access: Posts and
bureaus must limit the number of individuals with access to their official
social media accounts. Grant access to as few Department personnel as feasible
to manage the account effectively.
8. Use Hootsuite Enterprise: Every
official Department Twitter and Facebook account must be integrated into and
accessible via the Hootsuite Enterprise social media management tool. This
tool allows for centralized control of accounts in the event of a crisis at
post, providing posts backup support from Regional Digital Coordinators,
Consular Affairs New Media Unit and other authorized offices and users in
Washington. Guidance on how to authenticate official media accounts in
Hootsuite Enterprise is available on IIP's Social Media Hub.
9. Register individual accounts: Hootsuite
Enterprise users must register their individual user accounts using their
individual official .gov email address. Access will not be granted to group or
shared Hootsuite or email accounts or non-.gov accounts. Exceptions may be
granted on a case-by-case basis by submitting a thorough explanation of the
need for an exception to IIP's Digital Support and Training division at
IIPSMS@state.gov.
10. Use multi-factor authentication:
In addition to using multi-factor authentication to secure official
social media accounts when accessed directly (10 FAM 186),
multi-factor authentication must also be used when accessing official
government social media accounts via the social media management tool, if
technically feasible. A mobile app for multi-factor authentication can be used
to generate codes without the use of text messaging and should be used for this
purpose; such apps can also be used to sign into other third party sites such
as Facebook.
d. For additional information on Protecting Government
Social Media Accounts, refer to 16 State 5974 and DS Awareness Social Media.
e. Refer questions to IIP's Digital Support and
Training Division at IIPSMS@state.gov.