|
Web Site Administration
Policies & Procedures
November 25, 1998
With Amendments and Corrections incorporated in red italics
(latest corrections from 11 January, 2002)
|
Office of the Assistant Secretary of Defense
(Command, Control, Communications & Intelligence)
6000 Defense Pentagon
Washington, DC 20301-6000
Department of Defense
WEB SITE ADMINISTRATION GUIDANCE
CONTENTS
DEPSECDEF
Memorandum Subject: Web Site Information Services DoD-Wide, dated November 25, 1998
implements the policies, responsibilities and procedures for Web Site
Administration. An electronic copy of this guidance is available at http://www.defenselink.mil/admin/about.html#WebPolicies.
Please forward comments, suggestions and recommendations for changes to: OASD (C3I), ODASD (Policy &
Implementation/Deputy CIO), 6000 Defense Pentagon, Washington, DC 20301-6000.
WEB SITE ADMINISTRATION
Part I – Policy & Responsibilities
November 25, 1998
1. PURPOSE
This document delineates the policy and assigns responsibility related to
establishing, operating and maintaining unclassified Web sites and other
related services. It supersedes the "Guidelines
for Establishing and Maintaining a Publicly Accessible Department of Defense
Web Information Service" jointly published by the Office of the Assistant Secretary of Defense
(Public Affairs) and the Office of the
Assistant Secretary of Defense (Command, Control, Communications and
Intelligence) on July 18, 1997 (updated January 9, 1998).
2. APPLICABILITY
This policy applies to:
2.1. The Office of the Secretary of Defense
(OSD), the Military Departments
(including the Coast Guard when it is
operated as a Military Service in the Navy),
the Chairman of the Joint Chiefs of
Staff, the Combatant Commands, the
Defense Agencies, and the
Department of Defense (DoD) Field
Activities (hereafter referred to collectively as "the DoD
Components") and to their contractors and consultants including those who
operate or maintain DoD Web sites for them, through incorporation into
contracts.
2.2. All unclassified DoD Web sites, both publicly and non-publicly
accessible.
2.3. Reviewing approval requests received from DoD contractors and subcontractors
relative to the posting of unclassified DoD information to a DoD contractor Web
site.
3. DEFINITIONS
Terms used in this document are defined in Part III.
4. POLICY
It is the policy of the DoD that:
4.1. Using the World Wide Web is strongly encouraged in that it provides the
DoD with a powerful tool to convey information quickly and efficiently on a
broad range of topics relating to its activities, objectives, policies and
programs.
4.2. The considerable mission benefits gained by using the Web must be
carefully balanced through the application of comprehensive risk management
procedures against the potential risk to DoD interests, such as national
security, the conduct of federal programs, the safety and security of personnel
or assets, or individual privacy created by having electronically aggregated
DoD information more readily accessible to a worldwide audience.
4.3. Each organization operating a DoD Web site will implement technical
security best practices with regard to its establishment, maintenance and
administration.
4.3.1. DoD Web sites containing
i) FOR OFFICIAL USE ONLY information, ii) information not specifically cleared
and marked as approved for public release in accordance with DoD Directive 5230.9 and DoD Instruction 5230.29
(references (h) and (o)), or iii) information of questionable value to the
general public and for which worldwide dissemination poses an unacceptable risk
to the DoD, especially in electronically aggregated form, must employ
additional security and access controls. Web sites containing information in
these categories should not be accessible to the general public.
4.4. Consistent with other leadership responsibilities for public and
internal communication, the decision whether or not to establish an
organizational Web site, and to publish appropriate instructions and
regulations for a Web site within the limitations established by this document,
is hereby delegated to each DoD Component.
5. RESPONSIBILITIES
5.1. The Assistant Secretary of Defense
for Command, Control, Communications and Intelligence (ASD (C3I)) shall:
5.1.1. Provide policy and
procedural guidance with respect to establishing, operating and maintaining Web
sites.
5.1.2. Maintain liaison with the Assistant Secretary of Defense for Public
Affairs to provide policy oversight and guidance to ensure the effective
dissemination of defense information via the Internet.
5.1.3. Provide technical support
consistent with existing Chief Information Officer (CIO) responsibilities.
5.1.4. Develop and maintain, in
coordination with the Chairman of the Joint
Chiefs of Staff, Under Secretary
of Defense (Personnel &Readiness), and General
Counsel, training guidance and requirements that addresses information
security on the Web.
5.1.5. Approve and publish DoD
Instructions and Publications, as necessary, to guide, direct, or help Web site
activities, consistent with DoD
5025.1-M (reference (kk)).
5.1.6. Provide a mechanism for
feedback reporting across DoD, to include "Lessons Learned" and the
identification of useful automated tools to aid in the conduct of
multi-disciplinary security assessments of Web sites.
5.1.7. Ensure compliance with
this policy.
5.2. The Assistant Secretary of Defense for Public Affairs (OASD (PA))
shall:
5.2.1. Operate and maintain
DefenseLINK (http://www.defenselink.mil) as the official
primary point of access to DoD information on the Internet.
5.2.2. In coordination with the
other OSD Principal Staff Assistants, provide oversight policy and guidance to
ensure the absolute credibility of defense information released to the public
through publicly accessible Web sites.
5.2.3. Establish and maintain a
central Web site registration system for the Department that meets the
requirements for the Government
Information Locator Service (GILS) and is integrated with Service-level
registration systems.
5.3. The Assistant Secretary of Defense
for Reserve Affairs and the Chairman of
the Joint Chiefs of Staff shall develop and implement a plan that uses
Reserve Component assets to conduct ongoing operations security and threat
assessments of Component Web sites.
5.4. The Secretaries of the Military
Departments shall establish and maintain a central registration system for
the respective service that meets the requirements for GILS and is integrated with DefenseLINK.
5.5. The Heads of the DoD Components shall:
5.5.1. Establish a process for
the identification of information appropriate for posting to Web sites and
ensure it is consistently applied.
5.5.2. Ensure all information
placed on publicly accessible Web sites is properly reviewed for security,
levels of sensitivity and other concerns before it is released. Detailed
requirements for clearance of information for public release are located in DoD Directive 5230.9 and DOD Instruction 5230.29
(references (h) and (o)) and Part II of this document.
5.5.3. Ensure approved DoD
security and privacy notices and applicable disclaimers are used on all Web
sites under their purview.
5.5.4. Ensure all information
placed on publicly accessible Web sites is appropriate for worldwide
dissemination and does not place national security, DoD personnel and assets,
mission effectiveness, or the privacy of individuals at an unacceptable level
of risk.
5.5.5. Ensure procedures are
established for management oversight and regular functional review of the Web
site.
5.5.6. Ensure operational
integrity and security of the computer and network supporting the Web site is
maintained.
5.5.7. Ensure that reasonable
efforts are made to verify the accuracy, consistency, appropriateness, and
timeliness of all information placed on the Web site.
5.5.8. Register each publicly
accessible Web site with the Government
Information Locator Service (GILS).
5.5.9. Provide the necessary
resources to adequately support Web site operations to include funding,
equipping, staffing and training.
5.5.10. Ensure that a
comprehensive, multi-disciplinary security assessment is conducted of their Web
sites within 120 days of the promulgation of this document, and at least
annually thereafter.
5.5.11. Provide a mechanism for
feedback reporting within the Component, to include "Lessons Learned"
suitable for all DoD Components.
5.5.12. Ensure compliance with
this policy for those functions, missions, agencies, and activities in their
purview.
5.5.13. Grant waivers on a
non-delegable basis to a provision of the procedures contained in Part II of this document when it has been determined that
immediate implementation would adversely impact essential mission
accomplishment. Instances where such waivers have been granted will be reported
to the Assistant Secretary of Defense (C3I).
6. EFFECTIVE DATE. This policy is effective immediately.
WEB SITE ADMINISTRATION
Part II – Procedures
November 25, 1998
With Amendments and Corrections incorporated in red italics (latest corrections from 11 January, 2002)
1. PURPOSE
This document delineates the processes and procedures related to
establishing, operating and maintaining unclassified Web sites and other
related services. It also provides guidelines for the review of material prior
to its posting to Web sites.
2. WEB SITE ESTABLISHMENT
2.1. Support of Mission. Each Web site shall have a clearly defined purpose
that supports the mission of the DoD Component. The Head of the DoD Component,
or his/her designee in accordance with official policies, shall approve the
defined purpose and general content of the Web site. Non-copyrighted material,
text, clip art, hypertext links, images and sound or video clips may be used
only if they directly relate to the Component’s mission.
2.2. Web Site Security Accreditation. Each organization establishing a Web
site shall institute a security certification and accreditation procedure in
accordance with DoD Directive 5200.40 (Reference (v)). Successful
implementation depends on defining security requirements early in the process
of establishing a Web site. All security-related disciplines (computer,
communications, personnel, etc.) shall be considered in the requirements
definition for the Web site. Cost versus risk tradeoffs shall be evaluated and
security requirements assigned accordingly.
2.3 Single Source Information. For the purpose of preventing duplication on
the Web, a Web site shall normally be limited only to information for which the
establishing organization is responsible. Web sites that contain information
pursuant to the requirements of the Electronic Freedom of Information Act, 5
USC 552(a)(2)(D) & (E) (reference (j)) are exempt from this restriction.
Information from other sources on the Internet will not be copied but will be
referenced or otherwise linked. This does not prevent information providers
from mirroring or replicating information for performance, security or other
mission-related reasons. However, when this is done, the information provider
posting the replicated file on its server should contact the content owner of
the information and obtain written permission to replicate the information. No
copyrighted information may be posted in this process without the permission of
the copyright owner. Procedures must also be established for updating the
information. In addition, the releasability of the information must be verified
by the source from which it is copied. The DoD information provider should
continue to control the information to ensure its protection from inappropriate
manipulation and make reasonable efforts to verify its currency and accuracy.
2.4. Web Site Registration. All DoD Web sites shall register with the
appropriate Service-level site or directly with DefenseLINK.
3. INFORMATION POSTING PROCESS
3.1. DoD Component Heads and Heads of subordinate organizations that
establish Web sites are responsible for instituting a process for the
identification of information appropriate for posting to Web sites and the
appropriate security and access controls. The steps of this process (see
illustration 1) include:
3.1.1. Identification of
information that needs to be conveyed quickly and efficiently and thus will
benefit from the attributes of the Web;
3.1.2. Identification of a
specific target audience for the information;
3.1.3. Identification of the DoD
Originating Office for the information if the sensitivity of the information or
distribution restrictions on its release cannot be readily ascertained;
3.1.4. Review of the content for
sensitivity and distribution/release controls, including sensitivity of
information in the aggregate;
3.1.5. Determination of the
appropriate access and security controls;
3.1.6. Approval of the
information for public release in accordance with DoD Directive 5230.9 and DoD Instruction 5230.29
(references (h) and (o)) if it is to be posted to a publicly accessible Web
site;
3.1.7. Posting the information,
once all required steps have been taken;
3.1.8. Verification; and
3.1.9. Feedback reporting, to
include "Lessons Learned."
Illustration 1. Information Posting Process
3.2 Identification of Information. The World Wide Web provides the DoD with
a powerful tool to convey suitable information quickly and efficiently on a
broad range of topics relating to its activities, objectives, policies and
programs. It is at the heart of the Defense Reform
Initiative and is key to the reengineering and streamlining of our business
practices. The American democratic process rests on the right of our citizens
to know what government is doing, and the corresponding ability to judge its
performance. Access to information by the public through the Web is an
important component of this right. Nevertheless, careful examination of the
potential consequences of placing information on the Web must be undertaken
before it is made available.
3.2.1. The identification of a
need to post information to a Web site will normally be made by the entity that
generates the information and thus has the best knowledge of its content.
3.3. Identification of Target Audience. Illustration 2 depicts many of the
target audiences for DoD information posted to the Web. Only information of
value to the general public and which does not require additional protection
should be posted to publicly accessible sites on the World Wide Web.
Information requiring additional protection, such as FOR OFFICIAL USE ONLY
(FOUO) information, information not specifically cleared and approved for
public release, or information of questionable value to the general public and
for which worldwide dissemination poses an unacceptable risk to the DoD,
including military personnel and civilian employees, should be placed on Web
sites with security and access controls.
Illustration 2. Target Audience
3.4. DoD Originating Office (DOO). Is the entity that created or sponsored
the work that generated the information or received/acquired the information on
behalf of the DoD. The DOO has the responsibility for assigning appropriate
markings to information to include its sensitivity (i.e. classified, FOR
OFFICIAL USE ONLY, or other distribution control markings for unclassified
information), its releasability to the public, and the approved audience for
access (e.g. DoD only, contractors, general public, etc.). The DOO shall be
consulted whenever there is doubt with regard to the sensitivity of the
information or distribution restrictions on its release.
3.5. Content Review.
3.5.1. Clearance Requirements for
Publicly Accessible Web Sites. Heads of DoD Components must establish, in accordance
with DoD Directive 5230.9
and DoD Instruction 5230.29
(references (h) and (o)), clearance review procedures for official DoD
information that is prepared by or for DoD personnel and is proposed for
posting to publicly accessible Web sites.
3.5.2. The above procedures must
address the need for trained and knowledgeable personnel, familiar with the
rules governing FOR OFFICIAL USE ONLY (FOUO) information as well as pertinent
security classification guides, as appropriate. Such individuals must also be
familiar with the aspects of the organization’s operations considered critical,
its vulnerabilities, as well as the pertinent threat in order to assess the
nature of the risk associated with posting specific information to Web sites.
This risk assessment must also include the increased sensitivity of certain
information when electronically aggregated in significant volume.
3.5.2.1. In assessing the
increased sensitivity that information may assume in electronic format, it is
necessary to take into account the attributes of data mining (i.e., the
nontrivial extraction of implicit, previously unknown, and potentially useful
information from data). Data mining uses machine learning, statistical and
visualization techniques to discover and present knowledge in a form, which is
easily comprehensible to humans.
3.5.2.2. The content provider
will also take into account the form in which the information was distributed,
such as press releases, press conferences, or publicly disseminated documents,
the susceptibility of the information to data mining, and the likelihood that
the information could directly lead to the discovery and presentment of knowledge
that is otherwise controlled (e.g., classified information or FOUO
information). Also to be assessed is a specific risk to the Department's
credibility if publicly released information is omitted and/or deleted from the
Web.
3.5.2.3. If the overall risk
resulting from posting the information is determined to be unacceptable, the
information must be afforded security and access controls. Part
V of this document provides additional guidance in this area while the
paragraphs below provide specific prohibitions.
3.5.3. FOR OFFICIAL USE ONLY
(FOUO). Information, the disclosure of which would cause a foreseeable harm to
an interest protected by one or more of the exemptions to the Freedom of Information Act (FOIA), shall not be posted to
a publicly accessible Web site. This information is designated FOUO pursuant to
reference (j). While records containing FOUO information will normally be
marked at the time of their creation, records that do not bear such markings
shall not be assumed to contain no FOUO information without examination for the
presence of information that requires continued protection and qualifies as
exempt from public release. This may require coordination with the DOO for the
information. The following examples are illustrative of the type of information
that may be considered to be FOUO. These examples are not an exclusive listing
and they are not intended to offer any guidance in responding to Freedom of Information Act (FOIA) requests.
3.5.3.1. Analysis and
recommendations concerning lessons learned which would reveal sensitive
military operations, exercises or vulnerabilities.
3.5.3.2. Reference to
unclassified information that would reveal sensitive movements of military
assets or the location of units, installations, or personnel where uncertainty
regarding location is an element of a military plan or program.
3.5.3.3. Personal information
including compilations of names of personnel assigned to overseas, sensitive,
or routinely deployable units.
3.5.3.4. Information, the
release of which would be a clearly unwarranted invasion of personal privacy,
to include the following categories about U.S. citizens, DoD employees and military
personnel: 1) Social Security Account Numbers; 2) dates of birth; 3) home
addresses, and 4) telephone numbers other than duty office numbers. Duty phone
numbers of units described in paragraphs C.3.2.1.6.2.2. of DoD 5400.7-R
(reference (j)) may not be posted.
3.5.3.5. Names, locations, and
specific identifying information about family members of DoD employees and
military personnel.
3.5.3.6. Proprietary
information submitted by a contractor and protected by a Limited Rights
Statement or other agreement, and trade secrets, commercial and financial
information submitted by an entity outside the government which considers the
information to be protected from release to the public.
3.5.3.7. Test and evaluation
information that could result in an unfair advantage or disadvantage to the
manufacturer or producer.
3.5.3.8. Technical Information
not marked or otherwise determined to be appropriate for Distribution Statement
A in accordance with DoD Directive
5230.24 (reference (r)). This includes all technical information that can
be used or be adapted for use to design, engineer, produce, manufacture,
operate, repair, overhaul, or reproduce any military or space equipment or
technology concerning such equipment.
3.5.4. Unclassified information
pertaining to classified programs. The clearance review procedures for
unclassified information pertaining to classified programs proposed for posting
to a publicly accessible Web sites must take into account the likelihood of
classification by compilation. Consultation with the program security
classification guide may be required to determine the likelihood that the
information, if compiled or aggregated with other information likely to be
contained on publicly accessible Web sites, will reveal an additional
association or relationship that meets the standards for classification under DoD 5200.1-R (reference
(kk)). If such information is posted to a Web site, it must be afforded
security and access controls as specified in Part V of
this document.
3.5.4.1. In instances where a
question arises as to whether information in compilation/aggregation requires protection
as classified information, and the information has not yet been entered onto
the Web site, the DOO(s) for the information shall be contacted to obtain a
decision on the matter before the information is posted. Where the information
has already been posted, the information will be withdrawn from the system and
will not be re-posted until a decision is obtained from the DOO(s) for the
information. In instances where there is a conflict among the DOOs as to the
sensitivity of the information, which they are unable to resolve, the matter
may be referred to the next higher level within each of the DOOs’ organizations
until a resolution can be obtained.
3.5.4.2. Users of a Web site
who believe that information in compilation or aggregation on a system or
systems to which they have access contains classified information, should
contact the webmaster of the system(s) in question or, if the webmaster is
unknown, report the matter to their own organization's security office for
evaluation and action as appropriate.
3.5.4.3. When conducting
multi-disciplinary security assessments of Web sites, advanced search engines
(e.g. high-end natural-language-based systems optimized for English syntax
analysis) and other automated means will be used to assess the likelihood of
the presence of information classified by compilation
3.5.5. Copyrighted Material.
Copyrighted material will be used only when allowed by prevailing copyright
laws and may be used only if the materials relate to the Component’s mission.
Consult with Counsel when using any copyrighted material.
3.5.6. Conflicts of Interest. In
accordance with the Joint Ethics Regulation (reference (k)), product
endorsements or preferential treatment of any private organization or
individual shall not appear on any official DoD publicly accessible site.
3.6. Access Controls.
3.6.1. A DoD Web site may not
post FOR OFFICIAL USE ONLY information, or information not specifically cleared
and approved for public release unless it employs adequate security and access
controls. Information of questionable value to the general public must be
evaluated before worldwide dissemination to assess the risk to the DoD.
Adequate security and access controls must likewise be employed for such
information if it is determined to place national security, DoD personnel and
assets, mission effectiveness, or the privacy of individuals at an unacceptable
level of risk.
3.6.2 Determinations as to the
appropriate security and access controls to employ will be based upon the
sensitivity of the information, the target audience for which the information
is intended, and the level of risks to DoD interests. Part V
of this document contains additional guidance.
3.6.3. Publicly accessible DoD
Web sites will not normally contain links or references to DoD Web sites with
security and access controls. Under certain circumstances, however, it may be
appropriate to establish a link to a log-on site provided details as to the
controlled site’s contents are not revealed.
3.7. Release Approval. Approvals for posting of information to publicly
accessible Web sites must be in accordance with the provisions of DoD Instruction 5230.29
(reference (o)). Approvals can be granted only by an appropriately trained
individual specifically delegated that authority by the Head of the DoD
Component or his or her designee.
3.8. Information Posting. Once the procedures established in paragraphs 3.2,
3.3, 3.5, and 3.6. have been completed, the information may be posted to the
Web. In addition, the following steps must be accomplished:
3.8.1. A reasonable effort to
validate the accuracy of the information.
3.8.2. All links associated with
the Web site have been validated.
4. ADMINISTRATION AND VERIFICATION
4.1. Web Server Environment Administration. Procedures governing the
administration of the Web server environment must be established and, as a
minimum, address the following:
4.1.1. Operation of the Web
server environment.
4.1.2. Security of the Web server
environment.
4.1.3. Maintenance of access and
security control features and ensuring that warning and consent to monitoring
notices are posted as appropriate.
4.1.4. Ensuring designated
approving authority (DAA) approval is re-accomplished if any configuration
changes are made to the Web server environment.
4.1.5. Ensuring all links from
pages under its control are appropriate and valid.
4.1.6. Establishing procedures
for content providers and page maintainers to place information on the Web
server.
4.1.7. Granting and monitoring
write-access privileges.
4.1.8. Maintaining and evaluating
audit control logs.
4.1.9. Gathering and analyzing
performance data.
4.1.10. Developing, coordinating,
publishing, maintaining, and testing support plans for contingency and service
restoration.
4.1.11. Coordinating mirror or
replication sites with other system administrators, as required.
4.1.12. Implementing security and
access controls requested by content providers and page maintainers as
required.
4.1.13. Ensuring access lists are
maintained where appropriate.
4.1.14. Incorporating a feedback
mechanism for users’ comments in accordance with the Paperwork reduction Act of
1995 (reference (a)).
4.2. Verification. Procedures must be established for each DoD Web site to
ensure that:
4.2.1. A comprehensive,
multi-disciplinary security assessment addressing both content and technical
issues is conducted at least annually.
4.2.2. Periodic reviews are
conducted to assess compliance with established information posting procedures.
4.2.3. Outdated or superseded
information is identified and promptly removed from the system or appropriately
archived.
4.3. Feedback Reporting.
4.3.1. Reserve component assets
used for DoD-wide OPSEC and threat assessment of unclassified DoD Web sites
will observe feedback reporting to include "Lessons Learned."
4.3.2. Web site content providers
and administrators will support and participate in the feedback reporting
system.
4.3.3. Web site content providers
and administrators will review "Lessons Learned" and incorporate
content and security changes where appropriate.
5. System Security Considerations
5.1. Operators of DoD Web server environments shall be trained in technical
information security best practices, or shall have immediate access to
appropriately trained individuals. Security maintenance and administration
shall be considered an essential element of Web site operation and maintenance
at all times.
5.2. A formal risk assessment shall be conducted at each organization
operating a DoD Web site to determine the appropriate risk management approach
based on the value of the information; the threat to the DoD Web server
environment and the information contained thereon; the vulnerability of the DoD
Web server environment and the information contained thereon; and the
countermeasures employed by the DoD Web server environment. A security policy
shall be written for each DoD Web server environment or multiple sites
furnishing similar data on the same system infrastructure or architecture based
on the results of the risk assessment.
5.3. DoD Web servers that are externally accessed shall be isolated from the
internal network of the sponsoring organization. The isolation may be physical,
or it may be implemented by technical means such as an approved firewall. The
server software will be FIPS 140-1 compliant with all security patches properly
installed. Approved DoD security protocols will be used for all Web servers.
Additional security measures shall also be employed consistent with the risk
management approach and security policy of the individual DoD Web site.
Examples of additional measures to be considered include:
5.3.1. Disable IP forwarding,
avoid dual-homed servers
5.3.2. Employ least privilege
5.3.3. Limit functionality of Web
server implementation
5.3.4. Employ tools to check
configuration of host
5.3.5. Enable and regularly
examine event logs
5.4. In addition, all DoD Web servers shall employ a back-up methodology as
part of the Web site architecture. Information shall be replicated to the
back-up environment to ensure that the information will not be lost in the
event that the Web server environment is corrupted, damaged, destroyed or
otherwise compromised.
5.5. In cases where an organization operating a DoD Web site determines a
requirement to host both a public and non-public Web server, then additional
security measures shall be required for the non-public Web server. At minimum,
appropriate access controls, audit of security events, and additional measures
to ensure confidentiality, integrity and availability of the information shall
be employed (see Part V).
5.6. ID and Password Protection. The Internet is an unsecured network where
compromise of user ID and password can occur during open transmission. IDs and
passwords should not be transmitted without encryption. Secure protocols (e.g.
secure sockets layer (SSL) protocol) provides a transmission level of
encryption between the client and server machines.
5.7. It is essential that DoD Web server environment be implemented and
maintained by certified personnel in accordance with OSD memorandum, subject:
Information Assurance (IA) Training and Certification (reference (ll)). Day-to-day
maintenance of the hardware and software, including security patches and
configurations, is essential to the system security posture of DoD Web server
environments.
6. GOVERNMENT INFORMATION LOCATOR SERVICE (GILS) REQUIREMENT
DefenseLINK is the central registration point for DoD Web
sites. Each Service-level site will establish and maintain registration
systems, integrated with DefenseLINK, for their Service. All DoD Web sites
shall register with
the appropriate Service-level site or directly with DefenseLINK. As part of the
registration process, a release authority for the information must be named and
the entrant must certify that the content of the Web site complies with the
policies set forth in the issuance.
7. PRIVACY AND SECURITY NOTICE
A privacy and security notice must be given to users of each Web site and shall be
prominently displayed or announced on at least the first page of all major sections of
each Web site. The notice describes how, in general, security
is maintained on the site, and what specific information is collected, why it is
collected, and how it is used. All information collected must be described in this
notice. Providing a statement such as "Please read this privacy and
security notice" linked to the actual notice is satisfactory. Organizations shall
avoid flashy graphics or other indicators that create a misperception of danger,
such as skull-and-crossbones logos or "warning" signs.
Agencies subject to DoD Directive 5240.1 (reference (q))
must comply with its provisions. See paragraph 12 below for details and
limitations regarding the collection of information, including information
voluntarily provided by the user (e.g., e-mail to the webmaster). See Part V
for the text of the required privacy and security notice.
8. EXTERNAL LINKS
8.1. Approval. The ability to hyperlink to sources external to your
organization is a fundamental part of the World Wide Web, and can add
significant value to the functionality of publicly accessible DoD Web sites.
DoD Components must establish objective and supportable criteria or guidelines
for the selection and maintenance of links to external Web pages.
8.1.1. Links to non-DoD Web
resources should support the organization’s mission. External links should be
reviewed periodically to ensure their continued suitability. If the content of
a linked external site becomes questionable or objectionable, remove the link.
8.1.2. In accordance with DoD 5500.7-R (reference
(k)), no product endorsements or preferential treatment shall be given on
publicly accessible official DoD Web sites.
8.1.3. No payment of any kind
shall be accepted in exchange for a link placed on an organization’s publicly
accessible official DoD Web site.
8.1.4. In accordance with DoD 5500.7-R, publicly
accessible DoD Web sites shall not require or encourage users to choose any
specific browser software. Only text or hyperlinked text shall be used to
direct visitors to software download sites. Graphics or logos depicting
companies/products shall not appear on publicly accessible DoD Web sites.
8.1.5. Organizations considering
the use of "frames" technology to connect to external sites should
consult legal counsel concerning trademark and copyright issues before
establishing such links.
8.1.6. Organizations are
encouraged to link to authorized activities in support of the organization’s
mission, such as the Army and Air Force Exchange Service (AAFES, http://www.aafes.com), the Navy Exchange
Service Command (NEXCOM,
http://www.navy-nex.com) and the Marine Corps Exchange. If these sites contain
commercial advertisements or sponsorships, the appropriate disclaimer below
shall be given.
8.1.7. When external links to
non-government Web sites are included, the head of the DoD Component, or the
subordinate organization, is responsible for ensuring that a disclaimer is made
that neither the DoD nor the organization endorses the product or organization
at the destination, nor does the DoD exercise any responsibility over the
content at the destination. This includes credits given to contractors who
produce DoD Web sites.
8.1.8. When a publicly accessible
DoD Web site is intended to serve a public purpose, organizations must realize
that once the decision is made to include a link to one non-DoD site, the
organization may have to link to all similar sites.
8.2. Disclaimer for External Links. The disclaimer below shall be displayed
when linking to external sites. This disclaimer may appear on the page or pages
listing external links, or through an intermediate "exit notice" page
generated by the server machine whenever a request is made for any site other
than the official DoD Web site (usually the .mil domain). An example of such an
exit notice is located at the White House WWW site at http://www.whitehouse.gov/.
"The appearance of
hyperlinks does not constitute endorsement by the (Department of
Defense/the U.S. Army/the U.S. Navy/the U.S.
Air Force/the U.S. Marine Corps, etc.) of
this Web site or the information, products or services contained therein. For
other than authorized activities such as military exchanges and Morale, Welfare
and Recreation sites, the (Department of Defense/the U.S. Army/the U.S.
Navy/the U.S. Air Force/the U.S. Marine Corps, etc.) does not exercise any
editorial control over the information you may find at these locations. Such
links are provided consistent with the stated purpose of this DoD Web
site."
8.3. DoD Newspapers. The policies and procedures in DoD Instruction 5120.4
(reference (n)) apply to all DoD newspapers and civilian enterprise
publications, whether printed or electronic. DoD funded newspapers and
editorial content of civilian enterprise publications may be posted on DoD Web
sites without advertising. Commanders and heads of organizations are authorized
to link to a commercial/civilian Web site carrying the authorized civilian
enterprise publications, which include advertising, provided the standard
disclaimer for external links is given.
9. IMAGE MANIPULATION STANDARDS
Official DoD imagery provided on publicly accessible DoD Web sites must
conform to DoD Directive
5040.5 (reference (g)).
10. COMMERCIAL SPONSORSHIP AND ADVERTISING
Commercial sponsorships, advertisements and endorsements are prohibited on
publicly accessible pages of official DoD Web sites. Publicly accessible Web
sites are official communications to the public. Just as the DoD would not
print advertisements on news releases, the Department shall not post
advertisements on publicly accessible official DoD Web sites. Organizations shall
ensure that the credibility of official information is not adversely affected
by association with commercial sponsorships, advertisements or endorsements.
10.1. Non-appropriated Fund Activities and Web sites. In accordance with DoD Instruction 1015.10
(reference (m)). Morale, Welfare and Recreation (MWR) programs may have
commercial sponsors and may sell electronic advertising as outlined in that
instruction. As the instruction points out, MWR products with advertisements
are intended for distribution to the DoD internal audience authorized to take
advantage of these programs.
10.1.1. However, having
advertisements on pages that are part of an official, publicly accessible DoD
Web site is inappropriate. Organizations are encouraged to include official
information about non-appropriated fund (NAF) activities on official DoD Web
sites as long as the information does not include commercial sponsorships or
advertisements.
10.1.2. With organization approval,
NAF activities may use non-appropriated funds to develop and maintain
commercial Web sites for unofficial information, where commercial sponsorship
or advertising may appear. External links to authorized, unofficial NAF
commercial Web sites are authorized, with an appropriate disclaimer preceding
the actual connection to the NAF commercial Web site to avoid product
endorsement or preferential treatment.
10.1.3. Official information
pertaining to the NAF activity may be posted on the commercial non-appropriated
fund Web site with installation commander/organization head approval, but only
if it is also posted on the official publicly accessible DoD Web site. Other
official information shall not be posted to the commercial site.
11. DESIGN STANDARDS AND NON-STANDARD FEATURES
11.1. Web site documents shall conform to the approved technical
specifications approved in the Joint
Technical Architecture (JTA). In situations where World Wide Web Consortium (W3C) recommendations
or proposed recommendations are more recent than those examined by the JTA,
developers may use the W3C recommendations or proposed recommendations.
11.2. Incorporation of non-standard or browser-specific features into Web
pages shall also be evaluated in light of the potential security risks and
interoperability. Certain features have the capability of installing malicious
programs on networks or on individual machines, if downloaded. The same danger
exists when downloading any executable file, which is why many organizations
have a policy in place prohibiting downloads of such files. In general terms,
it is recommended that existing local guidelines concerning the
download/installation of executable files should apply to any software that
installs programs on networks or individual machines. Use of non-standard or
browser specific features may exclude a portion of a Web site’s audience, and
should be avoided.
12. COLLECTION OF INFORMATION
In certain instances it is necessary and appropriate to
collect information from visitors to Web sites. Agencies subject to DoD Directive
5240.1 (reference (q)) must comply with its provisions in addition to those cited
below.
12.1. Compliance with the Paperwork Reduction Act.
Publicly accessible Web sites shall comply with the requirements of Paperwork
Reduction Act of 1995 (PRA), (reference (a)), as described below. The PRA requires
that collection of information from the public be approved by OMB under some
circumstances.
12.1.1.
Requests for identical information from ten or more members of the public
, to include DoD contractors, must be
approved by OMB. Such requests include
surveys using check box, radio button or text form fields.
12.1.2.
The PRA applies to electronic forms/information collections on Web sites that
collect standardized information from the public. It does not apply to
collection of information strictly from current DoD employees or service
members in the scope of their employment. Surveys on publicly accessible Web
sites will not ordinarily be exempt from the requirement to obtain OMB approval
under this exception.
12.1.3.
Forms for general solicitations of comments that do not seek responses to
standard questions, such as the common opinion-based feedback forms and e-mail
links, do not require OMB clearance. See, however,
paragraph 12.2 below..
12.1.4.
Organizations are responsible for ensuring their publicly accessible Web sites
comply with this requirement and follow procedures in DoD 8910.1-M (reference
(l)). For more information about the Paperwork Reduction Act of 1995, contact
your local Information Management Control Office.
12.2. Collection of User-Identifying Information from DoD Web Sites.
The solicitation or collection of personally identifying information, including
collection through capabilities which allow a user to contact the Web site
owner or webmaster, triggers the requirement for either a Privacy Act Statement (PAS) or
a privacy advisory (PA).
12.2.1 Use of a Privacy Act Statement.
12.2.1.1 Whenever personally-identifying information (see Part III, Definitions)
is solicited from an individual (e.g., eligibility for benefits determinations) and
the information is maintained in a Privacy Act system of records (i.e.,
information about the individual is retrieved by name or other personal
identifier), a Privacy Act Statement (PAS), consistent with the requirements of
reference (mm), must be posted to the Web page where the information is being
solicited or provided through a well-marked hyperlink.
12.2.1.2 If the information collected is being maintained in a Privacy Act
system of records for which a notice has not yet been published in the Federal
Register, such a notice must be published, consistent with the requirements of
the Act, prior to any information being collected.
12.2.1.3 If a PAS would be required if the solicitation were made in the
paper-based world, it is required in the on-line world, whether the site is
publicly accessible or non-publicly accessible.
12.2.2 Use of a Privacy Advisory.
12.2.2.1. If personally-identifying information (see Part III, Definitions) is
solicited by a DoD Web site (e.g., collected as part of an email
feedback/comments feature on a Web site) and the information is not
maintained in a Privacy Act system of records, the solicitation of such
information triggers the requirement for a privacy advisory (PA). The PA
informs the individual as to why the information is being solicited (e.g., so that
the Department can provide the information that has been requested by the
individual) and how such information will be used (e.g., it will be destroyed
after the information the individual is seeking has been forwarded to him or
her).
12.2.2.2. If personally-identifying information (see Part III, Definitions) is
solicited by a DoD Web site (e.g., as part of electronic commerce transactions),
a PA must be provided regardless of where the information is maintained.
12.2.2.3. The PA must be posted to the Web page where the information is
being solicited or provided through a well-marked hyperlink. Providing a
statement such as "Privacy Advisory: Please refer to the Privacy and Security
Notice that describes why this information is being collected and how it will be
used." linked to the applicable portion of the privacy and security notice
required by paragraph 7 above is satisfactory.
12.3 Automated Collection of Information on Publicly Accessible Web Sites
12.3.1 Use of Session Cookies. The use of session cookies (see Part III,
Definitions) is permitted for session control and to maintain state, but such
cookies shall expire at the end of the logical session. Data from those cookies
may not be utilized
for other purposes or stored subsequently.
The use of session cookies shall be explicitly identified in the site’s
privacy notice (see Part V, paragraph 4.1).
12.3.2 Use of Persistent Cookies.
The use of persistent cookies is authorized only if all of
the following conditions are met:
(a) there is a compelling need to gather the data on the Web site;
(b) appropriate technical procedures have been established to
safeguard the data;
(c) the Secretary of Defense has personally approved use of the
cookie prior to implementation of the data collection; and
(d) privacy notices clearly specify, in addition to other required information, that
cookies are being used and describe the safeguards for handling the information
collected from the cookies.
Requests for
approval to use persistent cookies should be submitted at least 30 days prior
to operational need date, through the appropriate chain of command, to the
Office of the Assistant Secretary of Defense (C3I), for processing prior to
submission to the Secretary of Defense for decision.
The request shall describe the need and the safeguards to be used
to protect the data, provide an explanation of why other technical approaches are
inadequate, and include a copy of the privacy notice(s) proposed for use.
12.3.3. Other Automated Means of Collecting Information.
Except for system log files/site usage data addressed
in paragraph 12.4 below, the use of any other automated means to collect
information requires the same approvals as described
in paragraph 12.3.2 above.
12.4.
Usage Statistics. As a management function, evaluation of site usage data (log
files) is a valuable way to evaluate the effectiveness of Web sites. However,
collection of data from publicly accessible sites for undisclosed purposes is
inappropriate. There are commercially available software packages that will
summarize log file data into usable statistics for management purposes, such as
the most/least requested documents, type of browser software used to access the
Web site, etc. Use of this type of software is appropriate, as long as there is
full disclosure as specified in the privacy and security notice, referenced
in Paragragh 7above.
Organizations shall establish a destruction disposition
schedule for collected data.
13. DoD WEBMASTER LISTSERV
To share and coordinate information, an e-mail listserv has been
established for all DoD "Webmasters." All personnel responsible for
developing and/or maintaining a Web site are encouraged to join this
listserv. The list is open to members in all services. Instructions
are located at http://www.dod.mil/webmasters/faq/
14. EFFECTIVE DATE: These procedures are effective 120 days from the
date of this document.
WEB SITE ADMINISTRATION
Part III – Definitions
November 25, 1998
With Amendments and Corrections incorporated in red italics (latest corrections from 11 January, 2002)
Cookie A "cookie" is a small piece of
information (token) sent by a Web server and stored on a user’s system (hard
drive) so it can later be read back from that system. Using cookies is a
convenient technique for having the browser
remember some specific information.
Cookies may be categorized as "session" or "persistent" cookies.
"Session" cookies are temporary cookies that
are used to maintain context or "state" between otherwise stateless Web
transactions (e.g., to maintain a "shopping basket" of goods selected
during a single logical session at a site) and that must be deleted at the end
of the web session in which they are created.
"Persistent" cookies remain over time and can be used for a variety of
purposes, including to track a user's access over time and across Web sites, or
to establish user preferences.
DefenseLINK. The name of the official
publicly accessible Web site for the Department of Defense (DoD). DefenseLINK
provides the official single point of access to all DoD information on the
World Wide Web, and establishes a means to ensure that the information is
readily accessible, properly cleared and released, accurate, consistent,
appropriate and timely.
DoD Originating Office (DOO). Is the entity that created or
sponsored the work that generated the information or received/acquired the
information on behalf of the DoD.
Home page. The index or introductory document for a Web
site.
Internet. The loosely connected worldwide collection of
computer systems that uses a common set of communications standards to send and
receive electronic information.
Operations Security (OPSEC). OPSEC is a process of
identifying critical information and subsequently analyzing friendly actions
attendant to defense acquisitions, military operations, and other activities in
order to: i) identify those actions that can be observed by adversary
intelligence systems; and ii) determine what indicators might be obtained by
hostile intelligence systems that could be interpreted or pieced together to
derive critical information in time to be useful to adversaries; and iii)
select and execute measures that eliminate or reduce to an acceptable level the
vulnerabilities of friendly actions to adversary exploitation
Official DoD Web site. A DoD Web site that is developed and
maintained with command sponsorship and approval, and for which the DoD
Component, a subordinate organization or individual, exercises editorial
control over content. The content of official DoD Web sites is of an official
nature that may be endorsed as the official position of the DoD Component.
Content may include official news releases, installation history, command
position papers, etc. Official DoD Web sites are prohibited from displaying
sponsorships or commercial advertisements.
Personally-Identifying Information.
Information, including, but not limited to,
name, e-mail or postal address, or telephone number, that can be used to
identify an individual.
Technical Information. Information, including scientific
information, which relates to research, development, engineering, test,
evaluation, production, operation, use, and maintenance of munitions and other
military supplies and equipment. (JCS Pub 1)
Unofficial DoD Web site. A DoD Web site that is developed
and maintained with non-appropriated funds; and for which the DoD Component, or
a subordinate organization, does not usually exercise editorial control over
content. The content of unofficial DoD Web sites is not endorsed as the
official position of the DoD Component. Content will not normally include
official news releases, installation history, command position papers, etc.
Unofficial DoD Web sites may include sponsorships and commercial
advertisements, and may also advertise products for sale, in accordance with
the mission of the organization. In most cases, unofficial DoD Web sites are
developed and maintained by commercial or nonprofit organizations. Certain
military-affiliated organizations may develop and maintain unofficial DoD Web
sites. Such organizations include service exchanges and Morale, Welfare and
Recreation activities that use non-appropriated funds.
World Wide Web or Web. The subset of the Internet capable
of providing the public with user-friendly graphics-based multi-media access to
information on the Internet. It is the most popular means for storing and
linking Internet-based information in all multi-media formats. Navigation is
accomplished through a set of linked documents that may reside on the same
computer or on computers located almost anywhere else in the world.
Web site. A collection of information organized into a
number of Web documents related to a common subject or set of subjects,
including the "home page" and the linked subordinate information.
Web Server Environment. The physical computing resources,
including servers, software, network, communications, security, and peripheral
devices that provide the platform upon which Web sites are made available to
users through internetworking.
WEB SITE ADMINISTRATION
Part IV – References
November 25, 1998
With Amendments and Corrections incorporated in red italics (latest corrections from 11 January, 2002)
(a) 44 USC Chapter 35, "Paperwork Reduction Act", as amended
(b) Government Printing and Binding Regulations, Joint Committee on Printing,
Congress, US, February 1990, No. 26
(c) National Archives and Records Administration General Schedule 20, August
1995
(d) Deputy Secretary of Defense Policy Memorandum, "Government
Information Locator Service (GILS)," September 2, 1995
(e) Chairman, Joint Committee on Printing Memorandum granting waiver for
Commercial Enterprise Newspapers, July 15, 1983
(f) Office of Management and Budget (OMB) Bulletin 95-01,
"Establishment of Government Information Locator Service," December
7, 1994
(g) DoD Directive 5040.5, "Alteration of Official DoD Imagery,"
August 29, 1995
(h) DoD Directive 5230.9, "Clearance of DoD Information for Public
Release," April 9, 1996
(i) DoD Directive 5400.7, "DoD Freedom of Information Act
Program," May 22, 1997
(j) DoD 5400.7-R, "DoD Freedom of Information Program Regulation",
September 1998
(k) DoD 5500.7-R, Joint Ethics Regulation (JER), August 30, 1993
(l) DoD Directive 8910.1-M, "DoD Procedures for Management of
Information Requirements," June 30,
1998, authorized by DoD Directive 8910.1, "Management and Control of
Information Requirements," June 11, 1993
(m) DoD Instruction 1015.10, "Programs for Morale, Welfare, and
Recreation (MWR)," November 3, 1995, w/ Ch 1, October 31, 1996
(n) DoD Instruction 5120.4, "DoD Newspapers and Civilian Enterprise
Publications," June 16, 1997
(o) DoD Instruction 5230.29, Security and Policy Review of DoD Information
for Public Release," May 6, 1996
(p) AR 60-20/AFR 147-14, "Army and Air Force Exchange Service Operating
Policies," 15 December 1992
(q) DoD Directive 5240.1, "DoD Intelligence Activities," April 25,
1988
(r) DoD Directive 5230.24, "Distribution Statements on Technical
Documents," March 18, 1987
(s) DoD Directive 5230.25, "Withholding of Unclassified Technical Data
From Public Disclosure," November 6, 1984
(t) Public Law 100-235, "Computer Security Act of l987"
(u) DoD Directive 5200.5, "Communications Security (COMSEC),"
April 21, 1990
(v) DoD Directive 5200.40, "DoD Information Technology Security
Certification and Accreditation Process (DITSCAP)," December 30, 1997
(w) DoD Directive 4640.6, "Communications Security (COMSEC) Telephone
Monitoring and Recording, " June 26, 1981
(x) DoD Directive 5205.2, "DoD Operations Security Program," July
7, 1983
(y) DoD Instruction 3200.14, "Principles And Operational Parameters of
the DoD Scientific and Technical Information Program," May 13, 1997, Enl 6
(z) International Traffic in Arms Regulation (ITAR), Department of State,
May 1998
(aa) Wassenaar Arrangement, see Federal Register, January 15, 1998 (Vol 63
No. 10) pages 2451 – 2500
(bb) Carnegie Mellon University Software Engineering Institute,
"Security for a Public Web Site," CMU/SEI-SIM-002, August 1997
(cc) National Institute of Standards and Technology (NIST), "Internet
Security Policy: Technical Guide,"
(dd) Defense Information Systems Agency (DISA), "DISA/NCS World Wide
Web (WWW) Handbook Version 2.2," http://www.disa.mil/handbook/toc.html
(ee) DoD Directive 8500.xx, "Information Assurance," draft
(ff) DoD Instruction 8500.xx, "Information Assurance
Requirements," draft
(gg) National Security Telecommunications and Information Systems Security
Instruction (NSTISSI) No. 4009, "National Information Systems Security
Glossary," August 1997.
(hh) DoD General Counsel Memorandum, "Communication Security and
Information Systems Monitoring," March 17, 1997
(ii) DoD Directive 5200.28, "Security Requirements for Automated
Information Systems (AISs)," March 21, 1988
(jj) DoD 5025.1-M, "DoD Directive Systems Procedures, August 1994
(kk) DoD 5200.1-R, "Information Security Program, " January 1997
(ll) USD (P&R) and OASD (C3I) memorandum entitled "Information
Assurance (IA) Training and Certification," June 29, 1998.
(mm) Section 552a of
title 5, United States Code, as implemented by DoD 5400.11-R, "Department of
Defense Privacy Program, " August 1983.
WEB SITE ADMINISTRATION
Part V – Examples & Best Practices
November 25, 1998
With Amendments and Corrections incorporated in red italics (latest corrections from 11 January, 2002)
1. INFORMATION VULNERABILITY, THE WEB AND OPSEC
1.1. General
1.1.1. Over the last three
decades, the world has experienced the rapid integration of information
processes and telecommunications technology. As we leveraged these gains, the
national security posture of the United States has become increasingly
dependent on the Defense (DII), National (NII) and the larger Global Information
Infrastructure (GII). These information infrastructures (which consist of
information, information systems, telecommunications, networks, and technology)
represent lucrative targets in an increasingly asymmetrical threat environment.
1.1.2. Within this global
infrastructure lies a mosaic of interconnectivity which is growing at a rate of
500,000 new World Wide Web (WWW) entry points a month. This interconnectivity,
when coupled with search engines and information compilation algorithms,
provides a single user the ability to aggregate, analyze, and construct new
levels of understanding from unclassified sources. As such, the information
provided on publicly accessible Web sites is an OPSEC concern.
1.1.3. This section addresses why
information technology makes sensitive but unclassified information vulnerable.
It will address why certain types of DoD information cannot be posted to
publicly accessible Web sites within the context of the OPSEC process.
1.2. Information Technology
1.2.1. The information
infrastructure is extremely complex. There is no simple way to define and
establish its bounds, to measure its impact, or to identify clear
responsibilities for its evolution, operation, maintenance, and repair.
Therefore, the various views of the infrastructure presented here only
partially address the complexity.
1.2.2. One way of viewing the
information infrastructure is in terms of its basic components. In simple
terms, the information infrastructure is comprised of the components necessary
for the transportation of information, the information itself, the means for
creating, gathering, and processing data to obtain information, and the storage
of the data and information.
1.2.3. Another way of viewing the
information infrastructure is as a collection of networks and services. Some of
these networks and services, such as the Internet and public telephone and data
networks, have an identity of their own and are clearly an integral part of the
Information infrastructure. Others, such as financial networks and services,
have developed within a specific industry and evolved into a complex
inter-network necessary to provide responsive support to the customer. This is
particularly true regarding the Defense Information Infrastructure (DII).
1.2.4. The information
infrastructure can also be thought of in terms of the various domains it
serves. These infrastructure domains have the potential of containing vast
amounts of sensitive but unclassified information. This has not gone unnoticed
by Internet users who have developed and are now refining sophisticated
"data mining" tools and techniques that allow precision targeting and
rapid aggregation of data.
1.2.5. When you combine these
infrastructure components, networks and services, and domains, the OPSEC
oriented user will quickly recognize the vast resources of information
available to the public and the adversary. The potential for inadvertent or
unauthorized disclosure of sensitive information continues to grow.
1.3. Information Vulnerability and the OPSEC Process
1.3.1. Given the increasing
dependence of our national and economic security upon the information
infrastructure, it is essential that the commander and other organizational
Heads review organizational information connectivity and content to ensure good
OPSEC procedures are being applied within their organizations. As such, risk
assessment and risk management become critical factors in evaluating publicly
accessible Web site information.
1.3.2. The worldwide connection
of computer local area networks (LAN) and wide area networks (WAN) such as the
NIPRNET makes access to defense information from anywhere in the world
relatively easy. Separation between the NIPRNET and the WWW is ambiguous, and
occasionally these networks may be indistinguishable to Web page
administrators. Web pages intended for internal DoD use should not be made
available on the NIPRNET without appropriate access control, as this
information is likely to be accessible to non-DoD users. Consequently, OPSEC
and INFOSEC concerns arise.
1.3.3. This requires a
convergence of Information Security (COMPUSEC and COMSEC) tools and the OPSEC
process at the activity level. Activity webmasters, page maintainers, subject
matter experts and OPSEC personnel must develop a disciplined review of all
information posted to their locally generated Web sites. This must be done to
protect sensitive unclassified and classified information -- while recognizing
the importance of making available timely and accurate information to the
intended DoD audiences, the public, Congress, and the news media.
1.3.4. Evaluations of activity
information provided on the NIPRNET and publicly accessible DoD Web sites on
the Internet should follow current OPSEC methodology:
1.3.4.1. Identify information
access points (NIPRNET, Internet, etc.,..) and evaluate their importance to
activity operations.
1.3.4.2. Determine the critical
information for the activity’s operations and plans. Information that would not
be of interest/use to the general public should not be on a public access page.
1.3.4.3. Determine the threat
–assume that any potential adversary has access and knows how to search the
net.
1.3.4.5. Determine the
vulnerabilities – how protected are the Web pages? Remember, the hacker is
generally the INFOSEC threat, the search engine and browser are generally the
OPSEC threat.
1.3.4.6. Assess the risk – what
protection should be applied to minimize potential loss of critical information
and what is the impact on operations and operations support?
1.3.4.7. Apply protection –
combine INFOSEC and OPSEC tools to minimize information loss and vulnerability.
1.3.5. When applying the OPSEC
process to information posted to Web sites, the activity will also need to
evaluate subject data with regard to the time factor. Information gathering in
the past was a manpower and resource intensive process that was dependent on
various types of overt and clandestine means. Collection, compilation,
analysis, and dissemination of information could take days, weeks, or months. Today,
a single user can connect to the Web and using varying search engines,
browsers, and certain aggregation methods develop a composite of information
that surpasses traditional knowledge levels. In essence, geography is no longer
a factor in information retrieval--time becomes the dominant factor.
1.3.6. As such, the user must
determine the value of information with regards to time. Certain data such as
unit history, emblems, command affiliation, etc. will have less time
criticality than will deployment orders for exercises or real world operations.
The value of information may also flex over time. For example, the specifics of
post-deployment preparations should not be posted to a publicly accessible Web
site prior to the deployment. But once in theater, unit types, number of
personnel and equipment will become public knowledge over time, decreasing the
sensitivity of the data. Subsequently, the same information will again become
sensitive as redeployment dates and unit withdrawal specifics are planned. This
will require units to actively scrub their Web pages for time sensitive data.
1.4. Conclusion. Operations security is a process of identifying critical
information and subsequently analyzing friendly actions attendant to military
operations and other sensitive activities. OPSEC training and education apply
to computer use just as it does in conversations between personnel,
correspondence, and telephone conversations. In the past, OPSEC has focused on
activities that might be seen by a human observer, a satellite, a radio
intercept operator or the news. But with the proliferation of information
technologies over the last three decades, the access to DoD data has grown
exponentially. The old threats have not gone away, but there is a new area of
concern that OPSEC officers and planners must consider – the Internet. A
disciplined approach to INFOSEC procedures in conjunction with the OPSEC
process will ensure that sensitive but unclassified information is properly
safeguarded.
2. GUIDE FOR IDENTIFYING INFORMATION INAPPROPRIATE FOR POSTING TO A
PUBLICLY ACCESSIBLE DOD WEB SITE
This guidance is authorized to be used for one purpose only: identifying
information that may be inappropriate for posting to publicly accessible DoD
Web sites. It is not to be used as guidance in responding to requests
under the FOIA or the Privacy Act under any circumstances. It is
intended as an interim guide to the identification of categories of information
that are inappropriate for posting to a publicly accessible Web site. Additional
guidance will be forthcoming when this document is formalized in the DoD
publication system.
FOR OFFICIAL USE ONLY (FOUO) information may not be posed to official Web
sites that are open to public access. (Information which is typically FOUO is
followed by an * below). Also identified below is information whose sensitivity
may be increased when electronically aggregated in significant volume. All
information proposed for posting to a publicly accessible Web site must be
reviewed in accordance with the provisions of DoD Directive 5230.9 and DoD Instruction 5230.29
(references (h) and (o)) and as described in Paragraph 3, Part
II of this document.
Do not use this compendium as the sole source for identifying such
information. Questions about FOUO information should be referred to your local
FOIA office. Questions about aggregated information should be referred to your
local security office and/or OPSEC coordinator.
2.1 Military Operations & Exercises information relating to:
- Unit Organization
- Unit readiness specificity
- Detailed mission statement
- Specific Unit phone/fax numbers (secure and unsecured)
- Time-Phase Force Deployment Data (TPFDD)
- Ops schedules
- Logistics support requirements
- Medical
- Civil engineering
- POL
- Host nation support
- Transportation
- Munitions
- Force Apportionment
- Force Allocation
- Unit Beddown information
- Planning guidance
- Unit augmentation
- Force Synchronization
- Counter-terrorism information
- Detailed Budget Reports
- Images of Command and Control (C2) nodes
- Inventory reports
- Intelligence, Surveillance and Reconnaissance (ISR) Capabilities
- Command, Control, Communications, Computers and Intelligence(C4I) Architecture
- Non-Combatant Evacuation Operations (NEO) Plans or Ops
- Counter-drugs Ops
- Unit Recall Rosters
- Weapons Movements
- Mobilization information
- Detailed maps or installation photography
- Standard Operating Procedures
- Tactics, Techniques, and Procedures
- Critical maintenance
2.2. Personnel information relating to:
- Information, the release of
which would be a clearly unwarranted invasion of personal privacy, to include
the following categories about U.S. citizens, DoD employees and military
personnel: (1) Social Security Account Numbers; 2) dates of birth; 3) home
addresses, and 4) telephone numbers other than duty office numbers. Duty phone numbers
of units described in C.3.2.1.6.2.2. of DoD 5400.7-R (reference (j)) may not be
posted.*
- Names, locations, and any other
identifying information about family members of DoD employees and military
personnel*
- Official travel itineraries of
individuals and units before it is performed*
- Duty rosters, or detailed
organizational charts and directories with names (as opposed to organizational
charts, directories, general telephone numbers for commonly requested
resources, services and contacts without names)*
- Internal DoD personnel rules
and practices unless cleared for release to the public*
- Financial Disclosure Reports of
Special Government Employees (5 USC App. 4, §207 (a) (1) 2)*
- Representation Rights and
Duties, Labor Unions (5 USC §7114 (b)(4))*
- Action on reports of Selection
Boards (10 USC §618)*
- Confidential Medical Records
(10 USC §1102)*
- Civil Service Examination (18
USC §1917)*
- Drug Abuse
Prevention/Rehabilitation Records (21 USC §1175)*
- Confidential of Patient Records
(42 USC §290dd-2)*
- Information Concerning US
Personnel Classified as POW/MIA During Vietnam Conflict (42 USC §401)*
- Information Identifying
Employees of DIA, NRO, and NIMA (10 USC §424)*
2.3. Proprietary Information submitted by a contractor and protected by a
Limited Rights Statement or other agreement, and trade secrets, commercial and
financial information submitted by an entity outside the government that
considers the information to be protected from release to the public. Other
specific provisions include:
- Contractor Proposals (10 USC
§2305 (g))*
- Commercial or financial
information received in confidence with loans, bids, contracts or proposals*
- Information received in
confidence e.g. trade secrets, inventions, discoveries or other proprietary
data*
- Statistical data and commercial
or financial information concerning contract performance, income, profits,
losses and expenditures, if offered and received in confidence from a
contractor or potential contractor*
- Scientific and manufacturing
processes or developments concerning technical or scientific data and other
information submitted with an application for research grant or with a report
while research is in progress*
- Test and evaluation of commercial
products or military hardware produced by a non-governmental entity*
- Patents, unless licensed for
publication by the United States*
- Software documentation: shall
be distributed according to the terms of the software license*
- Premature Dissemination: The
information related to patentable military systems or processes in the
developmental stage.*
- Confidential Status of Patent
Applications (35 USC §122)*
- Secrecy of Certain Inventions
and Withholding of Patents (35 USC §181-188)*
- Confidential Inventions
Information (35 USC §205)*
2.4. Test and Evaluation information could result in an unfair advantage or
disadvantage to the manufacturer or producer or could reveal the capabilities,
limitations, or incapabilities of a DoD weapons systems or component.
2.5. Scientific and technological information
relating to:
- Critical technology on either
the Munitions List or the Commerce Control List*
- Unclassified Special Nuclear
Weapons Information (10 USC §128)*
- Unclassified Technical Data
with Military or Space Application (10 USC §130)*
- Centers for Industrial
Technology – Reports of Technology Innovations (15 USC §3705 (e)(E))*
- Information Regarding Atomic
Energy (42 USC §2161-2168)*
- Control of Arms Exports Sec
38(e) of the Arms Export Control Act (22 USC §2778(e))*
- Technical and scientific data
developed by a contractor or sub-contractor exclusively or in part at private
expense*
- Sensitive S&T Reports such
as:*
- Defense Acquisition Executive
System Reports
- Selected Acquisition Reports
- Weapons System Unit Cost
Reports
- Approved Program Baselines
for ACAT I, II, III Weapons Systems
- Weapons Systems Evaluation
and Testing Results and Reports
- Reports Based on Joint USA
and Foreign Government Technical Research and Weapons Systems Evaluations
- Weapons System Contractor
Performance Reporting Under earned Value Reporting System at the Level of CPE
Reporting
- Weapons Systems staff working
papers, correspondence and staff assessments
- DoD Component
"Feedback" staff working papers and assessments on weapons System
Program Performance
2.6. Intelligence information relating to:
- Organizational & Personnel
Information for DIA, NRO and NIMA (10 USC §424)*
- Maps, Charts, and Geodetic Data
(10 USC §455)*
- Communications Intelligence (18
USC §798)*
- NSA Functions and Information
(50 USC §402)*
- Protection of Identities of US
Undercover Intelligence Officers, Agents, Informants and Sources (50 USC §421)*
- Protection of Intelligence
Sources and Methods 50 USC §403(d)(3))*
2.7. Other information relating to:
- A-76 studies and other
outsourcing studies that provide detailed descriptions of sensitive
organizational operations
- Administrative
Dispute Resolutions (5 USC §574 (j))*
- Confidentiality of Financial
records (12 USC §3403)*
- National Historic Preservation
(16 USC §470w-3)*
- Internal advice,
recommendations and subjective evaluations*
3. SECURITY AND ACCESS CONTROLS
3.1. Determinations as to the appropriate security and access controls to
employ will be based upon the sensitivity of the information and the target
audience for which it is intended. The table below provides additional guidance
to include the vulnerability of various combinations of each. Use this table in
conjunction with the above list of types of sensitive information to determine
an acceptable level of risk. Do not regard these guidelines as the only options
available for protecting information content.
If
access control is:
|
and transmission control
is:
|
the vulnerability is:
|
and the information posted
can be:
|
Open – Includes Webmaster
training and certification, isolation of the server, current version of
server software and O/S, with all security patches properly installed
|
Plain text, unencrypted
|
Extremely High -- Subject
to worldwide dissemination and access by everyone on Internet
|
Non-sensitive, of general
interest to the public, cleared and authorized for public release for which
worldwide dissemination poses limited risk for DoD or DoD personnel, even if
aggregated with other information reasonably expected to be in public domain.
|
Limited by Internet Domain
(e.g. .mil, .gov) or IP address
|
Plain text, unencrypted
|
Very High -- Can circumvent
access controls, affords lowest level of access control, and no encryption
|
Non-sensitive, not of
general interest to the public although approved and authorized for public
release, and intended for DoD or other specifically targeted audience.
|
Limited By User ID and
password (e.g. DMDC database or other registration system)
|
Plain text, unencrypted
|
High -- Can circumvent
access controls, affords higher level of access controls, however, IDs and
passwords can be compromised if encryption is not used.
|
Non-sensitive but limited
to a specific, targeted audience.
|
User Certificate Based (Software) Requires PKI
|
Encrypted text through use
of secure sockets layer
|
Moderate -- Provides
moderate level of access controls
|
FOR OFFICIAL USE ONLY and
information sensitive by aggregation
|
User Certificate Based (Hardware) Requires PKI
|
Encrypted text
|
Very Low
|
FOR OFFICIAL USE ONLY and
information sensitive by aggregation where extra security is required
due to compilation
|
Table 1. Security and Access Controls
3.2. Until such time as specific technical policy guidelines are formalized
for all Internet services , Webmasters and users are encouraged to consult
existing authoritative literature on security and access controls. Examples of
such literature include, but are not limited to:
3.2.1. Carnegie Mellon University
Software Engineering Institute, "Security for a Public Web Site,"
CMU/SEI-SIM-002, August 1997.
3.2.2. National Institute of
Standards and Technology (NIST), "Internet Security Policy: A Technical Guide,"
3.2.3. Defense Information
Systems Agency (DISA), "DISA/NCS World Wide Web (WWW) Handbook Version
2.2," "http://www.disa.mil/handbook/toc.html"
4. TEXT OF PRIVACY AND SECURITY NOTICE
4.1. The following privacy and security notice may be tailored in the
indicated areas by each organization sponsoring a publicly accessible Web site.
The notice shall be approved by the appropriate local legal authority before
use.
Link from Index.html pages --
"Please read this privacy and security notice."
( ) - indicates sections to be
tailored at the installation level
[ ] - indicates hyperlinks
* - indicates information located at the hyperlink destination indicated
Quote:
PRIVACY AND SECURITY NOTICE
1. (DefenseLINK) is provided as a
public service by the ([Office of the Assistant Secretary of Defense-Public
Affairs] and the [Defense Technical Information Center]).
2. Information presented on
(DefenseLINK) is considered public information and may be distributed or
copied. Use of appropriate byline/photo/image credits is requested.
3. For site management,
[information is collected]* for statistical purposes. This government computer
system uses software programs to create summary statistics, which are used for
such purposes as assessing what information is of most and least interest,
determining technical design specifications, and identifying system performance
or problem areas.
4. For site security purposes and
to ensure that this service remains available to all users, this government
computer system employs software programs to monitor network traffic to
identify unauthorized attempts to upload or change information, or otherwise
cause damage.
5. Except for authorized law
enforcement investigations, no other attempts are made to identify individual
users or their usage habits. Raw data logs are used for no other purposes and
are scheduled for regular destruction in accordance with [National Archives and
Records Administration Guidelines].
Agencies subject to DoD Directive
5240.1 shall add the following to paragraph 5:
"All data collection activities are in strict accordance with DoD Directive 5240.1 (reference(p))."
6. Unauthorized attempts to
upload information or change information on this service are strictly
prohibited and may be punishable under the Computer Fraud and Abuse Act of 1987
and the National Information Infrastructure Protection Act.
7. If you have any questions or
comments about the information presented here, please forward them to (us using
the DefenseLINK [Comment Form]
The following,
when appropriately tailored, may be used as a notice for sites using session
cookies.
Cookie Disclaimer. (DefenseLINK) does not use persistent cookies, i.e., tokens that
pass information back and forth from your machine to the server and remain
after you close your browser. (DefenseLINK) does use session cookies, i.e., tokens that remain active only until you close your browser, in order to (make the site easier for you to use). No database of information obtained from these cookies is kept and when you close your browser, the cookie is deleted from your computer.
(DefenseLINK) uses cookies in the following ways:
- (Describe use, e.g., "to save you time in
filling out forms," "to maintain a relationship between the image and the
correct link, the program that displays the banners on the bottom of some of our
pages uses a session cookie.")
You can chose
not to accept these cookies and still use the site, but (you may need to enter
the same information repeatedly and clicking on the banners will not take you
to the correct page). The help
information in your browser software should provide you with instruction on how
to disable cookies.
________________________________________________ End Quote:
* Link from above -
"information is collected" to the following text:
NOTE: The information below should be tailored, if necessary, to show an accurate example of the specific information being collected.
Example: Information Collected from (DefenseLINK) for Statistical Purposes
Below is an example of the information collected based on a standard request for a World Wide Web document:
xxx.yyy.com - -
[28/Jan/1997:00:00:01 -0500] "GET /DefenseLINK/news/nr012797.html
HTTP/1.0" 200 16704 Mozilla 3.0/www.altavista.digital.com
xxx.yyy.com (or 123.123.23.12)--
this is the host name (or IP address) associated with the requester (you as the
visitor). In this case, (....com) the requester is coming from a commercial
address. Depending on the requester’s method of network connection, the host
name (or IP address) may or may not identify a specific computer. Connections
via many Internet Service Providers assign different IP addresses for each
session, so the host name identifies only the ISP. The host name (or IP
address) will identify a specific computer if that computer has a fixed IP
address.
[28/Jan/1997:00:00:01 -0500] --
this is the date and time of the request
"GET
/DefenseLINK/news/nr012797.html HTTP/1.0" -- this is the location of the
requested file on (DefenseLINK)
200 -- this is the status code - 200
is OK - the request was filled
16704 -- this is the size of the
requested file in bytes
Mozilla 3.0 -- this identifies
the type of browser software used to access the page, which indicates what
design parameters to use in constructing the pages
www.altavista.digital.com - this
indicates the last site the person visited, which indicates how people find
(DefenseLINK)
Requests for other types of
documents use similar information. No personally-identifying information is collected.
4.2. The following notice and consent banner, approved by the DoD General
Counsel (reference (hh)), may be used on all DoD Web sites with security and
access controls. This banner may be tailored by an organization but such modifications
shall be accomplished in compliance with reference (hh), and shall be approved
by the Component’s General Counsel before use.
"This is a Department of
Defense Computer System. This computer system, including all related equipment,
networks, and network devices (specifically including Internet access) are
provided only for authorized U.S. Government use. DoD computer systems may be
monitored for all lawful purposes, including to ensure that their use is
authorized, for management of the system, to facilitate protection against
unauthorized access, and to verify security procedures, survivability, and
operational security. Monitoring includes active attacks by authorized DoD
entities to test or verify the security of this system. During monitoring, information
may be examined, recorded, copied and used for authorized purposes. All
information, including personal information, placed or sent over this system
may be monitored.
Use of this DoD computer system,
authorized or unauthorized, constitutes consent to monitoring of this system.
Unauthorized use may subject you to criminal prosecution. Evidence of
unauthorized use collected during monitoring may be used for administrative,
criminal, or other adverse action. Use of this system constitutes consent to
monitoring for these purposes."
|