AR 380-19 Information Systems Security


Appendix D Army Internet Policy

This policy covers Army-sponsored use of the Internet computer systems. It provides the minimum guidelines for such use and does not preclude MACOMs from imposing more stringent local procedures. MACOMs may further delegate responsibilities to the appropriate designated approval authorities, as desired. However, the ultimate responsibility for securing systems remains with the MACOM.

D-1. Many unclassified Army systems allow users to access the Internet. While the Army promotes the use of the Internet to achieve Army goals, appropriate safeguards must be established to prevent and detect technical attacks made on Army systems and to ensure classified or sensitive information is not inadvertently released to unauthorized personnel.

D-2. Users will employ Internet access for official, unclassified U.S. Government business only. Users are not to use their own private accounts for Army-related business unless specifically authorized to do so by their DOIM/DCSIM. Users are authorized to download and upload programs, graphics, and textual information between the Internet and an unclassified Government-owned personal computer. Personnel will scan all files for viruses before they are stored, transmitted, or processed within Army computers, systems, or networks.

D-3. DAA approval is required before connection of any system to the Internet. DAAs (in coordination with Directors of Information Management (DOIMs)) will ensure adequate firewalls are in place to prevent the contamination of Army systems and/or possible denial of service. Systems containing classified information will not be connected to the Internet. Systems containing SBU information will employ the DES standard 1027 during transmission of information. Users of any system connected to the Internet must be provided and must read a copy of the "Army Internet User Security Guidelines", seen at figure D-1. These forms will be provided to the user prior to access to the Internet. ISSMs are responsible for ensuring that authorized users are trained and briefed on the use of such systems. Government use of the Internet may be monitored as MACOMs deem necessary.

D-4. Personnel will not share E-mail and Internet accounts with other persons. However, MACOMs may establish group E-mail/group accounts as a cost-saving measure. The system ISSO must maintain a list of users who may access the group account and must monitor access to prevent unauthorized use of the account. The individual user is responsible for all activity during access to the account. The user will not attempt to "talk around" classified topics while communicating on the Internet. Personnel may only conduct classified discussions on systems approved for the appropriate classification level (SIPRNET, JWICS, etc.).

D-5. Home pages/web sites may be created allowing access to the public at large or to a limited audience. The links to information on web sites intended for limited audiences should have access controls. These controls should be administered by the webmaster or system administrator per paragraph 2-3 of this regulation. Webmasters or systems administrators shall develop and publish local policies for the submission of information onto the organization's home page. Publishing Army information onto electronic bulletin boards or worldwide web home pages constitutes the public release of information and must comply with the established policy for the release of specific information. Persons wishing to release Army information must first ensure that they have public release authority. Clearance of specific information should be directed to the appropriate proponent, the local public affairs office, or foreign disclosure office.

D-6. Army Internet sites are considered as lucrative intelligence sources and are targeted for information collection efforts. As stated in AR 380-12, Army personnel must report suspicious activity through Counterintelligence (SAEDA) and OPSEC channels. The Copyright Act, the Freedom of Information Act, the Privacy Act, and statutory federal records requirements also contain provisions with which users must comply. Users should consult the Internet User Guidelines and the Office of General Counsel regarding any Internet activity that raises legal concerns.

D-7. MACOMs are responsible for any search and review of their holdings of Internet data for purposes of responding to requests for information pursuant to Freedom of Information Act, Privacy Act, Congressional, or other investigative inquiry.

FIGURE D-1. INTERNET USER SECURITY GUIDELINES

1. SCOPE. These guidelines cover any Army-sponsored use of the Internet computer network. These are minimum guidelines for such use and do not exempt users from further restrictions that may be imposed by their MACOMs. A signature on this document signifies awareness of and compliance with governing security policies. These guidelines do not apply to personal E-mail accounts or subscriptions to computer services that an Army employee uses for non-Army related purposes. Users are not to use their private accounts for Army-related business unless specifically authorized by the MACOMs. If such authorization is granted, these guidelines apply to the conduct of Army-related business on personal accounts.

2. USER RESPONSIBILITIES. Individuals using their personal or Army-sponsored accounts should use the same kind of discretion in their "electronic on-line relationships" that they would in any private telephone conversation or face-to-face meeting. Misuse of Army-sponsored accounts (chain mail, access for personal gain, etc.) is considered fraud, waste, and abuse, and may be chargeable under UCMJ, OPM regulation, or relevant U.S. Codes.

3. APPROPRIATE USES OF THE INTERNET. Army-sponsored accounts may be used for official unclassified U.S. Government business only. Users may not use their U.S. Government access to the Internet for personal purposes. Access to the Internet through Army accounts is subject to monitoring. Consequently, only Army-related business that may be publicly attributed to the Army may be conducted on Army-sponsored accounts. In addition to normal duties, appropriate uses of Army-sponsored accounts include (but are not limited to) the following:

a. keeping up with the professional literature of a field;
b. acquiring publicly-available information of value to the Army;
c. conducting unclassified contract/Contract Officer Technical Representative (COTR)-related contact; and
d. keeping current with unclassified office matters while on temporary duty.

4. CONTACTS WITH THE MEDIA AND CONGRESS. All official contacts with the media concerning Army matters must be made through an appropriate level Army Public Affairs Office and all official contacts with Congress concerning Army matters must be made through the Office of Congressional Liaison.

5. CONTRIBUTING TO THE INTERNET. Although Army-sponsored account users may participate in E-mail correspondence and contribute to its publicly accessible services, they may not release official Army information. Only HQDA may authorize the release of information identified as the Army's official position. In contributing to discussions on publicly accessed Internet services and in E-mail correspondence, users must provide a disclaimer that their views do not represent an official Army position. Even so, users should exercise caution in their posting and correspondence because they and their comments may be identifiable with the Army, the communications may be widely distributed, and foreign intelligence services may be tracking Internet messages originating from Army-sponsored accounts.

6. LEGAL RESTRICTIONS ON INTERNET USE (Copyright, Title 17, U.S.C.). Users shall respect the legal protection provided by copyright, license, and authorship of messages, programs, and data on the network. The copyright laws of the United States provide that the owner of copyright (usually the originator of the work) has exclusive rights to reproduce, distribute, prepare derivative works, and publicly display or perform a work. Unless there is specific notice to the contrary, material on the Internet is protected by copyright even if it does not have a copyright notice (such as the "c" in a circle or the word "copyright" followed by a name and date). There is, however, an exception to the copyright statutes known as the "fair use" exception. Under this exception, it is fair to use a copyrighted work without the owner's consent where such use is necessary or desirable for the public benefit or welfare and does not exceed reasonable limits. Determinations as to whether a use is "fair" are made on a case-by-case basis by examining such factors as the purpose of the use, the nature of the work, the amount and substantiality of the portion used, and the effect of the use on the value of or market for the copyrighted work. Users should consult with the Office of General Counsel regarding certain limited exceptions to the Copyright Act's prohibitions and for additional guidance on this subject.

7. PRIVACY ACT (5 U.S.C. PARA 552a). The Privacy Act, like the copyright laws, applies equally to electronic data. The Privacy Act is one of the laws governing the Army's collection and dissemination of information about U.S. citizens and permanent resident aliens. If such information can be retrieved from an Army records system by the name of the individual or by some other identifying particular (such as a social security number), it is a Privacy Act record. Because of the Privacy Act restrictions, users may not post or send in any manner Privacy Act records outside Army control without guidance from the Office of General Counsel.

8. PROVISIONS GOVERNING THE COLLECTION, RETENTION, AND DISSEMINATION OF INFORMATION; CONTACTS WITH U.S. PERSONS; AND PARTICIPATION IN ORGANIZATIONS IN THE UNITED STATES (Executive Order 12333). The EO governs Army's interactions with U.S. persons and our collection, retention, and dissemination of information concerning U.S. persons. Users may not solicit or gather information on the domestic activities of U.S. persons through participation on the Internet. Users should consult with the Office of General Counsel if they have specific concerns regarding U.S. person matters.

9. INTERCEPTION OF COMMUNICATIONS (Fourth Amendment, Electronic Communications Privacy Act, and Executive Order 12333). In the U.S., users may not intercept the private transmissions of other users or attempt to access stored electronic communications of others without authorization. Users may, however, access electronic bulletin boards, list servers, and discussion groups that are generally accessible to any member of the public.

10. RECORDKEEPING. Internet communications may be considered Federal records. Those that qualify as Army records must be managed according to their information content; therefore, users must follow Army Regulation 25-11 with respect to such records.

11. UNAUTHORIZED USE. Any user who fails to follow the Army's Internet Policy, these guidelines, or any laws or regulations applicable to Internet use is subject to such action as may legally be taken under the UCMJ, OPM regulation, or relevant U.S. Code.