ADMINISTRATIVE MESSAGE

ROUTINE

R 212001Z JUL 95 ZYB MIN

FM CNO WASHINGTON DC//N6//
 
TO ALCOM
 
***THIS IS A 2 PART MSG COLLATED BY MRS***
UNCLAS  //N02250//                 
ALCOM 035/95
 
MSGID/GENADMIN/CNO WASH DC N643//
 

SUBJ/GUIDELINES FOR NAVAL USE OF THE INTERNET//

REF/A/DOC/SECNAV/870603//
REF/B/DOC/SECNAV/920617//
REF/C/DOC/CNO/880429//
REF/D/DOC/CNO/930430//
REF/E/DOC/CNO/850401//

NARR/REF A IS SECNAVINST 5720.44A U.S. NAVY PUBLIC AFFAIRS REGULATIONS. REF B IS SECNAVINST 5211.5D DEPARTMENT OF THE NAVY PRIVACY ACT PROGRAM. REF C IS OPNAVINST 5510.1H DEPARTMENT OF NAVY INFORMATION AND PERSONNEL SECURITY PROGRAM REGULATION. REF D IS OPNAVINST 2710 NAVY LOCAL AREA NETWORKS POLICIES. REF E IS OPNAVINST 5239.1A ADP SECURITY POLICY.//

RMKS/1. THE DOD AND DON ARE CURRENTLY IN THE MIDST OF WHAT IS COMMONLY CALLED THE INFORMATION EXPLOSION. THE EXPONENTIAL GROWTH OF THE INTERNET AND THE WORLD WIDE WEB (WWW OR WEB) IS IN PART DUE TO THE EASE OF THE USE AND POPULARITY OF HYPERTEXT BROWSING APPLICATIONS. HYPERTEXT INTERNET APPLICATIONS MAY IMPROVE MANY FACETS OF OUR OPERATIONS, AND PROVIDE AN EFFICIENT AND EFFECTIVE MEANS OF COMMUNICATION AND INFORMATION DISTRIBUTION. THE NATIONAL INFORMATION INFRASTRUCTURE (NII) AND THE DEFENSE INFORMATION INFRASTRUCTURE (DII) HAVE AS A GOAL TO INCREASE THE EASE AND AVAILABILITY OF INFORMATION, BOTH WITHIN THE GOVERNMENT AND TO INFORMATION APPROVED FOR PUBLIC RELEASE AND ACCESSIBILITY BY THE PUBLIC.

2. EASY TO USE WEB BROWSERS AND SOFTWARE TOOLS TO EASE THE DEVELOPMENT OF DOCUMENTS WRITTEN IN HYPERTEXT MARKUP LANGUAGE (HTML) HAVE GIVEN RISE TO A PROLIFERATION OF WWW HOME PAGES ON THE INTERNET, INCLUDING MANY BY NUMEROUS NAVY COMMANDS OPERATING IN THE DOMAIN NAME NAVY.MIL.
COUPLED WITH THEIR PROMISED BENEFITS HOWEVER, SERVICES SUCH AS WWW, HYPERTEXT TRANSFER PROTOCOL (HTTP), GOPHER, ANONYMOUS FILE TRANSFER PROTOCOL (FTP), AND OTHER OPEN ANONYMOUS INFORMATION SERVERS PRESENT POTENTIAL PROBLEMS:

(A) DEPENDING ON THE SIZE OF THEIR INFORMATION FILES AND THE EXTERNAL DEMAND FOR THESE FILES, SUCH SERVICES CAN CONSUME SIGNIFICANT NETWORK BANDWIDTH, AND SERIOUSLY DEGRADE NETWORK PERFORMANCE FOR OTHER SYSTEMS SHARING THE SAME NETWORK COMPONENTS, AND POTENTIALLY DEGRADE OR DENY ACCESS TO REQUIRED INFORMATION BY INTERNAL USERS.

(B) TO BE USEFUL, SUCH SERVERS MUST ACCEPT OUTSIDE USERS WITHOUT REQUIRING EITHER A LOCAL USER ACCOUNT OR PASSWORD. PROVIDING SUCH SERVICE CLEARLY ENTAILS SECURITY RISKS, RISKS TO WHICH THE DON MUST BE ESPECIALLY SENSITIVE BECAUSE MILITARY COMPUTER SYSTEMS ARE TRADITIONALLY HIGH PROFILE TARGETS. THE CONNECTION OF NAVAL INFORMATION SYSTEMS AND NETWORKS TO UNCLASSIFIED PUBLICLY ACCESSIBLE COMPUTER NETWORKS AND INFORMATION SYSTEMS POSES A POTENTIAL THREAT TO NAVAL OPERATIONS. WE CANNOT VIEW THESE CONNECTIONS AS RISK-FREE. THE POTENTIAL EXISTS NOT ONLY FOR UNAUTHORIZED PERSONS TO GAIN ACCESS TO NAVAL INFORMATION SYSTEMS, BUT FOR THE INADVERTENT DISCLOSURE OF CLASSIFIED, UNCLASSIFIED BUT SENSITIVE, AND PRIVACY INFORMATION, AND THE COMPROMISE OF NAVAL OPERATIONS AND ACTIVITIES AS WELL. REQUIRING A LOCAL USER ACCOUNT OR PASSWORD PRIOR TO ACCESSING DATA AVAILABLE ON THE INTERNET IS NOT IN ITSELF A SUFFICIENT SAFEGUARD. IT IS IMPERATIVE THAT THE DEPARTMENT OF THE NAVY ENDEAVOR TO EVALUATE THE RISK AND ENSURE THAT DUE CARE IS TAKEN TO MINIMIZE THE CHANCE OF COMPROMISE.

3. IT IS FULLY APPROPRIATE FOR NAVAL COMMANDS TO ESTABLISH AND MAINTAIN INFORMATION SERVERS AND SERVICES ON THE INTERNET, INCLUDING WORLD WIDE WEB HOME PAGES WITH LINKS TO OTHER PAGES, PROVIDED THEY SUPPORT LEGITIMATE, MISSION-RELATED ACTIVITIES OF THE NAVY AND MARINE CORPS, AND ARE CONSISTENT WITH PRUDENT OPERATIONAL AND SECURITY CONSIDERATIONS.
ONE TYPE OF LINK THAT MUST BE AVOIDED IS THE LINK TO A SPECIFIC VENDOR WHO IS SELLING SERVICES AND PRODUCTS TO THE GOVERNMENT, AS THAT TYPE OF LINK MAY GIVE THE APPEARANCE THAT THE DON IS ENDORSING THE PRODUCT OR SERVICE, OR SHOWING FAVOR TO A PARTICULAR VENDOR. INFORMATION PLACED ON THE INTERNET, WITHOUT CONTROLS TO ELIMINATE OR PREVENT PUBLIC ACCESS, MUST BE CLEARED IN A MANNER CONSISTENT WITH THE PROCEDURES ALREADY IN PLACE FOR CLEARING "HARD" COPY INFORMATION. (SEE REFS (A), (B), AND (C)). IN MOST CASES, MATERIAL PROPOSED TO BE MADE AVAILABLE ELECTRONICALLY TO THE PUBLICLY ACCESSIBLE INTERNET MUST BE SUBMITTED THROUGH THE SAME PUBLIC AFFAIRS CHANNELS AS "HARD" COPY MATERIAL PROPOSED FOR PUBLICATION, (FOR NATIONAL RELEASE).

(A) COMMANDERS/COMMANDING OFFICERS MUST ENSURE THAT INFORMATION PROVIDED ON ANY OF THEIR INFORMATION SERVERS CONNECTED TO THE INTERNET, DOES NOT CONTAIN CLASSIFIED, UNCLASSIFIED SENSITIVE, OR PRIVACY INFORMATION, OR INFORMATION THAT COULD ENABLE THE RECIPIENT TO INFER CLASSIFIED OR UNCLASSIFIED SENSITIVE INFORMATION, EITHER FROM INDIVIDUAL SEGMENTS OF THE INFORMATION, OR FROM THE AGGREGATE OF ALL THE INFORMATION AVAILABLE.

(B) ANY INFORMATION PROVIDED THROUGH INTERNET SERVICES MUST BE PROFESSIONALLY PRESENTED, CURRENT, ACCURATE AND FACTUAL, AND RELATED TO THE COMMAND'S MISSION. COMMANDS MAY CHOOSE TO PRODUCE PERIODIC WRITTEN GENERAL GUIDELINES AND PARAMETERS FOR THEIR AUTHORIZED USERS OF UNCLASSIFIED PUBLICLY ACCESSIBLE COMPUTER NETWORKS SUCH AS THE INTERNET. THIS GUIDANCE WILL INDICATE THOSE TOPICS (SUCH AS SENSITIVE INFORMATION ASSOCIATED WITH THE COMMAND'S MISSION OR FLEET OPERATIONS, OR OTHER SENSITIVE DON BUSINESS), WHICH MAY BE RESTRICTED OR PROHIBITED FROM BEING DISCUSSED PUBLICLY OVER NETWORKS.

(C) EACH WEB HOME PAGE WILL HAVE A DESIGNATED AUTHOR OR MAINTAINER WHO WILL BE RESPONSIBLE FOR THE CONTENT AND APPEARANCE OF THAT PAGE.
THE INDIVIDUAL'S NAME, ORGANIZATIONAL CODE, ORGANIZATIONAL PHONE NUMBER, EMAIL ADDRESS, AND DATE OF LAST REVISION WILL BE INCLUDED IN THE SOURCE CODE FOR THAT PAGE. THE ORIGINATORS OF ANY MATERIAL PROPOSED FOR DISTRIBUTION OR POSTING TO A WEB HOME PAGE, ARE RESPONSIBLE FOR OBTAINING APPROVAL RELEASE, PRIOR TO SUBMITTING THE MATERIAL TO THE WEB SERVER ADMINISTRATOR.

(D) PUBLICLY ACCESSIBLE NEWSGROUPS, BULLETIN BOARDS, AND EMAIL MAILING LISTS THAT ARE OPERATED BY A COMMAND SHOULD ALSO REFLECT A HIGH LEVEL OF PROFESSIONALISM. INDIVIDUAL USERS WHO SUBMIT EMAIL POSTINGS TO THESE NAVY AND MARINE CORPS OPERATED AND MAINTAINED PUBLICLY ACCESSIBLE NEWSGROUPS AND BULLETIN BOARDS, ARE NOT AUTHORIZED TO SUBMIT CLASSIFIED, UNCLASSIFIED SENSITIVE, OR PRIVACY INFORMATION. COMMANDERS/COMMANDING OFFICERS SHOULD ESTABLISH PROCEDURES FOR PERIODIC REVIEW OF THE CONTENT OF POSTINGS THAT HAVE BEEN MADE TO THESE NEWSGROUPS AND BULLETIN BOARDS OPERATED BY THEIR COMMAND TO ENSURE THE POSTINGS DO NOT BRING DISCREDIT TO THE COMMAND AND THE DON. ALL NAVY AND MARINE CORPS EMAIL USERS SHOULD STRIVE TO ENSURE THAT THE CONTENT OF EMAIL MESSAGES REFLECTS A HIGH LEVEL OF PROFESSIONALISM AND PERSONAL INTEGRITY.

4. INFORMATION SYSTEMS SECURITY GUIDELINES:

(A) ALL NAVAL INFORMATION SYSTEMS WITH SERVERS (INCLUDING WEB SERVERS) WHICH ARE CONNECTED TO UNCLASSIFIED PUBLICLY ACCESSIBLE COMPUTER NETWORKS SUCH AS THE INTERNET, WILL EMPLOY APPROPRIATE SECURITY SAFEGUARDS (SUCH AS FIREWALLS) AS NECESSARY TO ENSURE THE INTEGRITY, AUTHENTICITY, PRIVACY, AND AVAILABILITY OF A COMMAND'S INFORMATION SYSTEM AND ITS DATA.

(B) ALL INFORMATION SYSTEMS WITH SERVERS CONNECTED TO THE INTERNET MUST HAVE A FORMAL COMMANDER/COMMANDING OFFICER, OR DESIGNATED APPROVING AUTHORITY (DAA) AUTHORIZATION TO OPERATE. IN ACCORDANCE WITH OPNAVINST 5239.1 (REF (E)), ALL SYSTEMS MUST RECEIVE SECURITY ACCREDITATION AND AUTHORIZATION TO OPERATE BY THE DAA PRIOR TO BEING PUT INTO OPERATION.
A NETWORK RISK ANALYSIS MUST BE CONDUCTED AS A PART OF THE OVERALL NETWORK SECURITY PLAN TO DETERMINE THE APPROPRIATE LEVEL OF SECURITY. DON WAN/LAN SYSTEMS SECURITY ACCREDITATIONS MUST BE UPDATED TO REFLECT THE ADDITION OF, OR EXISTENCE OF, A WEB SERVER OR OTHER INTERNET INFORMATION SERVER.

5. SINCE THE INTERNET IS OPEN AND LEGALLY ACCESSED BY THE WORLD-WIDE PUBLIC, INFORMATION PRESENTED BY NAVAL COMMANDS IN THEIR HOME PAGES ON THE INTERNET WILL REFLECT ON THE DEPARTMENT OF THE NAVY'S PROFESSIONAL STANDARDS AND CREDIBILITY. REGARDLESS OF HOW OR BY WHOM THESE PAGES ARE ACTUALLY DEVELOPED, THE APPEARANCE OF, AND THE ACCURACY, CURRENCY, AND RELEVANCE OF THIS INFORMATION WILL REFLECT DIRECTLY, OR INDIRECTLY, ON THE DEPARTMENT OF THE NAVY'S IMAGE. INFORMATION RESIDING ON A SERVER WITH A NAVY.MIL DOMAIN OR USMC.MIL DOMAIN, OR ANY OTHER NAVY OR MARINE CORPS OWNED AND OPERATED SERVER, MAY BE INTERPRETED BY THE WORLDWIDE PUBLIC, INCLUDING THE AMERICAN TAXPAYER AND MEDIA, AS REFLECTING OFFICIAL DEPARTMENT OF THE NAVY, OR DEPARTMENT OF DEFENSE POLICIES OR POSITIONS. THERE IS NO SUCH THING AS A PERSONAL OR UNOFFICIAL HOME PAGE ON A ".MIL" SERVER BECAUSE THESE SERVERS AND THE INFORMATION THEY CONTAIN ARE PROPERLY USED ONLY FOR OFFICIAL BUSINESS, AND IN AN OFFICIAL CAPACITY. COMMANDING OFFICERS SHOULD REVIEW ALL WEB HOME PAGES OR OTHER INTERNET INFORMATION SERVERS BEING OPERATED BY PERSONNEL AT THEIR COMMANDS, TO ENSURE COMPLIANCE WITH THE GUIDELINES NOTED IN THIS MESSAGE.

6. ADDITIONAL MORE DETAILED TECHNICAL AND INFOSEC GUIDELINES PERTAINING TO DON USE OF THE INTERNET WILL BE PUBLISHED IN FUTURE REVISIONS TO REFS D AND E.

7. THIS MESSAGE HAS BEEN COORDINATED WITH CMC, CHINFO, NAVY JAG, AND COMNAVSECGRU. THE N6 POINT OF CONTACT IS CDR D. GALIK, N643G. PHONE 703 697-7755, OR EMAIL: CNON643G@SMTP-GW.SPAWAR.NAVY.MIL. THE MARINE CORPS POINT OF CONTACT IS MARINE CORPS COMBAT DEVELOPMENT COMMAND, ARCHITECTURE AND STANDARDS DIVISION; PHONE 703 784-4720.

8. RELEASED BY VADM DAVIS, USN.//

BT