12 FAM 544.3 Electronic Transmission Via the Internet
(CT: DS-117; 11-04-2005)
a. It is the Department’s general policy that normal day-to-day operations be conducted on an authorized AIS, which has the proper level of security control to provide nonrepudiation, authentication, and encryption, and thereby to ensure the confidentiality, integrity, and availability of the resident information. The Department’s authorized telework solution(s) are designed in a manner that meets these requirements and are not considered end points outside of the Department’s management control.
b. The Department is expected to provide, and employees are expected to use, approved secure methods to transmit SBU information when available and practical.
c. Employees should be aware that transmissions from the Department’s OpenNet to and from non-U.S. Government Internet addresses, and to other .gov or .mil addresses, unless specifically directed through an approved secure means, traverse the Internet unencrypted. Therefore, employees must be cognizant of the sensitivity of the information and the mandated security controls, evaluate the possible security risks, and then decide whether a more secure means of transmission is warranted (e.g., secure fax, mail, or an approved secure network).
d. In the absence of a Department-provided secure method, employees with a valid business need may transmit SBU information over the Internet unencrypted, after carefully considering that:
(1) SBU information within the category in 12 FAM 541b(7)(a) and (b) must never be sent unencrypted via the Internet;
(2) Unencrypted information transmitted via the Internet is susceptible to access by unauthorized personnel;
(3) Email transmissions via the Internet generally pass through multiple intermediate mail servers and networks, along whatever path is available at the time, which may include multiple foreign and U.S. controlled Internet service providers (ISP);
(4) Once resident on an ISP server, the SBU information may remain there, even after deletion, until it is overwritten;
(5) Unencrypted email transmissions are subject to a risk of compromise of information confidentiality or integrity;
(6) SBU information resident on personally owned computers connected to the Internet is generally more susceptible to cyber attacks and/or compromise than information on Government-owned computers connected to the Internet;
(7) The Internet is globally accessed (i.e., there are no physical or traditional territorial boundaries). Transmissions through foreign ISPs or servers can magnify these risks; and
(8) Current technology can selectively intercept messages by email address or address suffix and inspect the content of unencrypted messages.
e. SBU information must not be posted on any public Internet Web site, discussed in a publicly available chat room, or discussed in any other public forum on the Internet.
f. To preclude inadvertent transmission of SBU information prohibited on the Internet, AIS users must not use an “auto-forward” function to send emails to an address outside the Department’s network.
g. SBU information created on or downloaded to publicly available non-U.S. Government-owned computers, such as Internet kiosks, should be removed when no longer needed.
h. All users who process SBU information on personally owned computers must ensure that these computers will provide adequate and appropriate security for that information. This includes:
(1) Disabling unencrypted wireless access;
(2) The maintenance of adequate physical security;
(3) The use of anti-virus and anti-spyware software; and
(4) Ensuring that all operating system and other software security patches, virus definitions, firewall version updates, and spyware definitions are current.