UNCLASSIFIED/
ROUTINE
R 211334Z JAN 15 PSN 505960H25
FM CNO WASHINGTON DC
TO NAVADMIN
INFO CNO WASHINGTON DC
BT
UNCLAS
NAVADMIN 018/15
SUBJ/ACCEPTABLE USE POLICY FOR NAVY INFORMATION TECHNOLOGY RESOURCES
MSGID/GENADMIN/CNO WASHINGTON DC/N2N6BC/DEC//
REF/A/MSG/DON CIO/031648ZOCT11//
REF/B/DOC/CJCS/9FEB2011//
REF/C/DOC/DOD/17NOV2011//
REF/D/DOC/DOD/24FEB2012//
REF/E/MSG/SECNAV/192027ZAUG10//
REF/F/MSG/SECNAV/192031ZAUG10//
REF/G/MSG/DON CIO/032009ZOCT08//
AMPN/Reference (a) is Department of the Navy (DON) Chief Information Officer
(CIO) message on Acceptable use of DON Information Technology Resources.
Reference (b) is Chairman of the Joint Chiefs of Staff Instruction 6510.01F,
Information Assurance and Support to Computer Network Defense. Reference (c)
is Department of Defense (DoD) 5500.7-R CH7, Joint Ethics Regulation,
Sections 2-301 and 10-100. Reference (d) is DoDM 5200.01, DoD Information
Security Program Manual. Reference (e) is ALNAV 056/10 that provides
Secretary of the Navy (SECNAV) guidance for official posts on internet-based
capabilities. Reference (f) is ALNAV 057/10 that provides SECNAV guidance
for unofficial posts on internet-based capabilities. Reference (g) provides
SECNAV policy on the use of digital signatures and encryption with email.//
POC/MS. BROOKE ZIMMERMAN/CIV/OPNAV N2N6BC4/TEL: (571) 256-8521
/TEL: DSN: 260-8521/E-MAIL: brooke.zimmerman@navy.mil//
RMKS/1. In support of references (a) and (b), this message outlines
acceptable use standards when using Navy information technology (IT)
resources for official and authorized unofficial purposes.
2. Scope and Applicability. This message applies to all Navy IT resource
users including military, civilian, and contract support personnel.
3. Background. When used appropriately, Navy IT resources greatly enhance
our warfighting and business processing capabilities. However, when used
inappropriately and without regard to good cybersecurity practices, these
same resources increase the Navy’s exposure to malicious intrusions, expose
our information to threats, and increase costs through spillage and higher
bandwidth (B/W) requirements.
4. Discussion
a. This is the first in a series of forthcoming Cyber Hygiene
messages.
b. Appropriately controlling access to, and personal use of,
Navy IT resources is a leadership issue. Commanders, Commanding
Officers, Civilian Leaders, and Officers in Charge (hereafter
referred to as Commanding Officers) must engage with their users
to ensure IT resources are being utilized in an acceptable manner
and in accordance with the below policy. Following this policy and
instilling a climate of accountability combined with an effective
command training program will enhance productivity, maintain
network stability, and support a solid defense-in-depth approach.
c. Penalties for violation of the rules republished in, and
prescribed by, this message include applicable criminal, civil,
and administrative sanctions for current DoD employees, including
punishment under the Uniform Code of Military Justice
(UCMJ). References (c) and (d) are germane.
5. Action
a. Users are directed to read, understand, and comply with
reference (a) in its entirety. Paragraph 6 of this message
provides additional focus and direction to the Department of the Navy
(DON) policy.
6. Policy
a. Commercial Email
(1) Navy personnel are authorized to access commercial web-based email
using Navy IT resources for personal use within the limitations of
reference (a), paragraph 5.D and reference (c).
(2) Use of commercial email for official business is only permitted
when necessary to meet operational requirements in cases where Navy
provided email is unavailable. This use must be endorsed by the
command Information Assurance Manager (IAM) and approved in advance by
the Designated Accrediting Authority (DAA) or the DAA's written
designee.
(3) Users must follow the specific guidelines defined in references (e) and
(f) and ensure that controlled unclassified information (CUI), including
personal identifiable information (PII) and for official use only (FOUO)
information, is safeguarded. Commercial email cannot be authorized to
transmit CUI (including PII).
b. To ensure the confidentiality, integrity, availability, and
security of Navy IT resources and information, users shall not:
(1) Auto-forward any email from a Navy account to a commercial email
account (e.g., .com, .edu, etc.);
(2) Bypass, stress, or test cybersecurity or computer network defense
(CND) mechanisms (e.g., firewalls, content filters, proxy servers,
anti-virus programs, etc.);
(3) Introduce or use unauthorized software, firmware, or hardware on
any Navy IT resource;
(4) Relocate or change equipment or the network connectivity of
equipment without authorization from the local information assurance
(IA) authority;
(5) Use personally owned hardware, software, shareware, or public
domain software without written authorization from the local IA
authority;
(6) Upload or download executable files (e.g., .exe, .com, .vbs, or
.bat) onto Navy IT resources without the written approval of the local
cybersecurity authority;
(7) Participate in or contribute to any activity resulting in a
disruption or denial of service;
(8) Write, code, compile, store, transmit, transfer, or introduce
malicious software, programs, or code;
(9) Use Navy IT resources in a way that would reflect adversely on the
Navy per reference (c). Such uses include pornography, chain letters,
unofficial advertising, soliciting, or selling except on authorized
bulletin boards established for such use, violation of statute or
regulation, inappropriately handled classified information and PII, and
other uses that are incompatible with public service; or
(10) Place data onto Navy IT resources possessing insufficient security
controls to protect that data at the required classification (e.g.,
secret data on unclassified IT asset).
c. To ensure the confidentiality, integrity, availability, and
security of Navy resources and information, users shall:
(1) Safeguard information and information systems from unauthorized or
inadvertent modification, disclosure, destruction, or misuse;
(2) Protect CUI, to include PII, and classified information to prevent
unauthorized access, compromise, tampering, or exploitation of the
information;
(3) Protect authenticators (e.g., passwords and personal identification
numbers) required for logon authentication at the same classification
as the highest classification of the information accessed;
(4) Protect authentication tokens (e.g., CAC, alternate logon token,
personal identity verification, National Security System tokens) at all
times. Authentication tokens shall not be left unattended at any time
unless properly secured;
(5) Virus-check all information, programs, and other files prior to
uploading onto any Navy IT resource;
(6) Report all security incidents, including PII breaches, immediately
per applicable procedures;
(7) Access only that data, controlled information, software, hardware,
and firmware for which they are authorized access by their Commanding
Officer, have a need-to-know, and have the appropriate security
clearance. Assume only those roles and privileges for which the user
is authorized;
(8) Observe all policies and procedures governing the secure operation
and authorized use of a Navy information system;
(9) Digitally sign and encrypt email when appropriate per reference
(g); and
(10) Employ sound operations security measures per DoD, DON, Navy, and
command directives.
7. Action. Command leadership shall familiarize themselves with references
(a) through (g) and incorporate applicable requirements and guidelines into
command policy, guidance, training, and accountability actions.
8. This NAVADMIN will remain in effect until cancelled or superseded.
9. Released by Vice Admiral Ted N. Branch, OPNAV N2N6.
BT
#2856
NNNN
UNCLASSIFIED//