21 July 1995 (The Naval Message is DTG 212001Z JUL 95)
From: Chief of Naval Operations, Washington DC
Info: Secretary of the Navy
To: All Navy commands (The Naval Message is ALCOM 035/95)
Subject: GUIDELINES FOR NAVAL USE OF THE INTERNET// SSIC:
N02250
[Ref A is SECNAVINST 5720.44A - U.S. Navy Public Affairs
Regulations. Ref B is SECNAVINST 5211.5D Department of the
Navy Privacy Act Program. Ref C is OPNAVINST 5510.1H
Department of Navy Information and Personnel Security
Program Regulation. Ref D is OPNAVINST 2710 Navy Local Area
Networks policies. Ref E is OPNAVINST 5239.1A ADP Security
Policy.]
1. The DOD and DON are currently in the midst of what is
commonly called the information explosion. The exponential
growth of the Internet and the World Wide Web (WWW or web)
is in part due to the ease of use and popularity of
hypertext browsing applications. Hypertext Internet
applications may improve many facets of our operations, and
provide an efficient and effective means of communication
and information distribution. The National Information
Infrastructure (NII) and the Defense Information
Infrastructure (DII) have as a goal to increase the ease and
availability of information, both within the government and
to information approved for public release and accessibility
by the public.
2. Easy to use web browsers and software tools to ease the
development of documents written in hypertext markup
language (HTML) have given rise to a proliferation of WWW
home pages on the Internet, including many by numerous Navy
commands operating in the domain name navy.mil. Coupled with
their promised benefits however, services such as WWW,
hypertext transfer protocol (http), gopher, anonymous file
transfer protocol (ftp), and other open anonymous
information servers present potential problems:
(a) Depending on the size of their information files and the
external demand for these files, such services can consume
significant network bandwidth, and seriously degrade network
performance for other systems sharing the same network
components, and potentially degrade or deny access to
required information by internal users.
(b) To be useful, such servers must accept outside users
without requiring either a local user account or password.
Providing such service clearly entails security risks, risks
to which the DON must be especially sensitive because
military computer systems are traditionally high profile
targets. The connection of naval information systems and
networks to unclassified publicly accessible computer
networks and information systems poses a potential threat to
naval operations. We cannot view these connections as
risk-free. The potential exists not only for unauthorized
persons to gain access to naval information systems, but for
the inadvertent disclosure of classified, unclassified but
sensitive, and privacy information, and the compromise of
naval operations and activities as well. Requiring a local
user account or password prior to accessing data available
on the Internet is not in itself a sufficient safeguard. It
is imperative that the Department of the Navy endeavor to
evaluate the risk and ensure that due care is taken to
minimize the chance of compromise.
3. It is fully appropriate for naval commands to establish
and maintain information servers and services on the
Internet, including World Wide Web home pages with links to
other pages, provided they support legitimate,
mission-related activities of the Navy and Marine Corps, and
are consistent with prudent operational and security
considerations. One type of link that must be avoided is the
link to a specific vendor who is selling services and
products to the government, as that type of link may give
the appearance that the DON is endorsing the product or
service, or showing favor to a particular vendor.
Information placed on the Internet, without controls to
eliminate or prevent public access, must be cleared in a
manner consistent with the procedures already in place for
clearing "hard" copy information. (See refs (a), (b), and
(c)). In most cases, material proposed to be made available
electronically to the publicly accessible Internet must be
submitted through the same public affairs channels as "hard"
copy material proposed for publication, (for national
release).
(a) Commanders/commanding officers must ensure that
information provided on any of their information servers
connected to the Internet, does not contain classified,
unclassified sensitive, or privacy information, or
information that could enable the recipient to infer
classified or unclassified sensitive information, either
from individual segments of the information, or from the
aggregate of all the information available.
(b) Any information provided through Internet services must
be professionally presented, current, accurate and factual,
and related to the command's mission. Commands may choose to
produce periodic written general guidelines and parameters
for their authorized users of unclassified publicly
accessible computer networks such as the Internet. This
guidance will indicate those topics (such as sensitive
information associated with the command's mission or fleet
operations, or other sensitive DON business), which may be
restricted or prohibited from being discussed publicly over
networks.
(c) Each web home page will have a designated author or
maintainer who will be responsible for the content and
appearance of that page. The individual's name,
organizational code, organizational phone number, email
address, and date of last revision will be included in the
source code for that page. The originators of any material
proposed for distribution or posting to a web home page, are
responsible for obtaining approval release, prior to
submitting the material to the web server administrator.
(d) Publicly accessible newsgroups, bulletin boards, and
email mailing lists that are operated by a command should
also reflect a high level of professionalism. Individual
users who submit email postings to these Navy and Marine
Corps operated and maintained publicly accessible newsgroups
and bulletin boards, are not authorized to submit
classified, unclassified sensitive, or privacy information.
Commanders/commanding officers should establish procedures
for periodic review of the content of postings that have
been made to these newsgroups and bulletin boards operated
by their command to ensure the postings do not bring
discredit to the command and the DON. All Navy and Marine
Corps email users should strive to ensure that the content
of email messages reflects a high level of professionalism
and personal integrity.
4. Information systems security guidelines:
(a) All naval information systems with servers (including
web servers) which are connected to unclassified publicly
accessible computer networks such as the Internet, will
employ appropriate security safeguards (such as firewalls)
as necessary to ensure the integrity, authenticity, privacy
and availability of a command's information system and its
data.
(b) All information systems with servers connected to the
Internet must have a formal commander/commanding officer, or
Designated Approving Authority (DAA) authorization to
operate. In accordance with OPNAVINST 5239.1 (Ref (e)), all
systems must receive security accreditation and
authorization to operate by the DAA prior to being put into
operation. A network risk analysis must be conducted as part
of the overall network security plan to determine the
appropriate level of security. DON WAN/LAN systems security
accreditations must be updated to reflect the addition of,
or existence of, a web server or other Internet information
server.
5. Since the Internet is open and legally accessed by the
worldwide public, information presented by naval commands
in their home pages on the Internet will reflect on the
Department of the Navy's professional standards and
credibility. Regardless of how or by whom these pages are
actually developed, the appearance of, and the accuracy,
currency and relevance of this information will reflect
directly, or indirectly, on the Department of the Navy's
image. Information residing on a server with a navy.mil
domain or server, may be interpreted by the worldwide
public, including the American taxpayer and media, as
reflecting official Department of the Navy, or Department of
Defense policies or positions. There is no such thing as a
personal or unofficial home page on a ".mil" server because
these servers and the information they contain are properly
used only for official business, and in an official
capacity. Commanding officers should review all web home
pages or other Internet information servers being operated
by personnel at their commands, to ensure compliance with
the guidelines noted in this message.
6. Additional, more detailed technical and InfoSec guidelines
pertaining to DON use of the Internet will be published in
future revisions to refs d and e.
7. This message has been coordinated with Commandant of the
Marine Corps, the Chief of Information, Navy Judge Advocate
General, and Commander, Naval Security Group. The N6 point
of contact is CDR D. Galik, N643G. Phone 703 697-7755, or
e-mail: cnon643g@smtp-gw.spawar.navy.mil. The Marine Corps
point of contact is Marine Corps Combat Development Command,
Architecture and Standards Division; phone 703 784-4720.
8. Released by VADM Davis, USN.