CNO 212001ZJUL95 GUIDELINES FOR NAVAL USE OF THE INTERNET

ADMINISTRATIVE MESSAGE
ROUTINE
R 212001Z JUL 95 ZYB MIN
FM CNO WASHINGTON DC//N6//
 
TO ALCOM
 
***THIS IS A 2 PART MSG COLLATED BY MRS***
UNCLAS  //N02250//                 
ALCOM 035/95
 
MSGID/GENADMIN/CNO WASH DC N643//
 
SUBJ/GUIDELINES FOR NAVAL USE OF THE INTERNET// 
REF/A/DOC/SECNAV/870603//
 
REF/B/DOC/SECNAV/920617//
 
REF/C/DOC/CNO/880429//
 
REF/D/DOC/CNO/930430//
 
REF/E/DOC/CNO/850401//
 
NARR/REF A IS SECNAVINST 5720.44A U.S. NAVY PUBLIC AFFAIRS
REGULATIONS.  REF B IS SECNAVINST 5211.5D DEPARTMENT OF THE NAVY
PRIVACY ACT PROGRAM.  REF C IS OPNAVINST 5510.1H DEPARTMENT OF NAVY
INFORMATION AND PERSONNEL SECURITY PROGRAM REGULATION.  REF D IS
OPNAVINST 2710 NAVY LOCAL AREA NETWORKS POLICIES.  REF E IS OPNAVINST
5239.1A ADP SECURITY POLICY.//
 
RMKS/1.  THE DOD AND DON ARE CURRENTLY IN THE MIDST OF WHAT IS
COMMONLY CALLED THE INFORMATION EXPLOSION.  THE EXPONENTIAL GROWTH OF
THE INTERNET AND THE WORLD WIDE WEB (WWW OR WEB) IS IN PART DUE TO
THE EASE OF THE USE AND POPULARITY OF HYPERTEXT BROWSING
APPLICATIONS.  HYPERTEXT INTERNET APPLICATIONS MAY IMPROVE MANY
FACETS OF OUR OPERATIONS, AND PROVIDE AN EFFICIENT AND EFFECTIVE
MEANS OF COMMUNICATION AND INFORMATION DISTRIBUTION.  THE NATIONAL
INFORMATION INFRASTRUCTURE (NII) AND THE DEFENSE INFORMATION
INFRASTRUCTURE (DII) HAVE AS A GOAL TO INCREASE THE EASE AND
AVAILABILITY OF INFORMATION, BOTH WITHIN THE GOVERNMENT AND TO
INFORMATION APPROVED FOR PUBLIC RELEASE AND ACCESSIBILITY BY THE
PUBLIC.
 
2.  EASY TO USE WEB BROWSERS AND SOFTWARE TOOLS TO EASE THE
DEVELOPMENT OF DOCUMENTS WRITTEN IN HYPERTEXT MARKUP LANGUAGE (HTML)
HAVE GIVEN RISE TO A PROLIFERATION OF WWW HOME PAGES ON THE
INTERNET, INCLUDING MANY BY NUMEROUS NAVY COMMANDS OPERATING IN THE
DOMAIN NAME NAVY.MIL.  COUPLED WITH THEIR PROMISED BENEFITS HOWEVER,
SERVICES SUCH AS WWW, HYPERTEXT TRANSFER PROTOCOL (HTTP), GOPHER,
ANONYMOUS FILE TRANSFER PROTOCOL (FTP), AND OTHER OPEN ANONYMOUS
INFORMATION SERVERS PRESENT POTENTIAL PROBLEMS:
     (A) DEPENDING ON THE SIZE OF THEIR INFORMATION FILES AND THE
EXTERNAL DEMAND FOR THESE FILES, SUCH SERVICES CAN CONSUME
SIGNIFICANT NETWORK BANDWIDTH, AND SERIOUSLY DEGRADE NETWORK
PERFORMANCE FOR OTHER SYSTEMS SHARING THE SAME NETWORK COMPONENTS,
AND POTENTIALLY DEGRADE OR DENY ACCESS TO REQUIRED INFORMATION BY
INTERNAL USERS.
     (B) TO BE USEFUL, SUCH SERVERS MUST ACCEPT OUTSIDE USERS
WITHOUT REQUIRING EITHER A LOCAL USER ACCOUNT OR PASSWORD.
PROVIDING SUCH SERVICE CLEARLY ENTAILS SECURITY RISKS, RISKS TO WHICH
THE DON MUST BE ESPECIALLY SENSITIVE BECAUSE MILITARY COMPUTER
SYSTEMS ARE TRADITIONALLY HIGH PROFILE TARGETS.  THE CONNECTION OF
NAVAL INFORMATION SYSTEMS AND NETWORKS TO UNCLASSIFIED PUBLICLY
ACCESSIBLE COMPUTER NETWORKS AND INFORMATION SYSTEMS POSES A
POTENTIAL THREAT TO NAVAL OPERATIONS.  WE CANNOT VIEW THESE
CONNECTIONS AS RISK-FREE.  THE POTENTIAL EXISTS NOT ONLY FOR
UNAUTHORIZED PERSONS TO GAIN ACCESS TO NAVAL INFORMATION SYSTEMS, BUT
FOR THE INADVERTENT DISCLOSURE OF CLASSIFIED, UNCLASSIFIED BUT
SENSITIVE, AND PRIVACY INFORMATION, AND THE COMPROMISE OF NAVAL
OPERATIONS AND ACTIVITIES AS WELL.  REQUIRING A LOCAL USER ACCOUNT
OR PASSWORD PRIOR TO ACCESSING DATA AVAILABLE ON THE INTERNET IS NOT
IN ITSELF A SUFFICIENT SAFEGUARD.  IT IS IMPERATIVE THAT THE
DEPARTMENT OF THE NAVY ENDEAVOR TO EVALUATE THE RISK AND ENSURE THAT
DUE CARE IS TAKEN TO MINIMIZE THE CHANCE OF COMPROMISE.
 
3.  IT IS FULLY APPROPRIATE FOR NAVAL COMMANDS TO ESTABLISH AND
MAINTAIN INFORMATION SERVERS AND SERVICES ON THE INTERNET, INCLUDING
WORLD WIDE WEB HOME PAGES WITH LINKS TO OTHER PAGES, PROVIDED THEY
SUPPORT LEGITIMATE, MISSION-RELATED ACTIVITIES OF THE NAVY AND
MARINE CORPS, AND ARE CONSISTENT WITH PRUDENT OPERATIONAL AND
SECURITY CONSIDERATIONS.  ONE TYPE OF LINK THAT MUST BE AVOIDED IS
THE LINK TO A SPECIFIC VENDOR WHO IS SELLING SERVICES AND PRODUCTS TO
THE GOVERNMENT, AS THAT TYPE OF LINK MAY GIVE THE APPEARANCE THAT THE
DON IS ENDORSING THE PRODUCT OR SERVICE, OR SHOWING FAVOR TO A
PARTICULAR VENDOR.  INFORMATION PLACED ON THE INTERNET, WITHOUT
CONTROLS TO ELIMINATE OR PREVENT PUBLIC ACCESS, MUST BE CLEARED IN A
MANNER CONSISTENT WITH THE PROCEDURES ALREADY IN PLACE FOR CLEARING
"HARD" COPY INFORMATION.  (SEE REFS (A), (B), AND (C)).  IN MOST
CASES, MATERIAL PROPOSED TO BE MADE AVAILABLE ELECTRONICALLY TO THE
PUBLICLY ACCESSIBLE INTERNET MUST BE SUBMITTED THROUGH THE SAME
PUBLIC AFFAIRS CHANNELS AS "HARD" COPY MATERIAL PROPOSED FOR
PUBLICATION, (FOR NATIONAL RELEASE).
     (A) COMMANDERS/COMMANDING OFFICERS MUST ENSURE THAT INFORMATION
PROVIDED ON ANY OF THEIR INFORMATION SERVERS CONNECTED TO THE
INTERNET, DOES NOT CONTAIN CLASSIFIED, UNCLASSIFIED SENSITIVE, OR
PRIVACY INFORMATION, OR INFORMATION THAT COULD ENABLE THE RECIPIENT
TO INFER CLASSIFIED OR UNCLASSIFIED SENSITIVE INFORMATION, EITHER
FROM INDIVIDUAL  SEGMENTS OF THE INFORMATION, OR FROM THE AGGREGATE
OF ALL THE INFORMATION AVAILABLE.
     (B) ANY INFORMATION PROVIDE THROUGH INTERNET SERVICES MUST BE
PROFESSIONALLY PRESENTED, CURRENT, ACCURATE AND FACTUAL, AND RELATED
TO THE COMMAND'S MISSION.  COMMANDS MAY CHOOSE TO PRODUCE PERIODIC
WRITTEN GENERAL GUIDELINES AND PARAMETERS FOR THEIR AUTHORIZED USERS
OF UNCLASSIFIED PUBLICLY ACCESSIBLE COMPUTER NETWORKS SUCH AS THE
INTERNET.  THIS GUIDANCE WILL INDICATE THOSE TOPICS (SUCH AS
SENSITIVE INFORMATION ASSOCIATED WITH THE COMMAND'S MISSION OR FLEET
OPERATIONS, OR OTHER SENSITIVE DON BUSINESS), WHICH MAY BE RESTRICTED
OR PROHIBITED FROM BEING DISCUSSED PUBLICLY OVER NETWORKS.
     (C) EACH WEB HOME PAGE WILL HAVE A DESIGNATED AUTHOR OR
MAINTAINER WHO WILL BE RESPONSIBLE FOR THE CONTENT AND APPEARANCE OF
THAT PAGE.  THE INDIVIDUAL'S NAME, ORGANIZATIONAL CODE,
ORGANIZATIONAL PHONE NUMBER, EMAIL ADDRESS, AND DATE OF LAST REVISION
WILL BE INCLUDED IN THE SOURCE CODE FOR THAT PAGE.  THE ORIGINATORS
OF ANY MATERIAL PROPOSED FOR DISTRIBUTION OR POSTING TO A WEB HOME
PAGE, ARE RESPONSIBLE FOR OBTAINING APPROVAL RELEASE, PRIOR TO
SUBMITTING THE MATERIAL TO THE WEB SERVER ADMINISTRATOR.
     (D) PUBLICLY ACCESSIBLE NEWSGROUPS, BULLETIN BOARDS, AND EMAIL
MAILING LISTS THAT ARE OPERATED BY A COMMAND SHOULD ALSO REFLECT A
HIGH LEVEL OF PROFESSIONALISM.  INDIVIDUAL USERS WHO SUBMIT EMAIL
POSTINGS TO THESE NAVY AND MARINE CORPS OPERATED AND MAINTAINED
PUBLICLY ACCESSIBLE NEWSGROUPS AND BULLETIN BOARDS, ARE NOT
AUTHORIZED TO SUBMIT CLASSIFIED, UNCLASSIFIED SENSITIVE, OR PRIVACY
INFORMATION.  COMMANDERS/COMMANDING OFFICERS SHOULD ESTABLISH
PROCEDURES FOR PERIODIC REVIEW OF THE CONTENT OF POSTINGS THAT HAVE
BEEN MADE TO THESE NEWSGROUPS AND BULLETIN BOARDS OPERATED BY THEIR
COMMAND TO ENSURE THE POSTINGS DO NOT BRING DISCREDIT TO THE COMMAND
AND THE DON.  ALL NAVY AND MARINE CORPS EMAIL USERS SHOULD STRIVE TO
ENSURE THAT THE CONTENT OF EMAIL MESSAGES REFLECT A HIGH LEVEL OF
PROFESSIONALISM AND PERSONAL INTEGRITY.
 
4.  INFORMATION SYSTEMS SECURITY GUIDELINES:
     (A) ALL NAVAL INFORMATION SYSTEMS WITH SERVERS (INCLUDING WEB
SERVERS) WHICH ARE CONNECTED TO UNCLASSIFIED PUBLICLY ACCESSIBLE
COMPUTER NETWORKS SUCH AS THE INTERNET, WILL EMPLOY APPROPRIATE
SECURITY SAFEGUARDS (SUCH AS FIREWALLS) AS NECESSARY TO ENSURE THE
INTEGRITY, AUTHENTICITY, PRIVACY, AND AVAILABILITY OF A COMMAND'S
INFORMATION SYSTEM AND ITS DATA.
     (B) ALL INFORMATION SYSTEMS WITH SERVERS CONNECTED TO THE
INTERNET MUST HAVE A FORMAL COMMANDER/COMMANDING OFFICER, OR
DESIGNATED APPROVING AUTHORITY (DAA) AUTHORIZATION TO OPERATE.  IN
ACCORDANCE WITH OPNAVINST 5239.1 (REF (E)), ALL SYSTEMS MUST RECEIVE
SECURITY ACCREDITATION AND AUTHORIZATION TO OPERATE BY THE DAA PRIOR
TO BEING PUT INTO OPERATION.  A NETWORK RISK ANALYSIS MUST BE
CONDUCTED AS A PART OF THE OVERALL NETWORK SECURITY PLAN TO DETERMINE
THE APPROPRIATE LEVEL OF SECURITY.  DON WAN/LAN SYSTEMS SECURITY
ACCREDITATIONS MUST BE UPDATED TO REFLECT THE ADDITION OF, OR
EXISTENCE OF, A WEB SERVER OR OTHER INTERNET INFORMATION SERVER.
 
5.  SINCE THE INTERNET IS OPEN AND LEGALLY ACCESSED BY THE
WORLD-WIDE PUBLIC, INFORMATION PRESENTED BY NAVAL COMMANDS IN THEIR
HOME PAGES ON THE INTERNET WILL REFLECT ON THE DEPARTMENT OF THE
NAVY'S PROFESSIONAL STANDARDS AND CREDIBILITY.  REGARDLESS OF HOW OR
BY WHOM THESE PAGES ARE ACTUALLY DEVELOPED, THE APPEARANCE OF, AND
THE ACCURACY, CURRENCY, AND RELEVANCE OF THIS INFORMATION WILL
REFLECT DIRECTLY, OR INDIRECTLY, ON THE DEPARTMENT OF THE NAVY'S
IMAGE.  INFORMATION RESIDING ON A SERVER WITH A NAVY.MIL DOMAIN OR
USMC.MIL DOMAIN, OR ANY OTHER NAVY OR MARINE CORPS OWNED AND OPERATED
SERVER, MAY BE INTERPRETED BY THE WORLDWIDE PUBLIC, INCLUDING THE
AMERICAN TAXPAYER AND MEDIA, AS REFLECTING OFFICIAL DEPARTMENT OF THE
NAVY, OR DEPARTMENT OF DEFENSE POLICIES OR POSITIONS.  THERE IS NO
SUCH THING AS A PERSONAL OR UNOFFICIAL HOME PAGE  ON A ".MIL" SERVER
BECAUSE THESE SERVERS AND THE INFORMATION THEY CONTAIN ARE PROPERLY
USED ONLY FOR OFFICIAL BUSINESS, AND IN AN OFFICIAL CAPACITY.
COMMANDING OFFICERS SHOULD REVIEW ALL WEB HOME PAGES OR OTHER
INTERNET INFORMATION SERVERS BEING OPERATED BY PERSONNEL AT THEIR
COMMANDS, TO ENSURE COMPLIANCE WITH THE GUIDELINES NOTED IN THIS
MESSAGE.
 
6.  ADDITIONAL MORE DETAILED TECHNICAL AND INFOSEC GUIDELINES
PERTAINING TO DON USE OF THE INTERNET WILL BE PUBLISHED IN FUTURE
REVISIONS TO REFS D AND E.
 
7.  THIS MESSAGE HAS BEEN COORDINATED WITH CMC, CHINFO, NAVY JAG, AND
COMNAVSECGRU.  THE N6 POINT OF CONTACT IS CDR D. GALIK, N643G.  PHONE
703 697-7755, OR EMAIL: CNON643G@SMTP-GW.SPAWAR.NAVY.MIL.  THE MARINE
CORPS POINT OF CONTACT IS MARINE CORPS COMBAT DEVELOPMENT COMMAND,
ARCHITECTURE AND STANDARDS DIVISION; PHONE 703 784-4720.
 
8.  RELEASED BY VADM DAVIS, USN.//
 
BT