United States Department of Defense

INFORMATION SECURITY/WEBSITE ALERT

06 AUG 2006



UNCLASSIFIED//

PRECEDENCE TO: IMMEDIATE DTG: 090426Z AUG 06
PRECEDENCE CC: IMMEDIATE
TYPE: AUTODIN
FROM PLA: SECDEF WASHINGTON DC
SUBJECT: INFORMATION SECURITY/WEBSITE ALERT
TEXT:
OAAUZFH1 RUEONGC0284 2210512-UUUU--RUHQOSU.
ZNR UUUUU ZOV RUEONGC1195 RELAY OF RUEKJCS0284 2210427 O 090426Z AUG 06 FM SECDEF WASHINGTON DC TO ALDODACT ZEN/ALDODACT @ AL ALDODACT(UC) INFO RUEKJCS/SECDEF WASHINGTON DC BT UNCLAS

SUBJ: INFORMATION SECURITY/WEBSITE ALERT

ALDODACT 11/06

ADDRESSEES PASS TO ALL SUBORDINATE COMMANDS

1. EFFECTIVE IMMEDIATELY, NO INFORMATION MAY BE PLACED ON WEBSITES THAT ARE READILY ACCESSIBLE TO THE PUBLIC UNLESS IT HAS BEEN REVIEWED FOR SECURITY CONCERNS AND APPROVED IN ACCORDANCE WITH DEPUTY SECRETARY OF DEFENSE MEMORANDUM *WEB SITE POLICIES AND PROCEDURES,* DECEMBER 7, 1998 (HTTP://WWW.DEFENSELINK.MIL/WEBMASTERS/) AND, AS APPLICABLE, DOD INSTRUCTION (DODI) 5230.29, *SECURITY AND POLICY REVIEW OF DOD INFORMATION FOR PUBLIC RELEASE.* COMMAND REVIEW PROCEDURES MUST ALSO SPECIFICALLY ADDRESS IDENTIFICATION OF FOR OFFICIAL USE ONLY (FOUO) INFORMATION AND SHALL ENSURE ALL INFORMATION IS REVIEWED BY PERSONNEL TRAINED IN OPERATIONS SECURITY (OPSEC).

THIS DIRECTION DOES NOT CHANGE THE CURRENT PROCEDURES UNDER WHICH PUBLIC AFFAIRS OFFICES RELEASE INFORMATION TO THE MEDIA OR GENERAL PUBLIC.

2. ALL PERSONNEL HAVE THE RESPONSIBILITY TO ENSURE THAT NO INFORMATION THAT MIGHT PLACE OUR SERVICE MEMBERS IN JEOPARDY OR THAT WOULD BE OF USE TO OUR ADVERSARIES IS POSTED TO WEBSITES THAT ARE READILY ACCESSIBLE BY THE PUBLIC. ALTHOUGH NOT A FINITE LIST, SUCH INFORMATION INCLUDES, AMONG OTHER THINGS, TECHNICAL INFORMATION, OPERATIONAL PLANS, TROOP ROTATION SCHEDULES, POSITION AND MOVEMENT OF U.S. NAVAL CRAFT, DESCRIPTIONS OF OVERSEAS MILITARY BASES, VULNERABILITY OF WEAPON SYSTEMS OR DISCUSSION OF AREAS FREQUENTED BY U.S. PERSONNEL OVERSEAS. SPECIAL ATTENTION SHALL BE GIVEN TO IDENTIFICATION OF INFORMATION THAT WOULD FACILITATE CIRCUMVENTION OF DOD, COMPONENT OR COMMAND POLICIES, RULES, REGULATIONS OR OTHER SIGNIFICANT GUIDANCE (E.G., ORDERS, MANUALS, INSTRUCTIONS, SECURITY CLASSIFICATION GUIDES). SUCH INFORMATION SHOULD BE MARKED FOUO AND SHALL NOT BE POSTED TO WEBSITES ACCESSIBLE BY THE PUBLIC. DOD 5400.7-R, *DOD FREEDOM OF INFORMATION ACT PROGRAM,* CHAPTER 3, DESCRIBES EXEMPTIONS 2-9 AND PROVIDES GUIDELINES FOR THE TYPES OF INFORMATION THAT MAY QUALIFY AS FOUO. AS WITH CLASSIFIED INFORMATION, IT IS THE ORIGINATOR*S RESPONSIBILITY TO IDENTIFY AND MARK INFORMATION THAT MAY BE FOUO.

3. *BLOGS,* OR WEB LOGS, POSTED TO PUBLIC WEBSITES ARE INCREASINGLY USED BY MILITARY PERSONNEL AS PERSONAL JOURNALS. COMMANDERS SHALL ENSURE SUBORDINATES ARE AWARE THAT, IN ACCORDANCE WITH DOD DIRECTIVE 5230.9, *CLEARANCE OF DOD INFORMATION FOR PUBLIC RELEASE,* AND THE JOINT ETHICS REGULATION (DOD 5500.7-R), PERSONAL BLOGS (I.E., THOSE NOT HAVING DOD SPONSORSHIP AND PURPOSE) MAY NOT BE CREATED/MAINTAINED DURING NORMAL DUTY HOURS AND MAY NOT CONTAIN INFORMATION ON MILITARY ACTIVITIES THAT IS NOT AVAILABLE TO THE GENERAL PUBLIC. SUCH INFORMATION INCLUDES COMMENTS ON DAILY MILITARY ACTIVITIES AND OPERATIONS, UNIT MORALE, RESULTS OF OPERATIONS, STATUS OF EQUIPMENT, AND OTHER INFORMATION THAT MAY BE BENEFICIAL TO ADVERSARIES.

4. IN ACCORDANCE WITH PARAGRAPH 6.2.7 OF DODI 5230.29, *SECURITY AND POLICY REVIEW OF DOD INFORMATION FOR PUBLIC RELEASE,* ANY INFORMATION MEETING THE REQUIREMENTS OF PARAGRAPH 6.1 OF THAT INSTRUCTION, INCLUDING INFORMATION REGARDING MILITARY OPERATIONAL PLANS, SHALL BE REVIEWED AND APPROVED FOR RELEASE BY THE DEPARTMENT OF DEFENSE OFFICE OF FREEDOM OF INFORMATION AND SECURITY REVIEW PRIOR TO POSTING ON WEBSITES ACCESSIBLE TO THE PUBLIC.

5. WHERE COLLABORATION WITH NON-DOD PERSONNEL REGARDING UNCLASSIFIED OFFICIAL INFORMATION WILL BENEFIT THE DEPARTMENT, OFFICIAL *CHAT ROOMS* OR COLLABORATION SITES SHALL BE ESTABLISHED AND REGULATED THROUGH THE USE OF POSITIVE TECHNICAL CONTROLS SUCH AS PROXY SERVICES AND SCREENED SUBNETS IN ACCORDANCE WITH DODI 8500.2, *INFORMATION ASSURANCE (IA) IMPLEMENTATION* AND APPROVED BY THE DESIGNATED APPROVING AUTHORITY (DAA). COLLABORATION CAN TAKE PLACE AMONG DOD PERSONNEL OR AMONG DOD PERSONNEL AND AUTHORIZED NON-DOD PERSONNEL (INCLUDING PUBLIC MEMBERS OF THE SCIENTIFIC COMMUNITY) WITHIN SECURITY AND INFORMATION DISSEMINATION GUIDELINES (E.G., EXPORT CONTROL RESTRICTIONS). NON-DOD PERSONNEL SHALL BE AUTHORIZED ACCESS TO THE *CHAT ROOM* OR COLLABORATION SITE ON A BY-NAME BASIS BY THE DOD SPONSOR IN ACCORDANCE WITH PROCEDURES ESTABLISHED BY THE DAA. USER AUTHENTICATION SHALL BE REQUIRED FOR SYSTEM ACCESS.

6. DOD PERSONNEL WHO ENGAGE IN THE UNAUTHORIZED DISCLOSURE OF U.S. GOVERNMENT INFORMATION MAY BE SUBJECT TO CRIMINAL AND/OR ADMINISTRATIVE ACTION.

7. ALL COMMAND OPSEC MANAGERS, AND WEBMASTERS WHO REVIEW INFORMATION FOR PUBLIC RELEASE VIA WEBSITES, SHALL RECEIVE WEB OPSEC TRAINING. PUBLIC AFFAIRS SPECIALISTS WHO REVIEW INFORMATION FOR WEB POSTING SHALL RECEIVE WEB OPSEC TRAINING. OPSEC TRAINING IS ENCOURAGED FOR THOSE WEBMASTERS WHO WORK DIRECTLY WITH WEBSITE MANAGEMENT OR SUPERVISION. THE INTERAGENCY OPSEC SUPPORT STAFF (IOSS) SPONSORS TWO APPROPRIATE COURSES, *OPSEC AND WEB CONTENT VULNERABILITY* AND *WEB RISK ASSESSMENT COURSE.* SPECIFIC INFORMATION REGARDING IOSS TRAINING CAN BE ACQUIRED FROM THE IOSS, 6411 IVY LANE, SUITE 400, GREENBELT, MARYLAND 20770, (443) 479-4677, HTTP://WWW.IOSS.GOV. OTHER SOURCES OF TRAINING MAY BE AVAILABLE LOCALLY.

8. WEBSITES READILY ACCESSIBLE TO THE PUBLIC ARE DEFINED AS THOSE THAT DO NOT AUTHENTICATE INDIVIDUAL USERS AND INCLUDE THOSE WITH ACCESS RESTRICTED SOLELY BY DOMAIN OR IP ADDRESS. QUESTIONS MAY BE FORWARDED, THROUGH COMMAND CHANNELS, TO OUSD(I), SECURITY DIRECTORATE.

9. THIS IS A JOINT DEPUTY SECRETARY OF DEFENSE / VICE CHAIRMAN OF THE JOINT CHIEFS OF STAFF MESSAGE.
BT
#0284

UNCLASSIFIED//