Army Web sites and services - The United States Army Homepage

By Nicole West,2014-05-07 17:05

67. Army Web sites and services

    a. General.

    (1) Format conventions. The Army CIO/G6 is responsible for promulgating policies, procedures, and

    format conventions for Army Web sites and services.

    (2) Use of AKO/DKO. Official Army Web sites may exist on either public or non-public (private) Web sites. The AKO/DKO portal is the primary source for collaboration and coordination of Army’s non-public

    information. The use of net-centric communications and AKO/DKO supports execution of Army missions

    through information sharing and saves resources currently expended on traditional means of

    communication. Any organization desiring Web capabilities that would duplicate services already available

    on AKO/DKO must request a waiver from the CIO/G6, ATTN: SAISGKM, prior to purchasing this

    capability. Waiver requests must demonstrate coordination with the AKO/DKO Program Office.

    (3) Web domain registry. NETCOM 9th/SC (A) will manage the “army.mil” Web site assignment of subdomains and the Web domain registration process. The Web domain registry will include all the Web

    domain information of “army.mil” Web sites at the third level domain as well as any commercial Web sites

    being used. Army organizations desiring subdomains must register their domain through this process.

    (4) Coordination through the DOIM. Organizations requesting Web domains will coordinate their requests

    through the supporting DOIM to apply for any new Internet protocol addresses. DOIMs will complete the

    application through the NETCOM/9th SC (A) OIA&C. See also DA Pam para 81f.

    (5) Use of army.mil Web domain. All Army public and non-public Web sites must be located on an “army.mil” domain unless the CIO/G–6 waives that requirement. See also paragraphb for policy

    concerning use of .mil domains, required waivers, and exceptions.

    (6) Web domain authorizations. Only specified organizations or functions are authorized to have Web sites at the third-tier level of the Web domain (for example, netcom.army.mil) as primary Army Web sites.

    HQDA principals, US Army Reserves, Army National Guard, ACOMs, ASCCs, DRUs, PEOs, PMs,

    service schools or centers, installations, division-level units, and special service organizations will establish

    third-tier level Web sites and will consolidate subordinate organizations into these sites in order to

    minimize the total number of Army Web sites. All other organizations may have a Web presence (for

    example, Web pages) on the Web sites of their respective parent organizations.

    (7) Use of IP restriction. Public Web sites are on the Internet (World Wide Web) and are considered unrestricted. A Web site which relies only on an Internet protocol (IP) restriction to control access is

    considered a public Web site.

    (8) Web management policy. Army Web site managers/maintainers must comply with the Web management policy in this regulation and the DOD Web site administration policy located at

    http://www.defenselink.mil/webmasters and subsequent DOD guidance and direction.

    (9) Web content. Management and utilization of public and non-public Web sites must be consistent with

    Army and Defense policy on official and authorized use of telecommunications. See paragraphs 61,e and f

    above.

    (10) FTP. File Transfer Protocol sites in the public domain are not authorized and will not be used in the

    place of authorized public Web sites.

    (11) Privacy. Army organizations must observe Federal, Defense, and Army policies for protecting

    personal privacy on official Army Web sites and must establish a documented process for Web

    masters/maintainers to screen their Web sites quarterly to ensure compliance.

    (12) Security and access. Army organizations must establish a security and access-control process based upon the sensitivity of the information and the target audience for which it is intended.

    (13) Assignment of Web master/maintainer. Army organizations will assign a Web master/maintainer for

    each of their Web sites/pages.

    (a) Army organizations will provide their Web masters/maintainers sufficient resources and training on

    both technical and content matters. Resources are available at the Army Web master’s homepage:

    http://www.army.mil/webmasters/.

    (b) On-line training is available at https://iatraining.us.army.mil/_usermgmt/login.htm and

    http://www.disa.mil/handbook/handbook_v1.6.doc.

    (c) Web masters/maintainers will have technical control over the site’s content and will ensure the site

    conforms to Defense and Army policies, standards, and conventions.

    (14) Section 508. Web sites are required to comply with the provisions of Section 508 of the Rehabilitation Act Amendments of 1998 (29 USC 794d). Web sites must be equally accessible to disabled and non-disabled Federal employees and members of the public. Guidance on Section 508 standards concerning Web-based information and applications is located at http://www.access-board.gov/sec508/508standards.htm. Exceptions should be referred to the Staff Judge Advocate for legal review. (See also paragraph 67a(2) on information access.)

    (15) Private Web sites. Activities will establish organizational private Web sites for collaboration and coordination purposes. Organizational Web site managers will install access-control mechanisms, as required. (See para 67a (2) above for waiver requirements.)

    b. Required Use of Army.Mil Domain.

    (1) Use of army.mil. Per DODI 8410.01, organizations must use “army.mil” domain as their second-level

    domain name for the Unclassified-but-Sensitive Internet Protocol Router Network (NIPRNet) and

    “army.smil.mil” for the Secret Internet Protocol Router Network (SIPRNet) unless a waiver has been

    granted by the CIO/G6 and, in turn, the DOD CIO. Requests for a waiver must explain the rationale for the use of any domain other than army.mil on a temporary or permanent basis.

    (2) Exception. The following are exceptions to the “army.mil” policy and do not require waivers:

    (a) Army Reserve Officer Training Units that do not fund or operate Internet systems, but use, instead, the

    domains of their hosting organizations or the organizations that support their Internet communication needs.

    (b) US Military Academy, which is authorized to use an “edu” domain.

    (c) MWR activities, AAFES operations, and other NAF instrumentalities, which are authorized to use

    commercial domains.

    (d) Army recruiting Web sites in the public domain, which may be hosted and served in a commercial Web

    domain.

    (3) Special needs. Examples of special needs or requirements that may be considered and approved for other than the Army.mil domain are as follows:

    (a) Inability of GIG assets to support the operations as documented by a GIG waiver.

    (b) An international program for which an Army organization is the lead agency representing the United

    States; the Web site may require a “gov” domain.

    (c) A public-private partnership information system or service in which most of the content is non-government, but where the government shares data with a private entity.

    (d) Organizations requiring use of “dod.mil” domain because they are designated DOD executive agents or

    single managers for specified programs.

    (e) Temporary Web site (six months or less) used to directly support crisis/disaster, law enforcement,

    intelligence, counter intelligence, or information warfare operations.

    (f) Specialized services on contracted commercial systems not connected to the NIPRNet or SIPRNet and

    not reliant on access-control mechanisms used in the “.mil” domain. (Generic services such as Web site hosting and e-mail services do not constitute specialized services.)

    (4) Waivers. Requests for waivers to the required use of the “army.mil” domain, signed by colonel or

    civilian equivalent, must be submitted by the Web site owner’s HQDA element or parent command through

    Headquarters, Department of the Army CIO/G6 (SAISGKP), 107 Army Pentagon, Washington, DC

    203100107, to Principal Deputy DOD CIO. Signed memo will be scanned and forwarded by e-mail to:

    armycio@hqda.army.mil.

    (5) Waiver justification. Requests for non-army.mil domains must be accompanied by the completed templates from enclosures 6 and 7 in the DODI 8410.01. Minimum justification will include:

    (a) Purpose of the Web site.

    (b) Army or DOD sponsor.

    (c) Authority (statute or regulation) to disseminate/exchange this information.

    (d) Time period in which this Web site will be used.

    (e) Reason why an Internet domain other than “army.mil” is needed. (Explanations will normally address

    cost and expedience.)

    (f) If non-public, why AKO/DKO or other .mil site cannot be used. (Explanation will include coordination

    with AKO/DKO and other server administrators to confirm that other .mil solutions are not achievable.)

    (g) Confirmation that there will be no association on the Web site with the name of the private provider, no

    advertising, and no commercial trademarks or symbols.

    (h) Access controls and overall security to be applied. (If PKI with AKO/DKO Single Sign-On (AKO/DKO

    SSO) is not used for access, explain the reason. Refer to paragraphe on commercial certificates.)

    (i) Description of any personally identifiable information concerning a military service member, family

    member, or other individuals that will be collected and maintained, a justification for why this information

    must be collected, and explanation of how it will be managed and safeguarded.

    c. Army Public Web Site Management.

    (1) Guidance. The Army CIO/G6 promulgates policies, procedures, and format conventions for public

    Web sites in this regulation and the DA Pam 2511, chapter 8. This guidance, in addition to any updated

    policy, is posted on the CIO/G6 Web site at http://www.army.mil/ciog6/references/webmaster/policy.html .

    (2) Registration. In order to facilitate the public in locating government information resources, organizations must register their public Web sites (for example, http://www.netcom.army.mil) with the

    Army Homepage Web master at http://www.army.mil. Army organizations’ Web maintainers must update

    this information as changes occur.

    (3) Posting. Only official Army information that is releasable and of value to the public may be posted on

    Army public Web sites. Official information of interest to Army employees will be posted on AKO/DKO.

    Army commanders/organizational heads will ensure that the PAO and other appropriate designee(s) (for

    example, command counsel, force protection, intelligence, and so on) review and clear Web content and

    format prior to posting to the Internet. Information contained on publicly accessible Web sites is subject to

    the policies and clearance procedures prescribed in AR 3601, chapter 5, for the release of information to

    the public. Possible risks must be judged and weighed against potential benefits prior to posting any Army

    information on the Internet. (See also paragraph 510.)

    (4) Web site reviews. The designated reviewer(s) will conduct routine reviews of Web sites on a quarterly basis to ensure that each Web site is in compliance with the policies herein and that the content remains

    relevant and appropriate. The use of Web analysis software for reviews is encouraged but not required. The

    minimum review will include all of the Web site management control checklist items at appendix C,

    paragraph C4. In addition, Army organizations using the Internet will not post the following types of

    information on Army’s publicly accessible Web sites:

    a. FOIA-exempt information.

    b. Records currently and properly classified in the interest of national security.

    c. Records related solely to internal personnel rules and practices that are not meant for public release.

    d. Restricted or limited distribution information.

    e. Records protected by another law that specifically exempts the information from public release. This

    includes information protected by copyright.

    f. Trade secrets and commercial or financial information obtained from a private source which would cause

    substantial competitive harm to the source if disclosed.

    g. Internal records that are deliberative in nature and are part of the decision-making process that contain opinions and recommendations. This exemption includes draft documents, draft publications, or pre-decisional information of any kind.

    h. Records which, if released, would result in a clearly unwarranted invasion of personal privacy.

    i. Lists of names and other personally identifying information of personnel assigned within a particular

    component, unit, organization, or office in the DA. Discretionary release of names and duty information of

    personnel who frequently interact with the public by nature of their positions and duties (such as general

    officers and senior executives, PAOs, or other personnel designated as official command spokespersons) is

    permitted. In addition, command Web sites may publish the name, rank, and duty station of military

    personnel in photo captions and news stories. Point of contact information on posted memoranda is also

    excluded from this restriction.

    j. Investigatory records or information compiled for law enforcement purposes.

    k. Web logs, video logs, or chat rooms.

    (5) Privacy and security. Web masters/maintainers will apply appropriate privacy and security policies to respect visitors’ privacy.

    a. Web sites will display a privacy and security notice in a prominent location on at least the first page of

    all major sections of each Web site.

    b. Each privacy and security notice must clearly and concisely inform visitors to the site what information

    the activity collects about individuals, why it is collected, and how it will be used. For an example, see the

    Defenselink Web site (official Web site of DOD), which states, “For management purposes, statistical

    summary information or other non-user identifying information may be gathered for the purposes of

    assessing usefulness of information, determining technical design specifications, and identifying system

    performance or problem areas.”

    c. Persistent “cookies” that track users over time and across different Web sites to collect personal

    information are prohibited on public Web sites. The use of any other automated means to collect personally

    identifying information on public Web sites without the express permission of the user is prohibited.

    Requests for exceptions must be forwarded to the Army CIO/G6.

    d. Third-party cookie generation will be disabled.

    (6) Web content. Web site owners/maintainers will ensure that:

    a. Web servers are IAVM compliant and placed behind a reverse proxy server or implement an alternative

    security procedure. Reverse proxy servers must be configured in a way that does not cache secure sockets

    layer (SSL) traffic.

    b. Web site content is accurate, current, and provides reliable data in compliance with information quality

    guidelines at paragraph 112.

    (7) Army commands and activities will establish objective and supportable criteria or guidelines for the

    selection and maintenance of links to external Web sites. Guidelines should consider the information needs

    of mission-related requirements and public communications and community relations objectives.

    a. No compensation of any kind may be accepted in exchange for a link placed on an organization’s

    publicly accessible official Army Web site.

    b. Listings of Web links on Army Web pages must separate external Web links from Government and

    military links.

    c. When external links to non-Government Web sites are included, the following disclaimer must appear on

    the page(s) listing external links or through an intermediate “exit notice” page: “The appearance of external

    hyperlinks does not constitute endorsement by the U.S. Army of this Web site or the information, products,

    or services contained therein. For other than authorized activities such as military exchanges and MWR

    sites, the U.S. Army does not exercise any editorial control over the information you may find at these

    locations. Such links are provided consistent with the stated purpose of this Web site.”

    (8) Web site owners notified by the AWRAC of Web site violations will make immediate corrections or

    block the Web site or link until corrections can be made. (See paragraph 510 for additional information.)

    d. AKO/DKO and AKO-S.

    (1) Use of AKO/DKO. AKO/DKO (www.us.army.mil) and AKO-S are the enterprise portals supporting unclassified and classified Army web sites. Activities will leverage AKO/DKO and AKO-S to the

    maximum extent possible to develop knowledge networks and portals inside AKO/DKO. Private Web sites

    separate from AKO/DKO should be established only when AKO/DKO cannot support the requirement.

    The use of AKO/DKO and AKO-S enables optimal sharing of Army information and knowledge resources

    across the entire Army enterprise. Army activities will maximize their use of AKO/DKO resources,

    features, and tools to reduce the need for investment in the same types of IT resources.

    (2) Authentication of access. AKO/DKO is the single authoritative source for authenticating user access to Army Web-enabled ISs and Web servers that serve users with DOD IP addresses. Existing Army portals or

    Web servers with authentication services that duplicate AKO/DKO services will migrate to AKO/DKO

    authentication unless waived by CIO/G6. Army Web-enabled business applications are required to be

    linked from the AKO/DKO portal. The initial minimum standard is a URL link on the Army portal to the

    application. The objective standard is to use the AKO/DKO directory services for authentication as well as

    a URL link on the Army portal.

    (3) Administration. For organizational space on the AKO/DKO portal, each Army organization will assign a top-level administrator for their primary organizational presence, and, where needed, assign delegated

    administrators to manage the content within subordinate organizations. Army organizations will provide

    administrators sufficient resources and support.

    (4) Content control. Organizations will ensure their AKO/DKO site content posting procedures conform to Defense- and Army-wide Web site policies. Content that is made available to all AKO/DKO users and

    groups, that is, “Unrestricted” content, should be treated as publicly accessible and subject to Web

    guidelines for PAO review. Organizations should establish procedures for content providers to place

    information on the site and ensure that administrators assign security and access controls requested by

    content providers. Content owners are required to establish the appropriate mechanisms to protect sensitive

    information from being accessed by unauthorized individuals.

    (5) Logon. All AKO/DKO account users are responsible for the security of their AKO/DKO credentials (that is, user name and password) and content that they create on the portal. CAC logon is preferable to user name and password logon.

    (6) Posting. AKO/DKO users will conform to AKO/DKO posting procedures and policy on the use of

    official and authorized telecommunications. See paragraphs 61d, e, and f.

    (7) Security. Users that fail to properly secure their AKO/DKO credentials and content on the AKO/DKO

    portal will be subject to nonjudicial or judicial action under the Uniform Code of Military Justice. See

    Summary page of this publication.

    (8) AKO records. E-mail and other files on AKO/DKO that are determined to be records will be managed per chapter 8 and AR 254002.

    e. Other Private Web Sites (Intranets and Extranets).

    (1) Hosting. Army organizations are authorized to host private Web sites when AKO/DKO resources

    cannot support the functional requirement (para 67d). See also paragraph 67b for Web domain

    restrictions.

    (2) Authentication. All unclassified Intranets (private Web sites used for processing information limited to DOD users) will be enabled to use DOD PKI certificates for server authentication and client/server

    authentication. Owners of authorized Intranets must ensure that the SSL is enabled and that PKI encryption

    certificates are loaded. Use of Internet Protocol restriction by itself is insufficient; such sites will be

    considered publicly accessible rather than private. PKI Web server certificates may be obtained from the

    NETCOM/9th SC (A) TNOSC.

    (3) Web application authentication. All Intranet Web applications will use AKO SSO or AKO SSO with

    CAC for user access, unless waived by NETCOM/9th SC (A). Legacy applications currently using

    AKO/DKO Lightweight Directory Access Protocol to authenticate clients must migrate to SSO capable

    platforms. For more information on how to use AKO/DKO directory authentication and AKO SSO, visit

    the AKO/DKO Authentication Center and SSO Homepage at AKO Home, Quick Links, AKO Tips &

    Training, and Single Sign-On Home.

    (4) Use of PKI. Web applications must be PKI-enabled.

    (5) Exceptions. The following type of Web server is exempt from using CAC/PKI or other forms of encryption: any unclassified Army Web server providing non-sensitive and publicly releasable information

    resources categorized as a private Web server only because it limits access to a particular audience only for

    the purpose of preserving copyright protection of the contained information sources, facilitating its own

    development, or restricting access to link(s) with limited access site(s) (and not the information resources).

    (6) Extranets authentication. Unclassified Extranets (private Web sites used for exchanging non-public

    domain information with members of the public and other individuals not authorized to use DOD PKI

    resources) may be operated to facilitate Army missions and functions. To ensure ease of access,

    organizations that collect sensitive but unclassified information from the general public as part of their

    assigned mission are authorized to purchase and use approved commercially available certificates to

    provide SSL services. Extranet owners must select from the trusted and validated products lists on DISA’s

    Web site (http://iase.disa.mil/common/index.html).
