6–7. Army Web sites and services
(1) Format conventions. The Army CIO/G–6 is responsible for promulgating policies, procedures, and
format conventions for Army Web sites and services.
(2) Use of AKO/DKO. Official Army Web sites may exist on either public or non-public (private) Web sites. The AKO/DKO portal is the primary source for collaboration and coordination of Army’s non-public
information. The use of net-centric communications and AKO/DKO supports execution of Army missions
through information sharing and saves resources currently expended on traditional means of
communication. Any organization desiring Web capabilities that would duplicate services already available
on AKO/DKO must request a waiver from the CIO/G–6, ATTN: SAIS–GKM, prior to purchasing this
capability. Waiver requests must demonstrate coordination with the AKO/DKO Program Office.
(3) Web domain registry. NETCOM/9th SC (A) will manage the “army.mil” Web site assignment of subdomains and the Web domain registration process. The Web domain registry will include all the Web
domain information of “army.mil” Web sites at the third level domain as well as any commercial Web sites
being used. Army organizations desiring subdomains must register their domain through this process.
(4) Coordination through the DOIM. Organizations requesting Web domains will coordinate their requests
through the supporting DOIM to apply for any new Internet protocol addresses. DOIMs will complete the
application through the NETCOM/9th SC (A) OIA&C. See also DA Pam para 8–1f.
(5) Use of army.mil Web domain. All Army public and non-public Web sites must be located on an “army.mil” domain unless the CIO/G–6 waives that requirement. See also paragraphb for policy
concerning use of .mil domains, required waivers, and exceptions.
(6) Web domain authorizations. Only specified organizations or functions are authorized to have Web sites at the third-tier level of the Web domain (for example, netcom.army.mil) as primary Army Web sites.
HQDA principals, US Army Reserves, Army National Guard, ACOMs, ASCCs, DRUs, PEOs, PMs,
service schools or centers, installations, division-level units, and special service organizations will establish
third-tier level Web sites and will consolidate subordinate organizations into these sites in order to
minimize the total number of Army Web sites. All other organizations may have a Web presence (for
example, Web pages) on the Web sites of their respective parent organizations.
(7) Use of IP restriction. Public Web sites are on the Internet (World Wide Web) and are considered unrestricted. A Web site which relies only on an Internet protocol (IP) restriction to control access is
considered a public Web site.
(8) Web management policy. Army Web site managers/maintainers must comply with the Web management policy in this regulation and the DOD Web site administration policy located at
http://www.defenselink.mil/webmasters and subsequent DOD guidance and direction.
(9) Web content. Management and utilization of public and non-public Web sites must be consistent with
Army and Defense policy on official and authorized use of telecommunications. See paragraphs 6–1,e and f
(10) FTP. File Transfer Protocol sites in the public domain are not authorized and will not be used in the
place of authorized public Web sites.
(11) Privacy. Army organizations must observe Federal, Defense, and Army policies for protecting
personal privacy on official Army Web sites and must establish a documented process for Web
masters/maintainers to screen their Web sites quarterly to ensure compliance.
(12) Security and access. Army organizations must establish a security and access-control process based upon the sensitivity of the information and the target audience for which it is intended.
(13) Assignment of Web master/maintainer. Army organizations will assign a Web master/maintainer for
each of their Web sites/pages.
(a) Army organizations will provide their Web masters/maintainers sufficient resources and training on
both technical and content matters. Resources are available at the Army Web master’s homepage:
http://www.army.mil/webmasters/.
(b) On-line training is available at https://iatraining.us.army.mil/_usermgmt/login.htm and
(c) Web masters/maintainers will have technical control over the site’s content and will ensure the site
conforms to Defense and Army policies, standards, and conventions.
(14) Section 508. Web sites are required to comply with the provisions of Section 508 of the Rehabilitation
Act Amendments of 1998 (29 USC 794d). Web sites must be equally accessible to disabled and non-disabled
Federal employees and members of the public. Guidance on Section 508 standards concerning
Web-based information and applications is located at http://www.access-board.gov/sec508/508standards.htm.
Exceptions should be referred to the Staff Judge Advocate for legal
review. (See also paragraph 6–7a(2) on information access.)
(15) Private Web sites. Activities will establish organizational private Web sites for collaboration and coordination purposes. Organizational Web site managers will install access-control mechanisms, as
required. (See para 6–7a (2) above for waiver requirements.)
b. Required Use of Army.Mil Domain.
(1) Use of army.mil. Per DODI 8410.01, organizations must use “army.mil” domain as their second-level
domain name for the Unclassified-but-Sensitive Internet Protocol Router Network (NIPRNet) and
“army.smil.mil” for the Secret Internet Protocol Router Network (SIPRNet) unless a waiver has been
granted by the CIO/G–6 and, in turn, the DOD CIO. Requests for a waiver must explain the rationale for the use of any domain other than army.mil on a temporary or permanent basis.
(2) Exception. The following are exceptions to the “army.mil” policy and do not require waivers:
(a) Army Reserve Officer Training Units that do not fund or operate Internet systems, but use, instead, the
domains of their hosting organizations or the organizations that support their Internet communication needs.
(b) US Military Academy, which is authorized to use an “edu” domain.
(c) MWR activities, AAFES operations, and other NAF instrumentalities, which are authorized to use
(d) Army recruiting Web sites in the public domain, which may be hosted and served in a commercial Web
(3) Special needs. Examples of special needs or requirements that may be considered and approved for other than the Army.mil domain are as follows:
(a) Inability of GIG assets to support the operations as documented by a GIG waiver.
(b) An international program for which an Army organization is the lead agency representing the United
States; the Web site may require a “gov” domain.
(c) A public-private partnership information system or service in which most of the content is non-government,
but where the government shares data with a private entity.
(d) Organizations requiring use of “dod.mil” domain because they are designated DOD executive agents or
single managers for specified programs.
(e) Temporary Web site (six months or less) used to directly support crisis/disaster, law enforcement,
intelligence, counter intelligence, or information warfare operations.
(f) Specialized services on contracted commercial systems not connected to the NIPRNet or SIPRNet and
not reliant on access-control mechanisms used in the “.mil” domain. (Generic services such as Web site hosting and e-mail services do not constitute specialized services.)
(4) Waivers. Requests for waivers to the required use of the “army.mil” domain, signed by colonel or
civilian equivalent, must be submitted by the Web site owner’s HQDA element or parent command through
Headquarters, Department of the Army CIO/G–6 (SAIS–GKP), 107 Army Pentagon, Washington, DC
20310–0107, to Principal Deputy DOD CIO. Signed memo will be scanned and forwarded by e-mail to:
(5) Waiver justification. Requests for non-army.mil domains must be accompanied by the completed templates from enclosures 6 and 7 in the DODI 8410.01. Minimum justification will include—
(a) Purpose of the Web site.
(b) Army or DOD sponsor.
(c) Authority (statute or regulation) to disseminate/exchange this information.
(d) Time period in which this Web site will be used.
(e) Reason why an Internet domain other than “army.mil” is needed. (Explanations will normally address
cost and expedience.)
(f) If non-public, why AKO/DKO or other .mil site cannot be used. (Explanation will include coordination
with AKO/DKO and other server administrators to confirm that other .mil solutions are not achievable.)
(g) Confirmation that there will be no association on the Web site with the name of the private provider, no
advertising, and no commercial trademarks or symbols.
(h) Access controls and overall security to be applied. (If PKI with AKO/DKO Single Sign-On (AKO/DKO
SSO) is not used for access, explain the reason. Refer to paragraphe on commercial certificates.)
(i) Description of any personally identifiable information concerning a military service member, family
member, or other individuals that will be collected and maintained, a justification for why this information
must be collected, and explanation of how it will be managed and safeguarded.
c. Army Public Web Site Management.
(1) Guidance. The Army CIO/G–6 promulgates policies, procedures, and format conventions for public
Web sites in this regulation and the DA Pam 25–1–1, chapter 8. This guidance, in addition to any updated
policy, is posted on the CIO/G–6 Web site at http://www.army.mil/ciog6/references/webmaster/policy.html .
(2) Registration. In order to facilitate the public in locating government information resources, organizations must register their public Web sites (for example, http://www.netcom.army.mil) with the
Army Homepage Web master at http://www.army.mil. Army organizations’ Web maintainers must update
this information as changes occur.
(3) Posting. Only official Army information that is releasable and of value to the public may be posted on
Army public Web sites. Official information of interest to Army employees will be posted on AKO/DKO.
Army commanders/organizational heads will ensure that the PAO and other appropriate designee(s) (for
example, command counsel, force protection, intelligence, and so on) review and clear Web content and
format prior to posting to the Internet. Information contained on publicly accessible Web sites is subject to
the policies and clearance procedures prescribed in AR 360–1, chapter 5, for the release of information to
the public. Possible risks must be judged and weighed against potential benefits prior to posting any Army
information on the Internet. (See also paragraph 5–10.)
(4) Web site reviews. The designated reviewer(s) will conduct routine reviews of Web sites on a quarterly basis to ensure that each Web site is in compliance with the policies herein and that the content remains
relevant and appropriate. The use of Web analysis software for reviews is encouraged but not required. The
minimum review will include all of the Web site management control checklist items at appendix C,
paragraph C–4. In addition, Army organizations using the Internet will not post the following types of
information on Army’s publicly accessible Web sites:
a. FOIA-exempt information.
b. Records currently and properly classified in the interest of national security.
c. Records related solely to internal personnel rules and practices that are not meant for public release.
d. Restricted or limited distribution information.
e. Records protected by another law that specifically exempts the information from public release. This
includes information protected by copyright.
f. Trade secrets and commercial or financial information obtained from a private source which would cause
substantial competitive harm to the source if disclosed.
g. Internal records that are deliberative in nature and are part of the decision-making process that contain
opinions and recommendations. This exemption includes draft documents, draft publications, or
pre-decisional information of any kind.
h. Records which, if released, would result in a clearly unwarranted invasion of personal privacy.
i. Lists of names and other personally identifying information of personnel assigned within a particular
component, unit, organization, or office in the DA. Discretionary release of names and duty information of
personnel who frequently interact with the public by nature of their positions and duties (such as general
officers and senior executives, PAOs, or other personnel designated as official command spokespersons) is
permitted. In addition, command Web sites may publish the name, rank, and duty station of military
personnel in photo captions and news stories. Point of contact information on posted memoranda is also
excluded from this restriction.
j. Investigatory records or information compiled for law enforcement purposes.
k. Web logs, video logs, or chat rooms.
(5) Privacy and security. Web masters/maintainers will apply appropriate privacy and security policies to respect visitors’ privacy.
a. Web sites will display a privacy and security notice in a prominent location on at least the first page of
all major sections of each Web site.
b. Each privacy and security notice must clearly and concisely inform visitors to the site what information
the activity collects about individuals, why it is collected, and how it will be used. For an example, see the
Defenselink Web site (official Web site of DOD), which states, “For management purposes, statistical
summary information or other non-user identifying information may be gathered for the purposes of
assessing usefulness of information, determining technical design specifications, and identifying system
performance or problem areas.”
c. Persistent “cookies” that track users over time and across different Web sites to collect personal
information are prohibited on public Web sites. The use of any other automated means to collect personally
identifying information on public Web sites without the express permission of the user is prohibited.
Requests for exceptions must be forwarded to the Army CIO/G–6.
d. Third-party cookie generation will be disabled.
(6) Web content. Web site owners/maintainers will ensure that—
a. Web servers are IAVM compliant and placed behind a reverse proxy server or implement an alternative
security procedure. Reverse proxy servers must be configured in a way that does not cache secure sockets
layer (SSL) traffic.
b. Web site content is accurate, current, and provides reliable data in compliance with information quality
guidelines at paragraph 1–12.
(7) Army commands and activities will establish objective and supportable criteria or guidelines for the
selection and maintenance of links to external Web sites. Guidelines should consider the information needs
of mission-related requirements and public communications and community relations objectives.
a. No compensation of any kind may be accepted in exchange for a link placed on an organization’s
publicly accessible official Army Web site.
b. Listings of Web links on Army Web pages must separate external Web links from Government and
c. When external links to non-Government Web sites are included, the following disclaimer must appear on
the page(s) listing external links or through an intermediate “exit notice” page: “The appearance of external
hyperlinks does not constitute endorsement by the U.S. Army of this Web site or the information, products,
or services contained therein. For other than authorized activities such as military exchanges and MWR
sites, the U.S. Army does not exercise any editorial control over the information you may find at these
locations. Such links are provided consistent with the stated purpose of this Web site.”
(8) Web site owners notified by the AWRAC of Web site violations will make immediate corrections or
block the Web site or link until corrections can be made. (See paragraph 5–10 for additional information.)
d. AKO/DKO and AKO-S.
(1) Use of AKO/DKO. AKO/DKO (www.us.army.mil) and AKO-S are the enterprise portals supporting unclassified and classified Army Web sites. Activities will leverage AKO/DKO and AKO-S to the
maximum extent possible to develop knowledge networks and portals inside AKO/DKO. Private Web sites
separate from AKO/DKO should be established only when AKO/DKO cannot support the requirement.
The use of AKO/DKO and AKO-S enables optimal sharing of Army information and knowledge resources
across the entire Army enterprise. Army activities will maximize their use of AKO/DKO resources,
features, and tools to reduce the need for investment in the same types of IT resources.
(2) Authentication of access. AKO/DKO is the single authoritative source for authenticating user access to Army Web-enabled ISs and Web servers that serve users with DOD IP addresses. Existing Army portals or
Web servers with authentication services that duplicate AKO/DKO services will migrate to AKO/DKO
authentication unless waived by CIO/G–6. Army Web-enabled business applications are required to be
linked from the AKO/DKO portal. The initial minimum standard is a URL link on the Army portal to the
application. The objective standard is to use the AKO/DKO directory services for authentication as well as
a URL link on the Army portal.
(3) Administration. For organizational space on the AKO/DKO portal, each Army organization will assign a top-level administrator for their primary organizational presence, and, where needed, assign delegated
administrators to manage the content within subordinate organizations. Army organizations will provide
administrators sufficient resources and support.
(4) Content control. Organizations will ensure their AKO/DKO site content posting procedures conform to Defense- and Army-wide Web site policies. Content that is made available to all AKO/DKO users and
groups, that is, “Unrestricted” content, should be treated as publicly accessible and subject to Web
guidelines for PAO review. Organizations should establish procedures for content providers to place
information on the site and ensure that administrators assign security and access controls requested by
content providers. Content owners are required to establish the appropriate mechanisms to protect sensitive
information from being accessed by unauthorized individuals.
(5) Logon. All AKO/DKO account users are responsible for the security of their AKO/DKO credentials
(that is, user name and password) and content that they create on the portal. CAC logon is preferable to user name and
(6) Posting. AKO/DKO users will conform to AKO/DKO posting procedures and policy on the use of
official and authorized telecommunications. See paragraphs 6–1d, e, and f.
(7) Security. Users that fail to properly secure their AKO/DKO credentials and content on the AKO/DKO
portal will be subject to nonjudicial or judicial action under the Uniform Code of Military Justice. See
Summary page of this publication.
(8) AKO records. E-mail and other files on AKO/DKO that are determined to be records will be managed per chapter 8 and AR 25–400–2.
e. Other Private Web Sites (Intranets and Extranets).
(1) Hosting. Army organizations are authorized to host private Web sites when AKO/DKO resources
cannot support the functional requirement (para 6–7d). See also paragraph 6–7b for Web domain
(2) Authentication. All unclassified Intranets (private Web sites used for processing information limited to DOD users) will be enabled to use DOD PKI certificates for server authentication and client/server
authentication. Owners of authorized Intranets must ensure that the SSL is enabled and that PKI encryption
certificates are loaded. Use of Internet Protocol restriction by itself is insufficient; such sites will be
considered publicly accessible rather than private. PKI Web server certificates may be obtained from the
NETCOM/9th SC (A) TNOSC.
(3) Web application authentication. All Intranet Web applications will use AKO SSO or AKO SSO with
CAC for user access, unless waived by NETCOM/9th SC (A). Legacy applications currently using
AKO/DKO Lightweight Directory Access Protocol to authenticate clients must migrate to SSO capable
platforms. For more information on how to use AKO/DKO directory authentication and AKO SSO, visit
the AKO/DKO Authentication Center and SSO Homepage at AKO Home, Quick Links, AKO Tips &
Training, and Single Sign-On Home.
(4) Use of PKI. Web applications must be PKI-enabled.
(5) Exceptions. The following type of Web server is exempt from using CAC/PKI or other forms of encryption: any unclassified Army Web server providing non-sensitive and publicly releasable information
resources categorized as a private Web server only because it limits access to a particular audience only for
the purpose of preserving copyright protection of the contained information sources, facilitating its own
development, or restricting access to link(s) with limited access site(s) (and not the information resources).
(6) Extranets authentication. Unclassified Extranets (private Web sites used for exchanging non-public
domain information with members of the public and other individuals not authorized to use DOD PKI
resources) may be operated to facilitate Army missions and functions. To ensure ease of access,
organizations that collect sensitive but unclassified information from the general public as part of their
assigned mission are authorized to purchase and use approved commercially available certificates to
provide SSL services. Extranet owners must select from the trusted and validated products lists on DISA’s
Web site (http://iase.disa.mil/common/index.html).