CHAPTER 5, PART 2

INTERNET USE & COPYRIGHT RESTRICTIONS

 

 

1          BACKGROUND

 

The proliferation of the Internet as a working tool in USDA has necessitated that security measures for its use be more clearly defined. This has been highlighted by the results of Intrusion Detection Scans (IDS) of networks and firewalls nationwide. During these scans, Cyber Security has detected increased activity in areas that users should know are unauthorized.

 

Scans of department Internet Protocol (IP) addresses have identified users engaging in the download of programs that enable the user to subsequently download other software, music, graphics or videos, including pornographic materials; in some instances, this material is downloaded and distributed to others.  These users are using a number of Peer-to-Peer (P2P) programs and “file sharing” products available for download from the Internet.   Some of the products detected include: gnutella, LimeWire, SwapNut, KaZaA, and Morpheus.  These “evasive” programs have the ability to send inbound and outbound traffic to regular Internet ports for transport, thus disguising their purpose.

 

Removing these programs from Government equipment causes undue departmental expense and can involve days of effort.  Repeated and continuous use of this type of software can impact network resources and inhibit USDA’s ability to properly discharge our mission.  Software downloads have been detected independent of the use of P2P programs and the like.  As indicated above, the fact that special programming is not involved in downloading these materials does not alter the possible criminal nature of distributing pornographic material to others.  In addition, copyright infringement may exist if the material being downloaded found its way onto the Internet without the owner’s permission, or if the user employs the downloaded material contrary to instructions therewith.

 

2          POLICY

 

USDA has a long-established policy that does not condone or support employees' use of Government computers or networks for unauthorized purposes. P2P programs and other programs that perform those functions have no recognized departmental business need and should not be loaded on workstations or equipment used to conduct USDA Official Business without an approved exception from the Associate CIO for Cyber Security. Specifically, USDA employees are prohibited from loading P2P software on USDA equipment, downloading illegal material, downloading copyrighted material for personal use, and the distribution of illegally obtained files and software. The “Limited Personal Use Policy” defined in DR 3300-1 cannot be used as a justification for downloading P2P or other programs that perform those functions, downloading or distributing pornographic material, or copyright infringement.

 

Agencies must apply this policy to all personnel that use USDA equipment and facilities, including USDA telecommunications and Internet access networks, or perform services for or on behalf of USDA. Agencies have no authority to allow these groups to use Government equipment for these unauthorized activities improperly or to charge the Government for these unauthorized activities.

 

Each agency will establish an electronic system to monitor Internet usage by all personnel using USDA equipment to ensure that they adhere to these requirements in the performance of their official duties and while using USDA computers and networks. This system should be designed to monitor each website a user accesses but should not include keystroke monitoring. For accountability reasons, each agency and mission area will be able to electronically map all IP addresses to specific users. Each agency is required to provide warning banners to users advising them of the intent to monitor USDA networks, systems and equipment, making specific reference to the unauthorized activities and notifying users that the use of the computer system and network is an expression of consent to such monitoring. All agencies and mission areas are responsible for enforcing this policy to protect USDA Information Technology (IT) resources and for providing security awareness training on an annual basis.

 

Agencies will refer instances of pornography to the Office of the Inspector General (OIG) and will respond to requests from CS for follow up action on instances of unauthorized use.  They will coordinate all necessary investigative and follow up actions with the OIG, law enforcement and appropriate agency Office of Human Resources Management (HRM). 

 

Policy Exception Requirements – Agencies will submit all policy exception requests directly to the ACIO for Cyber Security. Exceptions to policy will be considered only in terms of implementation timeframes; exceptions will not be granted to the requirement to conform to this policy. Exceptions that are approved will be interim in nature and will require that each agency report this Granted Policy Exception (GPE) as a Plan of Action & Milestone (POA&M) in their FISMA reporting, with a GPE notation, until full compliance is achieved. Interim exceptions expire with each fiscal year. Compliance exceptions that require longer durations will be renewed on an annual basis with an updated timeline for completion. CS will monitor all approved exceptions.

 

 

3          RESPONSIBILITIES

 

            a         The Chief Information Officer and Deputy will:

 

Support and enforce this policy throughout all of USDA and actively coordinate with law enforcement and agency activities to ensure that employees and other groups use the Internet to conduct authorized activities.

 

            b         The Associate CIO for Cyber Security will:

 

(1)              Perform continuous scans of all USDA networks and systems to detect unauthorized activity by employees, contractors, subcontractors, grantees and cooperators;

                       

(2)              Analyze closely the results of these scans and take remedial action with the agency and mission area to ensure that:

 

(a)      Instances of pornography are forwarded to the Office of Inspector General (OIG);

(b)      Instances of child pornography are forwarded to the appropriate law enforcement office;

(c)       Instances of unauthorized use are forwarded to the agency and mission area for review, appropriate follow-up and administrative action;

 

(3)              Actively support each agency and mission area in the resolution of all instances of unauthorized use of the Internet;

 

(4)              Actively provide assistance to the OIG, law enforcement offices, and agency Human Resource Management offices in the investigation of all parties violating this policy;

 

(5)              Maintain an electronic record of all instances of unauthorized use of USDA equipment, networks and systems to support prosecution or administrative action requirements;

 

(6)              Ensure through audits that each agency and mission area complies with the requirements of this policy to include modification of warning banners to advise users of unauthorized activities and the USDA’s intent to monitor all networks, systems and equipment;

 

(7)              Collaborate with agencies and mission areas in conducting training and awareness programs designed to inform all USDA users of the appropriate use of the Internet, networks, systems and equipment;

           

(8)              Collaborate with the Office of Procurement and Property Management to ensure that guidance (AGAR Advisory) is issued to the procurement community advising them of the need to incorporate this policy in all new contracts; and

 

(9)              Ensure that agency program offices preparing procurement requests, including statements of work and specifications, incorporate a requirement that contractors and subcontractors comply with this policy;

 

c          The Associate CIO for Information Resources Management will:

           

(1)       Support the policy and procedures contained in this chapter to ensure that appropriate security protection is provided to all USDA managed networks, systems and servers; and

 

(2)       Receive, review and coordinate a response with the Associate CIO for Cyber Security to any requests for exceptions to this policy.

 

d         The Office of Inspector General will:

 

(1)              Respond to all instances of unauthorized use of the Internet or USDA networks, systems and equipment by working with Cyber Security to take the appropriate remedial action to include prosecution or administrative action;

 

(2)              Promptly initiate investigations, where deemed appropriate, to protect USDA IT resources or advise Cyber Security that administrative action is warranted by the agency or mission area;

 

(3)              Collaborate with agencies and mission areas to ensure appropriate administrative action is being taken; and

 

(4)              Conduct routine audits of agency and mission area Internet use, Warning Banners, training and awareness programs and monitoring systems to determine compliance with this policy and procedures.

 

e          The Office of the Chief Financial Officer will:

 

Issue Department-wide guidance applicable to assistance grants and cooperative agreements to reflect the requirements of this policy and procedures to prevent unauthorized use of the Internet or USDA Information Technology resources by grantees and cooperators;

 

f           Agency Chief Information Officer will:

 

(1)              Ensure that the policy and procedures in this Chapter are implemented in all areas for which they are responsible;

 

(2)              Coordinate with acquisition activities to modify existing contracts, as necessary, to apply this policy to all USDA contractors, subcontractors, grantees and cooperators that use USDA equipment and facilities, including telecommunications and Internet access networks, or perform services for or on behalf of USDA;

 

(3)              Ensure a system is established to monitor Internet usage by all employees, contractors, subcontractors, grantees, and cooperators using USDA equipment to ensure that they adhere to the requirements of this policy during the performance of their official duties and while using USDA networks and systems; this system should be designed to monitor each Web site that a user accesses (audit trail) but should not include keystroke monitoring;

 

(4)              Ensure that agency programs assign one IP address per user or be able to identify dynamically assigned addresses to individual users;

 

(5)              Ensure that all agency/mission area Warning Banners are revised to make specific reference to the above-described unauthorized activities, and to include notice that there will be periodic and routine monitoring of Internet usage and that the user expresses consent to such monitoring through his or her use of USDA computer systems or networks;

 

(6)              Provide oversight to ensure that computer security awareness and training is conducted for all users in the authorized use of the Internet and all IT resources;

 

(7)              Ensure that necessary action is taken to report all instances of unauthorized use of the Internet and USDA IT resources, and cooperate with the OIG, law enforcement and Human Resource Officials during investigations and any subsequent legal or administrative proceedings; and

 

(8)              Ensure that language is included in all new Statements of Work, specifications and procurement/grant/cooperative agreement requirements that require compliance with this policy by contractors, subcontractors, grantees and cooperators.

 

g         Agency Information Systems Security Program Managers or designate will:

 

(1)              Assist the system and network administrators in monitoring Internet use by agency employees, contractors and subcontractors;

           

(2)              In coordination with the SA, ensure that agency Warning Banners are updated to make specific reference to unauthorized Internet activities and to include notice concerning periodic and routine monitoring of Internet use and that the user expresses consent to such monitoring through his or her use of USDA computer systems and networks;

 

(3)              Electronically identify and monitor incidents of policy violations and report such incidents to Cyber Security in accordance with the USDA Computer Incident Response Procedures;

 

(4)              Assist the OIG and law enforcement offices in collecting investigative and forensic evidence as required;

 

(5)              Secure all investigative and forensic data in a locked cabinet in accordance with the USDA Computer Incident Response Procedures; and

 

(6)              Conduct security awareness training for all agency and mission area employees and contractors with a focus on authorized Internet use and appropriate use of USDA systems, networks and equipment.

 

h          Agency System and Network Administrators and Webmasters will:    

 

(1)       Monitor all agency Internet usage by all authorized users; assign one IP address per user;

 

(2)       Coordinate all instances of unauthorized activities with the agency ISSPM or designate;

 

(3)       Update all agency computer Warning Banners with language meeting the requirements outlined above; and

 

(4)       Assist, as required, in collecting investigative and forensic data for cases under investigation by the OIG or law enforcement offices.

 

 

- END -