| 4-5 a. | Prohibited activities. In addition to the prohibited activities listed in AR 25-1, the following activities are specifically prohibited by any authorized user on a Government provided IS or connection: |
| 4-5 a.(1) | Use of ISs for unlawful or unauthorized activities such as file sharing of media, data, or other content that is protected by Federal or state law, including copyright or other intellectual property statutes. |
| 4-5 a.(2) | Installation of software, configuration of an IS, or connection of any IS to a distributed computer environment (DCE), for example the SETI project or human genome research programs. |
| 4-5 a.(3) | Modification of the IS or software, use of it in any manner other than its intended purpose, or adding user-configurable or unauthorized software such as, but not limited to, commercial instant messaging, commercial Internet chat, collaborative environments, or peer-to-peer client applications. These applications create exploitable vulnerabilities and circumvent normal means of securing and monitoring network activity and provide a vector for the introduction of malicious code, remote access, network intrusions or the exfiltration of protected data. |
| 4-5 a.(4) | Attempts to strain, test, circumvent, or bypass network or IS security mechanisms, or to perform network or keystroke monitoring. RCERTs, Red Team, or other official activities, operating in their official capacities only, may be exempted from this requirement. |
| 4-5 a.(5) | Physical relocation or changes to configuration or network connectivity of IS equipment. |
| 4-5 a.(6) | Installation of non-Government-owned computing systems or devices without prior authorization of the appointed DAA including but not limited to USB devices, external media, personal or contractor-owned laptops, and MCDs. |
| 4-5 a.(7) | Release, disclose, transfer, possess, or alter information without the consent of the data owner, the original classification authority (OCA) as defined by AR 380-5, the individual's supervisory chain of command, Freedom of Information Act (FOIA) official, Public Affairs Office, or disclosure officer's approval. |
| 4-5 a.(8) | Sharing personal accounts and authenticators (passwords or PINs) or permitting the use of remote access capabilities through Government provided resources with any unauthorized individual. |
| 4-5 a.(9) | Disabling or removing security or protective software and other mechanisms and their associated logs from IS. |
| 4-5 b. | Accreditation. ISs and networks will be accredited in accordance with interim DOD and Army DIACAP documentation and Army supplemental networthiness guidance. |
| 4-5 c. | Access control. IA personnel will implement system and device access controls using the principle of least privilege (POLP) via automated or manual means to actively protect the IS from compromise, unauthorized use or access, and manipulation. IA personnel will immediately report unauthorized accesses or attempts to their servicing RCERT in accordance with Section VIII, Incident and Intrusion reporting. Commanders and DAAs will- |
| 4-5 c.(1) | Enforce user suspensions and revocations for violations of access authorization in accordance with para 3-3c(11). |
| 4-5 c.(2) | Develop the approval processes for specific groups and users. |
| 4-5 c.(3) | Validate individual security investigation (or approve interim access) requirements before authorizing IS access by any user. |
| 4-5 c.(4) | Verify systems are configured to automatically generate an auditable record or log entry for each access granted or attempted. |
| 4-5 c.(5) | Validate that systems identify users through the user's use of unique user identifications (USERIDs). |
| 4-5 c.(6) | Validate that systems authenticate users through the use of the CAC as a two-factor authentication mechanism. The CAC has certificates on the integrated circuit chip (ICC), and will be used as the primary user identifier and access authenticator to systems. |
| 4-5 c.(7) | Validate that systems incapable of CAC enablement authenticate user access with, at a minimum, a USERID and an authenticator until those systems are replaced. An authenticator may be something the user knows (password), something the user possesses (token), or a physical characteristic (biometric). The most common authenticator is a password. |
| 4-5 c.(8) | Verify that system configurations use password-protected screen savers, screen locks, or other lockout features to protect against unauthorized access to ISs during periods of temporary non-use. Ensure such mechanisms activate automatically when a terminal is left unattended or unused. The DOD activation standard is established at 15 minutes. Establish a shorter period when ISs are used in a multinational or coalition work area. In instances where the unattended lockout feature hinders operations (for example, standalone briefing presentation systems, medical triage devices, or operating room status systems), the DAA and SO can approve longer timeouts as an exception only when the extension imposes minimal risk, other control mechanisms are enabled to mitigate that risk, and the exception is documented in the C&A package. However, the timeout feature will never be disabled, and the system will never remain unattended during this extended use period. Exceptions will never be granted for matters of convenience or ease of use. |
| 4-5 c.(9) | Validate that system configurations prohibit anonymous accesses or accounts (for example, Student1, Student2, Patron1, Patron2, anonymous). |
| 4-5 c.(10) | Prohibit the use of generic group accounts. Permit exceptions only on a case-by-case basis when supporting an operational or administrative requirement such as watch-standing or helpdesk accounts, or that require continuity of operations, functions, or capabilities. IAMs will implement procedures to identify and audit users of group accounts through other operational mechanisms such as duty logs. |
| 4-5 c.(11) | Verify that system configurations limit the number of failed user log-on attempts to three before denying access to (locking) that account, when account locking is supported by the IS or device. If supported by the IS, the system will prevent rapid retries when an authenticator is incorrectly entered (for example, by implementing time delays between failed attempts) and will give no indication or error message revealing whether the authenticator or the ID was the part entered incorrectly. |
| 4-5 c.(12) | Verify that system configurations generate audit logs, and investigate security event violations when the maximum number of authentication attempts is exceeded, the maximum number of attempts from one IS is exceeded, or the maximum number of failed attempts over a set period is exceeded. |
| 4-5 c.(13) | Reinstate accesses only after the appropriate IA (for example, SA/NA) personnel have verified the reason for failed log-on attempts and have confirmed the access-holder's identity. Permit automatic account unlocking, for example, after an established time period has elapsed, as documented in the C&A package and approved by the DAA, based on sensitivity of the data or access requirements. |
| 4-5 c.(14) | If documented in the C&A package and authorized by the DAA, time-based lockouts (that is, access is restricted based on time or access controls based on IP address, terminal port, or combinations of these) and barriers that require some time to elapse to enable bypassing may be used. In those instances the DAA will specify, as a compensatory measure, the following policies: |
| 4-5 c.(14)(a) | Implement mandatory audit trails to record all successful and unsuccessful log-on attempts. |
| 4-5 c.(14)(b) | Within 72 hours of any failed log-on and user lockout, IA personnel will verify the reason for failure and implement corrective actions or report the attempted unauthorized access. |
| 4-5 c.(14)(c) | The SA will maintain a written record of all reasons for failure for 1 year. |
| 4-5 c.(15) | Enforce temporary disabling of all accounts for deployed forces on garrison networks unless the accounts are operationally required. |
| 4-5 c.(16) | Create and enforce procedures for suspending, changing, or deleting accounts and access privileges for deployed forces in the event of capture, loss, or death of personnel having network privilege-level access. |
| 4-5 c.(17) | Create and enforce access auditing, and protect physical access control events (for example, card reader accesses) and audit event logs for physical security violations or access controls to support investigative efforts as required. |
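The lockout, retry-delay and automatic-unlock rules in 4-5 c.(11) through c.(13) fit together in a small authenticator, and seeing them in one place shows where each audit record comes from. The following is an added example written for this page, not code from the regulation or from any Army system. The class name, the 2-second retry interval, the 15-minute automatic unlock period and the PBKDF2 parameters are assumptions (the unlock period would in practice be the value the DAA approves in the C&A package); the decoy credential for unknown USERIDs goes slightly beyond the text, closing the timing side channel that the "no indication of which was wrong" rule is aimed at.

```python
# Added example for 4-5 c.(11)-(13); not code from the regulation. Names,
# thresholds and the unlock period below are assumptions for illustration.
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 3          # c.(11): lock the account on the third failure
MIN_RETRY_INTERVAL = 2.0         # seconds; rapid retries are refused unevaluated
AUTO_UNLOCK_AFTER = 15 * 60      # c.(13): hypothetical DAA-approved unlock period
GENERIC_FAILURE = "Authentication failed"   # same text for bad ID and bad authenticator
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed: int = 0              # consecutive failures since the last success
    last_attempt: float = 0.0    # time of the last evaluated attempt
    locked_at: Optional[float] = None


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class LoginGuard:
    """USERID + password authenticator with lockout, retry delay and an audit trail."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.audit: List[dict] = []      # c.(4)/c.(14)(a): every attempt, granted or not
        # Decoy credential: an unknown USERID costs the same work as a real one,
        # so response timing does not reveal which IDs exist.
        decoy_salt = os.urandom(16)
        self._decoy = Account(decoy_salt, _derive(os.urandom(16).hex(), decoy_salt))

    def add_user(self, userid: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[userid] = Account(salt, _derive(password, salt))

    def _log(self, userid: str, source: str, outcome: str) -> None:
        self.audit.append({"ts": self.clock(), "userid": userid, "source": source, "outcome": outcome})

    def login(self, userid: str, password: str, source: str) -> Tuple[bool, str]:
        now = self.clock()
        acct = self.accounts.get(userid)
        if acct is None:
            _derive(password, self._decoy.salt)            # equalise timing
            self._log(userid, source, "FAIL_UNKNOWN_USER")
            return False, GENERIC_FAILURE
        if acct.locked_at is not None:
            if now - acct.locked_at < AUTO_UNLOCK_AFTER:
                self._log(userid, source, "FAIL_LOCKED")   # correct password still refused
                return False, GENERIC_FAILURE
            acct.locked_at, acct.failed = None, 0
            self._log(userid, source, "AUTO_UNLOCK")
        if now - acct.last_attempt < MIN_RETRY_INTERVAL:
            # Rapid retry: refused without evaluating the authenticator. It is logged
            # but not counted, so it cannot be used to lock a victim out faster.
            self._log(userid, source, "FAIL_RAPID_RETRY")
            return False, GENERIC_FAILURE
        acct.last_attempt = now
        if hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failed = 0
            self._log(userid, source, "SUCCESS")
            return True, "OK"
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked_at = now
            self._log(userid, source, "LOCKOUT")           # c.(12): event to investigate
        else:
            self._log(userid, source, "FAIL_BAD_AUTHENTICATOR")
        return False, GENERIC_FAILURE


class FakeClock:
    """Controllable clock so lockout and unlock timing can be exercised offline."""

    def __init__(self, start: float = 1000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


def demo() -> List[str]:
    """Lockout, refusal while locked, automatic unlock, then rapid-retry suppression."""
    clk = FakeClock()
    guard = LoginGuard(clock=clk)
    guard.add_user("jdoe", "correct horse battery")
    guard.login("nobody", "x", "10.0.0.5")                        # unknown USERID
    for _ in range(3):
        clk.t += 5
        guard.login("jdoe", "wrong", "10.0.0.5")                  # third failure locks
    clk.t += 5
    guard.login("jdoe", "correct horse battery", "10.0.0.5")      # still locked
    clk.t += AUTO_UNLOCK_AFTER
    guard.login("jdoe", "correct horse battery", "10.0.0.5")      # unlocked, succeeds
    clk.t += 1
    guard.login("jdoe", "correct horse battery", "10.0.0.5")      # too soon, refused
    return [e["outcome"] for e in guard.audit]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Every caller-visible failure returns the same `GENERIC_FAILURE` string; only the audit trail records why, which is what c.(12) and c.(13) need when IA personnel verify the reason for a lockout before reinstating access.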
| 4-5 d. | Remote access (RA). |
| 4-5 d.(1) | Systems used for remote access must meet security configuration requirements, including IAVM compliance and certification and accreditation standards, and will employ host-based security (for example, a firewall and IDS) together with AV software before being authorized to connect to any remote access server. Security configurations will be reviewed quarterly. |
| 4-5 d.(2) | Encrypt log-in credentials as they traverse the network as required for the level of information being accessed or required for need-to-know separation. |
| 4-5 d.(3) | Encrypt all RA for network configuration or management activities regardless of classification level, device, or access method. |
| 4-5 d.(4) | Users will protect RA ISs and data consistent with the level of information retrieved during the session. |
| 4-5 d.(5) | Disable remote device password save-functions incorporated within software or applications to prevent storage of plain text passwords. |
| 4-5 d.(6) | Remote access users will read and sign security and end-user agreements for remote access annually as a condition for continued access. |
| 4-5 e. | Remote access servers (RASs). |
| 4-5 e.(1) | Secure remote terminal devices consistent with the mode of operation and sensitivity of the information and implement non-repudiation measures when necessary. |
| 4-5 e.(2) | Any IS that provides RAS capabilities will employ host-based firewalls and intrusion detection systems to detect unauthorized access and to prevent exploitation of network services. |
| 4-5 e.(3) | Any RAS being accessed remotely will employ a "Time-Out" protection feature that automatically disconnects the remote device after a predetermined period of inactivity has elapsed, dependent on classification level of the information, but no longer than 10 minutes. |
| 4-5 e.(4) | Remote access users will be required to authenticate all dial-in operations with a unique USERID and password, compliant with the Remote Authentication Dial-In User Service (RADIUS) standard. |
| 4-5 e.(5) | All RAs will terminate at a centrally managed access point located within a demilitarized zone (DMZ) that is configured to log user activities during a session. |
| 4-5 e.(6) | Prohibit all RA (that is, virtual private network (VPN), dial-in) to individual ISs within an enclave (that is, behind the DMZ firewall). |
| 4-5 e.(7) | DOIMs and IAMs must ensure all remote access servers (RASs) undergo CM and C&A processes. |
| 4-5 e.(8) | Stand-alone dial-back modems and modem systems that authenticate using RADIUS are the only allowable dial-in modems. |
| 4-5 e.(9) | Physical security for the terminal will meet the requirements for storage of data at the highest classification level received at the terminal and must be implemented within a restricted access area. |
| 4-5 e.(10) | Data between the client and the RAS will be encrypted to provide confidentiality, and the session will be authenticated to provide identification and non-repudiation of the data. The CAC provides the user with an official certificate for this purpose. |
| 4-5 e.(11) | Approved telework or telecommuting access will be in accordance with established DOIM, RCIO, and NETCOM/9th SC (A) C&A access procedures from a Government provided system only. Ad hoc telework access (defined as one-time, informal, or on an infrequent basis) will be through existing and approved external access methods or portals such as Terminal Server Access Control System (TSACS) or the Army Knowledge Online (AKO) Web site. |
| 4-5 e.(12) | Outside the continental United States (OCONUS) telework procedures and authorization will be approved by the DAA and RCIO on a case-by-case basis and documented in the C&A package. |
| 4-5 e.(13) | Audit all RAS connections at a minimum weekly. |
| 4-5 e.(14) | Review RAS devices biweekly for security configuration, patches, updates, and IAVM compliance. |
| 4-5 f. | Configuration management requirements. The following policy will be the minimum used for the CM of all systems: |
| 4-5 f.(1) | All CM plans will include a maintenance and update strategy to proactively manage all IS and networks with the latest security or application updates. While IAVM is part of a CM strategy, it is not all-inclusive for every IS in use in the Army. All ISs will have a vulnerability management strategy for testing and maintaining patches, updates, and upgrades. |
| 4-5 f.(2) | Hardware and software changes to an accredited IS, with an established baseline, will be effected through the CM process. |
| 4-5 f.(3) | The CCB or the CMB for a site must approve modifying or reconfiguring the hardware of any computer system. Hardware will not be connected to any system or network without the express written consent of the IAM and the CMB or CCB. In the absence of a CCB or CMB, the appropriate commander or manager will provide the consent on the advice of the cognizant IA official. |
| 4-5 f.(4) | Modifying, installing, or downloading of any software on any computer system may affect system C&A and must be evaluated and approved by the IAM with the local CMB, CCB, and DAA. |
| 4-5 f.(5) | Configuration management controls, including version controls, will be maintained on all software development efforts; RDT&E activities; follow-on test and evaluation (FOT&E) activities; and other related tests by the software designer. A CM "baseline image" will be created, documented, kept current, and maintained by network and system administration personnel for all ISs within their span of control. Exceptions to this baseline image will be documented in the C&A package and approved by the DAA. |
| 4-5 f.(6) | The minimum baseline configuration for ISs will be the published Security Technical Implementation Guide (STIG) requirements or the Common Criteria protection profiles for IA products, as available or as supplemented by DOD and NETCOM/9th SC (A) publications, with any changes documented. STIGs are located at: http://iase.disa.mil/stigs/index.html. |
| 4-5 f.(7) | Prohibit default installations of "out of the box" configurations of COTS purchased products. COTS purchased products will require system CM and IAVM compliance as a minimum. Comprehensive vulnerability assessments of the test IS will be conducted and documented before and after installation of any COTS products under consideration for CM review or approval. |
| 4-5 f.(8) | Upon acceptance for operational use (whether developmental, GOTS, or COTS), keep software under close and continuous CM controls to prevent unauthorized changes. |
| 4-5 f.(9) | ISs must meet minimum levels of total system exposure. See paragraph 4-4 and DODI 8500.2 to establish IA baseline requirements. |
| 4-5 g. | Assessments. Commanders will verify that IA personnel conduct initial and continual assessments to detect IS and network vulnerabilities using approved tools, tactics, and techniques to facilitate the risk management process and to ensure compliance with network management, CM, IAVM requirements, and security policies and procedures. Commanders and IA personnel will ensure that all networks and networked ISs undergo a self-assessed vulnerability scan quarterly. Prohibit the use of commercial scanning services or vendors without the approval of the CIO/G-6's chief information security officer (CISO). |
| 4-5 h. | Auditing. SAs will configure ISs to automatically log all access attempts. Audits of ISs may be performed by automated or manual means. SAs will implement audit mechanisms for ISs that support multiple users. |
| 4-5 h.(1) | Use audit servers to consolidate system audit logs for centralized review, so that an incident or compromise on a host cannot result in unauthorized editing or deletion of the only copy of its audit logs. |
| 4-5 h.(2) | Commands, organizations, tenants, activities, and installations will support centralized audit server implementations in the enterprise. |
| 4-5 h.(3) | Centralized audit server logs will be maintained for a minimum of 1 year. |
| 4-5 h.(4) | Conduct self-inspections by the respective SA/NA or IA manager. |
| 4-5 h.(5) | Enable and refine default IS logging capabilities to identify abnormal or potentially suspicious local or network activity-- |
| 4-5 h.(5)(a) | Investigate all failed login attempts or account lockouts. |
| 4-5 h.(5)(b) | Maintain audit trails in sufficient detail to reconstruct events and determine the cause of a compromise and the magnitude of damage should a malfunction or security violation occur. Maintain system audit logs locally for no less than 90 days. |
| 4-5 h.(5)(c) | Retain classified and sensitive IS audit files for 1 year (5 years for SCI systems, depending on storage capability). |
| 4-5 h.(5)(d) | Provide audit logs to the ACERT, Army-Global Network Operations and Security Center (A-GNOSC), LE, or CI personnel to support forensic, criminal, or counter-intelligence investigations as required. |
| 4-5 h.(5)(e) | Review logs and audit trails at a minimum weekly, more frequently if required, and take appropriate actions. |
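The weekly review in 4-5 h.(5)(e) and the "investigate all failed login attempts or account lockouts" rule in h.(5)(a) are easiest to carry out when the three conditions of 4-5 c.(12) are turned into checks that run over the centralized audit server's copy of the logs. The script below is an added example, not code from the regulation or any Army tool; the sshd-style line format, the threshold values, the 120-second window and the log lines themselves are constructed for illustration.

```python
# Added example for 4-5 c.(12) and 4-5 h.(5)(a)/(e); not code from the regulation.
# Log format, thresholds, window and sample lines are constructed assumptions.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Hypothetical values; in practice the DAA sets them in the C&A package.
MAX_FAILED_PER_ACCOUNT = 3    # mirrors the c.(11) lockout threshold
MAX_FAILED_PER_SOURCE = 6     # failures from one IS against any accounts
WINDOW_SECONDS = 120          # the "set period" for the rate check
MAX_FAILED_IN_WINDOW = 5

# Assumed sshd-style line as forwarded to a centralized audit server.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one external source works three passwords against jdoe, then
# sprays other accounts; two legitimate users log in from inside the enclave.
SAMPLE_LOG = """\
2024-03-04T08:00:01 ras01 sshd[4120]: Failed password for jdoe from 203.0.113.7 port 51012 ssh2
2024-03-04T08:00:04 ras01 sshd[4120]: Failed password for jdoe from 203.0.113.7 port 51013 ssh2
2024-03-04T08:00:09 ras01 sshd[4120]: Failed password for jdoe from 203.0.113.7 port 51014 ssh2
2024-03-04T08:00:15 ras01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51015 ssh2
2024-03-04T08:00:20 ras01 sshd[4122]: Failed password for invalid user root from 203.0.113.7 port 51016 ssh2
2024-03-04T08:00:24 ras01 sshd[4123]: Failed password for asmith from 203.0.113.7 port 51017 ssh2
2024-03-04T08:05:00 ras01 sshd[4130]: Accepted password for asmith from 10.20.30.40 port 40100 ssh2
2024-03-04T09:10:00 ras01 sshd[4140]: Failed password for bjones from 10.20.30.41 port 40200 ssh2
2024-03-04T09:10:30 ras01 sshd[4141]: Accepted password for bjones from 10.20.30.41 port 40201 ssh2
"""


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    success: bool


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a recognised auth line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["user"], m["ip"], m["result"] == "Accepted")


def analyse(lines: Iterable[str]) -> List[dict]:
    """Apply the three c.(12) checks to chronologically ordered lines; one alert per condition and key."""
    alerts: List[dict] = []
    raised = set()
    failed_per_account = defaultdict(int)      # consecutive failures, reset by a success
    failed_per_source = defaultdict(int)       # total failures from one IS
    accounts_per_source = defaultdict(set)
    recent = defaultdict(deque)                # per-source failure timestamps inside the window

    def alert(kind: str, key: str, ev: Event, detail: str) -> None:
        if (kind, key) in raised:
            return
        raised.add((kind, key))
        alerts.append({"kind": kind, "key": key, "at": ev.ts.isoformat(), "detail": detail})

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.success:
            failed_per_account[ev.user] = 0
            continue
        failed_per_account[ev.user] += 1
        failed_per_source[ev.ip] += 1
        accounts_per_source[ev.ip].add(ev.user)
        window = recent[ev.ip]
        window.append(ev.ts)
        while (ev.ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if failed_per_account[ev.user] >= MAX_FAILED_PER_ACCOUNT:
            alert("ACCOUNT_THRESHOLD", ev.user, ev,
                  f"{failed_per_account[ev.user]} failures; lockout expected, verify cause before reinstating")
        if len(window) >= MAX_FAILED_IN_WINDOW:
            alert("RATE_THRESHOLD", ev.ip, ev, f"{len(window)} failures within {WINDOW_SECONDS}s")
        if failed_per_source[ev.ip] >= MAX_FAILED_PER_SOURCE:
            alert("SOURCE_THRESHOLD", ev.ip, ev,
                  f"{failed_per_source[ev.ip]} failures against {len(accounts_per_source[ev.ip])} accounts")
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG.splitlines()):
        print(f"{a['at']} {a['kind']:18} {a['key']:14} {a['detail']}")
```

Run against the sample, the script raises three alerts: jdoe crossing the per-account threshold on the third failure, the external source exceeding five failures inside the window, and the same source exceeding six failures across four accounts. bjones, whose single failure is followed by a success, raises nothing. Because the checks run on the audit server's copy rather than the RAS's own logs, an attacker who compromises the RAS cannot hide the attempts by editing them locally, which is the point of h.(1).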
| 4-5 i. | Contingency planning. A contingency plan is a plan for emergency response, backup operations, transfer of operations, and post-disaster recovery procedures maintained by an activity as part of its IA security program. Commanders will create and practice contingency plans for each IS (a single IS or local area network (LAN)) for critical assets as identified by the data owner or commander to support continuity of operations planning (COOP). See DA Pam 25-1-2 for additional guidance and procedures for developing contingency plans. Exercise contingency plans annually. |
| 4-5 j. | Data integrity. |
| 4-5 j.(1) | Implement safeguards to detect and minimize unauthorized access and inadvertent, malicious, or non-malicious modification or destruction of data. |
| 4-5 j.(2) | Implement safeguards to ensure that security classification levels remain with the transmitted data. |
| 4-5 j.(3) | DAA will identify data owners for each database on their networks. Only the original classification authority (OCA) is authorized to change the data classification. |
| 4-5 j.(4) | DAA will develop and enforce policies and procedures to routinely or automatically backup, verify, and restore (as required) data, ISs, or devices at every level. These policies and procedures will be captured in the C&A package. |
| 4-5 j.(5) | Use data or data sources that have verifiable or trusted information. Examples of trusted sources include, but are not limited to, information published on DOD and Army sites and vendor sites that use verified source code or cryptographic hash values. |
| 4-5 j.(6) | Protect data at rest (for example, databases, files) to the classification level of the information with authorized encryption and strict access control measures implemented. |
| 4-5 k. | C&A package. The C&A package will be available to the site-assigned IASO for the life of each IS or LAN, including operational, prototype, test, or developmental systems. This C&A package will include at a minimum the System Identification Profile (SIP), Scorecard, and plan of action and milestones (POA&M). |
| 4-5 l. | IA product acquisition. All security-related COTS hardware, firmware, and software components (excluding cryptographic modules) required to protect ISs will be acquired in accordance with public law and will have been evaluated and validated in accordance with appropriate criteria, schemes, or protection profiles (http://www.niapnist.gov/) and this regulation. IA products listed on the CSLA-managed Army approved products list will be evaluated and selected first, and then procured through managed Army Blanket Purchase Agreement (BPA) contract vehicles, before other IA products are evaluated. For PEOs/PMs, the CSLA BPA requirement applies only to the procurement of COMSEC devices. All GOTS products will be evaluated by NSA or in accordance with NSA-approved processes. NETCOM/9th SC (A) and CIO/G-6 may approve exceptions to IA product evaluations when no criteria, protection profile, or scheme exists or is under development, and the removal or prohibition of such an IA product would significantly degrade or reduce the ability of personnel to secure, manage, and protect the infrastructure. |
| 4-5 m. | Notice and consent procedures. Commanders will verify that all computers under their control, independently, prominently and completely display the Notice and Consent Banner immediately upon users' authentication to the system, including, but not limited to, web, ftp, telnet, or other services access. |
| 4-5 m.(1) | General Notification: Army users of DOD telecommunications systems or devices are advised that DOD provides such systems and devices for conducting authorized use. Users are subject to telecommunications monitoring, including their personal communications and stored information. |
| 4-5 m.(2) | Using Government telecommunications systems and devices constitutes the user's consent to monitoring. |
| 4-5 m.(3) | Users will be advised that there is no expectation of privacy while using ISs or accessing Army resources. |
| 4-5 m.(4) | The user must take a positive action to accept the terms of the notice and consent warning banner before a successful logon is completed. |
| 4-5 m.(5) | Post appropriate warning banners and labels in accordance with this regulation. |
| 4-5 m.(6) | The following access warning banner replaces the warning banner in AR 380-53 and will not be modified further. The banner to be posted on Army networks, systems, and devices will state- |
| 4-5 m.(7) | "WARNING! This computer is the property of the United States Department of Defense and may be accessed only by authorized users. Unauthorized use of this system is strictly prohibited and may be subject to criminal prosecution. The Department may monitor any official or personal activity or communication on this system and retrieve any information stored within this system. By accessing and using this computer, you are consenting to such monitoring and information retrieval for any lawful purpose, including, but not limited to, a properly authorized law enforcement or counter-intelligence investigation; information systems security monitoring; an Inspector General inspection, investigation, or inquiry; or other authorized administrative investigation. Users have no expectation of privacy with respect to any information, either official or personal, transmitted over, or stored within this system, including information stored locally on the hard drive or other media used with this computer to include removable media or hand-held peripherals devices." |
| 4-5 n. | Virus protection. Implement the virus protection guidance provided below on all ISs and networks, regardless of classification or purpose- |
| 4-5 n.(1) | Users and SAs will scan all files, removable media, and software, including new "shrink-wrapped" COTS software, with an installed and authorized AV product before introducing them onto an IS or network. Files, media and software found to be infected with a virus will be reported by users to the SA. |
| 4-5 n.(2) | To minimize the risks of viruses, implement the following countermeasures: |
| 4-5 n.(2)(a) | SAs will configure all ISs with a current and supportable version of the AV software configured to provide realtime protection from the approved products list with automated updates and reporting enabled. |
| 4-5 n.(2)(b) | IA personnel should take a multilevel approach to virus detection by installing one AV package on the workstations and a different AV package on the servers. |
| 4-5 n.(2)(c) | SAs will update virus definitions at a minimum weekly, or as directed by the ACERT for immediate threat reduction. Virus definition availability is based on vendors' capabilities. IA personnel will institute automated antivirus definition updates as published or available from authorized DOD or Army sites. |
| 4-5 n.(3) | IA personnel will train users to recognize and report virus symptoms immediately. |
| 4-5 n.(4) | IAMs will implement virus-reporting procedures to support DOD and Army reporting requirements. |
| 4-5 o. | Mobile code. |
| 4-5 o.(1) | Mobile code is executable software, transferred across a network, downloaded, and executed on a local system without notification to, or explicit installation and execution by, the recipient. |
| 4-5 o.(2) | Mobile code has the potential to severely degrade operations if improperly used or controlled. The objective of the mobile code security policy is to deny untrusted mobile code the ability to traverse the Army enterprise. As a minimum, the Army mobile code mitigation policy will be implemented to support the DOD mobile code policy. Untrusted mobile code will not be allowed to traverse the enterprise unless NETCOM/9th SC (A) CCB-approved mitigating actions have been emplaced. |
| 4-5 p. | Layering. |
| 4-5 p.(1) | Layering is a process of implementing similar security configurations or mechanisms at multiple points in an IS architecture. Doing so eliminates single points of failure, provides redundant capabilities, increases access granularity and auditing, and implements an effective computer or network attack detection and reaction capability. |
| 4-5 p.(2) | The Army enterprise IA security DiD structure requires a layering of security policies, procedures, and technology, including best practices such as redundant capabilities or use of alternative operating systems, to protect all network resources within the enterprise. Layered defenses at the boundaries, for example, include, but are not limited to using inbound and outbound proxy services, firewalls, IDSs, IPSs, and DMZs. |
| 4-5 q. | Filtering. Filtering policies will block ingress and egress services, content, sources, destinations, ports, and protocols not required or authorized across the enterprise boundary. Router and firewall access control lists (ACLs) provide a basic level of access control over network connections based on security or operational policy. |
| 4-5 q.(1) | Filtering at the enterprise boundary is the primary responsibility of the NETCOM/9th SC (A) TNOSCs using tools and techniques applied at the enterprise level. |
| 4-5 q.(2) | At all levels subordinate to NETCOM/9th SC (A), filtering policies and technology will be implemented and layered throughout the architecture and enforced at all capable devices. Audit and system or device generated event logs will be provided to NETCOM/9th SC (A). These policies should be complementary. |
| 4-5 q.(3) | Filtering products and techniques are intended to proactively reduce ingress and egress security threats to enterprise systems and information without targeting specific individuals. The most common threats are associated with malicious content, misuse, security policy violations, content policy violations, or criminal activity. Threat mitigation policies will be incorporated, configured, and monitored to reduce or identify these threats and include, but are not limited to, ACL configuration on routing devices to prevent access to unauthorized sites, AV installations, cache or proxy servers (to maintain connection state), firewalls, mail exchange configurations (for example, auto-deletion of attachments), network monitoring software such as IDS or Intrusion Prevention System (IPS) configured to terminate suspicious traffic, content management, or web filtering applications. |
| 4-5 r. | AUP. |
| 4-5 r.(1) | Commanders and Directors will implement an AUP for all user accesses under their control (see the sample AUP at appendix B). |
| 4-5 r.(2) | Users will review and sign an AUP prior to or upon account activation. Digital signatures are authorized. |
| 4-5 r.(3) | IA personnel will maintain documented training records. |
| 4-5 r.(4) | DOD policy states that Federal Government communication systems and equipment (including Government owned telephones, facsimile machines, electronic mail, internet systems, and commercial systems), when use of such systems and equipment is paid for by the Federal Government, will be for official use and authorized purposes only. |
| 4-5 r.(5) | Official use includes emergency communications and communications necessary to carry out the business of the Federal Government. Official use can also include other use authorized by a theater commander for Soldiers and civilian employees deployed for extended periods away from home on official business. |
| 4-5 r.(6) | Authorized purposes include brief communications by employees while they are traveling on Government business to notify family members of official transportation or schedule changes. Authorized purposes can also include limited personal use established by appropriate authorities under the guidelines of the Joint Ethics Regulation (DOD 5500.7-R). |
| 4-5 r.(7) | Certain activities are never authorized on Army networks. AUPs will include the following minimums as prohibited. These activities include any personal use of Government resources involving: pornography or obscene material (adult or child); copyright infringement (such as the sharing of copyright material by means of peer-to-peer software); gambling; the transmission of chain letters; unofficial advertising, soliciting, or selling except on authorized bulletin boards established for such use; or the violation of any statute or regulation. |
| 4-5 s. | Monitoring networks. |
| 4-5 s.(1) | Network monitoring includes any of a number of actions by IA personnel aimed at ensuring proper performance and management. When any of these monitoring activities involve intercepting (capturing in real time) the contents of wire or electronic communications, they must fall within the limits of the service provider exception to the Federal wiretap statute. The service provider exception allows system and network administrators to intercept, use, and disclose intercepted communications as long as the actions are conducted in the normal course of employment and the SA/NA is engaged in an activity that is necessary to keep the service operational or to protect the rights or property of the service provider. Therefore, IA personnel must consult with legal counsel to ensure that their activities involving systems management and protection are properly authorized. |
| 4-5 s.(2) | IA personnel performing ingress and egress network monitoring or filtering activities are authorized to use CIO/G-6-approved automated monitoring tools maintained and configured by NETCOM/9th SC (A) as network devices to aid in the performance and management. It is important to recognize that the SA/NA does not have unlimited authority in the use of these network monitoring tools. The approved tool may contain technical capabilities beyond those tasks for which the tool was approved; as such the IA personnel must ensure that approved tools are used only for their intended purpose. |
| 4-5 s.(3) | IA personnel will not use unapproved IA tools, use IA tools for unapproved purposes, or misuse automated IA tools. Violations will be reported through appropriate command channels to the CIO/G-6. Exceptions to the configuration of these devices will be approved on a case-by-case basis by NETCOM/9th SC (A). |
| 4-5 s.(4) | In general terms, IA personnel and SAs/NAs do not engage in blanket network monitoring of internal communications. However, the Army reserves the right at any time to monitor, access, retrieve, read, or disclose internal communications when a legitimate need exists that cannot be satisfied by other means pursuant to para 4-5t, below. |
| 4-5 s.(5) | As a matter of normal auditing, SAs/NAs may review web site logs, files downloaded, ingress and egress services, and similar audited or related information exchanged over connected systems. Supervisors and managers may receive reports detailing the usage of these and other internal information systems, and are responsible for determining that such usage is both reasonable and authorized. |
| 4-5 s.(6) | As a matter of normal auditing, SAs/NAs may store all files and messages through routine backups to tape, disk, or other storage media. This means that information stored or processed, even if a user has specifically deleted it, is often recoverable and may be examined at a later date by SAs/NAs and others permitted by lawful authority. |
| 4-5 s.(7) | SA/NAs may provide assistance to Army supervisory and management personnel, under lawful authority, to examine archived electronic mail, personal computer file directories, hard disk drive files, and other information stored on ISs. This information may include personal data. Such examinations are typically performed to assure compliance with internal policies; support the performance of administrative investigations; and assist in the management and security of data and ISs. |
| 4-5 s.(8) | When IA personnel discover information during the course of their normal activity that indicates a violation of acceptable use or a possible criminal offense, they will immediately report the finding to their Commander. The commander will immediately report known or suspected criminal activity to LE and will consult with legal counsel concerning activities that appear merely to violate acceptable use. IA personnel will retain and provide information related to the matter to LE when required. |
| 4-5 s.(9) | With the exception of the SA/NA as identified below, Army personnel and contractors are prohibited from browsing or accessing other users' e-mail accounts. |
| 4-5 s.(10) | The SA/NA may intercept, retrieve, or otherwise recover an e-mail message and any attachments thereto only under the following circumstances: |
| 4-5 s.(10)(a) | With consent (expressed or implied) of a party to the communication involved. |
| 4-5 s.(10)(b) | In response to a request for technical assistance from: |
| 4-5 s.(10)(b)1. | LE/CI personnel pursuant to a properly authorized LE/CI investigation. |
| 4-5 s.(10)(b)2. | A supervisor as part of a non-investigatory management search in accordance with paragraph 4-5t, below. |
| 4-5 s.(10)(b)3. | An investigating officer pursuant to a properly authorized administrative investigation (for example, a preliminary inquiry under Rule for Courts-Martial 303, an informal investigation under AR 15-6, or a preliminary inquiry under AR 380-5). |
| 4-5 s.(10)(b)4. | Information systems security monitoring personnel pursuant to properly authorized IS security monitoring activities. |
| 4-5 s.(10)(b)5. | Inspector General personnel pursuant to an authorized inspection, investigation, or inquiry. |
| 4-5 s.(11) | The SA/NA may remove any e-mail, file, or attachment that is interfering with the operation of an IS without consent of the originator or recipient. The SA/NA will notify the originator and recipient of such actions. |
| 4-5 s.(12) | The SA/NA is not authorized to use techniques or software to penetrate or bypass users' information protections (for example, content restrictions or read-only protections used to maintain or enforce document integrity, version control, or need-to-know enforcement). |
| 4-5 t. | Management search. In the absence of the user (for example, TDY, extended hospital stay, incapacitation, emergency operational requirement), only the SA/NA is authorized limited access to the user's files to support administrative management searches and to provide the requested information as required for official purposes. When such access is requested, the SA will: |
| 4-5 t.(1) | Brief the supervisor as to the limits of accessing the user's data files. |
| 4-5 t.(2) | Limit the scope of the authorized search to those files reasonably related to the objective of the search (that is, e-mail access would not be reasonable when searching for a Word document file). |
| 4-5 t.(3) | Limit the search to the time necessary to locate the required data in the most relevant file location. |
| 4-5 t.(4) | Inform the individual of requested file access as soon as possible after such requests, and document this access in a memorandum. |
| 4-5 t.(5) | SAs/NAs will not grant unrestricted supervisory access to individual information, data files, or accounts. |
| 4-5 t.(6) | SAs/NAs will not access individual information or data files unless conducting a management search, an authorized administrative search, or supporting an LE/CI authorized investigation. |
| 4-5 t.(7) | SAs/NAs may conduct an authorized investigative or management search of an assigned IS upon an individual's termination of employment, death, or other permanent departure from the organization to retrieve data and files associated with the organizational mission. |