Approved Date – 02/22/2021
Published Date – 02/22/2021
Reviewed Date – 03/13/2023
1. Purpose
Establish policy for the proper use of District government provided electronic mail (email) services.
2. Authority
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
3. Applicability
This policy applies to all District workforce members responsible for application identity and role definition on behalf of the District, and/or any District agency/District/entity who receive enterprise services from OCTO. In addition, this policy applies to any provider and third-party entity with access to District information, systems, networks, and applications.
4. Roles and Responsibilities
4.1. All DC Government Email Users
4.1.1. Users of DC email must use the service only for the Allowable Uses defined in Section 5.2 and refrain from any of the Prohibited Uses defined in Section 5.3.
4.1.2. Users must change passwords with regular frequency, per applicable agency and OCTO standards and recommendations.
4.2. DC Government Agencies
4.2.1. Each agency is responsible for its employees' and contractors' compliance with this policy and is expected to familiarize each user with this policy.
4.2.2. Because transmission of email may involve routing over an unsecured network, it is the responsibility of each agency to protect sensitive (i.e., confidential) information from intentional, inappropriate, or accidental disclosure, and to protect the DC government and individual users from loss or harm.
4.2.3. Agencies are responsible for the investigation of alleged or suspected violations of this policy, and the referral of violations to OCTO for suspension of service to users.
4.3. OCTO
4.3.1. The CTO (and/or CSO as designated) must develop and update email security policy and maintain awareness of email-related threats, vulnerabilities, and security issues.
4.3.2. The CTO or Deputy CTO (and/or Director of Messaging as designated) will maintain a content filtering system which scans the contents of messages on the DC government email system, rejects messages containing content that may violate this policy, and issues the sender a notification advising that the message has been rejected, and why, so that the message can be corrected and resent.
4.3.3. However, neither OCTO nor any agency or instrumentality of the DC government undertakes to protect users from receiving electronic mail they may find offensive, or to guarantee that electronic mail received was sent by the purported sender.
4.3.4. Because email is public, not private communication, OCTO may monitor any or all DC government email traffic to determine compliance with this and related policies.
5. Policy
Email is an efficient and timely communications tool that is provided by the DC government to its employees, contractors, and volunteers to assist them in supporting DC government functions and conducting the government's business within its organization, with government and private business partners, and with the public. Appropriate use of the DC government email system can enhance productivity and intra-governmental communication, but inappropriate use can conflict with DC government policies and compromise the availability of the system for all. This policy defines requirements and prohibitions for appropriate use of the DC government email system or any messaging system that uses the District's computer network.
5.1. Principles
5.1.1. Use of the DC government email system constitutes consent to abide by all elements of this policy, including such reviews of email correspondence as may be necessary and appropriate to effect DC government policies concerning the use of the email system and in aid of law-enforcement and auditing activities of federal and District of Columbia government agencies.
5.1.2. DC government email systems and services are "DC government facilities" as that term is used in other policies and guidelines. Any electronic mail address or account assigned by the DC government to individuals, sub-units, or functions of the DC government is the property of the District of Columbia and under the management control of the Office of the Chief Technology Officer.
5.1.3. All DC government policies relating to intellectual property protection, privacy, misuse of government resources, sexual harassment, data security, and confidentiality apply to the use of DC government email by persons and entities described under "Scope," above.
5.1.4. Emails are the equivalent of letters sent on official letterhead and must therefore be written in a professional and courteous tone.
5.1.5. DC government email is public, not private communication, not only because its principal purpose is the conduct of DC government functions, but also because the email system permits forwarding and other wide distribution of messages without the consent of the sender. Therefore, senders and receivers of email cannot expect privacy concerning DC government email messages.
5.1.6. Email messages are public records and are therefore subject to public inspection, Freedom of Information Act (FOIA) requests, and legal discovery unless otherwise protected by DC or federal law.
5.2. Allowable Uses
5.2.1. Communication and information exchange directly related to the mission, charter, or work tasks of a DC government agency.
5.2.2. Research and information exchange in support of standards, analysis, advisory, and professional development activities related to the user's DC government duties.
5.2.3. Announcement of DC government laws, procedures, policies, rules, services, programs, information, or activities, subject to the broadcast email requirements described below.
5.2.4. Application for, or administration of, contracts or grants for DC government programs or research.
5.2.5. Other governmental administrative communications not requiring a high level of security.
5.2.6. Interagency and external broadcast correspondence that:
- Is limited to 100 recipients or fewer,
- Is not sent to the group distribution list of any other agency, and
- Does not constitute or contain (as an attachment or otherwise) any inter-agency or external bulletin, newsletter, announcement, promotional material, manual, guide, brochure, or marketing collateral, all of which must be posted on websites and not sent in group emails outside the sender's agency list.
5.2.7. Interagency and external broadcast emails with distribution greater than 100 recipients that are authorized in advance by the director of communications of the Executive Office of the Mayor (EOM) or the Chief Technology Officer;
5.2.8. Mayoral broadcast missives, upon two hours' notice to OCTO or with shorter notice to OCTO, in the discretion of the Director of Communications, EOM;
5.2.9. Incidental personal purposes, provided that such use does not:
- Directly or indirectly interfere with the DC government operation of computing facilities or electronic mail services,
- Burden the DC government with noticeable incremental cost, or
- Interfere with the email user's employment or other obligations to the DC government.
5.3. Prohibited Uses
5.3.1. Any purpose that violates a federal or DC government law, code, or policy, standard or procedure;
5.3.2. Advertising or other promotion of any private business enterprise or activity;
5.3.3. Transmission or solicitation of information or statements that contain profane language, pander to bigotry, sexism, or other forms of prohibited discrimination, or can in any way be construed as intending to harass or threaten another individual, sexually, or otherwise;
5.3.4. Any activity with religious or political purposes outside the scope of the user's assigned and authorized governmental duties;
5.3.5. Any unauthorized purchase;
5.3.6. Sending email under names or addresses other than the employee's own officially designated DC government email address;
5.3.7. Adding, removing, or modifying identifying network header information ("spoofing") to deceive or mislead recipients;
5.3.8. Opening any "executable" email attachments (e.g., .exe, .bat, .scr, .vbs) from any source;
5.3.9. Sending or forwarding "chain" letters, i.e., those that ask the receiver to forward the message to multiple recipients;
5.3.10. Sending any attachment files larger than 10 megabytes (MB);
5.3.11. Sharing organized District email lists with any person outside the District, except as required by the Freedom of Information Act (FOIA), subpoena, or another compulsory process;
5.3.12. Setting email correspondence to forward automatically to an outside (non-District) address;
5.3.13. "Broadcast" emails that do not meet the "broadcast" email requirements above;
5.3.14. Disruption, obstruction, or burden of network resources;
5.3.15. Unauthorized enhancements or add-on software to Outlook (e.g., animations, backgrounds, pictures);
5.3.16. Use of non-District email services such as Yahoo or AOL on the District's computer network;
5.3.17. The intentional or negligent introduction of computer viruses into any DC Government systems: agencies must prevent the introduction of computer viruses into DC government systems and must install District-standard virus-scanning software to check any software downloaded as email attachments.
5.3.18. Transmission of sensitive (e.g., confidential) information unless protected by an approved encryption mode and/or identified as shown below:
5.3.19. Sensitive information includes medical information, information covered by attorney-client privilege, information subject to the Privacy Act, proprietary information, or other information, which must be protected from unauthorized disclosure,
5.3.20. Sensitive (e.g., confidential) messages must be identified immediately below the message header (i.e., the Subject, Date, From, and To lines) as "SENSITIVE/CONFIDENTIAL INFORMATION [or ATTORNEY/CLIENT PRIVILEGED INFORMATION] - DO NOT RELEASE TO UNAUTHORIZED PERSONNEL." In such cases, the sender must also be certain that the recipient is properly authorized to receive and view the information,
5.3.21. For approved encryption modes, refer to applicable information security policies, standards, and procedures.
6. Exemption
Any exemption to this policy shall be requested in writing to the Agency’s CIO, and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
7. Definitions
The definition of the terms used in this document can be found in the Policy Definitions website.