Policy Number: OCTO – 4040.2
Creation Date: 4/22/2016
Approval Date: 4/22/2016
Effective Date: 4/22/2016
1. Scope/Applicability: This policy applies to all District Government agencies.
2. Authority: DC Official Code § 1-1401 et seq.
3. Purpose: This policy establishes standards for the proper use of DC government-provided electronic mail (email) services.
4. Roles and Responsibilities
4.1. All DC Government Email Users
4.1.1. Users of DC email must use the service only for the Allowable Uses defined above and refrain from any of the Prohibited Uses defined above.
4.1.2. Users must change passwords with regular frequency, in accordance with applicable agency and OCTO standards and recommendations.
4.2. DC Government Agencies
4.2.1. Each agency is responsible for its employees' and contractors' compliance with this policy and is expected to familiarize each user with this policy.
4.2.2. Because transmission of email may involve routing over an unsecured network, it is the responsibility of each agency to protect sensitive (i.e., confidential) information from intentional, inappropriate, or accidental disclosure, and to protect the DC government and individual users from loss or harm.
4.2.3. Agencies are responsible for the investigation of alleged or suspected violations of this policy, and the referral of violations to OCTO for suspension of service to users.
4.3.1. The CTO (and/or CSO as designated) Security must develop and update email security policy and maintain awareness of email-related threats, vulnerabilities, and security issues.
4.3.2. The CTO or Deputy CTO (and/or Director of Messaging as designated) will maintain a content filtering system which scans the contents of messages on the DC government email system, rejects messages containing content that may violate this policy, and issue the sender a notification advising that the message has been rejected, and why, so that the message can be corrected and resent.
4.3.3. However, neither OCTO nor any agency or instrumentality of the DC government undertakes to protect users from receiving electronic mail they may find offensive, or to guarantee that electronic mail received was in fact sent by the purported sender.
4.3.4. Because email is public, not private communication, OCTO may monitor any or all DC government email traffic to determine compliance with this and related policies.
5. Policy Details:
Email is an efficient and timely communications tool that is provided by the DC government to its employees, contractors, and volunteers to assist them in supporting DC government functions and conducting the government's business within its own organization, with government and private business partners, and with the public. Appropriate use of the DC government email system can enhance productivity and intra-governmental communication, but inappropriate use can conflict with DC government policies and compromise availability of the system for all. This policy defines requirements and prohibitions for appropriate use of the DC government email system or any messaging system that uses the District's computer network.
5.1.1. Use of the DC government email system constitutes consent to abide by all elements of this policy, including such reviews of email correspondence as may be necessary and appropriate to effect DC government policies concerning the use of the email system and in aid of law-enforcement and auditing activities of federal and District of Columbia government agencies.
5.1.2. DC government email systems and services are "DC government facilities" as that term is used in other policies and guidelines. Any electronic mail address or account assigned by the DC government to individuals, sub-units, or functions of the DC government is the property of the District of Columbia and under management control of the Office of the Chief Technology Officer.
5.1.3. All DC government policies relating to intellectual property protection, privacy, misuse of government resources, sexual harassment, data security, and confidentiality apply to use of DC government email by persons and entities described under "Scope," above.
5.1.4. Emails are the equivalent of letters sent on official letterhead, and must therefore be written in a professional and courteous tone.
5.1.5. DC government email is public, not private communication, not only because its principal purpose is the conduct of DC government functions, but also because the email system permits forwarding and other wide distribution of messages without the consent of the sender. Therefore, senders and receivers of email can have no expectation of privacy with respect to DC government email messages.
5.1.6. Email messages are public records and are therefore subject to public inspection, Freedom of Information Act (FOIA) requests, and legal discovery, unless otherwise protected by DC or federal law.
5.2. Allowable Uses:
5.2.1. Communication and information exchange directly related to the mission, charter, or work tasks of a DC government agency;
5.2.2. Research and information exchange in support of standards, analysis, advisory, and professional development activities related to the user's DC government duties;
5.2.3. Announcement of DC government laws, procedures, policies, rules, services, programs, information, or activities, subject to the broadcast email requirements described below;
5.2.4. Application for, or administration of, contracts or grants for DC government programs or research;
5.2.5. Other governmental administrative communications not requiring a high level of security;
5.2.6. Interagency and external broadcast correspondence that:
184.108.40.206. Is limited to 100 recipients or fewer,
220.127.116.11. Is not sent to the group distribution list of any other agency, and
18.104.22.168. Does not constitute or contain (as an attachment or otherwise) any inter-agency or external bulletin, newsletter, announcement, promotional material, manual, guide, brochure, or marketing collateral, all of which must be posted on websites and not sent in group emails outside the sender's agency list;
5.2.7. Interagency and external broadcast emails with distribution greater than 100 recipients that are authorized in advance by the director of communications of the Executive Office of the Mayor (EOM) or the Chief Technology Officer;
5.2.8. Mayoral broadcast missives, upon two hours' notice to OCTO or with shorter notice to OCTO, in the discretion of the Director of Communications, EOM;
5.2.9. Incidental personal purposes, provided that such use does not:
22.214.171.124. Directly or indirectly interfere with the DC government operation of computing facilities or electronic mail services,
126.96.36.199. Burden the DC government with noticeable incremental cost, or
188.8.131.52. Interfere with the email user's employment or other obligations to the DC government.
5.3. Prohibited Uses:
5.3.1. Any purpose that violates a federal or DC government law, code or policy, standard or procedure;
5.3.2. Advertising or other promotion of any private business enterprise or activity;
5.3.3. Transmission or solicitation of information or statements that contain profane language, pander to bigotry, sexism, or other forms of prohibited discrimination, or can in any way be construed as intending to harass or threaten another individual, sexually or otherwise;
5.3.4. Any activity with religious or political purposes outside the scope of the user's assigned and authorized governmental duties;
5.3.5. Any unauthorized purchase;
5.3.6. Sending email under names or addresses other than the employee's own officially designated DC government email address;
5.3.7. Adding, removing, or modifying identifying network header information ("spoofing") in an effort to deceive or mislead recipients;
5.3.8. Opening any "executable" email attachments (e.g., .exe, .bat, .scr, .vbs) from any source;
5.3.9. Sending or forwarding "chain" letters, i.e., those that ask the receiver to forward the message to multiple recipients;
5.3.10. Sending any attachment files larger than 10 megabytes (MB);
5.3.11. Sharing organized District email lists with any person outside the District, except as required by the Freedom of Information Act (FOIA), subpoena, or other compulsory process;
5.3.12. Setting email correspondence to forward automatically to an outside (non-District) address;
5.3.13. "Broadcast" emails that do not meet the "broadcast" email requirements above;
5.3.14. Disruption, obstruction or burden of network resources;
5.3.15. Unauthorized enhancements or add-on software to Outlook (e.g., animations, backgrounds, pictures);
5.3.16. Use of non-District email services such as Yahoo or AOL on the District's computer network;
5.3.17. The intentional or negligent introduction of computer viruses into any DC Government systems: agencies must prevent the introduction of computer viruses into DC government systems and must install District-standard virus-scanning software to check any software downloaded as email attachments.
5.3.18. Transmission of sensitive (e.g., confidential) information unless protected by an approved encryption mode and/or identified as shown below:
5.3.19. Sensitive information includes medical information, information covered by attorney-client privilege, information subject to the Privacy Act, proprietary information, or other information, which must be protected from unauthorized disclosure,
5.3.20. Sensitive (e.g., confidential) messages must be clearly identified immediately below the message header (i.e., the Subject, Data, From, and To lines) as "SENSITIVE/CONFIDENTIAL INFORMATION [or ATTORNEY/CLIENT PRIVILEGED INFORMATION] - DO NOT RELEASE TO UNAUTHORIZED PERSONNEL." In such cases, the sender must also be certain that the recipient is properly authorized to receive and view the information,
5.3.21. For approved encryption modes, refer to applicable information security policies, standards, and procedures.
6. Procedures: Each DC Agency CIO in consultation with the Agency ISO must implement an Information System Change Management Procedure in written or electronic form in accordance with this policy.
7. Policy Maintenance: The Office of the Chief Technology Officer (OCTO) is responsible for the maintenance, administration, and publication of this policy. OCTO must annually review this policy and update as needed to ensure the policy's technical relevance and regulatory compliance.
8. Policy Enforcement: OCTO is responsible for the enforcement of this policy. Agencies must actively participate in the audit of this policy when requested by the OCTO.
9. Exemptions: None.
10. Sanctions: When OCTO discovers non-compliance with this policy, OCTO will:
10.1. Advise agency CIO of the non-compliance and assist the CIO in developing a corrective action plan and a reasonable timeframe for its implementation.
10.2. If the CIO fails to implement the corrective action plan within the stated timeframe, the CIO will be referred to the agency director for disciplinary action.
11. Disclaimer of Legal Rights: Nothing in this statement of policy shall be deemed to create any legal right on the part of a user of the email system, nor any legal obligation on the part of OCTO or any person having authorized access to search or review email correspondence in the system.
12. Supporting Laws and Regulations:
12.1. E-Government Act, (P.L. 107-347), Title III, Federal Information Security Management Act (FISMA).
12.2. Privacy Act of 1974, 5 U.S.C. § 552a, Public Law No. 93-579.
12.3. HIPAA Security Rule, 45 C.F.R. Part 164, Subpart C.
13. Reference Documents:
13.1. NIST FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems”, March 2006.
13.2. NIST IR 7298 Revision 2, “Glossary of Key Information Security Terms”, May 2013.
13.3. NIST SP 800-45 Revision 2, “Guidelines on Electronic Mail Security”, February 2007.
13.4. NIST SP 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations”, April 2013.
13.5. NIST SP 800-66 Revision 1, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule”, October 2008.
14. Policy Review:
|Policy Number||Action||Effective Date||Next Review Date|
|OCTO – 4040.0||Published||4/7/2011||4/7/2012|
|OCTO – 4040.0||Reviewed||11/1/2012||11/1/2013|
|OCTO – 4040.0||Reviewed||11/7/2013||11/7/2014|
|OCTO – 4040.1||Published||11/7/2014||11/7/2015|
|OCTO – 4040.2||Published||4/22/2016||4/22/2017|
15. Policy Acceptance: Effective April 22, 2016