The Social Networking Draft Directive

As I reported yesterday, a draft of a new Defense Department social network policy that made its way to the Whats HQ in Las Vegas, N.M., will allow troops to Twitter away on Defense networks almost unfettered as long as they follow a few simple rules.

The draft directive from Defense Deputy Secretary William Lynn III refers to social networking sites and tools as "Internet capabilities," which includes Wikis, image and video hosting Web sites, blogs and even data mashups.

Troops are expected to apply some adult common sense when they venture into the Web 2.0 world, including adherence to operational security guidelines and procedures that will be developed by the undersecretary of Defense for intelligence.

Air Force Lt. Col. Eric Butterbaugh, a Pentagon spokesman, emphasized that the copy of the directive I have is a draft, and no final decision has been made. I have a hunch the final policy will reflect this draft, which in the spirit of openness and transparency is posted below:

MEMORANDUM FOR SECRETARIES OF THE MILITARY DEPARTMENTS

CHAIRMAN OF THE JOINT CHIEFS OF STAFF

UNDER SECRETARIES OF DEFENSE

DEPUTY CHIEF MANAGEMENT OFFICER

ASSISTANT SECRETARIES OF DEFENSE

GENERAL COUNSEL OF THE DEPARTMENT OF DEFENSE

DIRECTOR, OPERATIONAL TEST AND EVALUATION

INSPECTOR GENERAL OF THE DEPARTMENT OF DEFENSE

ASSISTANTS TO THE SECRETARY OF DEFENSE

DIRECTOR, ADMINISTRATION AND MANAGEMENT

DIRECTOR, COST ASSESSMENT AND PROGRAM

EVALUATION

DIRECTOR, NET ASSESSMENT

DIRECTORS OF THE DEFENSE AGENCIES

DIRECTORS OF THE DoD FIELD ACTIVITIES

SUBJECT: Directive-Type Memorandum (DTM) - Responsible and Effective Use of Internet-based Capabilities

References. See Attachment 1

Purpose. This memorandum establishes Departmental policy on the responsible and effective use of Internet-based capabilities, including publicly accessible social networking services, which are not owned, operated, or controlled by the DoD. The policy addresses important changes in the way the Department of Defense communicates and shares information on the Internet. This policy recognizes that emerging Internet-based capabilities offer both opportunities and risks that need to be balanced in ways that provide an information advantage for our people and mission partners. It does not change DoD policy concerning operation and security of the DoD Information Enterprise, including the Global Information Grid (GIG), nor does it change the current procedures under which public affairs offices release information to the media or general public. This DTM is effective immediately and will be converted to a new DoD issuance or incorporated into an existing DoD issuance within 180 days.

Applicability. This DTM applies to OSD, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff and the Joint Staff, the Combatant Commands (COCOMs), the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (hereafter referred to collectively as the "DoD Components") and authorized users of the Non Classified Internet Protocol Router Network (NIPRNET).

Definitions. These terms and their definitions are for the purpose of this DTM.

• External Official Presence. Representation on the Internet external to the DoD, e.g., outside of the .MIL domain, by DoD organizations in an official public affairs capacity.

• Internet-based capabilities. The full-range of publicly accessible information services resident on the Internet external to the DoD, e.g., outside of the .MIL domains, including Web 2.0 tools such as social networking services, social media, user generated content sites, social software, as well as email, instant messaging, and discussion forums. This does not include DoD-owned, DoD-operated, or DoD-controlled capabilities.

Policy. It is DoD policy that:

• The Department of Defense shall permit and encourage official use of Internet-based capabilities to leverage their potential while managing risk to build an information advantage for DoD personnel and mission partners.

• The establishment of External Official Presences by DoD organizations is permitted with the approval of the appropriate DoD Component Head. Approval signifies that the DoD Component Head concurs with the intended use and has determined that the Internet-based capability has an acceptable level of risk.

• External Official Presences are considered public affairs activities. As such, they shall comply with Reference (a) and clearly identify that their content is provided by the Department of Defense. The DoD shall maintain a publicly accessible Internet repository of External Official Presences.

• Business transformation, professional networking, education, and other official uses of Internet-based capabilities unrelated to public affairs are permitted. However, because these interactions take place in a public venue, personnel acting in their official capacity shall maintain liaison with public affairs staff to ensure organizational awareness.

• Personal, unofficial use of Internet-based capabilities by DoD employees from the NIPRNET is permitted, but users shall not claim representation of the Department or its policies, or those of the U.S. government.

• All use of Internet-based capabilities from the NIPRNET shall comply with all applicable policy regarding the sharing and safeguarding of information including Information Assurance (References (b) and (c)), Personally Identifiable Information (Reference (d)), Public Release of Information (Reference (e)), and operations security (Reference (f)); and shall comply with the Joint Ethics Regulations (Reference (g)).

• The NIPRNET shall be configured to enable access to Internet-based capabilities.

• Internet-based capabilities shall not be used to transact business that generates records subject to records management policy (reference (h)) unless applicable records management requirements can be met.

• All use of Internet-based capabilities shall comply with the basic guidelines set forth in Attachment 2.

Responsibilities. See Attachment 3

Releasability. UNLIMITED. This DTM is approved for public release and is available on the Internet from the DoD Issuances Web Site at http://www.dtic.mil/whs/directives.

ATTACHMENT 1

REFERENCES

(a) DoD Instruction 5400.13, "Public Affairs (PA) Operations," October 15, 2008

(b) DoD Directive 8500.1, "Information Assurance (IA), " October 24, 2002

(c) DoD Instruction 8500.2, "Information Assurance (IA) Implementation," February 6, 2003

(d) DoD Directive 5400.11, "Department of Defense Privacy Program," May 8, 2007

(e) DoD Directive 5230.09, "Clearance of DoD Information for Public Release, " August 22, 2008

(f) DoD Manual 5205.02-M, "DoD Operations Security (OPSEC) Program Manual," November 3, 2008

(g) DoD Regulation 5500.7-R, "Joint Ethics Regulation," August 30, 1993 (updated March 23, 2006)

(h) DoD Directive 5015.2, "DoD Records Management Program," March 6, 2000

(i) DoD Instruction O-8530.2, "Support to Computer Network Defense (CND),"

ATTACHMENT 2

BASIC GUIDELINES FOR USE OF INTERNET-BASED CAPABILITIES WITHIN THE DEPARTMENT OF DEFENSE

1. GENERAL. This attachment applies to the use of Internet-based capabilities by DoD employees for official and personal purposes. Examples include, but are not limited to:

a. Social networking sites

b. Image and video hosting websites

c. Wikis

d. Personal, corporate or subject-specific blogs

e. Data mashups that combine similar types of media and information from multiple sources into a single representation (i.e., a web page).

f. Similar collaborative, information sharing-driven Internet-based capabilities where users are encouraged to add/generate content.

2. EXTERNAL OFFICIAL PRESENCES. External Official Presences established pursuant to this DTM shall:

a. Receive approval from the responsible DoD Component head. Approval signifies that the Component head concurs with the planned use and has determined that the Internet-based capability has an acceptable level of risk.

b. Register on an Assistant Secretary of Defense for Public Affairs (ASD(PA)) -managed External Official Presences list.

c. Comply with references (b) through (g).

d. Use official branding in accordance with ASD(PA) guidance.

e. Clearly indicate role and scope of the External Official Presence.

f. Provide links to the organization's official public .Mil website.

g. Actively monitor for fraudulent or objectionable use.

3. OFFICIAL USE. DoD employees officially using Internet-based capabilities that are not part of a public affairs activity may discuss their relationship to the Department of Defense and their duties but shall:

a. Comply with references (b) through (g).

b. Ensure that the information posted is relevant, accurate, and professionally portrayed.

c. Provide links to official DoD content hosted on DoD-owned, operated, or controlled sites.

d. Include a disclaimer when personal opinions are expressed. (e.g., "This statement is my own and does not constitute an endorsement or opinion of the Department of Defense").

e. Comply with applicable DoD Component policies regarding responsible and effective use of Internet-based capabilities.

4. UNOFFICIAL USE. When acting in a personal or unofficial capacity, individuals shall:

a. Not claim representation of the Department or its policies.

b. Comply with references (b) through (g).

c Not have an online presence that could be viewed as representing the Department of Defense (e.g., may not use official title, military rank, military identifiers (i.e., e-mail address), or post imagery with their military uniform).

d. Comply with applicable DoD Component policies regarding responsible and effective use of Internet-based capabilities.

ATTACHMENT 3

RESPONSIBILITIES

1. UNDERSECRETARY OF DEFENSE FOR INTELLIGENCE (USD(I)). The USD(I) shall:

a. Develop procedures and guidelines to be implemented by the DoD Components for OPSEC reviews of DoD information shared via Internet-based capabilities

b. Develop and maintain threat estimates on current and emerging Internet-based capabilities.

c. Integrate guidance regarding the proper use of Internet-based capabilities into existing OPSEC education, training and awareness activities.

2. ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS AND INFORMATION INTEGRATION/ DoD CHIEF INFORMATION OFFICER. The ASD(NII)/DoD CIO shall:

a. Establish and maintain policy and procedures regarding Internet-based capabilities use, risk management and compliance oversight.

b. Integrate guidance regarding the proper use of Internet-based capabilities with existing IA education, training and awareness activities.

c. Establish mechanisms to monitor emerging Internet-based capabilities in order to identify opportunities for use and assess risks.

3. ASSISTANT SECRETARY OF DEFENSE FOR PUBLIC AFFAIRS (ASD(PA)). The ASD(PA) shall:

a. Extend the existing website registry to include registration of External Official Presences.

b. Provide policy for news, information, photographs, editorial, and other materials distributed via External Official Presences.

4. HEADS OF DOD COMPONENTS. The Heads of the DoD Components shall:

a. Approve the establishment of External Official Presences.

b. Ensure the implementation, validation and maintenance of applicable IA controls and OPSEC measures.

c. Ensure Computer Network Defense mechanisms that provide adequate security to access Internet-based capabilities from the NIPRNET are in place, effective, and compliant with reference (i).

d. Educate, train and promote awareness for the responsible and effective use of Internet-based capabilities.

5. DoD COMPONENT CHIEF INFORMATION OFFICERS (CIOs). The DoD Component CIOs shall:

a. Advise the ASD(NII)/DoD CIO and ensure that the policies and guidance issued by ASD(NII)/DoD CIO are implemented. Provide Component-specific implementation guidance on responsible and effective use of Internet-based capabilities.

b. Provide advice, guidance and other assistance to the Component Head and other Component senior management personnel to ensure that Internet-based capabilities are used responsibly and effectively.

c. Assist the Component Head to ensure effective implementation of Computer Network Defense mechanisms as well as the proper use of Internet-based capabilities with existing IA education, training and awareness activities.

d. Establish risk assessment procedures to evaluate and monitor emerging Internet-based capabilities in order to identify opportunities for use and assess risks.