Army IT User Agreement FICK
The requirements in this IT User Access Agreement are consistent with the policy
established in Army Regulation 25-2, Army Cybersecurity; the proponent agency
is OCIO.
PART I
2. Consent.
(2) At any time, the U.S. Government may inspect and seize data stored on this
information system.
(3) Communications using, or data stored on, this information system are not
private, are subject to routine monitoring, interception, and search, and may be
disclosed or used for any U.S. Government authorized purpose.
(4) This information system includes security measures (e.g., authentication and
access controls) to protect U.S. Government interests—not for your personal benefit or
privacy.
(3) Whether any particular communication or data qualifies for the protection of a
privilege, or is covered by a duty of confidentiality, is determined in accordance with
established legal standards and DoD policy. Users are strongly encouraged to seek
personal legal counsel on such matters prior to using an information system if the user
intends to rely on the protections of a privilege or confidentiality.
(4) Users should take reasonable steps to identify such communications or data
that the user asserts are protected by any such privilege or confidentiality. However, the
user's identification or assertion of a privilege or confidentiality is not sufficient to create
such protection where none exists under established legal standards and DoD policy.
(5) The user’s failure to take reasonable steps to identify such communications or
data as privileged or confidential does not waive the privilege or confidentiality if such
protections otherwise exist under established legal standards and DoD policy. However,
in such cases the U.S. Government is authorized to take reasonable actions to identify
such communication or data as being subject to a privilege or confidentiality, and such
actions do not negate any applicable privilege or confidentiality.
(7) In cases when the user has consented to content searching or monitoring of
communications or data for personnel misconduct, law enforcement, or
counterintelligence investigative searching, (that is, for all communications and data
other than privileged communications or data that are related to personal representation
or services by attorneys, psychotherapists, or clergy, and their assistants), the U.S.
Government may, solely at its discretion and in accordance with DoD policy, elect to
apply a privilege or other restriction on the U.S. Government’s otherwise-authorized use
or disclosure of such information.
PART II
1. Understanding. The user understands that they have the primary responsibility to
safeguard the information contained on the system being accessed from unauthorized
or inadvertent modification, disclosure, destruction, denial of service, and use. Any use
of Army Information Technology (IT) is made with the understanding that the user will
have no expectation as to the privacy or confidentiality of any electronic communication,
including minor incidental personal uses.
2. Access. DoD policy states that Federal Government communication systems and
equipment (including Government owned telephones, facsimile machines, electronic
mail, internet systems, and commercial systems), when use of such systems and
equipment is paid for by the Federal Government, will be for official use and authorized
purposes only. Official use includes emergency communications and communications
necessary to carry out the business of the Federal Government. Authorized purposes
include brief communications by employees while they are traveling on Government
business to notify family members of official transportation or schedule changes.
Authorized purposes can also include limited personal use established by appropriate
authorities under the guidelines of the DoD Regulation 5500.7-R, para. 2-301 “Joint
Ethics Regulation.”
a. Internet Access. Internet access is intended primarily for work related purposes.
(1) The user will not circumvent any filters or blocks to gain access to restricted
sites.
(2) If denied access to a particular website, needed for official or authorized use,
the user will follow procedures on the “blocked website” notification to request the site
be unblocked.
(3) The user will not use Army IS for activities that are illegal, inappropriate, or
offensive to fellow employees or the public. Such activities include, but are not limited
to: hate speech, or material that ridicules others on the basis of race, creed, religion,
color, sex, disability, national origin, or sexual orientation.
(4) The user will not inflict harm through the use of electronic communication –
the transfer of information (signs, writing, images, sounds, or data) transmitted by
b. Email.
(1) The user will adhere to the email practices as outlined in AR 25-1 or your
local command.
(2) The user will properly report chain email, spam, and virus warnings by
following the reporting procedures outlined by your local command.
(3) The user will not provide personal or official information if solicited by email.
(4) The user will not use personal, commercial email to conduct official
government business.
(5) The user will not auto-forward email from official government email to a
commercial or personal email account.
a. The SIPRNet is the primary classified IS for the Department of the Army.
SIPRNet is a United States DoD system and approved to process SECRET collateral
information.
(4) The ultimate responsibility for ensuring the protection of information lies with
the user. The release of TOP SECRET information through the SIPRNet is a security
violation and will be investigated and handled as a security violation or as a criminal
offense.
a. The NIPRNet is the primary unclassified information system for the Department of
the Army. NIPRNet provides unclassified communication to external DoD and other
United States Government organizations. Foreign Nationals may only access the
network with authorizing official (AO) approval. Any release of Secret information on
NIPRNet is a security violation and will be investigated and handled as a security
violation or as a criminal offense.
c. The NIPRNet and the Internet, as viewed by the Army, are synonymous. Email
attachments are vulnerable to interception as they traverse the NIPRNet and Internet.
b. Token/Smart Card (or CAC). The Cryptographic Common Access Card Logon
(CCL) is now the primary authentication mechanism for all Army users (with very few
exceptions). This is a two-phase authentication process. First, the CAC is inserted into a
middleware (reader), and then a unique user PIN number provides the validation
process.
d. Private Key (digital signature) should be used whenever e-mail is sent, with the
exception of when sending to non-government. The digital signature provides assurances
that the integrity of the message has remained intact in transit, and provides for the
non-repudiation of the message, so that the sender cannot later deny having originated
the e-mail.
e. Public Key is used to encrypt information and verify the origin of the sender of an
email. It must be used to send sensitive information, information protected by the
Privacy Act of 1974, and Information protected under the Health Insurance Portability
and Accountability Act (HIPAA).
(2) The user must complete the approved DoD Cyber Awareness Challenge
training at https://cs.signal.army.mil (primary site) or
https://jkosupport.jten.mil/Atlas2/page/login/Login.jsf. Large groups can use the DoD
Facilitator’s Guide training as a last option, and participate in all training programs as
required (inclusive of threat identification, physical security, IT User Access Agreement
policies, malicious content and logic identification, and non-standard threats such as
social engineering) before receiving system access. The user understands that the
initial training certificate will expire one year from the date that the training is
successfully completed and that the completion of annual refresher training is required
(in accordance with AR 25-2).
(3) The user will use only authorized hardware, firmware, and software. The
user will not install or use any personally owned hardware, software, firmware,
shareware, or public domain software on Army IT without prior authorization of the AO.
(4) The user will not introduce executable code (such as, but not limited to, .exe,
.vbs, or .bat files) to the IS without authorization by the AO, nor will they write malicious
code.
(5) The user will use virus-checking procedures before uploading or accessing
information from AO authorized removable media (for example, diskette, Universal
serial bus [USB] device, compact disk, or secure digital memory card) to an Army IS.
The user will not attempt to access or process data exceeding the authorized IS
classification level. Ensure proper classification markings, storing, transportation and
destruction of all SIPRNET CDs/DVDs.
(6) The user will not alter, change, configure, or use operating systems or
programs, except as specifically authorized.
(7) The user will safeguard and mark with appropriate classification level on all
information created, copied, stored, or disseminated from the IS and will not
disseminate it to anyone without a specific need to know.
(8) The user is responsible for removing their hardware PKI Token and ensuring
that their computer has logged off prior to departing the area.
(9) The user will not utilize ARMY or DoD-provided ISs for commercial financial
gain or illegal activities.
(13) The user understands that unauthorized use or abuse of DOD and Army
telecommunications, unified capabilities (UC), and computing systems (including
telephone, email systems, DOD mobile devices, web services, or other systems) may
subject users to administrative, criminal, or other adverse action.
(14) The user understands that Army IT resources will not be used in a manner
that would reflect adversely on the Army, such as chain letters; unauthorized
advertising, soliciting or selling; uses involving gambling or pornography; uses that
violate statute or regulation; or other uses that are incompatible with public service. The
user understands that it is their duty to immediately report all Cybersecurity related
events, potential threats, vulnerabilities, and compromises or suspected compromises
involving Army IT resources to the appropriate ISSO.
(15) The user understands that they are responsible for any activity conducted
using their account. The user understands that they may only use the account to which
they are assigned and may not allow others to use their account, or permit the use of
remote access capabilities through Government provided resources with any
unauthorized individual. The user's password or PIN is not to be shared with anyone,
including the supervisor. Users are responsible for taking reasonable precautions to
maintain the security of their accounts and the data to which they are authorized
access.
(16) The user must not directly access, download or view emails and email
attachments containing or labeled as classified or unclassified sensitive information (for
example, Controlled Unclassified Information) from a device, equipment, system or
network (for example, cellphone, tablet, computer) not specifically authorized to process
such information – either directly or through a website (for example, webmail) – unless
this is done in a formally authorized and secured manner (for example, virtual
environment, secure viewing application, sandbox application, secure thin client) that
prevents such information from being either temporarily or permanently stored on the
device, equipment, system, or network.
8. The user will adhere to the following requirements regarding the use of social media.
a. Users will utilize social media sites only as authorized by job or duty description,
for official government purposes, to conduct official business or to release official
agency information or other official communication.
b. Users may establish and use personal accounts only within a personal capacity.
Personal accounts must have no connection to official agency sites and must not
appear to be, or represent, official opinion or content. Users recognize that their
identity could be misused by the general public’s perception of their acting in official
responsibility or openness. Users cannot use personal accounts to conduct official
business or release official agency information or any other official communication
related to the job or government activities.
c. Users recognize it is their responsibility to ensure that they are not giving the false
impression that they are acting in an official capacity when using government office
equipment for non-government purposes. If there is expectation that such a personal
use could be interpreted to represent an agency, then an adequate disclaimer must be
used.
9. The user will adhere to the following requirements regarding political activism:
a. Users will not use the Army IS to engage in political activity while on duty (on pay
status, other than paid leave, or representing the government in an official capacity) or
in the workplace.
b. Users will not engage in political activity in an official capacity at any time. This
includes using an official email account or a social media account created for use in an
official capacity to engage in political activity.
c. Users will not use the Army IS to suggest, solicit or receive political contributions
at any time.
d. Users will not use the Army IS to engage in political transmissions, to include
transmissions that advocate the election of particular candidates for public office.
10. When a user is issued a mobile device, the issuing officer will provide a separate
agreement to sign.
1. Acknowledgement.
b. I have read, understand and agree to the notice of privacy rights, and consented
to monitoring and searches in accordance with this agreement.
FORSCOM MIL
Organization/Division/Office Symbol Military/civilian/Contractor/FN