SECNAV M-5239.2 - June 30, 2016
The manual updates Department of Navy workforce policy and responsibilities to support the DON's transition from the Information Assurance Workforce Program to the new DoD Cyberspace Workforce structure.
SECNAV INSTRUCTION 2201.1 - May 23, 2016
This instruction establishes DON COMSEC Material System Program implementation policy, delegates implementation roles, and clarifies implementation responsibilities DON wide. The guidance facilitates consistent program implementation by designated DON Secretariat, Navy, Marine Corps, Coast Guard, and Military Sealift Command officials and authorizes publication of detailed implementation procedures by appropriate ...
Federal Register: Vol. 81, No. 94 - May 16, 2016
DoD, GSA, and NASA are issuing a final rule amending the Federal Acquisition Regulation to add a new subpart and contract clause for the basic safeguarding of contractor information systems that process, store or transmit Federal contract information. The clause does not relieve the contractor of any other specific safeguarding requirement specified by Federal agencies and departments as it relates to covered contractor ...
SECNAV INSTRUCTION 5239.3C - May 2, 2016
This instruction establishes Department of the Navy policy for cybersecurity (CS) consistent with national and Department of Defense CS policy directives and instructions.
DON CIO Memo - February 12, 2016
This memorandum updates the Department of the Navy (DON) Acceptable Use Policy and cancels references (a) through (c). Enclosure (2) specifies acceptable use of DON IT. The DON uses tools to monitor user activity and to implement varying levels of capacity/filtering restrictions. Communications using, or information stored on, DON IT are not private and are subject to routine monitoring, interception, and search; and may ...
DON CIO Memo - February 10, 2016
In order to promote consistency in DON Risk Management Framework (RMF) implementation, the DON Chief Information Officer (CIO) collaborated with Navy and Marine Corps cybersecurity stakeholders to develop DON Information Type Baselines. The DON baseline includes the information types and impact levels from reference (c) and adds DON-unique impact levels for certain information types. The DON Information Type Baselines ...
UNSECNAV Memo - February 1, 2016
This memorandum designates the Office of the Deputy Under Secretary of the Navy for Policy (DUSN(P)) as the DON office of primary responsibility for Critical Infrastructure Protection (CIP). While no longer the Secretariat lead for CIP, DON CIO will continue to provide cybersecurity support and advice to DUSN(P).
DON CIO Guidance - November 16, 2015
The Department of the Navy Chief Information Officer has updated and renamed the Acquisition Information Assurance Strategy (AIAS) Guidance to the DON CIO Cybersecurity Strategy (CSS) Template and Instructions. The document includes information from the Draft DoD Cybersecurity Strategy outline, provides a template format, and contains DON CIO guidance on developing and submitting the CSS to support system acquisition.
NAVADMIN 239/15 - October 13, 2015
This NAVADMIN describes how, starting October 2015, the Navy has launched a year-long communications campaign to create a culture where cybersecurity discipline is a high priority and a daily habit, protecting the Navy from the persistent cyber threat it faces.
DON CIO Memo - April 8, 2015
This memo details how the DON Chief Information Officer, DON Office of Civilian Human Resources, and Navy and Marine Corps civilian cybersecurity management personnel developed the responsibilities, requirements, and procedures necessary for FY 2015 implementation of OPM's direction to code positions that perform cybersecurity work with Cybersecurity Data Element Codes.
DoD Strategy Document - April 1, 2015
The purpose of this Cyber Strategy, the Department's second, is to guide the development of DoD's cyber forces and strengthen the cyber defense and cyber deterrence posture. It focuses on building cyber capabilities and organizations for DoD's three cyber missions: to defend DoD networks, systems, and information; defend the U.S. homeland and U.S. national interests against cyberattacks of significant consequence; and ...
DON CIO Memo - June 23, 2014
The purpose of this memo is to announce the availability of Microsoft BitLocker as a Department of the Navy approved enterprise data at rest solution for the encryption of controlled unclassified information on Microsoft-based systems.
DoD Memo - June 9, 2014
The purpose of this memo is to clarify the roles, responsibilities, and relationships for cyberspace matters in the Department; to streamline seemingly overlapping duties concerning information technology networks and cyber; and, to provide guidance on establishing a single governance structure for cyberspace going forward.
DON CIO Memo - May 20, 2014
The purpose of this memo is to implement the Risk Management Framework for Department of Defense Information Technology, within the Department of the Navy.
DON CIO Memo - March 19, 2014
This memo details how the Department of the Navy will transition to DoD Mobile Classified Capability (DMCC) once Defense Information Systems Agency has fielded DMCC phones, and DMCC access to NMCI Secret Internet Protocol Router Network Outlook Web Access email has been enabled.
DON CIO Memo - December 3, 2013
This memo outlines an efficient path to compliance with Department of Defense information systems Certification and Accreditation requirements when connecting end-user electronic fingerprint (eFP) hardware and installing end-user eFP software on DON networks.
DTG 312035Z MAY 13 - May 13, 2013
This NAVADMIN provides guidance on the use of Microsoft Windows XP and all prior versions of Microsoft operating systems. Effective April 30, 2014, Microsoft will no longer provide vendor lifecycle support (automatic fixes, updates, or online technical assistance) for Windows XP.
DON CIO Memo - March 20, 2013
This memo outlines the certification and accreditation pilot of information technology systems within the Department of the Navy.
Presidential Policy Directive 21 - February 12, 2013
This directive establishes national policy on critical infrastructure security and resilience; refines and clarifies the critical infrastructure-related function, roles, and responsibilities across the Federal government; and enhances overall coordination and collaboration.
Executive Order 13636 - February 12, 2013
This executive order establishes the United States' policy to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. Such goals are achieved through a partnership with the owners and operators of critical ...
SECNAVINST 1543.2 - November 30, 2012
The purpose of this instruction is to establish policy and procedures for Department of the Navy cyberspace/information technology (IT) workforce (WF) professional development through a continuous learning program (CLP). The CLP requires 40 hours per year of education, training, certification and other activities that support the sustainment and continued improvement of the capabilities of the DON Cyberspace/IT WF.
DTG 281759Z AUG 12 - August 28, 2012
The purpose of this coordinated Department of the Navy Chief Information Officer, DON Deputy CIO (Navy), DON Deputy CIO (Marine Corps), and DON Information Security Program Authority message is to update policy for the disposal and mandatory physical destruction of electronic storage media.
DoD CIO Memo - May 8, 2012
The Department of Defense requires its "Five Eyes" (FVEY) partner nations (Australia, New Zealand, Canada, and the United Kingdom) to use Public Key Infrastructure (PKI) for secure communication with DoD personnel on the Nonsecure Internet Protocol Router Network (NIPRNet), and authentication to DoD NIPRNet websites. In February 2006, the FVEY partner nations signed an Annex to the Combined Joint Multilateral Master ...
DON Performance Plan - March 20, 2012
This plan details the Department of the Navy's continued efforts to reduce the Navy's overall data center footprint, deliver cost and environmental efficiencies and increase the overall information technology security posture while ensuring Navy and Marine Corps warfighting capability remains strong. This effort aligns directly with the Office of Management and Budget Federal Data Center Consolidation Initiative and the ...
SECNAVINST 5720.44C Change 1 - February 21, 2012
The purpose of this instruction is to provide basic policy and regulations for carrying out the public affairs and internal relations programs of the Department of the Navy.
DON CIO Memo - February 1, 2012
This memo formally establishes Department of the Navy Cyber Range guidance. The Cyber Range provides an operationally realistic environment to support exercises, training, testing and evaluation with no risk to operational networks.
CJCSI 6211.02D - January 24, 2012
This instruction establishes policy, responsibilities and connection approval process for sub networks of the Defense Information System Network (DISN).
SECNAVINST 3501.1C - December 13, 2011
In February 2016, the Under Secretary of the Navy designated the Office of the Deputy Under Secretary of the Navy for Policy (DUSN(P)) as the DON office of primary responsibility for Critical Infrastructure Protection (CIP). While no longer the Secretariat lead for CIP, DON CIO will continue to provide cybersecurity support and advice to DUSN(P).
This instruction provides policy and delineates specific ...
DoD Guidance - July 18, 2011
This document provides an outline, content and formatting guidance for the Program Protection Plan (PPP) required by DoDI 5000.02 and DoDI 5200.39. The outline structure and tables are considered minimum content that may be tailored to meet individual program needs.
The guidance is based on the July 18, 2011, memo, "Document Streamlining -- Program Protection Plan," which can be found on the first page of the ...
DON CIO Memo - June 15, 2011
This memo provides the Department of the Navy with execution guidance in response to Department of Defense (and Federal Government) direction to migrate to the use of a stronger cryptographic hash algorithm for network security (authentication activities including CAC logon and digital signatures).
UNSECNAV Memo - May 11, 2011
The purpose of this memo is to establish a common enterprise approach between the functions of the DON CIO and the Navy and Marine Corps. This renewed approach is designed to strengthen the integration and success of the Department's IM, IT (to include national security systems) and cyberspace (excluding intel, attack and exploit), and information resource management operations, procurement and business processes.
DTG 211312Z APR11 - April 21, 2011
This Naval message updates guidance for requesting public key enablement waivers through the Department of Defense Information Technology Portfolio Repository-DON. While the requirement for a waiver for a system that is not public key enabled has not changed, the process was incorporated into the DON Enterprise Architecture compliance assessment.
UNSECNAV Memo - December 3, 2010
This memo addresses information technology/cyberspace efficiency initiatives and realignment in the Department of the Navy. It underscores the challenge by the Secretary of Defense to think about the DON's approach to IT initiatives and to centralize and consolidate efforts where it makes sense. This memo directs the DON Chief Information Officer to take the lead for the Department for this endeavor, noting that it is a ...
DoD CIO Memo - October 5, 2010
This Department of Defense Deputy Chief Information Officer memorandum establishes the DoD's position on acceptance and use of qualified Personal Identity Verification Interoperable (PIV-I) credentials for access to DoD logical and physical resources. Where appropriate, DoD relying parties (e.g., DoD installation commanders or information systems owners) should accept electronically validated PIV-I credentials for ...
SECNAVINST 5239.21 - August 27, 2010
This policy establishes electronic signature policy for the Department of the Navy consistent with Federal and Department of Defense legislation and policies. This policy is not a mandate to replace handwritten signatures with electronic signatures but rather is a policy to adopt electronic signatures as the preferred means of conducting business transactions within the DON.
DTG 192014Z AUG 10 - August 19, 2010
The purpose of this Naval message is to reinforce how personnel store and distribute national security information (NSI), as well as to remind personnel of their responsibility to safeguard NSI commensurate with level of classification until the information is declassified by the appropriate original classification authority.
DON CIO Memo 02-10 - April 26, 2010
The purpose of this memo is to update the Department of the Navy Information Assurance (IA) Platform Information Technology (PIT) policy. DON Platform IT is a concept for risk management and approval of DON IT systems that do not interconnect with Department of Defense networks and the Global Information Grid. The DON PIT policy stresses that IA requirements still apply to PIT systems and provides guidance to PIT policy ...
UNSECNAV Memo - February 12, 2010
This memo conveys the seriousness the Under Secretary of the Navy places on personal privacy and the safe management of Department of the Navy personally identifiable information (PII) and his intention to make eradicating further PII breaches a Departmental priority. This includes implementing a DON-wide plan to reduce the collection and use of Social Security numbers.
DTG 201807Z JAN 10 - January 20, 2010
This Naval message declares that Strategic Missions Assurance Data Systems (SMADS) is the single authoritative source of Task Critical Assets (TCAs) for Department of the Navy reporting. It also lists the deadlines for entering TCAs into SMADS, which will better facilitate rapid and consistent DON-level reporting.
DON CIO Memo - January 15, 2010
The Department of the Navy Chief Information Officer has released a memorandum designating the DON Principal Deputy CIO as the DON Senior Information Assurance Officer (SIAO).
The DON SIAO responsibilities include facilitating alignment and consistent application of information management, information technology, and information assurance policies, processes, responsibilities, and procedures across the Department. ...
DTG 291445Z DEC 09 - December 29, 2009
This Naval message details the steps that must be taken by the Department of the Navy Deputy Chief Information Officers to ensure proper public key enablement of unclassified private web servers and applications. It also requires submission of a service-specific plan of actions and milestones by Jan. 31, 2010.
DTG 231919Z NOV 09 - November 23, 2009
This Naval message modifies the Dec. 31, 2009, compliance requirement established for purchase and installation of personal electronic device smart card readers as a result of shortages and unavailability of the required hardware at the manufacturer level.
Federal CIO Council Guidance - September 23, 2009
The use of social media for federal services and interactions is growing tremendously, supported by initiatives from the administration, directives from government leaders, and demands from the public. This situation presents both opportunity and risk. Guidelines and recommendations for using social media technologies in a manner that minimizes the risk are analyzed and presented in this document.
This document is ...
DoD Memo - August 10, 2009
This memo rescinds and replaces the Sept. 6, 2007, Department of Defense Information Technology Portfolio Repository (DITPR) and DoD SIPRNET IT Registry Guidance 2007-2008 memo. This memo directs that all IT and National Security Systems must be registered in DITPR.
ASD(NII) Directive-Type Memorandum 08-027 - July 31, 2009
This Assistant Secretary of Defense (Networks and Information Integration) Directive-Type Memorandum establishes policy for managing the security of unclassified Department of Defense information on non-DoD information systems. A list of frequently asked questions provides information and direction for implementation in the Department of the Navy.
DoD Memo - July 23, 2009
This memo provides a systematic, repeatable process for ensuring timely reciprocity of Department of Defense information systems and will advance information sharing, and reduce rework and cycle time when establishing Combined/Joint ISs/Networks.
SECNAVINST 5239.3B - June 17, 2009
This instruction establishes information assurance (IA) policy for the Department of the Navy consistent with national and Department of Defense (DoD) policies. It also designates the DON Chief Information Officer as the DON official assigned responsibility and delegated authority in order to ensure Federal, DoD and DON IA requirements are carried out within the Department of the Navy.
DTG 181430Z MAY 09 - May 18, 2009
This Naval message implements the Department of Defense Privacy Impact Assessment (PIA) guidance of Feb. 12, 2009, for the Department of the Navy. The following is highlighted:
The guidance expands PIA coverage from just members of the public to include Federal personnel, Federal contractors, and Foreign Nationals employed at U.S. military facilities abroad.
PIAs are required for legacy systems and electronic ...
DON CIO Memo - May 13, 2009
This memo provides guidance for the interactions among the Service Certifying Authorities (CAs), Service Designated Accrediting Authorities (DAAs), and the DON Senior Information Assurance Officer (SIAO). These interactions are based on the business rules stated in the Dec. 18, 2008, memorandum, Senior Information Assurance Officer Alignment and Responsibilities for Information Assurance and Certification and Accredi
DON Guidance - April 28, 2009
The purpose of the Department of the Navy Computer Network Defense (CND) Roadmap is to communicate the DON strategy for sustaining and improving CND now and in the future as the DON transitions to the Naval Networking Environment (NNE). In this age of network-centric warfare, computer and network technologies are diffused into virtually all military systems, and interconnected military units operate cohesively. CND is ...
DTG 241757Z APR 09 - April 24, 2009
This Naval message is about the NIPRNet Hardening Initiative. The first increment of this initiative involves the registering, testing, and restricting access to and from the Internet of all public-facing File Transfer Protocol (FTP), web, e-mail and Domain Name System (DNS) servers. The first step in this first increment was successfully completed. The DON CIO congratulates all involved for a job well done. This message ...
SECNAVINST 5230.15 - April 10, 2009
SECNAVINST 5230.15 mandates that all COTS software in use across the Department of the Navy be vendor supported. DON organizations desiring to continue to use COTS software that is no longer supported must request and receive a waiver to this policy.
DON Charter - March 16, 2009
This charter establishes the DON Information Assurance Workforce Management Oversight and Compliance Council (IAWF MOCC). The IAWF MOCC will provide DON-wide oversight of, and ensure compliance with, the IAWF improvement program. The IAWF MOCC will oversee development of IAWF education, training and certification standards.
SECNAVINST 3052.2 - March 6, 2009
This instruction establishes policies and responsibilities for the administration of cyberspace within the Department of the Navy.
DoD Instruction 5400.16 - February 12, 2009
This instruction establishes policy and assigns responsibilities for completion and approval of privacy impact assessments to analyze and ensure personally identifiable information in electronic form is collected, stored, protected, used, shared and managed in a manner that protects privacy.
DTG 312021Z JAN 09 - January 31, 2009
This Naval message announces the availability of the Department of Navy Data At Rest Enterprise Solution for Non-NMCI assets and ends the moratorium on DAR software purchases. Implementation of this solution enables compliance with Department of Defense, Joint Task Force-Global Network Operations and DON policy mandates for encryption of sensitive information on mobile computing devices and portable storage media.
DTG 281919Z JAN 09 - January 28, 2009
This Naval message provides amplification guidance for the purchase and installation of Common Access Card readers on all Personal Electronic Devices including BlackBerrys. It also identifies the procurement options for the required hardware.
DTG 181905Z DEC 08 - December 18, 2008
This Naval message emphasizes that personally identifiable information (PII) annual awareness training is foundational to the safeguarding of PII and key to understanding the Department's breach reporting responsibilities. It explains how DON leadership must continually reinforce PII awareness, through training, so that personnel properly safeguard privacy sensitive information in order to improve business processes.
DON CIO Memo - December 18, 2008
This memo aligns Senior Information Assurance Officer responsibilities for the Department of the Navy with requirements in the DoD Information Assurance Certification and Accreditation Process (DIACAP).
DTG 031859Z DEC 08 - December 3, 2008
This Naval message details policy changes that have been made as a result of an impact assessment and data call conducted by the DON CIO to understand where software certificates are used in the Department's unclassified environments.
DTG 201839Z NOV 08 - November 20, 2008
This Naval message reinforces current Department of the Navy policy aimed at reducing the number and potential impact of lost, stolen or compromised personally identifiable information (PII) to Sailors, Marines, government personnel, dependents and DON contractors.
DON CIO Memo - October 20, 2008
The purpose of this memo is to provide initial guidance for all Navy and Marine Corps commands regarding the use of emerging web tools to facilitate collaboration and information sharing in the Department of the Navy. These tools, described in enclosure (I) include wikis, blogs, mash ups, web feeds (such as, Really Simple Syndication and Rich Site Summary (RSS) feeds), and forums, which are often referred to as components ...
DTG 032009Z OCT 08 - October 3, 2008
This Naval message provides updates to the DON policy for digital signature and encryption of email. It also provides updated budget guidance for procurement and use of Smart Card Reader technology to support digital signature and encryption of email from Personal Electronic Devices.
DTG 212100Z AUG 08 - August 22, 2008
This Naval message contains information and outlines actions for NMCI users to prepare for the rollout of GuardianEdge, which will be implemented on all NMCI NIPR computers and removable storage devices (thumb drives, data CD, etc.) used on NMCI.
DoD CIO Memo - July 22, 2008
This Department of Defense memo approves the use of Public Key Infrastructure certificates issued by non-DoD external organizations after successful completion of interoperability testing.
DON Handbook - July 16, 2008
The Department of the Navy DoD Information Assurance Certification and Accreditation Process (DIACAP) Handbook details the baseline DON approach to the DIACAP and the procedures necessary to obtain an accreditation decision for DON information systems undergoing the C&A actions as required under Federal law, and DoD and DON regulations and directives. In addition to this handbook, service unique guidance will be ...
DON Strategy Document - May 13, 2008
A multidisciplinary team from across the Department of the Navy developed this document, which outlines our future vision for a robust and highly interconnected enterprise networking capability in the 2016 timeframe to fully support the needs of our warfighting and warfighting-support organizations and personnel. The vision and strategy outlined in this document shall be used as a guide for ensuring alignment of our ...
DTG 122213Z MAY 08 - May 12, 2008
This Naval message announces increased attention being focused across the Department of the Navy to minimize the use of PKI software certificates.
White House Memo - May 7, 2008
This memo adopts, defines and institutes "Controlled Unclassified Information" (CUI) as the single, categorical designation henceforth throughout the executive branch for all information within the scope of that definition.
SECNAVINST 5239.19 - March 18, 2008
This instruction establishes Department of the Navy incident response policy to align and integrate DON computer incident response and reporting requirements with Department of Defense policy guidance.
DTG 142031Z MAR 08 - March 14, 2008
This Naval message reiterates policy, direction and guidance regarding Continuity of Operations (COOP) planning as it relates to information technology systems. Additionally, this message directs that COOP plans will address connectivity to data and services that reside on Department of the Navy networks and communications considerations; establish IT-related processes and procedures to identify IT damage and ...
DTG 291600Z FEB 08 - February 29, 2008
This Naval message provides Department of the Navy requirements for resolving deficiencies in contingency planning identified by a Department of Defense Inspector General audit and ensuring DON policy aligns with information assurance requirements.
DTG 291652Z FEB 08 - February 29, 2008
This Naval message announces the updated reporting process to be used when there is a known or suspected loss of Department of the Navy personally identifiable information. It includes new and existing requirements for incident reporting recently issued by the Office of Management and Budget and the Department of Defense.
View sample breach notification letter.
DTG 241518Z JAN 08 - January 24, 2008
This Naval message provides guidance governing the implementation of wireless local area network (WLAN) solutions using the IEEE 802.11 body of standards, commonly referred to as WiFi. The primary focus of this effort is unclassified wireless networking solutions.
Joint DON CIO and CHINFO Memo - October 17, 2007
This policy provides Department of the Navy guidance for governing the registration, content, compliance, and investment of all unclassified DON web sites and their associated Uniform Resource Locators. The policy applies to all DON commands and activities with unclassified web sites (publicly accessible or access restricted) designed, developed, procured or managed by DON activities and/or hosted and managed by their ...
DTG 091256Z OCT 07 - October 9, 2007
This Naval message provides guidance regarding the move to choose an enterprise solution to encrypt sensitive Data at Rest (DAR) and states that commands should hold off on purchasing DAR products and services until an enterprise solution is identified.
ALNAV 070/07: R 042232Z OCT 07 - October 4, 2007
This ALNAV message stresses the seriousness of safeguarding personally identifiable information (PII) across the Department by establishing an annual PII awareness training requirement, as well as completing semi-annual command level PII compliance spot checks.
View PII Spot Check Form.
DON CIO Memo - September 27, 2007
This memo establishes the roles and responsibilities of the Department of the Navy Deputy Senior Information Assurance Officer for Computer Network Defense (DON Deputy SIAO for CND). The DON Chief Information Officer Information Assurance and Network Security Team Lead has been named the DON Deputy SIAO for CND and will report to the DON SIAO.
DTG 202041Z AUG 07 - August 20, 2007
This Naval message provides guidance for the use of personal electronic devices (PEDs). Commands are encouraged to immediately begin transition to PEDs that support digital signature and encryption. Effective March 31, 2008, use of PEDs that are not natively compliant or have not upgraded to meet the requirements will no longer be permitted.
DTG 232026Z JUL 07 - July 23, 2007
This Naval message defines personally identifiable information (PII) and emphasizes the importance of its proper handling following more than 100 incidents of PII loss during the past 18 months.
DoD Memo - July 3, 2007
This memo establishes additional DoD policy for the protection of sensitive unclassified information on mobile computing devices and removable storage media. It applies to all DoD Components and their supporting commercial contractors that process DoD information.
DTG 171952Z APR 07 - April 17, 2007
This Naval message establishes interim policy for the handling of personally identifiable information when stored on government furnished laptop computers, other mobile computing devices and removable storage media (e.g., removable hard drives, thumb drives, blackberries, personal digital assistants, compact discs and DVDs).
DoD Memo - March 9, 2007
This memo authorizes the issuance of CACs to foreign national partners who have been properly vetted and who require access to a DoD facility or network logon access to meet a DoD mission. This would apply to DoD sponsored foreign national military, government, and contractor personnel.
DoD Memo - January 24, 2007
This Department of Defense policy memo requires the review of NIPRNET web sites to ensure proper configuration of mandatory/discretionary access controls on private web servers, web-based applications and web portals. It underscores the need for implementation of access controls for rules-based authorization decisions, in addition to use of Public Key Infrastructure for user authentication.
USD P&R Policy Memo - December 12, 2006
This memo establishes Department of Defense policy for the adoption and use of digital signature as a standard business practice for all Human Resources Management (HRM) and Compensation business processes that require a signature.
OMB Memo 06-16 - June 23, 2006
This memo provides a checklist from the National Institute of Standards and Technology for the protection of remote information. The intent of implementing the checklist is to compensate for the lack of physical security controls when information is removed from, or accessed from outside the agency location. This memo includes additional actions for departments and agencies to take to protect sensitive information.
OMB Memo 06-19 - June 23, 2006
This memo provides update guidance on the reporting of security incidents involving personally identifiable information. It also restates existing requirements and explains new requirements.
DON CIO Memo - June 16, 2006
This memo and enclosures prescribe the Department of Defense and Department of the Navy Privacy Impact Assessment guidance for IT systems that contain information in identifiable form.
DoD CIO Memo - May 5, 2006
This memo provides direction to incorporate standard digital signature profiles into all applications, systems or processes that use digital signatures. This implementation will lead industry toward interoperable digital signature implementations.
DoD Memo - April 18, 2006
This memo provides suggestions on technical means to protect unclassified sensitive information on portable computing devices used within DoD. The measures are in addition to the normal physical security required for such devices so that, if they fall into the wrong hands for any reason, access to the sensitive DoD information they contain will be more difficult.
DON Guidance - March 20, 2006
This guidance document provides a foundation for improving the Department of the Navy's information assurance (IA) posture and outlines courses of action to comply with the requirements of the Federal Information Security Management Act of 2006. The document supports and complements current SECNAV IA Policy (SECNAVINST 5239.3B), bolsters established policies and procedures to ensure FISMA compliance, improves the DON's ...
DoD Guide - March 1, 2006
This guide specifies technical details for implementing interagency PIV I and PIV II National Institute of Standards and Technology Special Publication 800-73v1 requirements in the DoD CAC environment. It documents how the DoD common access card and middleware are implemented with PIV.
FIPS 201-1 - March 1, 2006
This standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. The goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled government facilities and electronic access to government information systems.
DoD 5220.22-M - February 28, 2006
This manual prescribes requirements, restrictions, and other safeguards that are necessary to prevent unauthorized disclosure of classified information and to control authorized disclosure of classified information.
SECNAVINST 5211.5E - December 28, 2005
SECNAVINST 5211.5E implements the Privacy Act of 1974 per the Department of Defense Privacy Program Directive and Regulation ensuring that all DON military members and civilian/contractor employees are made fully aware of their rights and responsibilities with regards to privacy. The program attempts to balance the government’s need to maintain information with the obligation to protect individuals against unwarranted ...
DON CIO Memo - December 15, 2005
This memo forwards memorandum from the Department of Defense Biometrics Executive Agent that mandates all new acquisitions or upgrades of electronic biometric collection systems used by DoD components conform with the DoD electronic biometric transmission specifications.
SECNAV M-5239.1 - November 1, 2005
This manual implements the policy set forth in SECNAVINST 5239.3B: Department of the Navy Information Assurance Policy and is issued under the authority of SECNAVINST 5430.7N: Assignment of Responsibilities and Authorities in the Office of the Secretary of the Navy. It is intended to serve as a high-level introduction to information assurance and IA principles. It discusses common IA controls and associated requirements ...
DoD Memo - September 1, 2005
Organizations outside the Federal Government often approach Department of Defense personnel to obtain updated contact information for their publications, which are then made available to the public. The information sought usually includes names, job titles, organizations, phone numbers and room numbers. The DoD director of Administration and Management issued a policy memo Nov. 9, 2001, that provided greater protection ...
DON Guidance - October 27, 2004
This summary provides the Department of the Navy format for system assessors to use when conducting a Privacy Impact Assessment.
DTG 061525Z OCT 04 - October 8, 2004
This Naval message provides amplifying public key infrastructure implementation guidance.
HSPD-12 - August 27, 2004
This Homeland Security Presidential Directive establishes a government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). This standard will result in enhanced security, increased Government efficiency, reduced identity fraud, and protection of personal privacy.
HSPD-7 - December 17, 2003
This Homeland Security Presidential Directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.
HSPD-8 - December 17, 2003
This Homeland Security Presidential Directive establishes policies to strengthen the preparedness of the United States to prevent and respond to threatened or actual domestic terrorist attacks, major disasters, and other emergencies. It requires a national domestic all-hazards preparedness goal, establishing mechanisms for improved delivery of Federal preparedness assistance to state and local governments, and outlining ...
Department of Defense Charter - April 14, 2000
By direction of Congress, the Secretary of Defense chartered a Smart Card Senior Coordinating Group to develop and implement department-wide interoperability standards for use of smart card technology and a plan to exploit smart card technology as a means for enhancing readiness and improving business processes.
January 17, 2017
The DON IT Conference, West Coast 2017 schedule is now available. The conference will be held Feb. 21-23, 2017, at the San Diego Convention Center in San Diego, CA. Pre-registration is open, and will remain open until Feb. 10, or until the TAD limit is reached. On-site registration will be available for local attendees and those in San Diego on other business only.
January 12, 2017
When using a laptop at work and/or at home, you should be taking a few basic steps to keep your data safe and your system operational.
November 14, 2016
Cybersecurity and Information System Security Awareness Training is a Fiscal Year requirement for all personnel that access information systems on unclassified or secret networks. This means after Oct. 1st of each year, the training needs to be done again for that year. Each person can satisfy the training requirement by completing one of the following: Cyber Awareness Challenge, Cyber Awareness Challenge Intelligence ...
November 8, 2016
Nominations are now being accepted for the DON Information Management/Information Technology (IM/IT) Excellence Awards. Submissions are due by Dec. 5, 2016. The awards recognize the superior efforts of IM/IT projects, teams, and individuals in helping to transform DON information technology.
by DON CIO Privacy Team - November 8, 2016
Privacy Tips are meant to increase awareness about privacy issues that impact the Department of the Navy by highlighting a specific topic. Feedback or suggestions for future topics are welcomed.
November 8, 2016
Registration for the DON IT Conference, East Coast 2017 is open. The conference has been approved for May 16-18, 2017 at the Hilton Norfolk The Main.
November 3, 2016
The following is a list of CHIPS Magazine articles about personally identifiable information (PII) breaches based on factual reports sent to the DON CIO Privacy Office. Incidents such as these will be reported in each subsequent issue of CHIPS Magazine.
by Robert Foster - October 31, 2016
With increasing frequency, we read about computer networks being hacked — in both the public and private sectors. You may have been affected by one of the latest incidents on your own home network, the attack that brought several popular websites, including Amazon, Twitter and Netflix, to a standstill for hours. Though it did not affect our DON network, it is a compelling reminder that cyber intrusions are increasing in ...
by Chris Kelsall - September 14, 2016
Remember Clinger-Cohen and the original Federal Information Security Management Act (FISMA), when it was called the Information Technology, Information Management, Information Resources Management and Information Assurance (IT/IM/IRM/IA) Workforce? That was 10 years ago. Since then, the world has moved on to cyber and cybersecurity, with a lot of workforce definitions and titles coming and going - and staying....
by Chris Kelsall - September 14, 2016
With the publication of DoD Directive 8140.01, "Cyberspace Workforce Management" and Secretary of the Navy (SECNAV) Instruction 5239.20A, "Department of the Navy Cyberspace Information Technology and Cybersecurity Workforce (DON Cyber IT/CSWF) Management and Qualification," a new approach to education, training and Cyber IT/CSWF qualification will occur. ...
June 30, 2016
SECNAV Manual 5239.2, "DON Cyberspace IT and Cybersecurity Workforce Management and Qualification," was signed by the Secretary of the Navy on June 27, 2016. The manual updates Department of Navy workforce policy and responsibilities to support the DON's transition from the Information Assurance Workforce Program to the new DoD Cyberspace Workforce structure.
June 20, 2016
Did you know you can use your personal portable electronic devices in select DON spaces? ...
May 6, 2016
Congratulations to the following Marine Corps team and individual award winners. They were recognized at the 13th Annual C4 Awards Dinner on April 21, by the Marine Corps Association and Foundation.
by Navy News Service - April 20, 2016
Department of the Navy Chief Information Officer (DON CIO) Robert Foster recognized more than 10 individuals and teams for transforming the Navy and Marine Corps through information technology during a ceremony at the Washington E. Walter Convention Center April 20.
April 19, 2016
Presentations given during the DON IT conference sessions held in Washington, DC, April 20-21 are now available by request. Please submit your request by using the "Contact Us" link located in the DON CIO Information section.
March 4, 2016
The Department of the Navy Chief Information Officer is pleased to announce the winners of the 2016 DON IM/IT Excellence Awards. The awards recognize teams and individuals for various categories of awards related to information management and information technology. The following were selected as the 2016 winners.
by DON Privacy Team - February 26, 2016
The following is a list of CHIPS Magazine articles on the Department of the Navy's (DON's) Social Security Number (SSN) Reduction program and related success stories received by the DON CIO Privacy Office. Additional articles such as these will be reported in each subsequent issue of CHIPS Magazine.
February 12, 2016
This February 12, 2016 memorandum updates existing policy and specifies the acceptable use of DON IT. This policy is a coordinated effort between the Deputy Under Secretary of the Navy for Policy (DUSN(P)) Security and the DON CIO as part of the DON's cyber/traditional security partnership for the protection of national security information and information systems.
by Rob Foster - February 4, 2016
It is very important to me to spend time meeting with Department of the Navy (DON) stakeholders to maintain active communication and feedback channels. I have made it a point to get out of the Pentagon and visit various Navy and Marine Corps commands to see for myself the excellent IT-related work that’s taking place and hear directly about IT-related challenges and concerns. I have strongly encouraged the DON Chief ...
by Rob Foster - October 29, 2015
While October was designated as National Cybersecurity Awareness month it is always an opportune time to address what the Department is doing to strengthen our security posture as well as reinforce the importance of practicing the utmost care whenever we use a government computer and access a government network.
by Cheryl Pellerin, DoD News, Defense Media Activity - April 23, 2015
Defense Secretary Ash Carter today unveiled the Defense Department's second cyber strategy to guide the development of DoD's cyber forces and to strengthen its cyber defenses and its posture on cyber deterrence.
by National Cyber Security Alliance - April 10, 2015
The National Cyber Security Alliance (NCSA) and Better Business Bureau (BBB) say now is the perfect time for a "digital spring cleaning."
In many households, spring cleaning is an annual ritual marked by clearing out closets, basements and garages, de-cluttering cabinets and getting everything spic and span. While making sure your home is in tip-top shape, don’t forget about getting a fresh start with your online ...
February 20, 2015
The Department of the Navy Chief Information Officer is pleased to announce the winners of the 2015 DON IT Awards. ...
October 20, 2014
Attempted intrusions into DoD networks by spear-phishing or a social media based attack occur frequently. While it is legal to access social media sites from your DoD computer, there are precautions that you should take to make both your personal information and our government networks safe from attack. ...
October 9, 2014
National Cybersecurity Awareness Month (NCSAM), celebrated every October, was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.
September 15, 2014
Personally identifiable information (PII) should only be shared or accessible to those with a need to know. PII includes government email addresses as well as personal email addresses. A best practice when sending emails to a large number of individuals is to use the BCC (blind copy) feature. ...
August 25, 2014
As a result of the implementation of the new Department of Defense Cybersecurity and Risk Management Framework instructions (DoDI 8500.01 and DoDI 8510.01), the term information assurance has been changed to cybersecurity. ...
July 11, 2014
Recent media accounts have reported a breach of the Office of Personnel Management (OPM) network. At this time, neither OPM nor the United States Computer Emergency Readiness Team (US-CERT) has identified any loss of personally identifiable information for any users of OPM's internal or external systems. There is no need for additional action from employees and customers related to this incident.
June 12, 2014
With kids out of school for the summer, it's easy for parents and kids to shift their focus from education to fun. Parents want to make sure their kids are having fun and staying safe at the same time, and this should apply to all activities, from riding bikes, to swimming, to being online. Summer means kids will have more free time, which may mean more time on the computer. June is National Internet Safety Month, a time ...
by Barbara Hoffman - June 9, 2014
It has been a privilege to serve in leadership positions for the Department of the Navy Chief Information Officer, including as Director of both the E-business and Investment Management teams, Principal Deputy for two very talented DON CIOs, and now as the DON CIO (Acting). Our business IT environment has evolved dramatically over this timeframe, in technology advances as well as in operational and fiscal challenges.
May 1, 2014
A significant vulnerability has recently been identified in Microsoft Internet Explorer versions 6 through 11. This vulnerability allows cyber attackers remote access and control of users' systems through websites hosting malicious code. In order to take advantage of this vulnerability, attackers will attempt to lure users to contaminated sites using phishing attacks.
by Robert C. Hembrook - April 11, 2014
Recent news articles have discussed a newly discovered cybersecurity vulnerability given the nickname "Heartbleed." Heartbleed involves the Secure Sockets Layer (SSL), which enables secure transactions across the World Wide Web (e.g., https sites). Without SSL, everything you send over the Internet is sent in clear text, and can be read by anyone on your network. SSL helps encrypt data so that only the sender and ...
May 20, 2013
"Phishing" is a criminal activity in which an adversary attempts to fraudulently acquire sensitive information by impersonating a trustworthy person or organization via email. "Spear phishing," however, takes this email threat to a new level.
April 9, 2013
National Initiative for Cybersecurity Careers and Studies (NICCS) aims to be a single online resource for cybersecurity education and career information. As part of that effort, NICCS houses a Cybersecurity Education and Training Catalog that allows users to find training they need to advance their careers.
December 3, 2012
The Department of the Navy Chief Information Officer Privacy Office reports that 80 percent of all "high-risk" personally identifiable information (PII) breaches involve the Social Security Number (SSN). Recent DON and Department of Defense policy guidance outlines steps that reduce or eliminate the collection, use, display and maintenance of the SSN in DON business practices. As a result, commands are now authorized to ...
November 19, 2012
The upcoming Thanksgiving holiday marks the beginning of the annual holiday shopping season. Every year, more people turn to the Internet as a way to find bargains and conveniently fulfill their shopping list. Before you start your holiday shopping, remember to make sure security measures are in place and you understand the consequences of your actions and behaviors to safely enjoy the benefits of the Internet.
August 24, 2012
The Information Assurance Scholarship Program (IASP), authorized by Chapter 112 Title 10 United States Code, is designed to increase the number of qualified personnel entering the information assurance (IA) and information technology fields within the Department. It also serves as a mechanism to strengthen the IA infrastructure through grants, while assisting the Department in addressing emerging IA/IT issues, and as a ...
August 24, 2012
Scholarships are being offered for Department of the Navy civilian and military personnel through the Department of Defense Information Assurance Scholarship Program to meet the increasing demand for cyber/information technology professionals with a cybersecurity/information assurance (CS/IA) focus. These scholarships for master's and doctorate level work cover the cost of tuition, fees, and books. They can be used for ...
May 30, 2012
The Department of Defense Chief Information Officer has announced a decision to cease the issuance of software Public Key Infrastructure (PKI) certificates to its "Five Eyes" (FVEY) partner nations (Australia, New Zealand, Canada and the United Kingdom). A memo released on May 8, 2012, states that starting May 31, 2012, the FVEY partner nations that interact with the DoD on the Nonsecure Internet Protocol Router Network ...
May 11, 2012
The Navy Marine Corps Intranet (NMCI) continues to improve its security profile by increasing the use of smartcard credentials for network authentication. The network has established interoperability with Personal Identity Verification (PIV) smartcards issued by non-Department of Defense agencies and departments. ...
by Gretchen Kwashnik - January 17, 2012
The federal government's "cloud first" policy, as part of the Federal Chief Information Officer's "25 Point Implementation Plan to Reform Federal Information Technology Management," requires federal agencies to consider cloud computing before making new IT investments and to move at least three applications to the cloud by May 2012.
by Steve Muck - January 12, 2012
The following is a recently reported personally identifiable information (PII) data breach involving the posting of a large number of documents containing PII on an activity's shared drive. Incidents such as this will be reported in CHIPS magazine to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer Privacy ...
by Jessica Pelenberg - November 18, 2011
As the quest for cost saving efficiencies rages on, three government officials spoke about the challenges their organizations are facing and their plans to tackle them at the Fifth Annual C5ISR Government and Industry Partnership Conference held Nov. 16, in Charleston, S.C.
by Jennifer M. Ellett - October 27, 2011
Certification and accreditation (C&A) transformation is an initiative to align processes, terminology and frameworks for assessing information security risk across all federal agencies, including the defense and intelligence communities. This effort will provide efficiencies, standardization and support to reciprocity.
by Steve Muck & Steve Daughety - October 27, 2011
The following is a recently reported personally identifiable information (PII) data breach involving a Department of the Navy support contractor who improperly handled PII. Incidents such as this will be reported in CHIPS magazine to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the DON Chief Information Officer Privacy Office.
by Mike Hernon - October 27, 2011
The Department of the Navy anticipates that personnel will begin teleworking in significant numbers when a new telework policy is released shortly. As a result, there will be explosive growth in the number of users who need to connect to the Navy Marine Corps Intranet and other government networks from remote locations, primarily from a home office, but also from other locations via cellular or Wi-Fi networks.
October 10, 2011
The Department of the Navy Chief Information Officer reiterated standing policy on what is considered acceptable use of DON IT resources for official and authorized unofficial purposes with the release of the Oct. 3 message, "Acceptable Use Policy for DON IT Resources."
by Floyd Groce and Karen M. Davis - August 15, 2011
As all personnel within the Department of Defense and across the federal government are well aware, this is an era of increased budget scrutiny. However, with this scrutiny comes a new opportunity to assess and advance how DoD operates and to improve efficiency across a wide variety of business units and operations. As a significant budget item, the massive information technology infrastructure is no exception and offers ...
by Terry Halvorsen - July 27, 2011
The Department of the Navy must change the way it manages its business information technology (IT) systems. It is the reality of these fiscally constrained times; and frankly, it is the right thing to do as good stewards of taxpayer money.
by DON CIO Privacy Team - July 18, 2011
The purpose of this tip is to reinforce existing DON policy regarding digitally signing and encrypting emails that contain personally identifiable information (PII).
July 7, 2011
The Department of the Navy Chief Information Officer released guidance directing the Department's migration to the use of a stronger cryptographic hash algorithm in data security authentication procedures such as CAC logon and digital signatures.
by Terry Halvorsen - May 4, 2011
Why is the Department of the Navy aggressively pursuing information technology efficiencies? There are a number of contributing factors that led to the recent focus on efficiencies, but the primary catalyst is the realization by Department of Defense and DON leadership that from a fiscal perspective we cannot continue to do business the same old way, or it will adversely affect our ability to direct necessary resources ...
May 3, 2011
The process for requesting waivers for systems that have not been properly Public Key Enabled (PKE) has been updated. System owners requesting a PKE waiver must now also assert the system's overall compliance with the DON Enterprise Architecture.
March 28, 2011
Three information technology leaders from the Department of the Navy were among this year's Federal 100 Award winners. Federal Computer Week magazine presents the award to 100 professionals from government, industry and academia who have played pivotal roles in affecting how the Federal Government acquires, develops and manages IT.
by Steve Muck - February 7, 2011
Human error is the cause of 80 percent of the DON's PII breaches. Not knowing or not following guidance, or just being careless can result in the unintended disclosure of privacy sensitive information and potentially adversely affect many personnel.
October 29, 2010
The Department of Defense Deputy Chief Information Officer recently published a memo for Department-wide distribution on DoD acceptance and use of qualified Personal Identity Verification-Interoperable (PIV-I) credentials for access to DoD logical and physical resources.
August 30, 2010
The Department of the Navy Chief Information Officer has signed out SECNAVINST 5239.21: "Department of the Navy Electronic Signature Policy," making electronic signatures the preferred means of conducting business transactions within the Department.
July 8, 2010
To ensure continuous oversight and sustainment of the Information Assurance Workforce Improvement Program, the Department of the Navy signed out a new instruction that further defines cybersecurity and information assurance workforce management and assigns compliance responsibilities.
by Mike Hernon, Tony Soules and Bob Turner - May 22, 2010
Not a week goes by without an inquiry to the Department of the Navy Chief Information Officer or the Navy or Marine Corps Designated Approving Authority (DAA) regarding the desire to bring a commercial wireless device, usually a BlackBerry, into restricted areas where classified information is discussed, stored or otherwise processed.
by James Mauck - May 18, 2010
The Secretary of Defense has embraced public key cryptography as a critical component of defense-in-depth and contributor to the overall Department of Defense information assurance (IA) strategy for protecting its information and networks. DoD Instruction 8520.2, "Public Key Infrastructure (PKI) and Public Key Enabling (PKE)" establishes the requirements for PK-enabling all email, private web servers and networks.
by Christopher Perry - May 18, 2010
Achieving and maintaining information dominance will require continuous and timely advances in both technology and operational processes. Cloud computing is one such rapidly emerging area of technology and operations that the Department of the Navy is already planning for and beginning to pilot. To achieve information dominance, it is vital that all new technologies and processes, such as cloud computing, be thoroughly ...
May 5, 2010
As a result of lessons learned during the first year of its execution, the Department of the Navy Platform Information Technology (PIT) policy has been updated to include several key provisions.
by Steve Muck - March 8, 2010
The following is a recently reported compromise of personally identifiable information (PII) involving the disposal of copiers containing personal information stored on their hard drives. Incidents such as this will be reported to increase PII awareness. Names have been changed or removed, but details are factual and based on reports sent to the DON CIO Privacy Office.
by Mike Hernon - March 4, 2010
For years now, Navy Marine Corps Intranet (NMCI) users have jealously eyed the laptop-wielding, Wi-Fi-connected masses in coffee shops, hotels and airports as they turned idle time into productive time. Barred from full network access, NMCI users on the go had to settle for cellular phones, air cards and Outlook Web Access to provide mobile support. While these capabilities provide some fairly productive mobility tools, ...
by Sonya Smith - February 26, 2010
The December 2008 report written by the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency, "Securing Cyberspace for the 44th Presidency," began with one central finding: "The United States must treat cybersecurity as one of the most important security challenges it faces."
by DON CIO Privacy Team - February 25, 2010
The Department of the Navy, Department of Defense and Office of Management and Budget (OMB) have mandated the protection of data at rest (DAR) on all unclassified network seats/devices. NMCI is implementing a solution using GuardianEdge Encryption Anywhere and Removable Storage software to meet these requirements. All data in computer storage as well as data written to a removable storage device will be encrypted. This ...
February 17, 2010
Ten information technology leaders from the Department of the Navy were among this year's Federal 100 Award winners. Federal Computer Week magazine presents the award to 100 professionals from government, industry and academia for their efforts in effecting change, progress and efficiency in determining how the Federal Government acquires, develops and manages IT.
by DON CIO Privacy Team - January 1, 2010
ALNAV 070/07 Department of the Navy Personally Identifiable Information (PII) Training Policy states that, "Commanders/Commanding Officers/Officers in Charge will ensure that supervisors conduct a spot check of their assigned area of responsibility, focusing on those areas that deal with PII on a regular basis (e.g., human resources, personnel support, medical, etc.)." The ALNAV also states that the compliance spot check ...
December 28, 2009
The Department of the Navy Chief Information Officer team is mourning the loss of their esteemed colleague Dr. Richard W. Etter, who served more than 34 years in the Department of the Navy, most recently as the DON CIO Director of Cybersecurity and Critical Infrastructure and the DON Deputy Senior Information Assurance Officer for Computer Network Defense. Dr. Etter died of a heart attack Monday, Dec. 21, 2009, while at ...
by Steve Muck - November 29, 2009
The following is a recently reported compromise of personally identifiable information (PII) involving the theft of storage media containing personal information. Names have been changed or removed, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer Privacy Office.
by Christy Crimmins - November 17, 2009
The use of social media has become a popular topic within the Department of the Navy, Defense Department and across the federal government. As agencies begin to venture into this media, whether it is creating an agency Facebook page or updating constituents via Twitter, precautions must be taken and risks should be assessed. While these tools open up many avenues for broader communication and collaboration, they also ...
by Mike Hernon and Bob Turner - November 12, 2009
Delivering a robust enterprise mobility capability to the Department of the Navy workforce requires leveraging various wireless tools at our disposal. One such tool, Short Message Service (SMS), or text messaging, is often overlooked but can provide significant benefits when used appropriately.
by DON CIO Privacy Team - November 4, 2009
A successful command privacy program must include an aggressive records review and disposal component. While hard copy files cannot be ignored, the volume of electronic data files is a much larger issue and must be aggressively addressed by local commands/units.
by DON CIO Privacy Team - October 6, 2009
Two recent personally identifiable information (PII) breach incidents involving the turn in of reproductive office equipment highlight the fact that many people do not know that copiers and printers present information security challenges.
by Tom Kidd - August 19, 2009
Whether wireless voice, video or data, the number of wireless applications is increasing. Wireless capabilities can be as simple as a wireless doorbell system or as complex as a naval unmanned aerial system providing real-time intelligence to forward-deployed Marines and Sailors. While the use of wireless systems is certainly advantageous for mobile requirements, wired systems retain a number of inherent benefits for ...
August 3, 2009
The Department of Defense has recently published the DoD Information Systems Certification and Accreditation (C&A) Reciprocity Memo signed by the DoD Principal Accrediting Authorities - senior officials who represent the interests of the Global Information Grid Mission Areas for C&A.
June 26, 2009
SECNAVINST 5239.3B: "DON Information Assurance Policy" was recently signed establishing IA policy for the Department of the Navy consistent with national and Department of Defense policies. With its 56 references, it provides IA policy for the Department over a broad spectrum, and assigns responsibilities in the DON for developing, implementing, managing and evaluating DON IA programs, policies, procedures and cont
June 19, 2009
Dr. Richard W. Etter, deputy senior information assurance officer, discusses how the Computer Network Defense (CND) Roadmap highlights the direction the Department of the Navy is heading in terms of future CND capabilities in this recent Washington Technology eSeminar. He also discusses the Department's goal to be more advanced, persistent and sophisticated with the CND t
by DON CIO Privacy Team - June 1, 2009
Why should you protect your personal information? To an identity thief, it can provide instant access to your financial accounts, your credit record and your other personal assets. If you think that no one would be interested in your personal information, think again.
May 26, 2009
The Department of the Navy Chief Information Officer recently signed the DON Information Assurance and Certification and Accreditation Concept of Operations (CONOPS).
May 8, 2009
The Department of the Navy Senior Information Assurance Officer (DON SIAO) recently signed the "Department of the Navy Computer Network Defense (CND) Roadmap."
by DON CIO Privacy Team - May 1, 2009
As cell phones and personal digital assistants (PDAs) become more technologically advanced, attackers are finding new ways to target victims. By using text messaging or email, an attacker could lure you to a malicious site or convince you to install malicious code on your portable device.
by Steve Muck - April 22, 2009
The following is a recently reported compromise of personally identifiable information (PII) involving the transmission of an unencrypted e-mail which contained National Security Personnel System (NSPS) performance ratings of employees within a Navy region. Names have been changed or removed, but details are factual and based on reports sent to the DON CIO Privacy Office.
by DON CIO Privacy Team - March 6, 2009
If the Department of the Navy eliminated the use of Social Security numbers (SSN) from email, forms, documents and electronic information technology systems, 80 percent of the personally identifiable information (PII) breaches reported in 2008 would never have occurred. The March Privacy Tip of the Month explores the relationship between SSNs and identity theft. It also provides approaches to reducing the display, ...
by Steve Muck - February 20, 2009
The following is a reported loss or breach of personally identifiable information (PII) involving a Department of the Navy information system with lessons learned from the event. Names have been changed or removed, but details are factual and based on reports sent to the DON Privacy Office.
February 2, 2009
The Department of the Navy enterprise solution for protection of sensitive Data at Rest (DAR) on non-NMCI assets is now available. Implementation of this solution enables compliance with DoD and DON requirements associated with protection of personally identifiable information (PII) and other types of sensitive DAR on mobile computing devices and portable storage media.
by DON CIO Privacy Team - February 1, 2009
During the past year, the Department of the Navy has experienced problems relating to turning in excess information technology and office equipment that contain personally identifiable information (PII).
January 13, 2009
The Department of the Navy released its Federal Information Security Management Act (FISMA) Goals for FY09 in Naval message DTG 081605Z JAN 09. This Naval message provides requirements for individual systems to achieve and maintain 100 percent compliance with the required certification and accreditation, annual security review, annual testing of security controls, and annual evaluation of contingency plans.
January 9, 2009
In light of the increased reliance on information systems and the increased visibility of cyber security and the number of attacks on systems, the criticality of consistent and thoughtful risk management has been recognized by senior leaders throughout the government.
January 1, 2009
During the past year, the Department of the Navy has experienced a few documented cases of identity theft linked to the loss of government privacy information. The December 2008 Privacy Tip focused on how thieves steal identities, what they do with the personal information they obtain, and general information about identity theft. This Privacy Tip is reproduced from Department of Justice guidance found on its
December 1, 2008
During the past year, the Department of the Navy has experienced a few documented cases of identity theft linked to the loss of government privacy information. This Privacy Tip focuses on how thieves steal identities and what they do with that personal information, as well as general information about identity theft.
November 1, 2008
As outlined in a recently published memo, the Department of the Navy endorses the secure use of Web 2.0 tools to enhance collaboration, streamline processes and foster productivity.
by Yuh-Ling Su - October 29, 2008
Process and Security Improvements Under DIACAP
On November 28, 2007, the most significant change in security policy in 10 years occurred when the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) replaced the DoD Information Technology Security Certification and Accreditation Process (DITSCAP).
The Department of the Navy commenced full transition to DIACAP on March ...
September 8, 2008
The U.S. General Services Administration awarded Blanket Purchase Agreements (BPAs) to assist Federal agencies in protecting the confidentiality of personal credit and payment information, as well as providing a fast and effective solution for Federal agencies needing commercial-off-the-shelf credit monitoring services, according to its web site.
September 1, 2008
Recent personally identifiable information (PII) breach reports highlight the need to conduct searches of shared drives throughout the Department to protect employees’ personal information and reduce the risk of identity theft. PII is found most often in documents related to awards, medals, legal issues, medical records and financial data.
by Steve Muck - August 6, 2008
The following is a synopsis of a recently reported loss or breach of personally identifiable information (PII) that highlights common mishandling mistakes made by individuals within the Department of the Navy.
Names have been changed, but details are factual and based on reports sent to the DON Privacy Office.
August 1, 2008
Peer-to-Peer (P2P) networks link computers directly, allowing users to swap digital movies, music and files with other users without centralized security controls or oversight.
July 28, 2008
The recently released Department of the Navy Cyber Crime Handbook provides an overview of the definitions, criminal techniques, electronic laws, incident reporting and responses regarding cyber threats to DON personnel and the Department's global network infrastructure.
July 21, 2008
The DON DoD Information Assurance Certification and Accreditation Process (DIACAP) Handbook provides a comprehensive guide for executing certification and accreditation (C&A) processes within the Department of the Navy.
July 11, 2008
An enterprise solution to encrypt DON data-at-rest (DAR) for non-Navy Marine Corps Intranet (NMCI) networks is anticipated to be available this fall from the Department of Defense Enterprise Software Initiative/SmartBUY Enterprise Software Agreements.
July 1, 2008
Phishing is a criminal activity in which an adversary attempts to fraudulently acquire sensitive information by impersonating a trustworthy person or organization. Examples of such practices include manipulated emails that appear to be from the Department of the Navy, Navy Federal Credit Union, Navy Knowledge Online or other recognizable contacts.
June 13, 2008
Whether due to carelessness or theft, the loss of laptops and other portable electronic devices (especially thumb drives) continues to be one of the top contributors to the loss of personally identifiable information (PII).
June 9, 2008
The International Association of Privacy Professionals' (IAPP) mission is to define, promote and improve the privacy profession globally and is the world's largest association of privacy professionals representing more than 5,000 members from business, government and academia across 32 countries. It is the first organization to establish educational and testing credentials for information privacy, i.e., the Certified ...
by Steve Muck - May 14, 2008
The following synopsis of a recently reported loss or breach of personally identifiable information (PII) highlights common mishandling mistakes made by individuals within the Department of the Navy. Names have been changed, but details are factual and based on reports sent to the DON Privacy office.
May 13, 2008
The scenario: You are at the airport waiting for your flight. With time to kill, you are thinking of connecting your laptop to the airport’s Wi-Fi to check your office e-mail, do some personal banking or shop for a gift for your spouse.
However, chances are there is a hacker sitting nearby with a laptop attempting to “eavesdrop” on your computer to obtain personal data that will provide access to ...
April 1, 2008
An instruction that establishes the Department of the Navy’s Computer Network incident response and reporting policy was recently signed out by the DON Chief Information Officer.
by Steve Muck - February 8, 2008
The following is a synopsis of a recently reported loss or breach of personally identifiable information (PII) that highlights common mishandling mistakes made by individuals within the Department of the Navy. Names have been changed, but details are factual and based on reports sent to the DON Privacy Office.
February 10, 2017
Below please find the dial-in conference numbers and DCS URLs for the DON IT Conference sessions being held Feb. 21-23, 2017.
January 30, 2017
Reporting the Loss, Suspected Loss or Compromise of PII
DON CIO Privacy Team
DON CIO Explains Top Focus Areas
The Evolution of Infrastructure
by DON CIO Privacy Team - December 15, 2016
The following privacy presentations are provided for reference and use in developing future presentations and briefings.
November 2, 2015
The Department of the Navy Chief Information Officer has created press-quality posters to help communicate the importance of protecting and properly handling personally identifiable information (PII).
September 23, 2015
When DoD adopted the NIST control catalog (NIST SP 800-53) and published the baselines, the DoD provided values for many of the NIST controls that had organizationally defined values; however, they determined that some values should not be determined at the DoD Enterprise level. This spreadsheet was developed by the DON CIO, in coordination with the DON services, to recommend the roles within the DON that make the value ...
May 21, 2015
The DON Cloud Security Information Impact Level Matrix is intended to assist Mission Owners/Program Managers in determining security information impact levels as they apply to appropriate hosting environments.
by DON CIO Privacy Team - March 24, 2014
The personally identifiable information (PII) brief attached below was presented at the Department of the Navy IT Conference, West Coast 2014 and is provided as a reference and for use in developing other PII presentations.
by DON CIO Privacy Team - March 4, 2013
The Department of the Navy Users Guide to Personally Identifiable Information (PII) is provided as a convenient desk reference that can be printed as a brochure and distributed to increase awareness throughout the Department.
February 21, 2013
The Department of the Navy Information Technology Policy Roundup for fiscal year (FY) 2013 provides a summary of policies affecting IT projects and programs. For more detail, please review the entire policy at the links provided.
February 11, 2013
Section 208 of the E-Government Act of 2002 establishes government-wide requirements for conducting, reviewing and publishing Privacy Impact Assessments (PIA). The PIA directs agencies to conduct reviews of how privacy issues are considered when creating or purchasing new information technology (IT) systems or when initiating new electronic collections of information in identifiable form. A PIA addresses privacy factor
by DON CIO Privacy Team - October 26, 2012
The following is a list of topics with questions that are frequently asked of the Department of the Navy Chief Information Officer Privacy Team. Responses have been provided and, in many cases, there are added references to the guidance that is cited. Please provide the Privacy Team additional questions so they may be added to the list.
September 13, 2012
This toolkit assists individuals in developing, tracking, and managing their careers and facilitates competency management for the information management/information technology and knowledge management (KM) professional at the organizational level.
March 15, 2012
The table below provides FY2013 Unique Investment Identifiers (UIIs), formerly Unique Project Identifiers (UPIs), for Department of the Navy information technology systems. The UII is required when completing a Privacy Impact Assessment (PIA).
January 20, 2012
This checklist is an internal Department of the Navy document to be used by command leadership to assess the level of compliance in the handling of personally identifiable information as delineated by law and/or specific DoD/DON policy guidance. As commands adapt this checklist for their own use, their checklists will be posted here as a resource for others.
by DON CIO Privacy Team - May 31, 2011
The following resources are provided to support the Department of the Navy's annual privacy training and semi-annual compliance spot-check requirements. Note: The GENADMIN (DTG 181905Z DEC 08) training requirement supersedes the ALNAV 070/07 training requirement. The compliance spot-check requirements of the ALNAV remain in effect.
by DON CIO Privacy Team - August 5, 2010
The following guidelines are provided for the proper destruction of Department of the Navy hard drives.
August 20, 2009
Following the July release of Assistant Secretary of Defense (Networks and Information Integration) Directive-Type Memorandum (DTM) 08-027: "Security of Unclassified DoD Information on Non-DoD Information Systems," many questions have arisen concerning the requirements for this DTM. Below is a list of the most commonly asked questions and their answers.
by DON CIO Privacy Team - June 23, 2009
Welcome to the Department of the Navy Chief Information Officer Privacy Team recommended reading list. This list will be periodically updated.
by DON CIO Privacy Team - June 19, 2009
The identity theft brief attached below was presented at the 2012 Department of the Navy IM/IT Conference and is provided as a reference and for use in developing other PII presentations.
by DON CIO Privacy Team - June 19, 2009
The Privacy Impact Assessment (PIA) brief attached below was presented during the 2012 Department of the Navy IM/IT Conference and is provided as a reference and for use in developing other PIA presentations.
by DON CIO Privacy Team - May 29, 2009
The following provides the proper routing for Navy and Marine Corps Privacy Impact Assessments (PIAs). The last two signature blocks on the DoD PIA Template (DD FORM 2930 NOV 2008) are reserved for (1) the DON Privacy Act Program Manager (DNS-36) or USMC Privacy Act/FOIA Officer and (2) the DON CIO.
March 2, 2009
An Office of Management and Budget (OMB) Information Collection Number is required when collecting information from 10 or more members of the public in a 12-month period and is used in completing the Privacy Impact Assessment (PIA) Template.
by DON CIO Privacy Team - March 2, 2009
The following resources are provided to assist with the privacy impact assessment submission process.
February 20, 2009
This document attempts to address the common issues encountered as a privacy impact assessment moves its way through the review and approval process. Consider this a "living" document and help us improve its content and usefulness.
February 20, 2009
This document provides examples of possible responses to the privacy impact assessment (PIA) template questions that deal with the risks associated with the electronic collection of personally identifiable information and the ways to mitigate those risks.
February 6, 2009
The Platform Information Technology (PIT) Determination Checklist is provided to assist acquisition program managers in assessing the characteristics of a proposed IT system or component to determine if it is a Platform IT candidate and, therefore, subject to information assurance implementation.
Note: Two versions of the PIT checklist are posted below. The "pdf" version is for manual submission; the "doc" version ...
January 23, 2009
The DON Privacy Quiz highlights basic personally identifiable information (PII) knowledge and policy information that all DON personnel should be familiar with. It is recommended that command/unit privacy officials use this quiz (attached below) as a training aid that can be specifically tailored to local use. Please provide feedback on how to make this a better tool by submitting your comments to the DON CIO Privacy Team via ...
January 21, 2009
The following breach-related resources are provided to aid in reporting the loss or suspected loss of personally identifiable information (PII).
January 20, 2009
The attached brief provides background information, the resultant responses and best practices developed by the Bureau of Naval Personnel related to the sensitivity to the loss of personally identifiable information of DON personnel. Also attached is a transcript from the presentation.
December 19, 2008
In addition to the privacy resources and information available on the DON CIO website, the following list of websites provides further information on privacy and identity theft prevention.
November 26, 2008
The new Department of Defense Privacy Impact Assessment Template has been published and is available for use by Army, Navy, Air Force, DISA, OSD/JS, DLA, TMA and DFAS. The link provides access to the Word and fillable PDF versions of DD FORM 2930 on the DoD forms web site.
August 15, 2008
Commands reporting a loss or suspected loss of personally identifiable information (PII) will be contacted by the Department of the Navy Chief Information Officer Privacy Team to determine if individual notifications are required. The decision to notify will be based on the nature of the PII compromised and the resultant level of risk of identity theft. If the command is faced with notifications and cannot locate the ...
July 22, 2008
The DON Table of Potential Consequences and Penalties for the Mishandling/Improper Safeguarding of PII was developed with legal assistance from the Department of the Navy’s Office of Civilian Human Resources and its Workforce Relations and Compensation Division, the Office of the Judge Advocate General, and the Office of the DON CIO.
July 10, 2008
The Department of the Navy Cyber Crime Handbook contains an overview of the definitions, criminal techniques, electronic laws, incident reporting and responses regarding the cyber threats to Department personnel and the global infrastructure we rely on.