The Department of the Navy (DON) continues to issue policy to improve its processes and better ensure that the personally identifiable information (PII) of its employees and the public is protected from compromise. One particular topic of concern is the process of electronic scanning. This is one of the areas recently addressed in the DON Chief Information Officer (CIO) policy message issued DTG 171625Z Feb 12, "Department of the Navy Social Security Number (SSN) Reduction Plan Phase III".
The following scanning restrictions went into effect Oct. 1, 2012. They do not apply to scanners or multifunctional devices (MFD) directly connected to a user's workstation.
- Network-attached MFDs and scanners that employ a "scan to email" function may be used only if the sender can verify that the intended recipients are authorized to access the scanned file (i.e., have an official need to know). The MFD or scanner must also encrypt the email message containing the scanned file.
- Network-attached MFDs and scanners that employ a "scan to file" or "scan to network share" function may be used only if the sender can verify that all users are authorized to have access to the scanned file or network share location. If the "scanned to" location access is unrestricted, as soon as a scanned file arrives at the "scanned to" location, the owner of the document must remove it and save it to a secure location.
When emailing a scanned document, the requirements for any email that contains PII apply. The email must be digitally signed and encrypted, and the body of the email must be marked "FOR OFFICIAL USE ONLY (FOUO) - PRIVACY SENSITIVE. Any misuse or unauthorized disclosure may result in both civil and criminal penalties," and all recipients must have an official need to know. Finally, the subject line of an email should never contain PII because only the body of an email is encrypted when sent.
Steve Daughety provides support to the DON Chief Information Officer privacy team.