ANNISTON ARMY DEPOT, Ala. -- Like technology itself, information technology policies and procedures have changed rapidly. One such change is the frequency of signing the Acceptable Use Policy, or user agreement.
This agreement is the document signed to gain access to the Army network.
In the past, you only had to sign it one time. This was supposed to last you a lifetime of computer usage.
At the time, the signed document was either maintained via hardcopy by the information assurance security officer, the Cybersecurity Office or both.
We have come a long way since those days. Today, the user agreement is signed annually and stored digitally, usually when you do your information assurance training.
It is also tracked. If the document is not signed, the user is not allowed on the network. This is mandated and tracked via multiple layers from NETCOM to TACOM to the local Cyber Office.
Like any regulatory document, the AUP has a multitude of rules we must adhere to.
First, you are “accessing a U.S. government system for authorized use only.” This is pretty self-explanatory. The system belongs to the U.S. Government and, specifically, Anniston Army Depot.
Then, there is the consent portion. If you use a government computer system, the data or information on it is not private and you consent to monitoring, search and seizure.
The systems we have are scanned and monitored constantly, often four or five times per week, by TACOM, NETCOM, 2RCC and ARCyber.
We are also inspected frequently. When teams come here, they scan the network again and use various types of scanning tools looking for specific noncompliant/malicious content.
The consent to monitoring is mentioned several times in the AUP. This is, of course, by design.
Later in the agreement, it states using your government system is a revocable privilege.
Most of us cannot do our jobs without a computer system. What will happen if you lose the privilege and aren’t able to do your job?
Often, people misinterpret the revoking of privileges for an IT system as a disciplinary action. It is not. Discipline is between the user and their supervisor.
When the Directorate of Information Management revokes a privilege, it is always to protect the network.
Maintaining our accreditation is a constant process. If our network is disconnected due to one individual and their malfeasance, imagine the millions of dollars and costs associated. Protecting the network and data is our principal mission.
The AUP also states, “I have a responsibility to safeguard the information contained on the system.”
While the Cybersecurity function is located in DOIM, “the ultimate responsibility for the protection of information lies with the user.”
Cybersecurity has a staff of nine individuals and ANAD computer usage is approximately 3,500 users. The depot’s digital footprint is vast and growing by the week.
We need everyone ensuring data safety and protection. Could you imagine if our payroll records, drawings or other essential documents got lost?
The AUP mentions AR25-2. I encourage you to read this regulation, which can be found on armypubs.army.mil. The AR25-2 is a deep dive on the do’s and don’ts in the IT world. Many of the regulations listed in the AUP, which cross reference to AR25-2, are punishable under Article 92 of the Uniform Code of Military Justice.
Minimum security rules and requirements, stated in paragraph 7 of the AUP, detail what will happen to violators and mandate you sign the AUP and complete IA training.
The AUP also discusses safeguarding your common access card, or CAC. This is a very critical subject.
When an inspector comes from the Defense Information Systems Agency or NETCOM, if they notice an unattended card it is automatically a CAT 1 finding and we fail the inspection.
This is another way you, the user, must assist DOIM in safeguarding your data and systems.
It is possible an inspector may want to go inside one or more of the hundreds of buildings here. If they walk in your building and notice your CAC unattended, the inspection stops immediately and ANAD fails the inspection.
It is a good habit to ensure you take your CAC with you when you leave your area. Another good habit, mentioned in the AUP, is using screen locks or logging out when you leave an area.
I remember a story from the Department of Defense Dependents School in Bahrain, regarding a teacher who left the classroom for a few minutes. While she was gone, a student, using her computer, wrote a scathing email about the principal, superintendent and some of the other teachers and staff and sent it to the worldwide DOD school system.
Obviously, it looked like the teacher sent the email. The teacher was severely reprimanded and the student was expelled. It took some time for the teacher to prove it wasn’t her who sent it. She was fortunate the other students spoke up. The bottom line, again, is please protect your systems and your CAC.
Under section 7.s. (1) in the AUP it says, “I will not use Information Systems for unethical purposes (e.g. Spam, abuse, profanity, sexual misconduct, pornography, gaming, extortion, for-profit activity, partisan political activity).” Again, you risk revocation with any of these violations.
Other key statements in the AUP are:
• “I will not modify the system equipment or software without DOIM authorization, use it in any manner other than it’s intended purpose, introduce malicious software or code, add user configurable or unauthorized software, (for example instant messaging or peer to peer applications.”
• “I will not change Information Systems (IS) equipment or the network connectivity without DOIM authorization…”
The AUP regulations are in place for a reason. I encourage you to read the AUP and follow its guidelines.
You can view the AUP here: https://tacom.aep.army.mil/sites/ANAD/Documents/ANAD%20AUP.pdf.
Remember, it takes all of us to ensure our data and network is safe.
If you have questions or concerns, contact the DOIM Help Desk at Ext. 4357.