United States Department of Transportation - Federal Highway Administration

FHWA Information Systems - UPACS Terms and Conditions of Use/Rules of Behavior



Revised on May 22, 2024
 
Terms and Conditions of Use
You are attempting to access a Federal computer system, which is the property of the United States Government. It is for authorized use only.

Unauthorized access to this United States Government computer system is prohibited by Title 18, "Crimes and Criminal Procedure", United States Code, Section 1030, "Fraud and Related Activity in Connection with Computers." Knowingly or intentionally accessing the computer system without authorization or with intent to defraud could result in a fine, imprisonment, or both.

To protect the system from unauthorized use, system administrators monitor this system. Anyone using this system expressly consents to such monitoring and is advised that if monitoring reveals possible evidence of criminal activity, such evidence may be provided to law enforcement officials.

Unauthorized or improper use of this system will result in administrative disciplinary action and civil and criminal penalties.

By continuing to use this system you indicate your awareness of and consent to the following "Rules of Behavior".

IT Rules of Behavior (RoB) and User Agreement for General Users

  1. This document describes the responsibilities and expected behavior of all individuals that have access to DOT information resources. DOT personnel are responsible for exercising good judgment regarding the appropriate use of DOT resources in accordance with applicable federal and DOT policies, standards, and guidelines. DOT RoB apply to users at their primary workplace and alternative workplaces, including but not limited to teleworking or remote work sites, satellite sites, and while traveling. By accessing DOT IT resources (networks, systems, websites, applications, databases, information, data, devices, and/or media), personnel agree to adhere to the RoB. The RoB does not create any right or benefit, substantive or procedural, enforceable by law by a party in litigation with the U.S. Government.

  2. The RoB must be signed before access is provided to a new user of DOT information and information systems. Thereafter, the DOT RoB must be signed annually by all users of DOT information and information systems. This signature indicates agreement to comply with the RoB, and refusal to sign the DOT RoB will result in a denial or revocation of access to DOT information and information systems. Any refusal to sign the DOT RoB may have an adverse impact on employment with DOT.

  3. The RoB may be signed electronically, as part of Security and Privacy Awareness training, or in hard copy. If signed using the hard copy method, the user should initial and date each page and provide the information requested under Acknowledgement and Acceptance.


    Rules of Behavior for General Users

  4. Access to DOT information technology, information, and other computing resources is provided to enable users to perform their official duties and meet the daily operational and mission requirements of the agency. DOT IT resources are intended for official use with limited personal use. Personnel are permitted to have limited personal use of DOT IT resources, including government-furnished equipment (GFE) (e.g., laptops, mobile devices, conference software and other) only when the personal use shall:

    1. Involve no more than minimal additional expense to the government,

    2. Be minimally disruptive to personnel productivity,

    3. Not interfere with the mission or operations of DOT, and

    4. Not violate federal law, mandates (including license agreements), and DOT security and privacy policies.


  5. DOT expects personnel to conduct themselves professionally in the workplace and to refrain from using GFE, DOT email, websites and applications (e.g., DOT social media sites and cloud services, etc.) or other DOT information resources for activities that are not related to any legitimate DOT business purpose, except for the limited personal use stated above. Personnel shall not misuse DOT information and IT resources or conduct unapproved activities using DOT information and IT resources; therefore, DOT strictly prohibits the following activities:

    1. Activities that could cause congestion, delay, or disruption of service to any DOT IT resource (e.g., sending chain letters via email, streaming video not directly related to the DOT mission, games, music, etc.),

    2. Viewing, accessing, downloading, uploading, and/or sharing pornographic and sexually explicit materials or other offensive graphic content,

    3. Using DOT IT resources for activities that violate DOT discrimination and anti-harassment policies or other conduct and ethical rules,

    4. Conducting or supporting commercial “for-profit” activities, managing outside employment or business activity, or running a personal business,

    5. Engaging in any outside fund-raising, endorsing any product or service, lobbying, or engaging in partisan political activity,

    6. Creating a website or social media site on behalf of DOT or uploading content to a website or social media site without proper official authorization,

    7. Using personal devices or third-party systems, storage services, or applications (e.g., Dropbox, Google Docs, mobile applications, etc.) to store, transmit, process DOT information, or conduct DOT business without proper official authorization,

    8. Accessing Sensitive information while in private and/or public spaces where unauthorized individuals or parties can view information,

    9. Using DOT credentials such as DOT email address, username, password, Personal Identification Verification (PIV) Card and PIV to access non-DOT system services, to create personal commercial accounts for the purpose of receiving notifications (e.g., sales discounts, marketing, etc.), setting up a personal business or service, website, or signing up for personal memberships that are not work related unless there is an explicit requirement, and approval to do so by supervisor and Component Information System Security Manager (ISSM).


      Access and Use of DOT Information Systems


  6. When accessing and using DOT information systems, I must:

    1. Comply with all federal and DOT cybersecurity, privacy, and records management policies,

    2. Have NO expectation of privacy in any records that I create or receive, or in my activities while accessing or using DOT information systems,

    3. Only use DOT-approved devices, systems, software, media, services, and data that I am authorized to use, including complying with any software licensing or copyright restrictions,

    4. Follow established procedures for requesting access to any DOT computer system and for notifying my DOT supervisor or designee when the access is no longer needed,

    5. Only use my access to DOT information and information systems for officially authorized and assigned duties,

    6. Log out of all information systems at the end of each workday,

    7. Log off or lock any DOT computer or console when leaving my workstation,

    8. Connect to DOT resources using DOT virtual private network (VPN).

    9. Use DOT email in the performance of my duties when issued a DOT email account.

  7. When accessing and using DOT information systems:

    1. I MUST NOT attempt to probe computer systems to exploit system controls or to obtain unauthorized access to DOT sensitive information,

    2. I MUST NOT engage in any activity that is prohibited by DOT policy,

    3. I MUST NOT configure or attempt to establish dual homing (e.g., merging networks with a DOT network connection and a non-DOT network connection, such as a modem or phone line or wireless network card, physically connected to any device at the same time) unless the dual connection is explicitly authorized,

    4. I MUST NOT host, set up, administer, or operate any type of Internet server or wireless access point on any DOT network unless explicitly authorized by DOT OCIO.

    5. I MUST NOT use DOT credentials or official email address to create social media accounts or subscribe to services or memberships for personal or non-DOT related activities,

    6. I MUST NOT click links or open attachments received via unsolicited email or text message or access web links received from untrusted sources,

    7. I MUST NOT configure applications or devices to auto-forward email messages to addresses outside the DOT network,

    8. I MUST NOT forward or copy DOT email messages containing sensitive information to any personal email account or addresses outside the DOT network unless explicitly authorized,

    9. I MUST NOT configure email client software to connect to personal email accounts or storage devices without explicit authorization,

    10. I MUST NOT download software to a DOT-owned system that is offered as free trials, shareware, or other unlicensed software from the internet or other publicly available sources,

    11. I MUST NOT disable or degrade software programs used by DOT that install security software updates on computer equipment used to connect to DOT information systems, or used to create, store, or use DOT information,

    12. I MUST NOT connect personal external media or technology to GFE, that could allow the loss of DOT data or unauthorized communication to external sources.


      Protection of DOT Equipment


  8. To protect DOT-issued devices, I must:

    1. Physically safeguard GFE including mobile devices (e.g., laptops, tablets, smartphones) and approved portable storage media when not in use,

    2. Safeguard DOT authorized portable storage devices containing DOT information, at work and remotely, using DOT approved and validated encryption, and

    3. Immediately report the loss or theft of DOT mobile devices to the DOT’s Security Operations Center (SOC). DOT SOC Phone: 1-866-580-1852, Option 1. DOT SOC Email: reportcyber@dot.gov.

  9. To protect DOT-issued devices:

    1. I MUST NOT use DOT-issued mobile phones as my primary personal phone as this is a violation of incidental personal use and I may be personally liable for any costs, e.g., overages on a data plan,

    2. I MUST NOT swap or surrender DOT hard drives or other storage devices to anyone other than an authorized DOT or Federal Law Enforcement,

    3. I MUST NOT reconfigure or modify DOT mobile device manager enabled security features and configuration,

    4. I MUST NOT attempt to override, circumvent, alter, or disable operational, technical, or management security configuration controls unless expressly directed to do so by authorized DOT OCIO personnel.

    5. I MUST NOT configure mobile devices to synchronize or connect to unapproved non-DOT related email or storage services,

    6. I MUST NOT tamper with GFE physical form factor or bypass configured security control measures,

    7. I MUST NOT reconfigure systems and modify GFE, install/load unauthorized/unlicensed software, or make configuration changes without proper official authorization, and

    8. I MUST NOT connect DOT-issued mobile devices to personal computers or personal devices (e.g., USB drives, gaming consoles, music drives, multi-media devices, etc.) for any reason including charging or downloading of images or files.


      Data Protection


  10. To protect data, I must:

    1. Only use GFE or an authorized alternate device to access DOT IT resources for official DOT business,

    2. Take all necessary precautions to protect DOT IT resources including but not limited to Personally Identifiable Information (PII), federal records, and other DOT information from unauthorized access, use, modification, destruction, theft, disclosure, loss, damage, or abuse,

    3. Disseminate DOT information to the public via email when authorized to do so and in the performance of my duties, using DOT approved methods for encryption,

    4. Handle government records according to the orders, policies, and regulations which govern them; including securely disposing of electronic media and papers that contain sensitive data when no longer needed, in accordance with the DOT Policy for Records Management and federal guidelines.

    5. Only use DOT-owned or approved encrypted storage media or devices to perform DOT work.


  11. To protect data:

    1. I MUST NOT use personal email, storage/service accounts or personal devices to conduct official DOT business or store, transmit, or process DOT data without official authorization,

    2. I MUST NOT transmit DOT sensitive information without encrypting using DOT approved methods.

    3. I MUST NOT store sensitive information in public drives, unauthorized devices/services or other unsecure physical (e.g., compact discs (CD), digital video discs (DVD), universal serial bus (USB) flash drives) or external storage devices.

    4. I MUST NOT release information unless specifically authorized to do so, or as required, on a “need-to-know” basis in the proper discharge of official duties,

    5. I MUST NOT divulge any official information obtained through or in connection with my government employment to any unauthorized person or organization.

    6. I MUST NOT use or permit others to use any official information that is not available to the general public for private purposes,

    7. I MUST NOT remove official documents or records from files for personal or inappropriate reasons as DOT prohibits falsification, concealment, mutilation, or unauthorized removal of official documents or records, either hard copy or electronic,

    8. I MUST NOT disclose sensitive information including PII or information contained in Privacy Act records, unless explicitly authorized and in compliance with DOT obligations under the Freedom of Information Act, the Privacy Act, or other Federal law, and

    9. I MUST NOT access, process, or store classified information on DOT office equipment that has not been authorized for such access, processing, or storage.


      Working Remote (Teleworking and Traveling)


  12. When teleworking or remotely accessing DOT information, systems, and resources, I must:

    1. Safeguard sensitive data at my alternate workplace, follow security practices that are the same as or equivalent to those required at my primary workplace, and comply with telework and remote work policies,

    2. Safeguard any devices in my possession used to access DOT networks, systems, information, and/or data when working remotely and/or on official travel for DOT business, in accordance with approved telework and travel agreements and policies.

    3. While traveling, regardless of destination in or outside the United States and territories, ensure all DOT equipment and any devices accessing or containing DOT information remain in my possession or take reasonable precautions to ensure resources are appropriately safeguarded,

    4. Use the DOT approved Virtual Private Network (VPN) to connect and access DOT IT resources. Use the hotspot feature on DOT-issued mobile devices for business-related purposes only. Safeguard information about DOT information technology procedures such as remote access mechanisms, contact information and other sensitive information from unauthorized use and disclosure,

    5. Obtain approval from my supervisor to use, process, transport, transmit, download, print, or store electronic DOT sensitive information remotely (outside of DOT owned or managed environments),

    6. Obtain approval to take GFE or equipment used to access DOT IT resources on business travel outside of the United States and only take equipment that has been approved and designated for such purpose, (Take only the minimum amount of DOT internal information on international travel when information is required to accomplish official duties),

    7. Notify my DOT supervisor or designee prior to and upon return from any international travel with a GFE mobile device (e.g., laptop, smartphone) and comply with any security measures, including using a specifically configured device issued for international travel and/or surrendering the device for inspection or reimaging.

    8. Immediately report the loss or theft of DOT mobile devices to the DOT’s Security Operations Center (SOC). DOT SOC Phone: 1-866-580-1852, Option 1. DOT SOC Email: reportcyber@dot.gov.


  13. When teleworking or remotely accessing DOT information, systems, and resources:

    1. I MUST NOT configure GFE to connect with non-GFE printers, scanners, copiers, or other devices that may disclose DOT data,

    2. I MUST NOT allow any devices used to access DOT IT resources to be used by any other person, without explicit approval,

    3. I MUST NOT connect any device used to access DOT IT resources to open public Wi-Fi networks.

    4. I MUST NOT use the hotspot feature on DOT-issued mobile devices to provide internet service to anyone other than myself,

    5. I MUST NOT take GFE on personal travel within the United States or foreign countries unless authorized by supervisor and in accordance with DOT Policy (International Travel with GFE),

    6. I MUST NOT access DOT's internal resources from any foreign country designated as posing a significant threat unless through approved GFE issued by DOT. This prohibition does not affect access to DOT external web applications.


      User Accountability


  14. I am accountable for my actions and must:

    1. Complete mandatory security and privacy awareness training within designated time frames and complete any additional role-based training required for my role and responsibilities,

    2. Understand that authorized DOT personnel may review my conduct or actions concerning DOT information and information systems and take appropriate action,

    3. Have my GFE or any device in my possession used to access DOT IT resources scanned and serviced by DOT authorized personnel. This may require me to return it promptly to a DOT facility upon demand,

    4. Permit only those authorized by DOT to perform maintenance on IT components, including installation or removal of hardware or software, and

    5. Sign system specific RoBs as required for access to and use of DOT systems. I may be required to comply with a non-DOT entity's RoB to conduct DOT business. While using that system, I must comply with that RoB, in addition to the general DOT RoB.


      Sensitive Information


  15. When accessing or using sensitive information, I must:

    1. Ensure that all printed material containing DOT sensitive information is physically secured when not in use (e.g., locked cabinet, locked door),

    2. Only provide access to DOT sensitive information to those who have a need-to-know for their professional duties, including only posting sensitive information to web-based collaboration tools restricted to those who have a need-to-know and when proper safeguards are in place for sensitive information,

    3. Recognize that access to certain databases has the potential to cause great risk to DOT, its customers, and employees due to the number and/or sensitivity of the records. I will act accordingly to ensure the confidentiality and security of these data commensurate with this increased potential risk,

    4. Protect DOT sensitive information from unauthorized disclosure, use, modification, or destruction, and will use encryption products approved and provided by DOT to protect sensitive data,

    5. Transmit DOT sensitive information via fax only when no other reasonable means exist, and when either someone is at the receiving machine to receive the transmission, or the receiving machine is in a secure location,

    6. Ensure fax transmissions are sent to the appropriate destination. This includes double checking the fax number, confirming delivery, and using a fax cover sheet with the required notification message included,

    7. Encrypt email, including attachments, that contain DOT sensitive information,

    8. Protect DOT sensitive information aggregated in lists, databases, or logbooks, and include only the minimum necessary Sensitive Personally Identifiable Information (SPII) to perform a legitimate business function,

    9. Report the receipt of unsolicited email messages requesting personal or organizational information or asking to verify accounts or security settings to the DOT Security Operations Center (SOC) immediately, and


  16. When accessing or using sensitive information:

    1. I MUST NOT disclose any information protected by any of DOT’s privacy statutes or regulations without appropriate legal authority. I understand unauthorized disclosure of this information may have a serious adverse effect on agency operations, agency assets, and individuals,

    2. I MUST NOT allow DOT sensitive information to reside on non-DOT systems or devices unless specifically designated and authorized in advance by my DOT supervisor, ISSM, and Information System Owner, or designee,

    3. I MUST NOT make any unauthorized disclosure of any DOT sensitive information through any means of communication including, but not limited to verbal communications, email, text messaging, instant messaging, online chat, social media, and web sites, and

    4. I MUST NOT provide personal or official DOT information in response to an unsolicited email.


      Identification and Authentication


  17. When identifying and authenticating to a DOT system or resource I must:

    1. Use phishing and impersonation-resistant multi-factor authentication (MFA), including my Personal Identity Verification (PIV) card and Personal Identification Number (PIN) or other approved government smartcard or MFA solution wherever that option is available,

    2. When applications require a password, use passwords or pass phrases meeting DOT minimum requirements.

    3. Protect my PIV card, PIN, passwords, and other access credentials from unauthorized use and disclosure.


  18. When identifying and authenticating to a DOT system or resource:

    1. I MUST NOT share PIV cards, government smartcards, PIN numbers, or passwords with anyone, including supervisors, co-workers, or system administrators,

    2. I MUST NOT use another person’s account, identity, password/passcode/PIN, or PIV card or allow others to use Government Furnished Equipment (GFE) and/or other DOT information resources provided to perform official work duties and tasks, and

    3. I MUST NOT store my passwords or verify codes in any file on any IT system, unless that file has been encrypted using FIPS 140-2 (or its successor) validated encryption, and I am the only person who can decrypt the file. I MUST NOT hardcode credentials into scripts or programs.


      Incident Reporting


  19. I must report suspected or identified cybersecurity and/or privacy incidents including unauthorized disclosures of DOT information or access to a DOT information system, as well as anti-virus, antispyware, firewall or intrusion detection software errors, or significant alert messages (security and privacy) to DOT’s Security Operations Center (SOC), 1-866-580-1852, Option 1 or email ReportCyber@dot.gov immediately.


  20. I must notify my DOT supervisor, Information System Security Manager (ISSM), or designee via email after I have notified the DOT SOC.


    Social Media & Networking to Conduct Official DOT Business


  21. When using social media and networking to conduct official DOT business, I must:

    1. Use the DOT intranet wherever possible,

    2. Use approved web-based collaboration and social media tools in accordance with DOT policies,

    3. Limit the personal use of social media/networking sites during workhours, in accordance with DOT policies,

    4. Obtain approval from the Office of Public Affairs (OPA) before establishing a DOT social media account,

    5. Ensure that my use of social media, to conduct DOT business, complies with law, guidance, and DOT policy,

    6. Be professional at all times when posting to DOT-related social media,

    7. Use my best judgment when interacting on social media about matters related to DOT’s mission,

    8. In my capacity as a DOT representative, post only information about which I have actual knowledge,

    9. Identify myself and my roles as a DOT representative only when commenting or providing information on matters related to the DOT’s mission and ensure that my profile and any related content is consistent with how I wish to present myself to colleagues and the general public,

    10. Only post and use content in accordance with applicable ethics, intellectual property, discrimination, records, and privacy laws, regulations, and policies,

    11. Publish a disclaimer that the views are my own and do not represent DOT if content I publish on blogs, wikis, or any other form of user-generated media might reasonably be perceived as the position of DOT.


  22. When using social media and networking to conduct official DOT business:

    1. I MUST NOT post or comment on DOT mission-related, policy and/or legal matters unless I am the DOT official spokesperson for the matter and have management approval to do so.

    2. I MUST NOT comment or provide information on any matter about which I do not have actual, up-to-date knowledge in my capacity as a DOT representative,

    3. I MUST NOT post information protected by the Privacy Act of 1974, 38 USC 5701, 5705, or 7332, concerning DOT policy on any non-DOT websites, without legal authority and prior approval by an authorized official,

    4. I MUST NOT use profanity, make libelous statements, or use privately created works without the express, written permission of the author, and

    5. I MUST NOT quote more than short excerpts of another person’s work unless the source is properly credited.

      ACKNOWLEDGEMENT AND ACCEPTANCE

  23. I acknowledge that I understand and consent to the requirements contained within the DOT IT Rules of Behavior for General Users, understand my responsibilities, and will comply with these provisions when accessing DOT information technology resources.

  24. The DOT IT Rules of Behavior provisions are consistent with and do not supersede, conflict with, or otherwise alter the employee obligations, rights, or liabilities created by existing statute or Executive order relating to (1) classified information, (2) communications to Congress, (3) the reporting to an Inspector General of a violation of any law, rule, or regulation, gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety, or (4) any other whistleblower protection. The definitions, requirements, obligations, rights, sanctions, and liabilities created by controlling Executive orders and statutory provisions are incorporated into this agreement and are controlling.

  25. I understand that the communications and data stored on DOT information systems are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any U.S. Government-authorized purpose.

  26. I understand that willful unauthorized disclosure of sensitive information, including PII and SPII may result in legal liability and consequences for the offender. Individuals who demonstrate egregious disregard or a pattern of failing to comply with the listed requirements will have their authority to access information systems promptly revoked.

  27. I understand that the viewing of pornographic or other offensive or graphic content is strictly prohibited on DOT furnished equipment and networks.

  28. I understand that visiting, viewing, or participating in gambling, unethical, immoral, or other illegal activities online is strictly prohibited using DOT furnished equipment and networks and non-DOT furnished equipment with access to DOT networks.

  29. I understand that failure to comply with the DOT IT Rules of Behavior for General Users or DOT cybersecurity policies and standards may result in disciplinary action and these actions may include oral or written warning, suspension and/or removal of system access, reassignment to other duties, criminal or civil prosecution, suspension from duty, termination of employment, removal from a contract for contractor personnel, or any combination of the foregoing. Consequences of failure to comply will be commensurate with the individual’s level of responsibility and the nature of the violation. I also understand that violation of federal laws, such as the Privacy Act of 1974, copyright law, and 18 USC 2071, which this RoB draws upon, can result in monetary fines and/or criminal charges that may result in imprisonment.

  30. I acknowledge that I have read and received a copy of DOT IT Rules of Behavior for General Users.


By signing this document, I understand and consent to the following when I access this Department of Transportation information system, which includes (1) computer, (2) computer network, (3) all computers connected to this network, and (4) all devices (e.g., tablet, mobile device, etc.) and storage media (e.g., thumb drive, flash drive, etc.) attached to the network or to a computer on DOT network:

  • I am accessing a U.S. Government information system that is provided for U.S. Government authorized use only;

  • Unauthorized or improper use of the information system may result in disciplinary action, as well as civil and criminal penalties;

  • The Government, acting directly or through its contractors, routinely monitors communications occurring on this information system. I have no reasonable expectation of privacy regarding any communications or data transiting, stored on, or traveling to or from this information system. At any time, the government may for any lawful government purpose monitor, intercept, search, and seize any communication or data transiting, stored, or traveling to or from this information system;

  • Any communications or data transiting, stored on, or traveling to or from this information system may be disclosed or used for any lawful government purpose.



By checking this box, I understand, agree with, and will comply with the above "Terms and Conditions of Use" and "Rules Of Behavior For a User".


System Sponsor Rules Of Behavior
I will adhere to all rules of behavior for users.

I will initiate each of my user's system access rights. I understand that for some FHWA systems, users will include State government employees and/or other FHWA business partners.

I will assign appropriate system rights to my users (e.g., read only, update, create documents and sign) and will submit user applications to the System Owner for approval or denial.

I will immediately delete the system access rights of users who no longer require access rights (e.g., they terminate employment, change job assignments) once I am notified that access is no longer required.

I will only perform system functions assigned to me as a system sponsor for my user community and for the FHWA systems for which I am a sponsor and only those permitted by the FHWA system software.

I will in no way attempt to override security controls to allow me to perform functions other than what has been subscribed to me.

* System Owners must accept "System Sponsor Rules of Behavior" even if their system does not employ system sponsors.

System Owner Rules Of Behavior
I will adhere to all rules of behavior for users and system sponsors.

I will register and approve sponsors according to established procedures and standards and will apprise them of their responsibilities. I also agree to limit the number of sponsors to what is sufficient for adequate operation of the system.

I understand that I have the ultimate responsibility for the system and as such must enforce compliance with system and security requirements.

I understand that I am responsible for review and approval/disapproval of new user access requests and modifying submitted information as necessary.

I understand that I am responsible for review and approval/disapproval of all user access change requests.

I will remove system sponsor or user access rights from the system immediately upon notification that they are no longer needed.

I will maintain system status messages to communicate with users about current or future events of the application.

I will only perform system duties for users of the FHWA systems for which I am a system owner and only those actions permitted by the FHWA application software.

I will in no way attempt to override security controls to allow me to perform functions other than what has been subscribed to me.

I understand that when granting access to an application that has been identified as having Personally Identifiable Information (PII) or sensitive data, I have documented (i.e., a log containing email and/or phone message, etc.) the need of that user to have access to that type of data as well as the person requesting access for the user.

I will perform a validation of my users every 30 days to ensure that they still require access and that all user information is correct and up-to-date.

UPACS Administrator Rules Of Behavior
I will adhere to all rules of behavior for users.

I will validate and approve each prospective User, both FHWA and Non FHWA. Note: For new FHWA users or FHWA contractors only - before a new FHWA user or an FHWA contractor is added to UPACS, I will physically check the user's ID badge before granting access to UPACS. Note that some FHWA Employees and FHWA Contractors may not have badges. Therefore, if the user does not have a permanent ID badge, I will contact HQ Human Resources Services Group (HAHR-23) and ask the Human Resource Specialist if the user is a legitimate employee or contractor and if they have completed the background screening process required of all FHWA employees and contractors. The Human Resource Specialist will concur if the user is a legitimate employee and has gone through the initial screening process required of all FHWA employees and contractors.

I will review user access applications, update user profile information as required, and approve assignment of user IDs.

I will perform password resets for my users only in accordance with established password reset procedures and will foster the use of strong passwords among my users.

I will reset a user's PIN according to established reset procedures ensuring that the user is required to enter a new PIN at the next login.

I will immediately transfer users who are no longer located in my user community (e.g., they change job assignments and move to new location) once I am notified that they have relocated.

I will immediately delete users who no longer require access rights (e.g., they terminate employment) once I am notified that access is no longer required.

I will perform a validation of my users every 30 days to ensure that they still require access and that all user information is correct and up-to-date.

I will only perform administration functions for my user community and only those permitted by the FHWA system software. I will in no way attempt to override security controls to allow me to perform functions other than what has been subscribed to me.

I understand that when granting access to an application that has been identified as having Personally Identifiable Information (PII) or sensitive data, I have documented (i.e., a log containing email and/or phone message, etc.) the need of that user to have access to that type of data as well as the person requesting access for the user.

Super UPACS Administrator Rules Of Behavior
I will adhere to all rules of behavior for UPACS Administrators.

I will validate prospective users only in the absence of a UA. I will validate and approve each prospective User, both FHWA and Non FHWA. Note: For new FHWA users or FHWA contractors only - before a new FHWA user or an FHWA contractor is added to UPACS, I will physically check the user's ID badge before granting access to UPACS. Note that some FHWA Employees and FHWA Contractors may not have badges. Therefore, if the user does not have a permanent ID badge, I will contact HQ Human Resources Services Group (HAHR-23) and ask the Human Resource Specialist if the user is a legitimate employee or contractor and if they have completed the background screening process required of all FHWA employees and contractors. The Human Resource Specialist will concur if the user is a legitimate employee and has gone through the initial screening process required of all FHWA employees and contractors.

I will only modify user access rights or add users in conjunction with official approved requests. The exception to this is the creation and modification of test user IDs in test or development environments, which I am authorized to create at will without an official approved request.

I will only perform administration functions consistent with the reason (e.g., job function) I was given Super Administrator capability.

I will not use my Super Administrator capability to adversely affect the security of and/or the smooth operation of FHWA systems.

I will not abuse my Super Administrator capability by performing any action I am not authorized to perform and/or using my Super Administrator capability for personal gain.

I will maintain system status messages to communicate with users about current or future events of the system.

I understand that when granting access to an application that has been identified as having Personally Identifiable Information (PII) or sensitive data, I have documented (i.e., a log containing email and/or phone message, etc.) the need of that user to have access to that type of data as well as the person requesting access for the user.


