UNCLASSIFIED (U)

5 FAM 870

Networks

(CT:IM-349;   02-04-2026)
(Office of Origin:  DT/ES)

5 FAM 871  SUMMARY

(CT:IM-349;   02-04-2026)

The Department currently has two enterprise networks managed by the Bureau of Diplomatic Technology (DT):  ClassNet and OpenNet.  Only Department-issued or approved systems are authorized to connect to Department enterprise networks.  DT additionally manages Non-Enterprise Networks (NENs), as described in 5 FAM 875.

5 FAM 872  POLICY OBJECTIVES

(CT:IM-349;   02-04-2026)

5 FAM 870 highlights the general requirements for approval, setup, and use of Department of State (DoS)-procured official networks, consisting of the ClassNet and OpenNet enterprise systems and the NENs available to authorized personnel.

5 FAM 873  POLICY SCOPE

(CT:IM-349;   02-04-2026)

5 FAM 870 provides guidance and regulations for the responsibilities associated with, and the use of, Department-owned and operated official networks by authorized personnel.

5 FAM 874  ENTERPRISE NETWORKS

(CT:IM-349;   02-04-2026)

5 FAM 874.1  ClassNet

(CT:IM-349;   02-04-2026)

a. The Department’s ClassNet provides an internal network for e-mail and other processing of information up to the SECRET level and provides access to the Department of Defense (DoD) Secret Internet Protocol Router Network (SIPRNET).

b. Submit all ClassNet changes (i.e., baseline and modifications) to the Technology Review Board (TRB) for review, evaluation, and decision.

c.  Users must not load classified information or Sensitive But Unclassified (SBU) information onto unclassified systems, and any information exchange between classified and unclassified or SBU systems may only occur following established Department guidelines, developed by the Bureau of Diplomatic Security (DS), or with a recommended waiver by DS and approved by the Enterprise Chief Information Security Officer (E-CISO).

d. Users have no expectation of privacy when using Department systems.  The system is always monitored for user actions and data classification.

e. Only Department-owned and TRB-approved hardware (including removable media) and software are permitted to be installed or used on classified Department automated information systems (AISs).  Computers connected to ClassNet must have all Department-required software patches applied and must have current Anti-Virus software and definitions installed.  Additionally, portable computers must not connect to ClassNet systems without explicit approval of the bureau or post Information Systems Security Officer (ISSO).  See 12 FAM 630 for additional security requirements.

5 FAM 874.2  OpenNet

(CT:IM-349;   02-04-2026)

a. OpenNet is the Sensitive But Unclassified (SBU) network in the Department.  It provides access to standard desktop applications, such as word processing, e-mail, and Internet browsing, and supports a battery of custom Department software solutions and database management systems.

b. Submit all OpenNet changes (i.e., baseline and modifications) to the TRB for review, evaluation, and decision.

c.  Users sending personal e-mail out to the Internet should make it clear, in an appropriate place in the message, that the e-mail is not being used for official business.

d. Users must not load classified information onto unclassified or SBU systems, and any information exchange between classified and unclassified or SBU systems may only occur following established Department guidelines, developed by DS, or with a recommended waiver by DS and approved by the E-CISO.

e. Users have no expectation of privacy when using Department systems.  The system is always monitored for user actions and data classification.

f.  Only Department-owned and TRB-approved hardware (including removable media) and software are permitted to be installed or used on SBU Department AISs.  (All operating system software must be TRB-approved.)  Computers connected to OpenNet must have all Department-required software patches applied and must have current Anti-Virus software and definitions installed.  Additionally, portable computers must not be connected to OpenNet systems without explicit approval of the bureau or post Information Systems Security Officer (ISSO).  See 12 FAM 620 for additional security requirements.

g. For specific guidance on transport and use of portable computers at post, contact the Directorate of Cyber and Technology Security (DS/CTS).

5 FAM 875  NON-ENTERPRISE NETWORKS (NEN)

(CT:IM-349;   02-04-2026)

A Non-Enterprise Network (NEN) is a Department-procured and locally managed computing environment.  NENs are used by a specific entity to meet mission requirements that cannot be met with an Enterprise-managed solution.

5 FAM 875.1  Dedicated Internet Networks (DIN)

(CT:IM-349;   02-04-2026)

Effective October 2022, the term “Dedicated Internet Network” (DIN) has been superseded by “Non-Enterprise Network” (NEN).

5 FAM 875.2  NEN Approval and Registration

(CT:IM-349;   02-04-2026)

a. Domestically, Bureau Executive Directors or equivalents are the approving authority for all NENs within their organization's area of operation.  Overseas, the Deputy Chief of Mission (DCM) or equivalent must approve all NENs established within their post or mission.  The approving authority must ensure that NENs are established only for purposes that cannot be accomplished by an Enterprise-managed solution, and that NENs are registered, supported, and maintained in accordance with applicable Department policies and standards.

b. All NENs must be registered via the DT NEN registration process by the NEN approving authority or their designees.

c.  To retain NEN approval and ensure accuracy of information, NEN registrations must be reviewed and updated at least annually, or whenever a change is made that could result in re-categorization of the NEN Type or alter the cybersecurity posture of the current accreditation.

d. Computing environments that have ANY of the following characteristics require registration, unless excluded by paragraph f:

(1) Procured and managed by the Department (reimbursement of personal Internet costs is not applicable);

(2) Located within a Department facility (non-official residences are not applicable); or

(3) Supports a Department-sanctioned mission or use case.

e. All circuits and interconnections utilized by NENs must be registered and associated with the corresponding NEN computing environment as applicable.

f.  Endpoint or server systems that connect directly to a Bureau- or Enterprise-managed system are not considered independent computing environments and therefore do not require NEN registration; however, the public IP address must be registered.

5 FAM 875.3  Acceptable Use

(CT:IM-349;   02-04-2026)

a. Sensitive But Unclassified (SBU) / Controlled Unclassified Information (CUI) or Personally Identifiable Information (PII) must only be processed or stored on Type-3 NENs that have met the required security controls and are authorized by DT/CO.

b. SBU/CUI and PII are not permitted to be stored or processed on Type-0, Type-1, or Type-2 NENs.

c.  NENs must not be used to duplicate Department enterprise services.

d. NENs must not be used in any way that violates Department or Federal mandates or directives.

e.  See 12 FAM 544.3, Electronic Transmission via the Internet.

5 FAM 875.4  NEN Hardware and Software

(CT:IM-349;   02-04-2026)

a. Hardware and software must be legally procured and fully licensed, according to Department acquisition policies and vendor End User License Agreements. This hardware/software restriction does not apply to NENs approved for use by non-Department users/devices.

b. All Department-purchased IT hardware and software must comply with all federal accessibility laws and policies.

c.  Hardware and software approval for NENs must follow the Department’s TRB requirements or be approved by DT/CO.  See 5 FAM 862.

d. NEN hardware and software must be configured to Department security configuration baseline standards. When baseline configurations must be adjusted to accommodate business requirements, they must be documented and maintained through the LCCB and ISSO.

e.  End-of-life hardware and software are not permitted for use on a NEN without advance written approval from CO/ISSO.

5 FAM 875.5  NEN Authorization and Controls

(CT:IM-349;   02-04-2026)

a. All NENs must undergo a risk analysis to determine their risk level.

b. All NENs must undergo an authorization process in accordance with the results of that risk analysis.

c.  NENs must implement the control overlay associated with their determined level of risk, as defined by supporting Department security standards.

d. NENs categorized as low risk (Type-0 or Type-1) may use a streamlined self-accreditation process to achieve authorization.

e. NENs must leverage available enterprise controls such as central logging, scanning, and boundary protections.  Where Department- or Bureau-provided security controls are not available, the NEN owner must supply their own controls to meet security requirements.  A list of required security controls can be found on DT/CO’s NEN website.

f.  NEN owners must comply with all Department directives regarding NEN configurations and controls.

g. Every NEN must have a primary and an alternate ISSO assigned to ensure that required security controls are properly implemented and maintained.  ISSOs must also ensure that all vulnerabilities are remediated in accordance with Department-established timelines.

h. NENs categorized as Type-2 or Type-3 may be required to obtain a full ATO, as determined by DT/CO.

5 FAM 876  DEMILITARIZED ZONE (DMZ)

(CT:IM-349;   02-04-2026)

a. A DMZ is a perimeter network segment that sits logically between internal and external networks.  Its purpose is to enforce the internal network’s information assurance policy for external information exchange and to provide external sources, trusted and untrusted, with restricted access to releasable information as required, while shielding the internal networks from outside attacks.

b. The processing of Department data and information is subject to adherence to applicable Department and federal compliance standards.

c.  DMZs must not be established and/or operated without Chief Information Officer (CIO) authorization.  The DT Network Operations Division (DT/EI/NT/NO) maintains governance and oversight of Department DMZs.  Data in a DMZ may be accessed by untrusted sources that are not authenticated.  Technical administration must be performed by a cleared U.S. citizen who is a Department or contract employee.

d. Connectivity to, via, and from the DMZ, which includes systems, devices, networks, and proxies, is subject to general 5 FAM AIS and 12 FAM 600 cybersecurity policies and, therefore, must meet and maintain Department and Federal information security compliance, related Department and Federal information technology, and data protection requirements and standards.

e. Information and information systems assessed as FISMA “high” are not authorized for storage, processing, or transmission within or through the DMZ.

f.  DMZs must meet the following additional requirements:

(1)  Only DT may implement and operate a DMZ network segment between enterprise networks and external networks.  All DMZs regardless of ownership will comply with the requirements of this section;

(2)  Any data at rest in a DMZ system or application that has been categorized as moderate must be encrypted using Department-approved, U.S. Government-certified encryption products;

(3)  DMZs operating between enterprise networks and external networks must meet and maintain Department and Federal information technology compliance and data protection standards;

(4)  DMZs should be segmented by Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, impact levels (moderate or low).  Where feasible, applications and systems will be operated on the segment that matches their categorization impact level.  Differences will be reconciled through the system authorization process;

(5)  Dual-home devices (e.g., servers with multiple network interface connections) must be approved on an individual basis through the Firewall Advisory Board (FAB); and

(6)  Department approved multi-factor authentication is required for users with elevated privileges (e.g., system administrators).

5 FAM 876.1  DMZ Registration

(CT:IM-349;   02-04-2026)

Registration is required for each DMZ enclave (network segment) that will house a Department system.  Registration is also required for systems and applications hosted within a DMZ enclave.  An annual renewal of the registration by the system owner is required as part of the process (see 5 FAM 611).  An annual Owner Accountability Form from the system owner to DT/CO, certifying operation in accordance with established procedures, is also required.

5 FAM 876.2  DMZ Assessment and Authorization

(CT:IM-349;   02-04-2026)

DMZs, systems residing within DMZs, and systems connecting to the DMZ must be authorized in accordance with the provisions of 5 FAM 1060, Information Assurance Management.  DT is authorized to disable systems that are deemed non-compliant, or that pose potential threats or have vulnerabilities that could impact Department information systems, data, and networks.  Applicable Department security configuration standards must be applied and maintained by the system owners.  For more information about security configuration standards, see the DS/CTS and DT/CO OpenNet websites.

5 FAM 876.3  DMZ Hardware and Software

(CT:IM-349;   02-04-2026)

a. All DMZ hardware and software must be approved by the enterprise TRB and align with the Supply Chain Management Division (DT/EI/IM/SCM) approved product list.

b. All IT hardware and software leveraged to support DMZs and the systems contained therein must comply with all federal laws and policies, including all federal accessibility laws and policies.

c.  DMZ hardware and software must be configured to Department security configuration baseline standards unless an exception is granted.  System owners must submit requests for exceptions covering all deviations from approved configuration guides made to DMZ assets to DS/CTS and DT/CO for a recommendation, and every such deviation must be documented.  Only the CIO and/or the E-CISO may approve exceptions.

5 FAM 877  Resources

(CT:IM-349;   02-04-2026)

5 FAM 877.1  Acronyms

(CT:IM-349;   02-04-2026)

AIS (Automated Information System)

CIO (Chief Information Officer)

CO (Cyber Operations)

COM (Chief of Mission)

CTS (Directorate of Cyber and Technology Security)

CUI (Controlled Unclassified Information)

DCM (Deputy Chief of Mission)

DMZ (Demilitarized Zone)

DoD (Department of Defense)

DoS (Department of State)

DS (Bureau of Diplomatic Security)

DT (Bureau of Diplomatic Technology)

E-CISO (Enterprise Chief Information Security Officer)

FAB (Firewall Advisory Board)

FIPS (Federal Information Processing Standards)

ISSO (Information Systems Security Officer)

IT (Information Technology)

LCCB (Local Configuration Control Board)

NEN (Non-Enterprise Network)

SBU (Sensitive But Unclassified)

SCM (Supply Chain Management)

SIPRNET (Secret Internet Protocol Router Network)

TRB (Technology Review Board)

5 FAM 877.2  Definitions

(CT:IM-349;   02-04-2026)

Antivirus software is a security program designed to prevent, detect, search for, and remove viruses and other malware from computer systems.

Automated Information Systems are computer-based collections of data and software that use the input of various resources to automate the management of operations and information, creating useful output that can help make strategic decisions.

Data at Rest in information technology refers to data that is physically stored on computer data storage in any form.

Supply Chain Management is the centralized management of the flow of goods and services to and from the source to the end consumer.

5 FAM 877.3  Authorities

(CT:IM-349;   02-04-2026)

a. Federal Information Security Modernization Act of 2014 (FISMA), Public Law 113-283, (44 U.S.C. 3551);

b. Federal Information Processing Standards (FIPS) Publication 199

5 FAM 877.4  Exhibits

(CT:IM-349;   02-04-2026)

N/A

5 FAM 877.5  Additional Resources

(CT:IM-349;   02-04-2026)

N/A

5 FAM 877.6  Related FAM/FAH

(CT:IM-349;   02-04-2026)

1 FAM 270 (Bureau of Diplomatic Technology)

5 FAM 110 (Information Technology Management)

5 FAM 1060 (Information Assurance Management)

12 FAM 540 (Sensitive But Unclassified Information)

12 FAM 620 (Unclassified Information System Security Policy)

12 FAM 630 (Classified Automated Information Systems)

5 FAM 878  UNASSIGNED
