UNCLASSIFIED (U)

5 FAH-2 H-860

ANTIVIRUS PROGRAM

(CT:TEL-68;   06-25-2018)
(Office of Origin:  IRM/OPS/ITI/SI)

5 FAH-2 H-861  POLICY

(CT:TEL-68;   06-25-2018)

a. In accordance with 12 FAM 600, all Department information systems must be protected with approved virus detection and prevention programs.  IRM/FO/ITI/SI/IIB (Systems Integrity Division, Information Integrity Branch) provides antivirus software and documentation to all bureaus and field posts free of charge.  The Setup and Installation Procedures Handbook, included with the software, answers procedural questions about installation.  Contact IRM/FO/ITI/SI/IIB at (202) 203-5172 or visit the Virus Incident Response Team Web site for more information.

b. Employees and contract personnel may obtain antivirus software from their domestic bureau or post's systems office for home use, to prevent malicious code from migrating from home computers into the office environment.  Home use of antivirus software procured by the Department is authorized only for Department of State employees.  When employment is terminated, the software must be removed.  Diplomatic privilege and host-country customs laws may prohibit locally employed staff (LES) or third-country nationals (TCNs) from installing Department of State-procured antivirus software on privately owned PCs.  Also, vendor contracts sometimes require host-country customs review.  If not prohibited by host-country law, copies of antivirus software may be requested for FSN/TCN use through the antivirus program.  See the Virus Incident Response Team's Cables Help Guide Web page.  Licensing, reproduction, and distribution of antivirus software for domestic use and for use at posts abroad are the responsibility of the antivirus program staff, IRM/FO/ITI/SI/IIB.  Information Programs Center (IPC) personnel must install and update antivirus software on all computers maintained by the IPC (i.e., TEMPEST computers and non-TEMPEST classified computers within controlled access areas [CAAs]).

5 FAH-2 H-862  UNCLASSIFIED SYSTEMS

(CT:TEL-37;   08-30-2013)

a. IRM's Antivirus Program Office, Virus Incident Response Team (VIRT), automatically updates antivirus definitions to enterprise (i.e., OpenNet and ClassNet) machines on a daily basis.  Each post/site/bureau is required to have a group update provider (GUP) assigned to properly receive the updated signature files.  A GUP can be a workstation or a server.

b. Unclassified, non-networked, standalone computers (i.e., not connected to any other computer) may be updated by downloading the most current signature file from the antivirus website or the software vendor’s website on the Internet.  The signature file should be copied to removable media that contains no sensitive information.  The local computer hard drive and removable media containing the signature files must be scanned prior to use on any other Department computer.  Scanned removable media may be used to copy the signature update files to other unclassified standalone computers.

c.  Unclassified networked computers that are not connected to OpenNet but do have Internet access (e.g., laptops or computers on a dedicated Internet network (DIN)) may be updated as described in paragraph b, or automatically from the vendor's website in the same manner recommended for home users.  At critical technical and/or HUMINT threat posts, consult 5 FAH-2 H-863, Classified Systems.

5 FAH-2 H-863  CLASSIFIED SYSTEMS

(CT:TEL-68;   06-25-2018)

Downloading of updated virus signature files from the Internet or Internet-based bulletin boards for classified systems is strictly prohibited.  Virus signature files and software updates for Department-approved antivirus applications must be downloaded from the Intranet AV Website link for use on classified systems or for unclassified systems at critical technical and/or HUMINT threat posts.  File transfers to classified systems must be done in accordance with 12 FAH-10 H-410.  For all posts abroad, IRM/FO/ITI/SI will send original program and updated antivirus signature files via classified pouch in the care of the information programs officer (IPO), information management officer (IMO), or a cleared U.S. citizen employee.  Upon use, the Department-supplied AV media must be labeled with the highest classification of information processed on the classified system and cannot be returned for unclassified use.

5 FAH-2 H-864  VIRUS INCIDENT REPORTING

(CT:TEL-37;   08-30-2013)

If a virus is discovered, send a report via email to virus2@state.gov and VIRUS@state.sgov.gov (classified), with a courtesy copy to the Computer Incident Response Team (DS/CS/MIRD CIRT) at CIRT@state.gov or cirt@state.sgov.gov.  The report should include the following:

(1)  Name of virus and occurrences;

(2)  Location of computer/network (bureau, post, or office);

(3)  Origin of virus infection;

(4)  Infected equipment type (standalone equipment/devices, networked equipment/device, or peripheral, e.g., thumb drives, CDs, etc.);

(5)  Type of software used to eradicate the virus:

(a)  Specific application version (e.g., SEP or ScanMail);

(b)  Signature file installed (date and/or sequence number); and

(c)  Scan engine installed (date and/or sequence number);

(6)  Losses incurred (defined as loss of equipment, software, or computer system downtime);

(7)  Point of contact for follow-up support; and

(8)  Remarks.

5 FAH-2 H-865  THROUGH H-869 UNASSIGNED
