UNCLASSIFIED (U)

5 FAH-2 H-860

ANTIVIRUS PROGRAM

(CT:TEL-92;   08-14-2023)
(Office of Origin:  IRM/FO/ITI/SI)

5 FAH-2 H-861  POLICY

(CT:TEL-92;   08-14-2023)

a. In accordance with 12 FAM 600, all Department information systems must be protected with approved virus detection and prevention programs.  IRM/FO/ITI/SI/IIB (Systems Integrity Division, Information Integrity Branch) provides antivirus software and documentation to all bureaus and field posts free of charge.  The Setup and Installation Procedures Handbook, included with the software, answers procedural questions about installation.  Contact IRM/FO/ITI/SI/IIB at (703) 866-7348 or visit the Virus Incident Response Team website for more information.

b. Licensing, reproduction, and distribution of antivirus software for domestic and post usage abroad are the responsibility of the antivirus program staff, IRM/FO/ITI/SI/IIB.  Information Programs Center (IPC) personnel must install and update antivirus software on all computers maintained by the IPC, i.e., TEMPEST computers and non-TEMPEST classified computers within controlled access areas (CAAs).

5 FAH-2 H-862  UNCLASSIFIED SYSTEMS

(CT:TEL-92;   08-14-2023)

a. IRM's Antivirus Program Office, Virus Incident Response Team (VIRT), automatically updates antivirus definitions to OpenNet and ClassNet machines on a daily basis.  Each post/site/bureau is required to have a group update provider (GUP) assigned to properly receive the updated signature files.  A GUP can be a workstation or a server.

b. Unclassified, non-networked, standalone computers, i.e., not connected to any other computer, may be updated by downloading the most current signature file from the antivirus website or the software vendor’s website on the internet.  The signature file should be copied to removable media that contains no sensitive information.  The local computer hard drive and removable media containing the signature files must be scanned prior to use on any other Department computer.  Scanned removable media may be used to copy the signature update files to other unclassified standalone computers.

c.  Unclassified networked computers not connected to OpenNet, e.g., laptops or workstations on a dedicated internet network (DIN), or with access to the internet, may be updated as described in paragraph b above or automatically from the vendor’s website in the same manner recommended for home users.  At critical technical and/or HUMINT threat posts, consult 5 FAH-2 H-863, Classified Systems.

5 FAH-2 H-863  CLASSIFIED SYSTEMS

(CT:TEL-92;   08-14-2023)

Downloading of updated virus signature files from the internet or internet-based bulletin boards for classified systems is strictly prohibited.  Virus signature files and software updates for Department-approved antivirus applications must be downloaded from the intranet anti-virus (AV) website link for use on classified systems or for unclassified systems at critical technical and/or HUMINT threat posts.  File transfers to classified systems must be done in accordance with 12 FAH-10 H-410.  For all posts abroad, IRM/FO/ITI/SI will send original program and updated antivirus signature files via classified pouch in the care of the Information Programs Officer (IPO), Information Management Officer (IMO), or a cleared U.S. citizen employee.  Upon use, the Department-supplied AV media must be labeled with the highest classification of information processed on the classified system and cannot be returned for unclassified use.

5 FAH-2 H-864  VIRUS INCIDENT REPORTING

(CT:TEL-92;   08-14-2023)

If a virus is discovered, send a report via email to virus2@state.gov and VIRUS@state.sgov.gov (classified) and a courtesy copy to the Computer Incident Response Team (CIRT) DS/CS/MIRD CIRT at CIRT@state.gov or cirt@state.sgov.gov.  The report should include the following:

(1)  Name of virus and occurrences;

(2)  Location of computer/network (bureau, post, or office);

(3)  Origin of virus infection;

(4)  Infected equipment type: standalone equipment/devices, networked equipment/devices, or peripheral, e.g., thumb drives or CDs;

(5)  Type of software used to eradicate the virus:

(a)  Specific application version, e.g., SEP or ScanMail;

(b)  Signature file installed (date and/or sequence number); and

(c)  Scan engine installed (date and/or sequence number);

(6)  Losses incurred (defined as loss of equipment, software, or computer system downtime);

(7)  Point of contact for follow-up support; and

(8)  Remarks.

5 FAH-2 H-865  THROUGH H-869 UNASSIGNED
