UNCLASSIFIED (U)

5 FAM 580

WIRELESS INFORMATION TECHNOLOGY (IT)

(CT:IM-266;   05-29-2019)
(Office of Origin:  IRM/BMP/GRP)

5 FAM 581  PURPOSE AND SCOPE

(CT:IM-63;   06-06-2005)

a. This subchapter establishes minimum wireless IT policies and applies to wireless IT devices as defined in 5 FAM 583.  These policies also apply to all Department of State personnel, contractors, and visitors (hereinafter referred to as users) who have access to Department facilities (domestic and abroad).

b. Telephones and pagers are addressed in 5 FAM 584 and 5 FAM 526.  Television services are in 5 FAM 571.  Acquisition of IT is covered in 5 FAM 900, Information Technology Acquisition; procurement of IT is in 5 FAM 920.

5 FAM 582  AUTHORITIES

(CT:IM-230;   11-13-2018)

The authorities for these policies are as follows:

(1)  Federal Information Security Modernization Act of 2014 (FISMA), Public Law 113-283;

(2)  (Office of Management and Budget) OMB Circular A-130, Managing Information as a Strategic Resource;

(3)  Federal Information Technology Acquisition Reform (FITARA) is Title VIII Subtitle D Sections 831-837 of Public Law 113-291 - Carl Levin and Howard P. "Buck" McKeon National Defense Authorization Act for Fiscal Year 2015;

(4)  OMB Memorandum (M-15-14); Management and Oversight of Federal Information Technology;

(5)  National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 140-2 Security Requirements for Cryptographic Modules;

(6)  NIST Special Publication (SP) 800-48 Wireless Network Security 802.11, Bluetooth and Handheld Devices;

(7)  Director of Central Intelligence Directive 6/9, “Physical Security Standards for Sensitive Compartmented Information Facilities,” November 18, 2002, Annex D, Part I, paragraph 2.1.5;

(8)  Rehabilitation Act of 1973, as amended, Section 508 (29 U.S.C. 794d); and

(9)  36 Code of Federal Regulations (CFR) Part 1194, Architectural and Transportation Barriers Compliance Board Electronic and Information Technology Accessibility Standards.

5 FAM 583  DEFINITIONS

(CT:IM-63;   06-06-2005)

Automated Information System (AIS) is defined in 12 FAM 091.

Controlled Access Area (CAA) is defined in 12 FAH-6 H-021 and 12 FAM 091.

Information Technology (IT) is defined in 5 FAM 913.

Information Technology Change Control Board (IT CCB) is defined in 5 FAH-5 H-512.

Sensitive Compartmented Information Facilities (SCIF) is an accredited area, room, group of rooms, building, or installation where sensitive compartmented information may be stored, used, discussed and/or electronically processed.

Synchronize in this subchapter refers to a two-way communication operation.  This communication can be carried out wirelessly or through a physical connection between two wireless IT devices or between a wireless IT device and a computer.

Wireless IT is a system, device, transmitter, or receiver that detects, demodulates, and amplifies transmitted signals.  It is telecommunications in which electromagnetic waves carry a signal or data over all or part of the communication circuit path without a physical connection.  Wireless IT communication can be optical, radio frequency (RF), and audio.  Mice, keyboards, networks, and routers can be types of wireless IT.  Televisions, radios, headsets, microphones, remote controls, telephone, pagers and the like can also be considered wireless IT devices.

Wireless Tail Circuit is a local communication circuit that connects two or more separate compounds, buildings, or locations.  Traditionally, tail circuits have utilized physical cabling, such as copper wire or fiber optic cable.  Technology now supports the use of the wireless tail circuit.  A wireless tail circuit typically utilizes transceivers and antennas that facilitate a wireless signal, instead of physical cabling.

5 FAM 584  TELEPHONE AND PAGER EQUIPMENT

5 FAM 584.1  Cellular Telephones

(CT:IM-47;   01-09-2004)

Cellular telephone policies are covered in 5 FAM 526.

5 FAM 584.2  Pagers

(CT:IM-47;   01-09-2004)

a. One-way pagers are receive-only pagers.  Use of these pagers is permitted in all Department of State domestic facilities.  Use of these pagers is permitted both inside and outside the Controlled Access Area (CAA) at posts abroad.

b. Two-way pagers have the ability to send and receive.  This category includes voice pagers or any pagers that can send an acknowledgement back to the caller.  These pagers may be brought into and used within Department of State domestic facilities but must be turned off when within ten feet from classified processing or discussions as they have active transmitters.  This type of pager may not be brought into or used in a Sensitive Compartmented Information Facilities (SCIF) unless the senior official of the Intelligence Community (SOIC) has approved it for conduct of official duty (Director of Central Intelligence Directives (DCID) 6/9, Annex D, Part I, Paragraph 2.1.5).  These type of pagers are permitted to be brought only into non-CAA spaces of buildings abroad and must be turned off when within ten feet from classified processing or discussions.

5 FAM 584.3  Ancillary Telephone Accessories

(CT:IM-230;   11-13-2018)

a. Use of radio frequency (RF) cordless or wireless telephones is not permitted in areas where classified information is discussed or processed, domestically, or abroad (see 12 FAH-6 H-530).  They may be used domestically or abroad where classified information is neither processed nor discussed.

b. Entry of wireless telephones or handsets using Bluetooth technology is not permitted in any Department of State facility.

c.  Use of cordless headsets is not permitted in close proximity to areas where classified information is discussed or processed, domestically, or in the CAA, abroad.  A Security Engineering Officer (SEO) must perform a survey to determine the proximity issue, besides other security factors.  The exceptions are headsets approved by DS/IST/CMP for people with special needs.  HR/ER/WFP should be contacted to confirm there is a special need.  They will coordinate the exception with DS/IST/ACD and DS/IST/CMP (see 12 FAH-6 H-530).

5 FAM 585  PERSONALLY OWNED WIRELESS IT DEVICES

(CT:IM-63;   06-06-2005)

Personally owned wireless IT devices must not be connected to Department of State systems or networks.  Abroad they must be left outside a CAA.  Domestically, wireless IT devices must be turned off when within the 10-foot Spherical Zone of Control (SZOC) of:

(1)  IT equipment processing classified national security information; and/or

(2)  Areas where persons are conducting classified discussions.

5 FAM 586  DEPARTMENT-OWNED, -APPROVED AND -ISSUED WIRELESS IT DEVICES

5 FAM 586.1  Authorized Use of Department –Owned, -Approved and -Issued Wireless IT Devices

(CT:IM-63;   06-06-2005)

Department-owned, -approved and –issued wireless IT devices may be used to process sensitive but unclassified (SBU) information in Department facilities both domestically and abroad, provided these IT wireless devices are:

(1)  IT CCB approved; and

(2)  Properly configured with the IT CCB approved security software installed.  Users must immediately notify the ISSO (refers to the designated ISSO, the alternate ISSO, or other assigned personnel who have been delegated specific ISSO authorities) and/or Regional Security Officer (RSO)/Post Security Officer (PSO) in the event of any significant security-related abnormal operation.

5 FAM 586.2  Department-Owned, -Approved, and -Issued Wireless IT Device Connection to non-State Owned Computers

(CT:IM-63;   06-06-2005)

Department–owned, -approved, and -issued wireless IT devices that synchronize or interface with the Department’s OpenNet must not have simultaneous connection with any other systems via wired or wireless connection unless approved by the IT CCB.

5 FAM 586.3  Limitations on the Use of Department-Owned, -Approved, and –Issued Wireless IT Devices

(CT:IM-230;   11-13-2018)

a. Department-owned, -approved, and -issued wireless IT devices must use hardware and software approved by the IT CCB.  (Contact the Enterprise Network Management Office (IRM/OPS/ENM) for information and guidance on the currently approved hardware and software standards.)

b. Only a cleared U.S. Citizen system administrator is authorized to reconfigure or update devices allowed in the CAA.  In addition to cleared U.S. citizens, the Information Management Officer (IMO) may authorize Local Employed Staff (LE staff) or Foreign Service National (FSN) system administrators to configure and update devices that are restricted for use outside the CAA only.  All devices must meet Department standards.

c.  Wireless IT devices must neither process nor store classified information.  These devices also must not connect to a classified AIS.

5 FAM 587  GUIDANCE FOR USE OF DEPARTMENT-OWNED, -APPROVED, AND –ISSUED WIRELESS IT DEVICES

5 FAM 587.1  Domestic Use of Department-Owned, -Approved, And -Issued Wireless IT Devices

(CT:IM-63;   06-06-2005)

a. Bureau Executive Directors must approve the distribution and use of Department-owned, IT CCB-approved, wireless IT devices within their Bureaus.

b. Executive Directors have the overall responsibility to ensure that all Department-owned, -approved, and -issued wireless IT devices are maintained in a property inventory.

c.  An ISSO must brief wireless IT device users on appropriate security procedures for handling and use prior to issuing a Department-owned, -approved, and -issued wireless IT device.  The ISSO must maintain a written record and signed user acknowledgement of the briefing.

d. Users must immediately report the loss or theft of a wireless IT device.  A formal written report must be submitted to the property manager, the bureau ISSO, and the Unit Security Officer (USO).  Users must also immediately notify the ISSO in the event of any significant security-related abnormal operation.

e. Department-owned, -approved, and -issued wireless IT devices must not be operated inside a 10-foot SZOC of:

(1)  IT equipment processing classified national security information; and/or

(2)  Areas where persons are conducting classified discussions.

5 FAM 587.2  Use Of Department-Owned, -Approved, and -Issued Wireless IT Devices Abroad

(CT:IM-230;   11-13-2018)

a. The Management Officer (MO) must approve the distribution and use of Department-owned, IT CCB-approved, wireless IT devices at post.

b. The MO has overall responsibility to ensure that all Department-owned, -approved, and -issued wireless IT devices are maintained in accordance with post’s property inventory procedures, including formal receipt as required.

c.  The ISSO must brief wireless IT device users on appropriate security procedures for handling and use prior to issuing a Department-owned, -approved, and -issued wireless IT device.  The ISSO must maintain a written record and signed user acknowledgement of the briefing.

d. The user must immediately notify the ISSO, RSO/PSO, and property manager in writing of the loss or theft of a wireless IT device.  A formal written report must be submitted to the property manager, the bureau ISSO, and the RSO/PSO.  Users must also immediately notify the ISSO or RSO/PSO in the event of any significant security-related abnormal operation.

e. Department-owned, -approved, and -issued wireless IT devices must not be allowed in the CAA unless authorized under Department standards.

5 FAM 588  DEPARTMENT-OWNED AND -APPROVED WIRELESS LOCAL AND WIDE AREA NETWORK AND EQUIPMENT

5 FAM 588.1  Domestic Use of Department –Owned and - Approved Wireless Networks and Equipment

(CT:IM-63;   06-06-2005)

Domestic users of wireless IT network components must use IT CCB-approved wireless network components and network devices.  They must not be connected to or used with any classified equipment or networks.

5 FAM 588.2  Use of Department-Owned and -Approved Wireless Networks and Equipment Abroad

(CT:IM-169;   11-23-2015)

a. Users of wireless IT network components abroad must use IT CCB-approved wireless network components and network devices.  They must not be connected to or used with any classified equipment or networks.

b. Wireless network devices must not be installed inside CAA spaces.

c.  Posts must coordinate the configuration, installation and operations with their Regional Information Management Center (RIMC), the Regional Computer Security Officer (RCSO), the Office of Security Technology (DS/C/ST), and the Office of Computer Cybersecurity (DS/SI/CS) to ensure installation security requirements are met and proper wireless network operations are maintained.

5 FAM 588.3  Use of Department-Owned And -Approved Wireless Tail Circuits And Other Wireless Circuits

(CT:IM-63;   06-06-2005)

a. Wireless tail circuits may be used when physical cable infrastructure is not available or when business requirements dictate.  Wireless tail circuits may also be implemented as temporary backup systems to traditional wired tail circuits.

b. When a backup wireless tail circuit is not in use, power to the circuit equipment, such as the wireless transceiver, must be disconnected.  Additionally, backup wireless tail circuits must only be powered and operated while a primary wired tail circuit is not functional and/or being serviced.

c.  To transit data over a wireless infrastructure, you must use National Institute of Standards and Technology (NIST) accredited and National Security Agency (NSA) approved products to encrypt the data.  In addition, the IT CCB must approve the use of all encryption devices used on the SBU network.

d. Wireless tail circuit requests must be made through the IRM InfoCenter.

5 FAM 589  ACCESSIBILITY REQUIREMENTS FOR PEOPLE WITH DISABILITIES

(CT:IM-266;   05-29-2019)

a. Medical devices are exempt from the policies in 5 FAM 586 through 5 FAM 589.  Medical devices include, but are not limited to, hearing aids, pacemakers, or other implanted medical devices.

b. The Office of Technology, Innovation, and Engineering (DS/CTS/TIE), in coordination with the Countermeasures Program Division (DS/ST/CMP)must approve all wireless accessibility devices for employees with disabilities to be used in a CAA abroad.  All reasonable effort will be made to provide wireless IT devices to employees with disabilities that both:

(1)  Do not pose a risk to the discussion or processing of classified information; and;

(2)  Are compliant with Section 508 of the Rehabilitation Act of 1973 and relevant implementing regulations (36 CFR 1194).

c.  IRM/BMP/GRP/SM/IMPACT (IMPACT office) must be contacted regarding Section 508 questions.  The Work/Life Division (HR/ER/WLD) must be contacted to confirm that a special need exists and answer questions regarding reasonable accommodation for employees with disabilities.  Discussion or approval of any waiver/exception to DS requirements must be coordinated with DS/CTS/TIE and DS/ST/CMP.

UNCLASSIFIED (U)