10 FAM 180

Official Communication Using Social Media

(CT:PEC-38;   08-24-2017)
(Office of Origin:  R/PPR)

10 FAM 181  SOCIAL MEDIA INTRODUCTION

(CT:PEC-38;   08-24-2017)

Digital Diplomacy is an important tool of public diplomacy.  A key element of digital diplomacy is social media.

10 FAM 181.1  Official Use of Social Media

(CT:PEC-38;   08-24-2017)

a. Department organizations and personnel may access and contribute unclassified content (both original entries and responses to entries) on social media platforms in their official capacity.  Department personnel must obtain and document all required approvals prior to creating a social media account used for official Department business (not personal use).  Official Department social media accounts must follow federal rules and regulations guiding their use by federal agencies and associated personnel.

b. To engage on social media in an official capacity, personnel must use an account created specifically for official use that is separate from an account used for private, personal use.

c.  Employees must adhere to the public information dissemination clearance requirements found in 3 FAM 4170 and 10 FAM 120.

d. Supervisors may not compel personnel either to create a personal account or personal profile at any social media site or to post personal entries at any public site.  Personnel enrolled in training programs that utilize social networking programs may be required to create a personal account for the duration of the training for the purpose of instruction.  Personnel may retain or delete the account or profile at their sole discretion upon the end of the training program.

10 FAM 181.2  Creating an Official Public Social Media Site or Application

(CT:PEC-38;   08-24-2017)

a. Official Department social media sites and content must be clearly labeled and identifiable as such.  Naming conventions and disclosure statements may vary in form and/or content depending on the account's documented purpose, as well as the governance framework guiding use of the account for official Department business.  Please see the Social Media Hub for platform-specific guidelines for naming and properly disclosing official Department social media assets and/or projects.

b. Domestically, creation of social media sites for official purposes must have management approval at the Deputy Assistant Secretary (DAS) level or above, and be cleared through the Bureau of Public Affairs in accordance with 3 FAM 4175.1.  At post, creation of official accounts must be approved by the Public Affairs Officer (PAO).  The creation of a new official account necessarily involves accepting the underlying terms of service for the account’s platform or service.  Terms of service can be problematic and must be carefully reviewed by personnel with contracting authority or by the Office of the Legal Adviser before a decision is made to accept them.  Creation of new accounts may also be subject to specific requirements within the bureau.

d. All Department social media sites used for official public communications must be registered by visiting the Social Media Account Registry on Diplopedia.

10 FAM 181.3  Social Media Advertising

(CT:PEC-38;   08-24-2017)

a. Management officers may authorize expenditures (using a government credit card or otherwise) for “social media advertising”, i.e., paid promotions of official social media content or accounts.

b. All federal and Department ethics rules and regulations continue to apply to social media advertising, including the prohibition on improper endorsements (5 CFR 2635.702), fundraising (5 CFR 950) and the Hatch Act on prohibited political activities.

c.  See 10 FAH for additional guidance in using social media advertising.

10 FAM 182  OFFICIAL COMMUNICATION USING SOCIAL MEDIA

(CT:PEC-38;   08-24-2017)

a. Senior officials and other employees whose positions make it appropriate for them to engage in official communications on behalf of the Department over social media (“Department social media spokespersons”) must not use personal social media accounts to do so.  They must use official social media accounts, created and owned by the Department.

(1)  Department social media spokespersons must be instructed before they begin their positions that they will not be able to use their personal social media accounts for official communications, and that content on personal social media accounts must comply with 3 FAM 4176.  Forwarding, linking to, or otherwise reposting official content on a personal social media account will not ordinarily constitute official communications if the content was first released on an official platform, provided that it is clear from the circumstances that the personal social media account is not being used to communicate on behalf of the Department.

(2)  When Department social media spokespersons begin their positions, they are provided access to official social media accounts, and they will lose access to those accounts when they leave that position.  Whenever possible, the same account is passed from one incumbent in a position to the next.  As such, account names include only the office or position (e.g., @USEmbConsularManila, @USAmbManila); they do not include personal names.

(3)  Missions, bureaus, or offices must maintain a list of their authorized official social media accounts and the credentials for those accounts.  Accounts are created in accordance with 5 FAM 793.

b. In order to put a “human face” on the Department’s social media presence, Department social media spokespersons are authorized, but not required, to post certain kinds of personal content to their official accounts (e.g., posts about family news, pictures of pets, discussions of hobbies).  This personal content may be considered official communications and must comply with, among other things, restrictions on partisan political activities, endorsements of commercial goods or services, fundraising and solicitations, official actions affecting financial interests, and the publication of information that could compromise the security of the individual or others.  See 3 FAM 4175.2, Content of Official Capacity Public Communications, for additional guidance on content of official communications.

c.  All accounts that have been used for official communications are considered Department accounts, and are either retained by the Department for use by the next incumbent or retired in accordance with applicable records disposition schedules, as appropriate.  The content of such accounts is also retired in accordance with applicable records disposition schedules.

10 FAM 183  Social Media Site Management

(CT:PEC-38;   08-24-2017)

a. All social media sites require ongoing oversight to ensure proper management.  In addition, the sites require sufficient maintenance and a commitment of resources.  Department personnel should be aware of these commitments, before requesting supervisory approval.

b. Supervisors are responsible for ensuring social media sites under their purview are actively used to deliver an appreciable return on investment that advances organizational strategic goals.

c.  Responsibilities for social media site management should be included in position descriptions and staff work requirements, as appropriate.

d. Social media sites that no longer advance the strategic goals of the Department and/or fail to meet performance objectives should be retired from use.  Any social media account, site, platform, or other asset type eligible to be retired must follow Department procedure for retiring social media accounts and their content.

10 FAM 184  Impersonations on Social Media

(CT:PEC-38;   08-24-2017)

a. Impersonations, or the creation of an account that is intended to be mistaken for another account, are not permitted on most major U.S.-based social media platforms, including Facebook and Twitter.  International Information Programs' (IIP's) Digital Support and Training Division is responsible for coordinating with U.S.-based third-party social media platforms to assist Department personnel in addressing situations where sites or accounts are impersonating official U.S. Government sites or accounts, including seeking removal of imposter accounts in an expedited manner.  Impersonation accounts are not the same as parody accounts.  Parody accounts pretend to be another account but for humor, satire, or other reasons that rely upon the viewer’s ability to tell that the account is not real, and they are generally permitted under platforms’ Terms of Service.

b. If you determine that there is an impersonation account on Facebook, you must file a ticket with Facebook and then email IIP’s Digital Support and Training Division at IIPSMS@state.gov with relevant details for documentation so that the ticket may be elevated with Facebook.

c.  If you determine that there is an impersonation account on Twitter, you must report the imposter to Twitter using this form and forward the autoreply email from Twitter, including the ticket number, to IIPSMS@state.gov to expedite the removal process with Twitter.

d. If you determine there is an impersonation account on another platform, you must follow that platform’s reporting guidelines and notify IIPSMS@state.gov.

e. You must not interact with or acknowledge the impersonator to avoid encouraging further activity.

10 FAM 185  Terms of Use/Terms of Service

(CT:PEC-38;   08-24-2017)

a. Department accounts should make clear that members of the public opting to use official Department sites must abide by both the Terms of Service of the hosting commercial or third-party platform and the Department's Terms of Use.

b. “Terms of Service” refers to a contract between the users and the providers of a service.  Pertaining to the Department's use of social media, “terms of service” define the contractual relationship between the Department as the holder/owner of the account itself, and the social media platform on which that account has been established.  Social media platforms often require users to agree to Terms of Service (also known as User Agreement or End User License Agreements) in order to use the service or platform.  This acceptance binds the Department of State to the terms outlined in the Terms of Service agreement.  To accept Terms of Service on behalf of the Department, the individual accepting the agreement must be a direct-hire Department of State employee. Acceptance can take place only after review and approval of the Terms of Service by personnel with contracting authority or by the Office of the Legal Adviser.

c.  “Terms of Use” is a very similar concept, but the Department uses it to refer to an agreement between the Department and the non-Department social media users who are accessing State Department accounts or sites.  Because social media users often access information and post commentary on official Department social media sites, those sites must include a Terms of Use statement that defines the site as a "limited public forum" for engagement between the U.S. government and the public, and explains responsibilities of site administrators and site users, rules of behavior, privacy policies, and other terms.  If the user must create an account just for the State Department social media site, agreement to the Terms of Use should be a requirement for registration.  Site administrators must post the Terms of Use before opening the site to the public.  When users follow or subscribe for updates from official social media accounts, they are requesting additional information from the Department, constituting an information service provided to the public by the government.

d. Department personnel are authorized to notify commercial or third-party platforms of violations of those platforms' Terms of Service by users, which may result in the removal of content or banning users (per the platforms' Terms of Service).  Such notification is required in the case of impersonations of U.S. government officials or entities per 10 FAM 184.

e. Department personnel are authorized to remove content users post to an official site (as they are able, given the features of the platform) that is found to violate the Department-posted Terms of Use.  Department personnel are further authorized to ban users who repeatedly post content violating the Terms of Use.

10 FAM 186  Protecting Government Social Media Accounts

(CT:PEC-38;   08-24-2017)

Bureaus and posts must authenticate all official Facebook, Twitter, and other social media accounts in the Department’s standard social media management tool, Hootsuite Enterprise.  Further guidance can be found on IIP’s Social Media Hub Tag.

The following are required practices when administering official Department social media accounts:

1.   Secure Passwords:  Using unique, complex password is essential to protecting official Department accounts.  Passwords must be unique to the account (not used for other accounts), at least 12 characters long, and must include a mix of uppercase and lowercase letters, numbers and symbols.  Good passwords should not be based around words or phrases that are easy to guess.  You must change the password regularly: at least every 60 days, or sooner if there is any indication an account may be compromised, or following employee transitions.  Users are required to implement these password policies both for their Hootsuite and platform-specific credentials, as both can be used to access a social media account.

2.   Do not share official social media account passwords with anyone outside the Department.

3.   Protect against Credential Harvesting:  Credential harvesting occurs when a malicious actor obtains a victim's username and password in order to access the victim’s email, banking, or social media accounts.  This may be accomplished through social engineering to trick the victim into sharing this information voluntarily, or a malicious actor may send a spear phishing message by email, text message, or on social media.  A link in the spear phishing message would direct the target to a malicious Web site impersonating the login page for the social media platform.  Believing they are logging into the real Web site, the victim would enter their credentials, and the malicious actor would be able to access or hijack the victim's account.

To protect against credential harvesting, always verify the legitimacy of the sender when a message asks you to open a link or attachment.  If you receive notice of suspicious activity, manually navigate to the account settings on that social media platform instead of clicking the link provided in the e-mail.  When entering credentials online, verify that the URL of the Web page displays the prefix “https,” not “http”; this will help identify malicious pages impersonating the legitimate login page.  If you suspect credential harvesting activity, contact the Cyber Incident Response Team at CIRT@state.gov and the local ISSO.

4.   Use multi-factor authentication (also known as two-factor authentication).When two-factor authentication is enabled for an account, the user will be required to enter an additional piece of information besides a password when logging in (usually a short numeric code that can only be used once).  Two-factor authentication must be used whenever available and practicable.  When feasible, it is strongly recommended to use app-based two-factor authentication services.

5.   Secure email accounts:  Posts and bureaus must use a ".gov" email address as the primary e-mail account for managing an official Department social media account.  If (and only if) the social media platform requires using a personal social media or e-mail account for authentication purposes, you may use, but are not required to use, personal accounts to manage official social media accounts.  The same security precautions, including password requirements and two-factor authentication, must be used for any non-".gov" email address used to administer an official social media account.  When using a personal Facebook account to manage an official Department Facebook page, “register” the personal account / email address using Hootsuite so as to be able to act in the event of a cyber incident.

6.   Protect endpoint devices:  Where possible, anti-virus software must be installed on any non-OpenNet device (including personally-owned devices) you use to access Department accounts.  These devices should be properly patched, including the operating system and all applications and software.  When entering credentials online, always ensure connections to social media sites display the prefix “https,” not “http.” At the end of a session, ensure the session is ended by logging out of the service platform and closing the browser, not just the browser tab.

7.   Limit access:  Posts and bureaus must limit the number of individuals with access to their official social media accounts.  Grant access to as few Department personnel as feasible to manage the account effectively.

8.   Use Hootsuite Enterprise:  Every official Department Twitter and Facebook account must be integrated into and accessible via the Hootsuite Enterprise social media management tool.  This tool allows for centralized control of accounts in the event of a crisis at post, providing posts backup support from Regional Digital Coordinators, Consular Affairs’ New Media Unit and other authorized offices and users in Washington.  Guidance on how to authenticate official media accounts in Hootsuite Enterprise is available on IIP’s Social Media Hub.

a. Register individual accounts:  Hootsuite Enterprise users must register their individual user accounts using their individual official .gov email address.  Access will not be granted to group or shared Hootsuite or email accounts or non-.gov accounts.  Exceptions may be granted on a case-by-case basis by submitting a thorough explanation of the need for an exception to IIP’s Digital Support and Training division at IIPSMS@state.gov.

b. Use multi-factor authentication:  In addition to using multi-factor authentication to secure official social media accounts when accessed directly (10 FAM 186.4), multi-factor authentication must also be used when accessing official government social media accounts via the social media management tool, if technically feasible.  A mobile app for multi-factor authentication can be used to generate codes without the use of text messaging and should be used for this purpose; such apps can also be used to sign into other third party sites such as Facebook.

c.  For additional information on Protecting Government Social Media Accounts, refer to 16 State 5974 and DS Awareness Social Media.

d. Refer questions to IIP’s Digital Support and Training Division at IIPSMS@state.gov.