5 FAH-8 H-100
WEB DEVELOPMENT HANDBOOK
5 FAH-8 H-110
WEB DEVELOPMENT
(CT:WEB-33; 09-24-2024)
(Office of Origin: DT/OPS/SIO)
5 FAH-8 H-111 PURPOSE
(CT:WEB-1; 09-29-2005)
This handbook prescribes the basic procedures and practices for developing websites/pages domestically and abroad. It is intended:
(1) For the use of officers, supervisors, or other personnel who are directly or indirectly responsible for management of website programs;
(2) For the design, development, and maintenance of the web pages; and
(3) To establish the base standard, not to limit the developer's creativity.
5 FAH-8 H-112 SCOPE
(CT:WEB-25; 04-14-2023)
a. This handbook contains specific guidelines for design, development, and maintenance of the web pages. It also presents guidance on managing web development programs. Web based platforms that do not allow site administrators to make the changes necessary to comply with the FAH are out of scope.
b. Information contained in this handbook is relevant to web pages on all Department of State enterprise networks, including but not limited to:
· OpenNet
· ClassNet
· The Internet
· Cloud Environments
It is applicable to SIPRNet except where requirements of this handbook conflict with Department of Defense requirements for SIPRNet.
c. As a minimum, the requirements in 5 FAH-8 H-500, Accessibility and Usability, apply to web-enabled applications.
d. Although individual websites do not require approval of the IT Configuration Control Board (IT CCB), web-based applications may be of sufficient scope as to meet IT CCB criteria. Web applications development staff should consult with their bureau IT CCB representative when making this determination.
e. Requirements and policies for approval of content are outside the scope of this handbook. Refer to post/bureau procedures for obtaining appropriate approvals.
f. Issues not addressed within this handbook are omitted by design rather than oversight.
5 FAH-8 H-113 CODE EXAMPLES AND TYPOGRAPHICAL CONVENTIONS
(CT:WEB-31; 07-10-2024)
5 FAH-8 H-113.1 Code Examples
(CT:WEB-16; 07-24-2017)
Examples of hypertext markup language (HTML) and cascading style sheet (CSS) code shown in this handbook are not the only way to meet the various requirements for website development. They have been tested on a computer configured in accordance with the Directorate of Cyber and Technology Security (DS/CTS) specifications and are provided for the benefit of website developers who may not know how to implement the feature being described.
5 FAH-8 H-113.2 Typographical Conventions
(CT:WEB-1; 09-29-2005)
Code examples are shown in fixed pitch Courier typeface. The constant width property of the characters allows the reader to distinguish between single and multiple spaces.
5 FAH-8 H-114 AUTHORITIES
(CT:WEB-25; 04-14-2023)
a. Authorities for this handbook are:
(1) Executive Order 13526 as amended — Classified National Security Information;
(2) Americans with Disabilities Act of 1990, 42 U.S.C. 12101 note et seq.;
(3) Rehabilitation Act of 1973, 29 U.S.C. 794d (Section 508);
(4) Children's Online Privacy Protection Act, 15 U.S.C. 6501 et seq.;
(5) Government Paperwork Elimination Act, 44 U.S.C. 3504;
(6) Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), Public Law 104-106, Division E;
(7) Federal Information Security Modernization Act (FISMA) of 2014, Public Law 113-283;
(8) OMB Directive M-15-13, Policy to Require Secure Connections Across Federal Websites and Web Services;
(9) OMB Memorandum M-99-18, Privacy Policies on Federal Websites;
(10) OMB Circular A-130, Management of Federal Information Resources, 61 Federal Register 6428 (1996);
(11) OMB Memorandum M-05-04, Policies for Federal Agency Public Websites, December 17, 2004;
(12) OMB Memorandum M-00-13, Privacy Policies and Data Collection on Federal Websites, June 22, 2000;
(13) United States Information and Educational Exchange Act of 1948 (Smith-Mundt Act), as amended, 22 U.S.C. 1461; and
(14) 36 CFR 1194.22, web-based intranet and Internet information and applications.
b. Consider adding these authorities:
(1) Plain Writing Act of 2010;
(2) Integrated Digital Experience Act;
(3) OMB Final Guidance on Implementing the Plain Writing Act of 2010 (M-11-15);
(4) Recent EOs and regulations on the digital.gov Policies and Regulations page;
(5) OMB memorandum M-17-06;
(6) CISA’s Binding Operational Directives.
5 FAH-8 H-115 ROLES AND RESPONSIBILITIES
(CT:WEB-33; 09-24-2024)
a. Successful design and production of a website requires an interdisciplinary team, which may be composed of FTE personnel and, when determined to be effective, contractors. The composition and overlap of duties of the web program team will vary, depending upon the needs of the website, available budget, and the availability of expertise. However, most websites require expertise in three distinct groups: content, graphic design, and technology.
b. There are many different titles for the various roles and responsibilities of a web team. The responsibilities associated with each role must be performed regardless of the title assigned to the role:
(1) Content manager: Responsible for defining the content of part or all of a website. The content manager will focus on the use of language throughout the website. Tasks may involve proofreading and editing copy, ensuring content has a consistent voice for the site, and creating new content. The content manager is responsible for ensuring the information provided on the website is current and accurate. The content manager is also responsible for ensuring information forbidden by 5 FAM 776.3 is not included on the website;
(2) Database administrator: If a database is used to maintain information displayed on a website, a database administrator will be responsible for ensuring high degrees of data integrity and data quality are maintained;
(3) Developer: Responsible for creating the website to meet the requirements and specifications of the website development program. The development team works closely with the content manager and database administrator to produce a website that meets these goals. Depending on the size of the program, this may be a team consisting of:
(a) Information architect: Responsible, in broad terms, for deciding how to structure, select, and present information (inclusive of information architecture, information visualization, and information retrieval);
(b) Writer/editor: Responsible for routine, ongoing organization of content; writing/editing names of links, titles, and other web page text; editing documents and defining appropriate breakdowns due to page length; reading document and selecting appropriate metatags, etc.; and
(c) Graphic designer: Responsible for the graphic design and page layout that defines the graphic identity or look of the website;
(4) Program manager: An individual who may require program manager certification and who has overall responsibility for the initial development and operational maintenance of the website. The program manager is responsible for coordinating the requirements with those organizational elements that will use the site to convey information; and
(5) Technical (web administration): Responsible for the server administration and the development or integration of site production tools and website applications. Provides advice regarding technology-related opportunities and limitations.
c. Website asset owners must certify their websites are configured and maintained to comply with the HTTPS requirements of OMB directive M-15-13 (HTTPS-only, with HTTP Strict Transport Security (HSTS) enabled). The website asset owner will verify that the websites are listed in the Integrated Management, Analytics, and Technology Resource for Information Exchange (iMATRIX) application, with the HTTPS compliance field completed and all the appropriate architectural details recorded. iMATRIX is located at: Welcome to iMatrix (sharepoint.com)
d. Websites must employ Department-issued PKI certificates for server authentication and encryption of HTTPS sessions. Contact the PKI Program Office in DT/FO/ITI/SI/IIB at PKIRegistrationCenter@state.gov to obtain Department PKI certificates.
e. Websites must demonstrate that the cryptographic modules used for HTTPS have been validated under FIPS 140-2. Information on validated cryptographic modules is available from the NIST Cryptographic Module Validation Program (CMVP) at http://csrc.nist.gov/groups/STM/cmvp/.
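The following script is an added example, not part of the handbook, showing how a website asset owner might check the observable parts of paragraphs c through e before certifying a site in iMATRIX: HTTP-to-HTTPS redirection, a modern TLS version, an HSTS header with a max-age of at least one year, a certificate chaining to the Department PKI, and certificate validity. The issuer name fragment, the sample site records, and the function names are assumptions constructed for illustration; FIPS 140-2 validation of the server's cryptographic module is a server-side property that must be confirmed against the CMVP list and cannot be observed from a client probe.

```python
"""HTTPS compliance check for a Department website (added example,
modelled on 5 FAH-8 H-115 c-e and OMB M-15-13; not handbook code)."""
import http.client
import socket
import ssl
from datetime import datetime, timezone

# Assumed fragment of the issuer common name used by Department-issued PKI.
DEPT_ISSUER_FRAGMENT = "Department of State"
MIN_HSTS_MAX_AGE = 31536000          # one year, in seconds
ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3"}


def parse_hsts_max_age(value):
    """Return the max-age directive of an HSTS header value, or None if absent/malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def evaluate(site):
    """Return a list of findings for one site record; an empty list means compliant.

    The record carries what a probe collects: http_redirects_to_https (bool),
    tls_version (str), cipher (str), headers (dict), cert_issuer (str, issuer CN)
    and cert_not_after (timezone-aware datetime).
    """
    findings = []
    if not site["http_redirects_to_https"]:
        findings.append("plain HTTP is served without redirecting to HTTPS")
    if site["tls_version"] not in ACCEPTED_TLS:
        findings.append(f"negotiated {site['tls_version']}; TLS 1.2 or later required")
    headers = {k.lower(): v for k, v in site["headers"].items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None:
            findings.append("HSTS max-age directive missing or malformed")
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below one year")
    if DEPT_ISSUER_FRAGMENT not in site["cert_issuer"]:
        findings.append(f"certificate issued by '{site['cert_issuer']}', not Department PKI")
    if site["cert_not_after"] <= datetime.now(timezone.utc):
        findings.append("certificate has expired")
    return findings


def probe(hostname, timeout=5.0):
    """Collect a site record from a live host (network access required; not run here)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            tls_version, cipher = tls.version(), tls.cipher()[0]
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("commonName", "")
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    secure = http.client.HTTPSConnection(hostname, timeout=timeout, context=ctx)
    secure.request("HEAD", "/")
    headers = dict(secure.getresponse().getheaders())
    secure.close()
    plain = http.client.HTTPConnection(hostname, timeout=timeout)
    plain.request("HEAD", "/")
    resp = plain.getresponse()
    location = resp.getheader("Location") or ""
    plain.close()
    return {
        "http_redirects_to_https": resp.status in (301, 302, 307, 308) and location.startswith("https://"),
        "tls_version": tls_version, "cipher": cipher, "headers": headers,
        "cert_issuer": issuer, "cert_not_after": not_after,
    }


# Constructed sample records (assumed values, not real Department sites).
COMPLIANT_SAMPLE = {
    "http_redirects_to_https": True, "tls_version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384",
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "cert_issuer": "U.S. Department of State Issuing CA",
    "cert_not_after": datetime(2099, 1, 1, tzinfo=timezone.utc),
}
WEAK_SAMPLE = {
    "http_redirects_to_https": False, "tls_version": "TLSv1", "cipher": "AES128-SHA",
    "headers": {"Strict-Transport-Security": "max-age=300"},
    "cert_issuer": "Example Commercial CA",
    "cert_not_after": datetime(2020, 1, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for name, record in (("compliant", COMPLIANT_SAMPLE), ("weak", WEAK_SAMPLE)):
        print(name, evaluate(record) or "no findings")
```

Run the script as-is to see the two constructed records evaluated; call probe("www.example.gov") followed by evaluate(...) to assess a live host. The check deliberately treats an expired certificate and a non-Department issuer as separate findings so the asset owner can see whether the fix is a renewal through the PKI Program Office or a re-issuance.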
5 FAH-8 H-116 DEFINITIONS
(CT:WEB-33; 09-24-2024)
For the purposes of this Handbook, the following definitions apply:
Accessibility: The degree to which the content of a website is available to everyone, including persons with disabilities.
Authentication: Proving to a system that you are who you claim to be, for example by presenting a password or by demonstrating possession of a private key (as with a PKI certificate).
Bandwidth: The amount of data that can be transmitted in a fixed amount of time. For digital devices, the bandwidth is usually expressed in bits per second (bps) or bytes per second. For analog devices, the bandwidth is expressed in cycles per second (cps), or Hertz (Hz).
Baud rate: The number of signal changes (symbols) per second on a communications line. Because a symbol can carry more than one bit, baud rate is not the same as bits per second (bps), although the two are often used interchangeably for simple links. The higher the rate, the faster the connection.
Deprecated: In the context of this document, deprecated is used in its specific technical meaning to describe a feature that has been phased out or is in the process of being phased out, and/or is no longer recommended for usage.
Development network: A dedicated standalone network used exclusively for developing websites and local applications.
DMZ: A DMZ, demilitarized zone, is a subnetwork that sits between a trusted internal network and an untrusted external network.
Domain names: The plain-language address that points to a numeric internet protocol (IP) address. A fully qualified domain name includes a top-level, second-level, and third-level component. Domain name structure is:
(1) Top-level: The rightmost label of the domain name, either a generic extension or a country code. Generic top-level domains such as .com and .org carry no geographic meaning; .gov is reserved for U.S. government entities. Examples: .gov for U.S. government, .fr for France;
(2) Second-level: The top-level combined with a name which describes the company or organization. Example: state.gov;
(3) Third-level: The second-level combined with the name of the host server where web-based services can be located. Examples: www.state.gov identifies the web server at the Department of State within the Federal government; www2.state.gov might identify a second web server in the Department of State; and
(4) Sub-domain: A further division of the second-level. Example: webx.dt.state.gov points to a host server named "webx" on subdomain "dt" of domain "state.gov."
E-zine: An electronic magazine, online magazine, or journal.
Extensible Markup Language (XML): A simplified subset of Standard Generalized Markup Language (SGML), XML is a very extensible markup language used to describe many kinds of data, with the aim of making such data easier to share across systems and over the Internet.
Extranet: A network that is partially accessible to users outside of the business or agency, usually requiring an additional level of authentication from those users.
Graphical interchange format (GIF): GIF files support 8-bit color (a palette of up to 256 colors) and are best used for illustrations and flat graphics.
Home page: The first page of a website that commonly acts as a menu to other pages. A web portal is an example of a home page.
HyperText Mark-up Language (HTML): The language used to describe web pages. Browsers interpret HTML documents and display the text and graphics represented in the code.
iMATRIX: The Department's IT portfolio management tool that serves as the single authoritative source for information on Department technology investments, programs, projects, and assets. It merged and replaced two legacy repositories, ITAB and eCPIC.
Information architecture: The content organization of a website (similar to the outline for a book with chapters, subchapters, cross-references, index).
Internet (upper-case I): The commonly accepted name for the vast collection of interconnected networks that all use the TCP/IP protocols and that evolved from the ARPANET of the late 60’s and early 70’s. The Internet has no access controls and is publicly accessible.
Internet (lower-case i): Any time you connect 2 or more networks together, you have an internet.
Internet Protocol (IP) address: An identifier for a computer or device on a network employing Transmission-Control Protocol/Internet Protocol (TCP/IP). Networks using the TCP/IP protocol route messages based on the IP address of the destination.
Intranet: A private network inside a company or organization that, at a minimum, resides behind a firewall and requires user authentication.
IP protocol: The packet-delivery protocol of the TCP/IP family. IP itself is best-effort: individual packets that comprise a communication may be transmitted by different routes through the network, may arrive out of order, or may be lost. Guaranteed delivery is provided by TCP running over IP, which ensures:
(1) Each packet reaches the destination (lost packets are retransmitted); and
(2) The packets are reassembled in the correct sequence (see also UDP protocol).
Java: A powerful programming language originally developed by Sun Microsystems that is used by software developers to build a variety of applications, including web pages.
Joint Photographic Expert Group (JPEG): A method of compressing bitmapped images that allows for variable degrees of compression (low, medium, high, and maximum quality). There is some loss of image quality when a compressed image is decompressed.
.NET Core: Open-source, cross-platform version of the .NET platform; ASP.NET Core is its web-development framework, used to create web applications on Microsoft .NET.
OpenNet+: A physical and logical global network that uses Internet Protocol (IP) to link the Department of State’s domestic Local Area Networks (LANs) and its LANs abroad. The physical aspect of the network uses Diplomatic Telecommunications Service (DTS) provided X.25 circuits for posts abroad, FTS-2001 provided X.25 circuits, leased lines and dial-up public switched networks. This includes interconnected hubs, routers, bridges, switches, and cables. The logical aspect of the network uses Network Management System (NMS) and TCP/IP software, and other operational network applications.
Portable Document Format (PDF): Adobe's file format for creating documents that are independent (hence, portable) from the original software, operating systems and hardware used to create them. In addition to open-source readers for many platforms, Adobe also provides the free Acrobat Reader software for viewing PDF files.
Portable Network Graphics (PNG): A bitmap image format used largely on the World Wide Web. PNG allows for greater bit depth (more colors per image) than GIF yet, unlike JPEG, is a lossless compression format, meaning that there is no loss of image quality when an image is compressed or decompressed.
Script: Also called a macro or batch file, a script is an ordered list of commands that can be executed as a unit without user interaction. During execution, a script can require a response from a user.
Search engine: Usually means a website or web application which searches the Internet for pages and content matching a text search. Can also indicate a program which performs searches against specific databases, or websites which search for content based on non-textual input, like songs.
TCP/IP: An acronym for Transmission Control Protocol/Internet Protocol: The set of rules that allows computers to communicate on a network.
UDP protocol: A nonguaranteed delivery protocol within the TCP/IP family of protocols. Individual packets that comprise a communication may be transmitted by different routes through the network to reach their destination, and lost packets are not retransmitted. UDP is used when lost packets are tolerable, such as periodic readings from an outdoor weather station (see also IP protocol).
Uniform Resource Locator (URL): The address of a website that includes the protocol used to reach the target server (http, https, ftp, etc.) and the host system (domain name) on which the document resides. The URL may also include the directory path to the document, and the document filename. The URL https://www.state.gov identifies the protocol https and the domain name www.state.gov. The absence of a path and filename causes the host system to use locally assigned default values.
Upgrade: A new version of a website, software program, or application which replaces a prior version. For websites, the only version a user sees is the current one, whereas for a software program earlier versions may still exist which do not contain the same features.
Usability: The ease with which a user can locate information on a website.
Web browser: Software which translates computer code (HTML, CSS, XML) into web pages and views for the user. Browsers also offer alternative interface technologies, for example to assist the vision impaired.
Web portal: Term used to describe a website that is intended to be the first place people see when using the web. Typically, a "portal site" has a catalog of websites, a search engine, or both. A portal site may also offer e-mail and other services to entice people to use that site as their main "point of entry" (hence "portal") to the web. A web portal is commonly referred to as simply a portal.
Website: A website is a collection of web pages typically related by a topic, an organization, a commercial interest, or a government agency. It may contain text, images, videos, audio files, and other content, all of which is delivered under the same base URL (e.g., companyname.com, office.gov, orgname.org). First appearing in the form of HTML-based files, websites have grown exponentially in size and capability. Successful sites have clear navigation options, fresh contents, and efficient performance.
World Wide Web Consortium (W3C): An association of corporations, research groups, nonprofit organizations, and governmental agencies that are working together to define a web infrastructure based on open, interoperable standards.
5 FAH-8 H-117 THROUGH H-119 UNASSIGNED