USDA Information Technology Services (ITS) Security Policy Manual

Office of the Chief Information Officer (OCIO)

  • 118 pages
  • For Official Use Only
  • November 29, 2004


1. Purpose

This policy manual establishes policy for the management and administration of information technologies for the United States Department of Agriculture (USDA) Office of the Chief Information Officer (OCIO), Information Technology Services (ITS) that supports the Farm Service Agency (FSA), Natural Resources Conservation Service (NRCS), and Rural Development (RD) including Large Offices (Beltsville, Fort Collins, Fort Worth, Kansas City, Lincoln, Portland, Salt Lake, St. Louis, and Washington D.C. — hereafter referred to as “Large Offices”) and Service Centers (including State, District, Area, County, and Local Field Service Offices — hereafter referred to as “Field Offices”), and their partners.

2. Scope

This policy manual is directed to and applies to all Federal employees, partners, Government
contractors, and all others responsible for managing, administrating, supporting, or accessing
information technology for the OCIO-ITS which supports the Service Center Agencies (SCA)
including Large Offices, Field Offices, and their partners. Any persons having a position or title
listed in the Roles and Responsibilities, Section 8, is required to read, understand, and comply
with the content of this policy manual. For the purposes of this policy manual, the Service Center
Agencies includes the Farm Service Agency (FSA), Natural Resources Conservation Service
(NRCS), and Rural Development (RD) agencies including each of these agencies’ Large Offices
and Field Offices. The Service Center Agency partners include conservation districts, state
conservation agencies, farmer-elected committees, county extension agents, co-operatives,
lenders, realtors, growers associations, and agriculture industry groups.

This policy establishes the acceptable use of USDA Office of the Chief Information Officer
(OCIO), Information Technology Services (ITS) information systems that support the Service
Center Agencies (SCA) including Large Offices, Field Offices, and their partners. This includes
the use of information systems, Internet access, and electronic mail (e-mail). OCIO-ITS
information systems provide critical support to the Service Center Agencies. Using OCIO-ITS
information resources for inappropriate, unauthorized, or unlawful activities can seriously
undermine the ability to accomplish the organizational function. Users shall make every effort to
employ OCIO-ITS information resources in an appropriate and acceptable manner, according to
the guidelines defined in this policy.

(2). For Official Use Only (FOUO) Information Protection

(a). For Official Use Only (FOUO) is a document designation that is used to identify
information or material which, although unclassified, may not be appropriate for public
release. There is no national policy governing use of the FOUO designation. FOUO
information is unclassified sensitive information that is or may be exempt from public
release under the FOIA.

(b). The OCIO-ITS shall define what information shall be protected as FOUO and how this
protected information shall be handled. FOUO information may be disseminated as
necessary in the conduct of official business. FOUO information may also be released
to officials in other departments and agencies in performance of a valid government

(c). Unclassified documents and material containing FOUO information shall be marked as

1. Documents will be marked FOR OFFICIAL USE ONLY at the bottom of the front
cover (if available), the title page (if available), the first page, and the outside of the
back cover (if available).

2. Pages of the document that contain FOUO information shall be marked FOR
OFFICIAL USE ONLY at the bottom.

3. Each paragraph containing FOUO information shall be marked with the
abbreviation FOUO in parentheses at the beginning of the FOUO portion.

4. Material other than paper documents (i.e., slides, computer media, films, etc.) shall
bear markings which alert the holder or viewer that the material contains FOUO

(d). FOUO information shall be safeguarded as follows:

1. FOUO information should be handled in a manner that provides reasonable
assurance that unauthorized persons do not gain access.

2. During working hours, reasonable steps should be taken to minimize risk of access
by unauthorized personnel. After working hours, FOUO may be stored as a
minimum in a locked desk, file cabinet, bookcase, locked room, or similar place.

3. FOUO documents and material may be transmitted via first class mail, parcel post,
or, for bulk shipments, via fourth class mail.

4. Fax or e-mail transmission of FOUO information (voice, data, or facsimile) should
be made via encrypted communications systems whenever practical. FOUO
information may be put on an Internet web site only if access to the site is limited to
a specific target audience and the information is encrypted.

5. FOUO documents may be destroyed by shredding or tearing into pieces and
discarding the pieces in a regular trash container unless circumstances recommend a
need for more careful protection.

Share this: