R 162000Z AUG 19 FM COMNAVRESFOR NORFOLK VA TO NAVRESFOR INFO COMNAVRESFORCOM NORFOLK VA COMNAVRESFOR NORFOLK VA BT UNCLAS ALNAVRESFOR 014/19 // MSGID/GENADMIN/COMNAVRESFOR NORFOLK VA// SUBJ/NAVY RESERVE FORCE IT POLICY FOR PERSONAL EMAIL ADDRESSES, APPLICATION AND SYSTEM DEVELOPMENT AND USE, AND COMMERCIAL CLOUD SOLUTIONS// REF/A/MEMO/SECDEF/16JAN18// REF/B/DOC/SECNAVINST 5720.44C CH-1/21FEB12// REF/C/DOC/CNRFINST 5300.5B/12FEB19// REF/D/DOC/DODI 8510.01 CH-2/12MAR14// REF/E/MSG/R 181624Z JAN 19 SECNAV WASHINGTON DC// REF/F/DOC/DODI 8170.01/31DEC18// NARR/REF A PROVIDES POLICY ON PERSONAL EMAIL USE. REF B PROVIDES POLICY AND GUIDANCE FOR INFORMATION RELEASE. REF C IS THE NAVY RESERVE INFORMATION TECHNOLOGY INSTRUCTION. REF D ESTABLISHES IT SYSTEM AUTHORIZATION CRITERIA, RISK MANAGEMENT AND PROCEDURES FOR DOD SYSTEMS AND NETWORKS. REF E PROVIDES SECNAV EXPECTATIONS AND GUIDANCE FOR PROTECTING INFORMATION. REF F PROVIDES SECDEF EXPECTATIONS AND GUIDANCE FOR PROTECTING INFORMATION// POC/MR. CLINT WADSWORTH/GS15/COMNAVRESFOR DEPUTY N6/TEL: 757-322-6643/EMAIL: CLINT.D.WADSWORTH(AT)NAVY.MIL// POC/MR. MARVIN ATKINS/GS14/COMNAVRESFOR ISSM/TEL: 757-322-6661/EMAIL: MARVIN.R.ATKINS(AT)NAVY.MIL// 1. PURPOSE: THIS MESSAGE PROVIDES GUIDANCE FOR THE USE OF PERSONAL EMAIL ACCOUNTS, COMMAND WEBSITES, APPLICATION DEVELOPMENT AND USE, AND COMMERCIAL CLOUD SOLUTIONS FOR RESERVE FORCE MEMBERS (MILITARY, GOVERNMENT CIVILIANS, AND CONTRACTORS). 2. BACKGROUND: RESERVE FORCE MEMBERS STRIVE FOR PROCESS IMPROVEMENT AND INNOVATION. THIS ATTITUDE SHOULD BE COMMENDED AND ENCOURAGED SO LONG AS IT ADHERES TO VETTED AND ESTABLISHED POLICY, DOCTRINE AND PROCEDURES. IN OUR DRIVE FOR MISSION ACCOMPLISHMENT, WE SOMETIMES SEEK SOLUTIONS THAT MAY LEAVE US VULNERABLE TO CYBER THREATS. INFORMATION TECHNOLOGY IS AN ESSENTIAL ENABLER OF RESERVE FORCE SUPPORT TO THE NAVY AND A DIRECT CONTRIBUTOR TO FORCE LETHALITY. RESERVE FORCE MEMBERS HAVE HISTORICALLY RELIED UPON PERSONAL EMAIL ACCOUNTS AND HOME GROWN IT (NON-SECURE COMMAND WEBSITES AND APPLICATIONS THAT HAVE NOT BEEN VETTED THROUGH THE PROPER PROCUREMENT AND SECURITY PROCEDURES) TO CONDUCT OFFICIAL BUSINESS. IN OUR CURRENT CYBER ENVIRONMENT, THE USE OF PERSONAL EMAIL AND NON-VETTED IT SOLUTIONS ARE CONTRARY TO GOOD OPSEC AND INFORMATION SECURITY PRACTICES. 3. ACTION: PER REFERENCES A AND F, THE USE OF PERSONAL EMAIL ACCOUNTS TO CONDUCT OFFICIAL BUSINESS IS PROHIBITED WITH VERY FEW EXCEPTIONS. AS SUCH, PERSONAL EMAIL MAY BE USED FOR PUBLICALLY RELEASABLE INFORMATION PUSHES ONLY (E.G. GOV-DELIVERY). IF INFORMATION PUSHES REQUIRE A REPLY FROM RESERVE FORCE MEMBERS, RESPONSES MUST BE MADE THROUGH THEIR .MIL DOMAIN EMAIL ACCOUNTS. IF AN EXTRAORDINARY OR URGENT SITUATION ARISES WHERE A SERVICE MEMBER HAS NO OTHER MEANS TO CONDUCT BUSINESS EXCEPT THROUGH A PERSONAL ACCOUNT, THEIR .MIL ACCOUNT SHALL BE CARBON COPIED ON ANY AND ALL CORRESPONDENCE. SAID MEMBERS COMMAND/UNIT WILL ALSO REPORT TO THEIR NEXT HIGHER RESERVE ECHELON COMMAND THAT THEIR NON-NMCI EMAIL WAS USED FOR OFFICIAL BUSINESS AND THE CIRCUMSTANCES THAT REQUIRED ITS USE. RCC COMMANDERS HAVE THE AUTHORITY, WITH CNRFC GUIDANCE, TO ADJUDICATE WARRANTED CIRCUMSTANCES TO SET/IMPLEMENT ENFORCEMENT MEASURES WHEN NON-NMCI EMAIL IS USED. AS AN EXAMPLE BEST PRACTICE, A NOSC COMMANDING OFFICER CAN SEND AN EMAIL TO HIS/HER UNIT OFFICERS IN CHARGE TO THEIR PERSONAL EMAIL ACCOUNTS SIMPLY ADVISING THEM TO CHECK THEIR NAVY.MIL (NMCI) ACCOUNTS FOR AN URGENT ITEM. PER REFERENCE D, HOME GROWN WEBSITES AND COMPUTER APPLICATIONS WITHOUT AN EXPLICIT AUTHORITY TO OPERATE (ATO) ISSUED BY THE NAVY AUTHORIZING OFFICAL (NAO) SHALL NOT BE USED. THIS INCLUDES, BUT IS NOT LIMITED TO, COMMAND-HOSTED WEBSITES, APPLICATIONS, AND NON-NAVY NOSC WIFI NETWORKS. COMMANDS WITH IT AND APPLICATION NEEDS NOT CURRENTLY PROVIDED BY CNRFC OR THE NAVY ENTERPRISE MAY SUBMIT IDEAS AND REQUESTS THROUGH CNRFC N6 AT THE FOLLOWING WEBSITE: HTTPS://PRIVATE.NAVYRESERVE.NAVY.MIL/CNRFC/N- CODES/N6/PAGES/SUPPORTREQUESTTFS.ASPX PER REFERENCE C, COMMERCIAL CLOUD SOLUTIONS, SUCH AS GOOGLE DOCS OR DROP BOX, AND COMMAND SOCIAL MEDIA ACCOUNTS MAY BE USED, PROVIDED ONLY RCC APPROVED PAO HAVE VETTED AND AUTHORIZED THE PUBLICALLY RELEASABLE INFORMATION AND IS THEN POSTED WITH ECHELON V OR ABOVE COMMANDING OFFICER APPROVAL. NON-DOD COMMERCIAL CLOUD SOLUTIONS SHALL NOT BE USED TO STORE OPERATIONAL INFORMATION OR FILES CONTAINING PERSONALLY IDENTIFIABLE INFORMATION (PII). PUBLICLY RELEASABLE INFORMATION GUIDANCE CAN BE FOUND IN REFERENCE D. THE CNRFC FORCE PAO HAS FINAL AUTHORITY AS TO WHAT CONSTITUTES PUBLICALLY RELEASABLE INFORMATION FOR THE NAVY RESERVE FORCE. NAVY RESERVE COMMANDS ARE REQUIRED TO ENFORCE THIS POLICY. SAFEGUARDING INFORMATION IS AN ESSENTIAL WARFIGHTING TENANT OF FORCE PROTECTION AND WINNING FUTURE CONFLICTS. IAW REF E, ALL HANDS MUST BE ALERT TO PREVENT UNAUTHORIZED DISCLOSURE OF NON-PUBLIC INFORMATION FOR ANY REASON, WHETHER BY IMPLIED KNOWLEDGEMENT OR INTENTIONAL RELEASE. MISCONDUCT CANNOT BE TOLERATED, AND SUSPECTED OR CONFIRMED DISCLOSURE MUST BE REPORTED TO YOUR CHAIN OF COMMAND AT ONCE. 4. EXCEPTIONS: NONE 5. THIS GENADMIN WILL REMAIN IN EFFECT UNTIL CANCELLED OR SUPERSEDED. 6. RELEASED BY RADM T. W. LUSCHER, DEPUTY COMMANDER, NAVY RESERVE FORCE.// BT #0019 NNNN