18F / dol-whd-14c

The 14(c) system will become a modern, digital-first service. Applicants will be provided an intuitive online experience, guiding them through the information needed to complete their application correctly.

As a WHD Security Officer, I would like the system to show the user a System Use Notification banner on entrance to the application #81

Closed jmmcnj closed 6 years ago

jmmcnj commented 7 years ago

This story potentially affected by login/EIN workflow. Story/Design not ready...

Description: In ref to NIST Control AC-8, WHD approved verbiage will be provided for the warning banner/system use notification, which must be displayed upon accessing the information system. "Approving Official", "Authorizing Official" and "System User".

Use language provided by Liz in below comment, with functionality similar to cloud.gov (https://login.fr.cloud.gov/login)

Acceptance Criteria

Tasks

Functionality

Tasks:

afrimpong commented 7 years ago

We need to confirm if the banner is 508 compliant.

mgwalker commented 7 years ago

The cloud.gov use/consent banner begins with a shorter, overview version of the banner and then gives the user the chance to view the whole thing if they want. You can look at it here: https://login.fr.cloud.gov/login

From a user experience perspective, this is much nicer - instead of a wall of scary legalese, there's a plain language overview and the option to see the full text. The exact text would probably need review from DOL's legal counsel, but the text on cloud.gov was approved by GSA OGC.

This may go into the next buy, but is also a candidate for a micropurchase.

mgwalker commented 7 years ago

Here's the issue where the cloud.gov tracked the creation of their consent banner: https://github.com/18F/cg-uaa/issues/15

Note that there's a link in the "full text" banner that defines in greater detail what "intended uses" are. This is the sort of thing you'd work out with your OGC, but it seems like the "intended uses" of this 14c system are way more limited than the intended uses of an IaaS. 😄

binwang89 commented 7 years ago

@EStriegel Please confirm attached banner language is ok with business.

EStriegel commented 7 years ago

@binwang89 @mmurthydol The communications branch has a few questions about this requirement. Will set up a meeting with us and the comms branch chief to discuss. Anyone from security I should include? I think this was their requirement..

binwang89 commented 7 years ago

@EStriegel @mmurthydol please invite @afrimpong her email address is Frimpong-rhin.Akosua@dol.gov and also the contractor Benjamin Gordon, Benjamin Gordon.Benjamin@dol.gov

EStriegel commented 7 years ago

@binwang89 Thanks! Invite sent.

phirefly commented 7 years ago

Per email discussion, here are comments from OPA on the text and placement in chronology: Also noted -- The banner needs to show before the login page, requiring the user to agree to the terms before logging in / creating an account.

Here is a link to a page using the required warning

https://vets4212.dol.gov/vets4212

You are about to access a U.S. Government computer/information system. Access to this system is restricted to authorized users only. Unauthorized access, use, or modification of this computer system or of the data contained herein, or in transit to/from this system, may constitute a violation of Title 18, United States Code, Section 1030 and other federal or state criminal and civil laws. These systems and equipment are subject to monitoring to ensure proper performance of applicable security features or procedures. Such monitoring may result in the acquisition, recording and analysis of all data being communicated, transmitted, processed or stored in this system by a user.

If monitoring reveals possible misuse or criminal activity, notice of such may be provided to supervisory personnel and law enforcement officials as evidence.

Anyone who accesses a Federal computer system without authorization or exceeds their access authority, and by any means of such conduct obtains, alters, damages, destroys, or discloses information, or prevents authorized use of information on the computer, may be subject to fine or imprisonment, or both.

I understand that I am personally responsible for my use and any misuse of my access including my system account and password. I understand that by accessing a U.S. Government information system that I must comply with the prescribed policies and procedures. I acknowledge receipt of, understand my responsibilities, and will comply with the rules of behavior for this system.

mgwalker commented 7 years ago

Gads, government consent banners are terrifying (the DOD ones are even longer - they call out exemptions, like communications with clergy). @phirefly or @EStriegel Do you think OPA or OLC (maybe both?) would sign off on having a smaller, friendlier version that could be expanded to the full text? I refer back to an earlier comment about the way cloud.gov does it.

phirefly commented 6 years ago

@mgwalker We'll take the cloud.gov approach and send that over to be approved.

phirefly commented 6 years ago

Per email thread from @binwang89, the banner should come before the user logs into the system.

binwang89 commented 6 years ago

Confirmed from OPA:

  1. The banner should come before the user logs into the system.
  2. If the verbiage is a lot, we can provide a smaller, friendlier version that could be expanded to the full text on click. See the cloud.gov example. https://login.fr.cloud.gov/login
  3. For the verbiage, we can send them suggested text, and they will let us know if it is acceptable.
  4. DOL header/footer is required to display on every page. However, if the banner detail is in a pop-up (like the example from cloud.gov), you do not need to use the header/footer for the pop-up page.

OPA security provided additional guidance below for NIST 800-53-rev4:

The information system:

  a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
     1. Users are accessing a U.S. Government information system;
     2. Information system usage may be monitored, recorded, and subject to audit;
     3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
     4. Use of the information system indicates consent to monitoring and recording;
  b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
  c. For publicly accessible systems:
     1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
     2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
     3. Includes a description of the authorized uses of the system.

Supplemental Guidance: System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.

EStriegel commented 6 years ago

@mmurthydol @phirefly Is there anything in the VETS language (pasted below) that is inaccurate/not appropriate for the 14(c) system? Since the language is already posted on the DOL website, I don't think it makes much sense for me to edit. Plus, using already cleared language should make SOL clearance pretty simple.

Will wait to hear from you before I reach out to SOL.

You are about to access a U.S. Government computer/information system. Access to this system is restricted to authorized users only. Unauthorized access, use, or modification of this computer system or of the data contained herein, or in transit to/from this system, may constitute a violation of Title 18, United States Code, Section 1030 and other federal or state criminal and civil laws. These systems and equipment are subject to monitoring to ensure proper performance of applicable security features or procedures. Such monitoring may result in the acquisition, recording and analysis of all data being communicated, transmitted, processed or stored in this system by a user.

If monitoring reveals possible misuse or criminal activity, notice of such may be provided to supervisory personnel and law enforcement officials as evidence.

Anyone who accesses a Federal computer system without authorization or exceeds their access authority, and by any means of such conduct obtains, alters, damages, destroys, or discloses information, or prevents authorized use of information on the computer, may be subject to fine or imprisonment, or both.

I understand that I am personally responsible for my use and any misuse of my access including my system account and password. I understand that by accessing a U.S. Government information system that I must comply with the prescribed policies and procedures. I acknowledge receipt of, understand my responsibilities, and will comply with the rules of behavior for this system.

mmurthydol commented 6 years ago

@EStriegel Liz, generic approved verbiage sounds perfect!

phirefly commented 6 years ago

Per discussion with @EStriegel, please move forward with this content while we are getting final approval.

mmurthydol commented 6 years ago

@phirefly I would prefer to leave some indication that requirements are still needed though story is unblocked. We might think some other label to this effect...

binwang89 commented 6 years ago

Updated my previous comment about the header/footer for the pop-up banner detail that I just confirmed with DOL/OPA today.

EStriegel commented 6 years ago

@binwang89 @mmurthydol

I received a response from SOL and they provided me a link to the DOL Computer Security Handbook. The handbook first provides DOL's required minimum standards on displaying an approved system use notification message. The standards are similar to what OPA provided to Michelle:

  1. The information system must display to anyone attempting to gain access, an approved system use notification message or banner, before granting access to the system, that provides privacy and security notices, as applicable, consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
     a. Users are accessing a U.S. Government information system
     b. Information system usage may be monitored, recorded, and subject to audit
     c. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
     d. Use of the system indicates consent to monitoring and recording.

  2. The information system use notification messages must remain on the screen until the user acknowledges the usage conditions and takes explicit actions to log onto or further access the information system.

  3. For publicly accessible systems (including but not limited to, websites):
     a. The system use information must be available and, when appropriate, is displayed before granting access
     b. Any references to monitoring, recording, or auditing are in keeping with privacy accommodations for such systems that generally prohibit those activities
     c. The notice given to public users of the information system must include a description of the authorized uses of the system

The handbook also provides a sample notification and states, "It is recommended that the ISO and/or system owner consider implementing the following system use notification for all systems; however, it is not a DOL requirement." (pasted below)

WARNING….WARNING….WARNING….WARNING….WARNING

You are accessing a U.S. Government information system that is owned and operated by the Department of Labor. THERE IS NO EXPECTATION OF PRIVACY WHEN ACCESSING THIS SYSTEM. The Department of Labor information systems are provided for the processing of official U.S. Government information only, and are therefore, owned by the Department of Labor. Authorized users are responsible for the proper handling of the Government data equipment and resources which they access.

USE OF THIS SYSTEM BY ANY USER AUTHORIZED OR UNAUTHORIZED CONSTITUTES A CONSENT TO THIS MONITORING, RECORDING, DISCLOSURE, AND ACCEPTS THAT USE OF THE SYSTEM IS SUBJECT TO AUDIT BY AUTHORIZED PERSONNEL.

Fraud and related activity in connection with computers is prohibited by Title 18, U.S. Code Section 1030. Furthermore, this law states that intentionally accessing a computer without authorization or exceeding authorized access and thereby obtaining information from any department or agency of the United States is prohibited and subject to civil and criminal penalties, including (but not limited to), punishment by fine and/or imprisonment. Additionally, DOL may provide law enforcement with any potential evidence of a crime found on aforementioned systems in order for them to investigate such offenses.

WARNING….WARNING….WARNING….WARNING….WARNING

While I think the VETS language meets the minimum requirements, I also don't see a problem with using the example notification - better safe than sorry? Let me know what you think?
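The "banner before login, held on screen until an explicit acknowledgement" rules quoted in the OPA and handbook comments above, as an added example that is not code from the dol-whd-14c project: a framework-free request gate in JavaScript. The route paths, the session shape and the posted field name `acknowledge` are assumptions, and the banner text is a placeholder for the approved wording.

```javascript
// Added example, not dol-whd-14c project code. Route paths, session shape and the
// "acknowledge" form field are assumptions; the notice text is a placeholder.

const NOTICE = {
  // Short overview shown first (the cloud.gov pattern); full text shown on request.
  summary: 'You are accessing a U.S. Government information system ...',
  full: 'PLACEHOLDER: insert the SOL-approved system use notification text here',
};

function newSession() {
  // Acknowledgement lives only in the session: a new session sees the banner again.
  return { noticeAcknowledged: false, authenticated: false };
}

// Decide how to answer a request. Returns a plain action object instead of writing
// to an HTTP response so the policy can be unit tested without a web framework.
function route(session, req) {
  const { method, path, body = {} } = req;

  if (method === 'GET' && path === '/notice') {
    return { action: 'render', view: 'notice', notice: NOTICE };
  }
  if (method === 'POST' && path === '/notice/acknowledge') {
    // The banner must stay until the user takes an explicit action: only a posted
    // acknowledgement (never a page load or a redirect) clears it.
    if (body.acknowledge !== 'yes') {
      return { action: 'render', view: 'notice', notice: NOTICE, error: 'acknowledgement required' };
    }
    session.noticeAcknowledged = true;
    return { action: 'redirect', location: '/login' };
  }
  // Everything else, including the login and account-creation pages, is withheld
  // until the notice has been acknowledged in this session (banner before login).
  if (!session.noticeAcknowledged) {
    return { action: 'redirect', location: '/notice' };
  }
  if (method === 'GET' && (path === '/login' || path === '/register')) {
    return { action: 'render', view: path.slice(1) };
  }
  if (method === 'POST' && path === '/login') {
    session.authenticated = true; // credential check omitted (out of scope here)
    return { action: 'redirect', location: '/app' };
  }
  if (!session.authenticated) {
    return { action: 'redirect', location: '/login' };
  }
  return { action: 'render', view: path.slice(1) };
}
```

Because acknowledgement is keyed to the session rather than a persistent cookie, logging out or starting a new session presents the banner again, which is what the "before granting access" wording calls for.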

binwang89 commented 6 years ago

@EStriegel @mmurthydol I think the old legacy application banner language must have followed the security handbook (with WARNING….WARNING….WARNING….WARNING….WARNING). Yes, I think it will be better safe than sorry.

EStriegel commented 6 years ago

@simplyshang This is the final text to use:

Warning

You are accessing a U.S. Government information system that is owned and operated by the Department of Labor. There is no expectation of privacy when accessing this system. The Department of Labor information systems are provided for the processing of official U.S. Government information only, and are therefore, owned by the Department of Labor. Authorized users are responsible for the proper handling of the Government data equipment and resources which they access.

Use of this system by any user authorized or unauthorized constitutes a consent to this monitoring, recording, disclosure, and accepts that use of the system is subject to audit by authorized personnel.

Fraud and related activity in connection with computers is prohibited by Title 18, U.S. Code Section 1030. Furthermore, this law states that intentionally accessing a computer without authorization or exceeding authorized access and thereby obtaining information from any department or agency of the United States is prohibited and subject to civil and criminal penalties, including (but not limited to), punishment by fine and/or imprisonment. Additionally, DOL may provide law enforcement with any potential evidence of a crime found on aforementioned systems in order for them to investigate such offenses.

simplyshang commented 6 years ago

Prototype w/updates for Log in: https://preview.uxpin.com/156b163e281315ec13eaea4e197a7ce1ad82bb90#/pages/76967294/simulate/no-panels?mode=i

jmmcnj commented 6 years ago

Spin off implementation into a separate user story and add this to dependencies @jmmcnj

jmmcnj commented 6 years ago

Implementation story created and referenced back here: #388

phirefly commented 6 years ago

Moving to Done since all relevant stories for implementation have been created.