Closed jmmcnj closed 6 years ago
We need to confirm if the banner is 508 compliant
The cloud.gov use/consent banner begins with a shorter, overview version of the banner and then gives the user the chance to view the whole thing if they want. You can look at it here: https://login.fr.cloud.gov/login
From a user experience perspective, this is much nicer - instead of a wall of scary legalese, there's a plain language overview and the option to see the full text. The exact text would probably need review from DOL's legal counsel, but the text on cloud.gov was approved by GSA OGC.
This may go into the next buy, but is also a candidate for a micropurchase.
Here's the issue where the cloud.gov tracked the creation of their consent banner: https://github.com/18F/cg-uaa/issues/15
Note that there's a link in the "full text" banner that defines in greater detail what "intended uses" are. This is the sort of thing you'd work out with your OGC, but it seems like the "intended uses" of this 14c system are way more limited than the intended uses of an IaaS. 😄
@EStriegel Please confirm attached banner language is ok with business.
@binwang89 @mmurthydol The communications branch has a few questions about this requirement. Will set up a meeting with us and the comms branch chief to discuss. Anyone from security I should include? I think this was their requirement.
@EStriegel @mmurthydol please invite @afrimpong her email address is Frimpong-rhin.Akosua@dol.gov and also the contractor Benjamin Gordon, Benjamin Gordon.Benjamin@dol.gov
@binwang89 Thanks! Invite sent.
Per email discussion, here are comments from OPA on the text and placement in chronology: Also noted -- The banner needs to show before the login page, requiring the user to agree to the terms before logging in / creating an account.
Here is a link to a page using the required warning
https://vets4212.dol.gov/vets4212
You are about to access a U.S. Government computer/information system. Access to this system is restricted to authorized users only. Unauthorized access, use, or modification of this computer system or of the data contained herein, or in transit to/from this system, may constitute a violation of Title 18, United States Code, Section 1030 and other federal or state criminal and civil laws. These systems and equipment are subject to monitoring to ensure proper performance of applicable security features or procedures. Such monitoring may result in the acquisition, recording and analysis of all data being communicated, transmitted, processed or stored in this system by a user.
If monitoring reveals possible misuse or criminal activity, notice of such may be provided to supervisory personnel and law enforcement officials as evidence.
Anyone who accesses a Federal computer system without authorization or exceeds their access authority, and by any means of such conduct obtains, alters, damages, destroys, or discloses information, or prevents authorized use of information on the computer, may be subject to fine or imprisonment, or both.
I understand that I am personally responsible for my use and any misuse of my access including my system account and password. I understand that by accessing a U.S. Government information system that I must comply with the prescribed policies and procedures. I acknowledge receipt of, understand my responsibilities, and will comply with the rules of behavior for this system.
Gads, government consent banners are terrifying (the DOD ones are even longer - they call out exemptions, like communications with clergy). @phirefly or @EStriegel Do you think OPA or OLC (maybe both?) would sign off on having a smaller, friendlier version that could be expanded to the full text? I refer back to an earlier comment about the way cloud.gov does it.
@mgwalker We'll take the cloud.gov approach and send that over to be approved.
Per email thread from @binwang89, the banner should come before the user logs into the system.
Confirmed from OPA:
OPA security provided additional guidance below for NIST 800-53-rev4:
The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
@mmurthydol @phirefly Is there anything in the VETS language (pasted below) that is inaccurate/not appropriate for the 14(c) system? Since the language is already posted on the DOL website, I don't think it makes much sense for me to edit. Plus, using already cleared language should make SOL clearance pretty simple.
Will wait to hear from you before I reach out to SOL.
You are about to access a U.S. Government computer/information system. Access to this system is restricted to authorized users only. Unauthorized access, use, or modification of this computer system or of the data contained herein, or in transit to/from this system, may constitute a violation of Title 18, United States Code, Section 1030 and other federal or state criminal and civil laws. These systems and equipment are subject to monitoring to ensure proper performance of applicable security features or procedures. Such monitoring may result in the acquisition, recording and analysis of all data being communicated, transmitted, processed or stored in this system by a user.
If monitoring reveals possible misuse or criminal activity, notice of such may be provided to supervisory personnel and law enforcement officials as evidence.
Anyone who accesses a Federal computer system without authorization or exceeds their access authority, and by any means of such conduct obtains, alters, damages, destroys, or discloses information, or prevents authorized use of information on the computer, may be subject to fine or imprisonment, or both.
I understand that I am personally responsible for my use and any misuse of my access including my system account and password. I understand that by accessing a U.S. Government information system that I must comply with the prescribed policies and procedures. I acknowledge receipt of, understand my responsibilities, and will comply with the rules of behavior for this system.
@EStriegel Liz, generic approved verbiage sounds perfect!
Per discussion with @EStriegel, please move forward with this content while we are getting final approval.
@phirefly I would prefer to leave some indication that requirements are still needed, though the story is unblocked. We might think of some other label to this effect...
Updated my previous comment about the header/footer for the pop-up banner detail that I just confirmed with DOL/OPA today.
@binwang89 @mmurthydol
I received a response from SOL and they provided me a link to the DOL Computer Security Handbook. The handbook first provides DOL's required minimum standards on displaying an approved, system use notification message. The standards are similar to what OPA provided to Michelle:
The information system must display to anyone attempting to gain access, an approved system use notification message or banner, before granting access to the system, that provides privacy and security notices, as applicable, consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
a. Users are accessing a U.S. Government information system
b. Information system usage may be monitored, recorded, and subject to audit
c. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
d. Use of the system indicates consent to monitoring and recording.
The information system use notification messages must remain on the screen until the user acknowledges the usage conditions and takes explicit actions to log onto or further access the information system.
For publicly accessible systems (including but not limited to, websites):
a. The system use information must be available and when appropriate, is displayed before granting access
b. Any references to monitoring, recording, or auditing are in keeping with privacy accommodations for such systems that generally prohibit those activities
c. The notice given to public users of the information system must include a description of the authorized uses of the system
The handbook also provides a sample notification and states, "It is recommended that the ISO and/or system owner consider implementing the following system use notification for all systems; however, it is not a DOL requirement." (pasted below)
WARNING….WARNING….WARNING….WARNING….WARNING
You are accessing a U.S. Government information system that is owned and operated by the Department of Labor. THERE IS NO EXPECTATION OF PRIVACY WHEN ACCESSING THIS SYSTEM. The Department of Labor information systems are provided for the processing of official U.S. Government information only, and are therefore, owned by the Department of Labor. Authorized users are responsible for the proper handling of the Government data equipment and resources which they access.
USE OF THIS SYSTEM BY ANY USER AUTHORIZED OR UNAUTHORIZED CONSTITUTES A CONSENT TO THIS MONITORING, RECORDING, DISCLOSURE, AND ACCEPTS THAT USE OF THE SYSTEM IS SUBJECT TO AUDIT BY AUTHORIZED PERSONNEL.
Fraud and related activity in connection with computers is prohibited by Title 18, U.S. Code Section 1030. Furthermore, this law states that intentionally accessing a computer without authorization or exceeding authorized access and thereby obtaining information from any department or agency of the United States is prohibited and subject to civil and criminal penalties, including (but not limited to), punishment by fine and/or imprisonment. Additionally, DOL may provide law enforcement with any potential evidence of a crime found on aforementioned systems in order for them to investigate such offenses.
WARNING….WARNING….WARNING….WARNING….WARNING
While I think the VETS language meets the minimum requirements, I also don't see a problem with using the example notification - better safe than sorry? Let me know what you think?
@EStriegel @mmurthydol I think the old legacy application banner language must have followed the security handbook (with WARNING….WARNING….WARNING….WARNING….WARNING). Yes, I think it will be better safe than sorry.
@simplyshang This is the final text to use:
Warning
You are accessing a U.S. Government information system that is owned and operated by the Department of Labor. There is no expectation of privacy when accessing this system. The Department of Labor information systems are provided for the processing of official U.S. Government information only, and are therefore, owned by the Department of Labor. Authorized users are responsible for the proper handling of the Government data equipment and resources which they access.
Use of this system by any user authorized or unauthorized constitutes a consent to this monitoring, recording, disclosure, and accepts that use of the system is subject to audit by authorized personnel.
Fraud and related activity in connection with computers is prohibited by Title 18, U.S. Code Section 1030. Furthermore, this law states that intentionally accessing a computer without authorization or exceeding authorized access and thereby obtaining information from any department or agency of the United States is prohibited and subject to civil and criminal penalties, including (but not limited to), punishment by fine and/or imprisonment. Additionally, DOL may provide law enforcement with any potential evidence of a crime found on aforementioned systems in order for them to investigate such offenses.
Prototype w/updates for Log in: https://preview.uxpin.com/156b163e281315ec13eaea4e197a7ce1ad82bb90#/pages/76967294/simulate/no-panels?mode=i
Spin off implementation into a separate user story and add this to dependencies @jmmcnj
Implementation story created and referenced back here: #388
Moving to Done since all relevant stories for implementation have been created.
This story potentially affected by login/EIN workflow. Story/Design not ready...
Description: In ref. to NIST Control AC-8, WHD approved verbiage will be provided for the warning banner/system use notification, which must be displayed upon accessing the information system. “Approving Official”, “Authorizing Official” and “System User”.
Use language provided by Liz in below comment, with functionality similar to cloud.gov (https://login.fr.cloud.gov/login)