CDCgov / prime-reportstream

ReportStream is a public intermediary tool for delivery of data between different parts of the healthcare ecosystem.
https://reportstream.cdc.gov
Creative Commons Zero v1.0 Universal

AC-8 Compliance for ReportStream Login #1890

Open ronaldheft-gov opened 3 years ago

ronaldheft-gov commented 3 years ago

Problem statement

The ReportStream login page is not AC-8 compliant for a government system.

What you need to know

AC-8 compliance text must appear on the login page.

Acceptance criteria

This is a U.S. government service. Your use indicates your consent to monitoring, recording, and no expectation of privacy. Misuse is subject to criminal and civil penalties. By logging in, you are agreeing to our terms of service.

You are accessing a US Government information system, which includes (1) this computer, (2) this computer network, (3) all computers connected to this network, and (4) all devices and storage media attached to this network or to a computer on this network. This information system is provided for US Government-authorized use only. Unauthorized or improper use of this system may result in disciplinary action, as well as civil and criminal penalties. By using this information system, you understand and consent to the following: You have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system. At any time, and for any lawful government purpose, the government may monitor, intercept, and search and seize any communication or data transiting or stored on this information system. Any communication or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose.

You can see an example of both texts added to SimpleReport's login page and TOS.

ronaldheft-gov commented 3 years ago

@Bisonburger The CDC rejected the AC-8 compliance change for the following reasons:

1) The CDC logo on the Okta sign-on page is served from clearbits.com and not a CDC.gov domain. The logo used should be the newer version, as we have shown in the footer of the site. (i.e. https://reportstream.cdc.gov/assets/img/cdc-logo.svg)

2) The words "Terms of Service" should be linked to the TOS page in the following text on the login page:

This is a U.S. government service. Your use indicates your consent to monitoring, recording, and no expectation of privacy. Misuse is subject to criminal and civil penalties. By logging in, you are agreeing to our terms of service.

3) If the AC-8 text cannot be placed within the Okta box, as has been done on the SimpleReport login page, it needs to be placed above the Okta login box.

4) On the Terms of Service page, the AC-8 text must appear separate from the Terms of Service. It only lives on the page and is not part of the Terms of Service. It should be placed above the header "Terms of service – PRIME ReportStream".