Issued 05/30/96; Effective 05/17/96
SECTION 1. PURPOSE.
This Order provides National Oceanic and Atmospheric Administration (NOAA) resource management and operational policy guidance for Internet access acquisition, Internet Protocol (IP) addresses, and Domain Name Services to improve the overall quality and effectiveness of NOAA information resources presented on the Internet. It sanctions the ongoing development of more specific guidance by interdisciplinary NOAA organizational entities and working groups as necessary, to be issued separately.
SECTION 2. SCOPE.
This Order applies only to mailing lists containing non-DOC free subscribers. When a mailing list contains both paid and free subscribers, only the free portion is affected by this Order. A review is not necessary for mailing lists containing fewer than twenty-five (25) addresses.
SECTION 3. BACKGROUND.
.01 The Internet interconnects computer networks that are accessible by most of the nation's computers. It is responsible for the greatest change in how information is disseminated since the television and, as such, is a tremendous resource for NOAA as an information agency.
.02 Dedicated Internet service may be acquired competitively from a commercial source or through a cooperative arrangement with a university or another government agency. Until recently, most NOAA Internet service was provided at no charge by another agency such as NASA or a university with which NOAA has a professional research relationship. As the Internet is becoming privatized, NOAA is acquiring dedicated service through a number of commercial Internet Service Providers.
.03 Because of the rapid growth in demand for Internet service and because of limitations in how Internet Protocol addresses were structured, the existing address structure that permits relatively unique, easily recognized and communicated addresses is fast becoming inadequate. Despite a number of innovations designed to extend the useful life of the current system, new addresses can only be acquired after rigorous justification, and existing space is extremely limited. When implemented, a next generation structure, Ipv6, will alleviate the problem.
.04 Development of agency-wide guidelines and standards will facilitate use of Internet products and services in management and decision-making processes, ensure compliance with Federal laws and regulations, reinforce security safeguards, increase confidence in NOAA's Internet products, and allow all NOAA users to be recognized within and outside NOAA by reasonable addressing schemes that, in themselves, represent a NOAA resource.
SECTION 4. POLICY/OBJECTIVES.
.01 NOAA's Internet services represent a corporate resource that shall be managed in a consistent and cost-effective manner according to existing formal guidance referenced in Section 8, References.
.02 NOAA's Internet names and addresses shall be managed in a coordinated, consistent manner to facilitate user access to and within NOAA.
.03 NOAA shall endeavor to protect and secure its network resources.
SECTION 5. RESPONSIBILITIES.
.01 The Network Advisory Review Board (NARB):
Facilitates inter-program cooperation and Internet resource sharing within NOAA.
.02 The Information Systems Office (ISO):
- a. implements policies for sharing and disseminating information;
- b. implements network security policy and guidelines;
- c. coordinates electronic address management policy; and
- d. tracks Internet access points.
.03 Network Information Center (NIC):
- a. serves as the Domain Name System (DNS) Administrator for the "noaa.gov" domain;
- b. serves as the registrar for NOAA subdomain names;
- c. resolves and disseminates status information for all "noaa.gov" DNS problems identified by NOAA network staff;
- d. monitors all aspects of NOAA DNS activity for problems and undertakes corrective action;
- e. serves as the registrar for NOAA Internet Protocol (IP) network addresses;
- f. serves as the information center for NOAA Internet connections; and
- g. is responsible for system operation and coordinated use of the regional network servers that provide secondary name resolution for "noaa.gov" (Silver Spring, MD; Ann Arbor, MI; Miami, FL; Boulder, CO; Seattle, WA).
.04 Campus Network Managers or Campus Network Operating Centers.
- a. coordinates IP Network addresses in Campus Network Operating Centers;
- b. coordinates DNS activity on the campus, including table accuracy and server use;
- c. coordinates Internet connections for the campus and keeps ISO informed;
- d. maintains and advises on using campus network backbones; and
- e. coordinates with the NIC to provide DNS information, IP network addresses, Internet connections, and other information for central availability.
- a. advise ISO of Internet connections according to formal IRM guidance;
- b. assure adequate security for Internet-connected systems and services;
- c. manage IP address space; and
- d. administer Domain Name System subdomains, e.g., NESDIS.NOAA.GOV, and provide local name resolution as required.
.04 NOAA officials responsible for maintaining mailing lists containing non-DOC free subscribers shall review their mailing lists annually and shall report to the review coordinator as described in this Order.
SECTION 6. PROCEDURES/REQUIREMENTS.
.01 NOAA shall coordinate its Internet infrastructure, including communications access, Internet names, IP addresses, and Domain Name Services for economy and security reasons.
a. All commercial Internet connections shall be approved prior to acquisition by the Office of Finance and Administration in accordance with guidance contained in the IRM Staff's "The New NOAA IT Planning System," Part 3, March 7, 1995, and "Requirements Analysis: Telecommunications and ADP Security Branch IT Policy Guidance, Telecommunications, Procurement Analysis for Internet Access," dated March 13, 1995. Where Internet access is provided through a cooperative agreement with a landlord or a local sponsor, prior approval is not required; however, information about that access shall be provided to ISO, TASB.
b. NOAA's review will identify opportunities to aggregate existing services locally or through regional hubs to meet functional and performance requirements, and evaluate whether the proposed solution is economical and provides coordination necessary to minimize security risks or routing ambiguities.
.02 All NOAA systems that use the Internet shall have properly registered IP addresses.
a. All new NOAA Internet network addresses shall be registered with the NIC to ensure interoperability, unambiguous access to NOAA's data resources, and current information about those resources. All requests to the InterNIC for Internet addresses shall be submitted by the NIC. The NIC shall allocate IP Addresses to NOAA offices or regions. All involved parties will concur in any reallocation of IP addresses.
b. NOAA offices and regions and/or Campus Network Administrators or NOCs are responsible for management of blocks of IP addresses assigned to them. NOAA offices with existing address blocks may reallocate segments of that address space to subordinate subnetworks.
c. Systems administrators should register their existing network IP address with the NIC so the address can be coordinated among NOAA sites and the address can be incorporated into inclusive security lists or for reverse address resolution, as appropriate.
.03 All NOAA Internet systems should be part of the "noaa.gov" domain, identify a primary and secondary name server, and be registered with the NIC, which will coordinate with the appropriate regional server in accordance with NIC DNS registration guidance. The primary and secondary servers for "noaa.gov" are managed by the NIC.
.04 Ultimately, responsibility for securing systems falls on the systems administrator and owner rather than the network.
a. Because the Internet is an open network and any information transmitted can potentially be read by persons other than the addressee, sensitive information transmitted over the Internet shall be encrypted.
b. Adequate care should be taken to assure NOAA passwords are secure. Transmission of reusable passwords in clear text should be avoided where feasible. Passwords should be selected to inhibit automated guessing.
c. Information servers such as Web or Gopher servers should be outside network firewalls and disallow root privileges.
d. Generally, Internet information systems shall comply with NAO 212-13 and other ISO policy guidance.
SECTION 7. DEFINITIONS.
.01 Internet Service Provider (ISP). Any organization that provides access, whether dedicated or switched, to the Internet. ISPs may also provide certain value-added services including, but not limited to, remote logon, news feeds, Domain Name System administration, electronic mail, etc.
.02 IP Address. A thirty-two bit address that uniquely identifies each host computer on the Internet. Addresses are typically represented in decimal form as four octets separated by periods: "22.214.171.124," as an example.
.03 IP Network Address. The IP address that identifies a network or subnet. These are distributed as Class B (such as 161.55.x.x) or Class C (such as 192.55.161.x) networks. Class C blocks have 254 available addresses; Class B blocks have approximately 65,000. Large, autonomous networks typically use a Class B license, while smaller networks or more remote sites use one or more Class C addresses. IP network addresses are distributed by the Internet's national InterNIC and are in short supply.
.04 Domain Name System (DNS). A hierarchical, alphanumeric naming system for network domains, not hosts and other devices within those domains. DNS includes both a name syntax and a distributed computing system that maps these names to IP addresses. DNS identifiers consist of a series of names separated by dots that can be translated into an IP address; e.g., "ns.noaa.gov." The name is formed from the concatenation of a domain (or subdomain) name to a host name. In the above example, the domain name “noaa.gov” was concatenated to the host “ns” to yield “ns.noaa.gov.”
.05 Sensitive Information. Information that requires protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration or destruction, including any data requiring protection under the Privacy Act.
SECTION 8. REFERENCES.
.01 NAOs (formal guidance):
- a. NAO 212-14, Use of the Internet, dated (being established).
- b. NAO 212-10, Telecommunications Planning, Acquisition, and Management, dated August 13, 1992.
- c. NAO 212-13, Information Technology Security Management, dated August 6, 1990.
- d. NAO 212-12A, Telecommunications Standards: NOAA Interoperability Profile, dated July 16, 1993.
- e. NAO 212-12B, Telecommunications Standards: Names, Addresses, and Gateways in Electronic Mail Systems, dated September 24, 1993.
.02 Informal NOAA guidance:
- a. Unix Security Measures, issued by the Information Systems Office, Systems Division, Telecommunications and ADP Security Branch, dated April 6, 1995.
- b. The New NOAA IT Planning System, Part 3, issued by the Information Systems Office, IRM Staff, dated March 7, 1995.
- c. Requirements Analysis: Telecommunications and ADP Security Branch IT Policy Guidance, Telecommunications, Procurement Analysis for Internet Access, dated March 13, 1995.
- d. Report to the NOAA Deputy Under Secretary for Oceans and Atmosphere on Internet Information Policy prepared by the Internet Information Policy Task Group dated October 16, 1995.
SECTION 9. EFFECT ON OTHER ISSUANCES.
Chief Financial Officer/Chief Administrative Officer
Office of Primary Interest:
Office of Finance and Administration
Information Systems and Finance Office
Telecommunications and ADP Security Branch