Federal CIOs and Social Media: Followup

I talked to the CIOs today at another agency. Very good discussion.

I used many of the ideas people gave me here on GovLoop and on Twitter. And then I used that experience as an example when I was talking, of the concept that “everyone is smarter than anyone.”

They asked some intelligent questions and seemed genuinely interested. It helped that the new White House website has a blog (albeit without commenting) and talks about communications, transparency, and participation. Presidential interest can’t be the only driver, but it can show where the gov’t will be going. And, of course, the new president is right in emphasizing those things.

I also discussed that it’s a matter of using all the tools available to us to achieve our goals. We don’t do Web 2.0 just to do it, but rather because it’s often a part of the best mix for the job.

And I mentioned how EPA is writing guidelines for how to represent the agency online. Current thinking is that they’ll only be about a page long and focus on facts, citations, and clearly labeling yourself as an EPA employee when you’re doing it on work time. Oh, and your manager has to approve what you’re doing (spending the time and the content of what you’re writing as a blog comment, editing in a wikipedia article, etc.).

The CIOs also raised a couple of interesting issues.

First, if you do use gov’t time and identify yourself as a gov’t employee in a comment on someone else’s blog, how does records retention come into play? It would seem reasonable to think your comment, and the thing you’re commenting on, are valid federal records (your writing, anyway, but it’ll lack context without the original article).

Second, someone mentioned security threats from viruses embedded in videos. That’s the second time I’ve heard this claim, but I’ve never heard any more detail. Can anyone shed light on this question?

Some really good news is that no one thought wasting time on social media sites was a security issue; they recognized it’s a management problem. So they’re now working on opening up access to these sites.

All in all, I’m quite happy with how it went, and I think we now have some interested folks who’ll be doing their own research and starting some social media projects.

Mission accomplished! 😉

I did whip up a few PowerPoint slides, although as usual, the discussion was more detailed than the slides alone. But if you’re curious, I posted the file on slideshare, and you’re welcome to look, download, and use. Many thanks to Jeremy Caplan at the Dept. of Commerce for the big circle image on the second-to-last slide.

Leave a Comment


Leave a Reply

Christopher Ensey


Might want to check out this article on the Video malware links…

Our research team has also found ways that malicious payload execution can be injected in files like MP3’s etc by use of exploiting the rendering (sometimes as hypertext) of the metadata in the files artist, track names, etc.


I am a huge proponent of the Web 2.0 social media push coming to government as long as our rapid adoption doesn’t put the users at undue risk. Using tools like Flash and Ajax when not properly tested for security issues and weakness can be a dangerous thing, and not only be a potential for data leakage but also derail the adoption of these powerful tools. We are working across the board in Federal to help drive best practices like the new SANS top 25 to help in the software assurance space and improve the applications we will rely on to do government business in the near future.


I hadn’t thought of that records retention issue. It seems like it could be a ton of work to track and maintain all of these comments. I would be interested in what IBM does as they have pretty good policies around representing IBM online and they have a number of Sarbanes-Oxley record retention rules as well.

And I like the idea of the rules but getting your manager to approve the time online sounds horrendous. I can just imagine those conversations, utter confusions, and complete denial. At an old job, we spent months and thousands of dollars of staff time trying to figure out if people really got a 30 minute lunch or 60 minute (30 plus 2 15 minute breaks) because one manager wanted to clock lunch breaks.

Lovisa Williams

These are some of the things I am currently working on with our Legal, Privacy Office, IT Security and physical security guys (don’t ask!). Here’s the progress we have made on these issues and how we are attempting to address some of these issues. None are easy!

– Regarding the records retention issue, we are leaning towards thinking of Government employees and contractor content to be conversational in nature (we compare operating in social media to a cocktail party that is recorded) and therefore does not meet the criteria for record retention. This covers comments. If we are creating or re-purposing content for a social media site the original is what we would archive and there should already be a retention schedule in place. No need to be redundant! This may change, but. this is where we are leaning to date.
-I think the virus issue is an education issue. Just like we have made a point through FISMA and other initiatives we have educated our employees and contractors on how to identify and not access items which may put our networks in jeopardy. When we know we are accessing something that does have a client download or may not be able to meet our level of security we conduct these functions on separate Internet connections. We are definitely taking a risk mitigation approach instead of risk aversion approach to the use of social media. After all, we do have a mission to be where the people we want to engage are located.
-We do need to be careful about what we retain for administrative purposes. In some cases this information can constitute an information collection and worse include PII information. This information would be FOIA-able and potential have a records retention component too. And here you thought you were just doing a good job as a Community Manager!
-We don’t make it mandatory for our employees or contractors to participate in any social media site due to the potential union issues. We strongly encourage people to discuss their desires to use social media in their professional capacity and we say they should have this work added to their evaluations as part of their work portfolio. Managing a community and creating content is work and takes time and effort. These type of activities will always need to be approved by Management.

There are lots of pitfalls to be aware of when using social media. Some policies/laws will have to change. We are held to a higher standard than the private sector and rightly so. We need to find the right balance between the spirit of the current laws/policies and what makes sense for the mission and our collective resources. These issues will continue to evolve as the new Administration comes aboard and we all learn what the right balance is.

Joe Flood

With so much of Web 2.0, you learn by doing. There’s no class to teach you how to Twitter or a book to tell you what pictures to put on Flickr. It’s a creative, ever-changing medium that makes rules and regulations quickly outdated. So, dive in! Use your common sense and experience. But expect to make mistakes along the way. Then communicate what works and what doesn’t to your agency. This may be a pat answer but if whitehouse.gov can find a way to make social media work, then certainly the rest of the government can too.

Jeffrey Levy

Joe, I forgot to say so in the post, but absolutely! I specifically told them to give stuff a shot and be up front about it being an experiment. If it fails to meet expectations, shut it down and start something else, learning along the way. I even used the Edison cliche about not failing 10,000 times to make a working light bulb, but rather finding 9,999 ways that didn’t work.

Stephen Buckley

Jeff — I don’t know if it sunk in, but your suggestion to the CIOs about being “up front about it being an experiment” may be the most profound (and useful) thing that any potential innovator could take away from that meeting. Perhaps every new project should have the following standard “disclaimer” prominently displayed:

“This is a Pilot Project that is still in the Experimental Stage. Existing evidence indicates that this approach has some potential of success and, therefore, is worth testing. The only way that this experiment can fail is if nothing can be learned from its results. The Project’s Managers invite the public to review and comment on the experiment’s design and/or interpretation of results.”

Language like that is an *innoculation* against the common reaction (both inside AND outside the government) of “it-didn’t-work-so-it-was-a-complete-waste-of-time-and-money”. I think it’s safe to say that the average person does not have the same intellectual curiosity of someone like Edison. However, the average person will give you some slack when you say, right up front, “Hey, this is just a test to see what happens.”

Until their leadership makes it okay for potential innovators to “innoculate” themselves with standard prefacing language like that, then they will continue to be shot-down (inside and outside of government) by the people whose only question about success/failure is “Did it work?”