Alice M. Fisher

I like Steve’s response to this overall. “The only thing I would have done differently is that I would have liked to see GovLoop and the blogger use this as a teaching opportunity with the government employee and his/her boss. “

This is a great question all around on many levels.

  1. First you have an external social site and a Federal agency dynamics.
  2. Then you have the boss vs. employee dynmaics
  3. Then have a policy question for each entity,
  4. Then a personal vs professional behavioral question and
  5. Ultimately a communication policy question for both sides

My personal unprofessional opinion is: Publically published content created for public consumption that was created with tax payer dollars should be allowed as it already went through some official vetting and approval processes to be online, right? And, if there were no disparaging comments, slander, or malicious intent toward or about a public official or public figure then is the content not publically consumable and useable?

One could do the Google test and search for it? If you can find it on Google, is it not public?

Conversely, there are a multitude of Federal, State agencies all with differing social media policies which no one single person can memorize and act upon in same standardized way, given that everything continues to change from a technical standpoint as well as with each individual agency. That would be hard from an external perspecitive.

1) But, if the agency is known, one could look up said the agency social media policy and discuss said issue with the agency CIO.

2) There is a great read by the CIO.gov site http://www.cio.gov/Documents/Guidelines_for_Secure_Use_Social_Media_v01-0.pdf

3) If a similar problem takes place, I suggest reviewing Ning.com’s social media policy and also going through the proper channels through the said agency CIO.

4) Consider from the Federal standpoint, what is their AUP and the agency CIO policy for the agency?

Social media use is a two way street, but we must always respect each agencies policies, where ever applicable.

Determining what the risk of the posting is to the agency is also important.

Re: Policy Controls

(Re posted from the link above: Guidelines for Secure Use of Social Media by Federal Departments and Agencies (Page 12)

representation, commitments on behalf of Government, and security recommendations from this document.)

Social media presents a new set of tools for interactive dialog. However, users may make themselves vulnerable by trusting circles of friends and colleagues and disclosing personal facts more readily. Additionally the same phishing, social engineering, and Web 1.0 threats (worms, trojans, etc.) may be used to exploit a friend’s trust.

The safe use of social media is fundamentally a behavioral issue, not a technology issue.

Policy addressing behavior associated with protecting data would likely cover current social media technologies as well as future technologies. Policies for Web 2.0 technologies, blogs, wikis, social media sites, mash-ups, cloud computing, Web 3.0, outsourced e-mail, and other new technologies will remain extensible and applicable. A policy specific to Web 2.0 or social media might be too narrowly focused; rather, procedures should be used to address the “how” question to help mitigate specific risks and provide specific solutions.

The risk of using social media tools should be addressed by policies and procedures focusing on information confidentiality, integrity and availability, and user behavior, both personal and professional, when accessing data or distributing information. Federal agencies should follow the guidelines below.


The senior technology official at each federal agency should develop a social media communications strategy, with the support of their communication office, that accurately addresses the guidelines in this document in conjunction with government-wide policy[5].


Follow NIST Special Publication 800-39 risk management principles[25]. . Follow NIST Special Publication 800-53R3 controls, especially those for external information systems (AC-20)[26].


Follow NIST FIPS Publication 199 to categorize information posted on social media websites and guide application of SP800-53R3 and SP800-60. For example, data posted to the public, the security categorization should be NA for Confidentiality (all public information) and no greater than LOW impact for Integrity and Availability[27].


Follow the NIST Special Publication 800-60 categorization of the information based on the mission-based information type and intended use of the new technology[28]. Social media websites may be used for different purposes, such as outreach to the public, communication among a community of interest, or collaboration within a select group of individuals. Each scenario calls for different risk management scenarios.


Update current policies for privacy and security in accordance with recommendations adopted from this document, including technical controls and user training.


Update current policies for content filtering and monitoring to address functional areas of system administration and user behavior, including limiting specific activities or traffic disallowed, such as the addition of third party applications.


Update current Acceptable Use Policies (AUP) to cover user behavior for new media technologies. User behavior includes personal use of government equipment and professional use of internal facing, public facing, and external resources. A complete AUP should address a wide array of issues, including password reuse, department

Alice M. Fisher, Unlimited PR & Associates, LLC