
1

2007 Webshop

Web Policies and Requirements

Carla Steinborn, OCIO

November 13, 2007

2

Web Sites

• webshop.noaa.gov
  – slides, updates, announcements
• osec.doc.gov/webresources
  – DOC Web Policies
  – DOC Web Best Practices
  – definitions for policies
  – helpful resources
  – WAG Charter
• cio.noaa.gov/webpolicies.html
  – NOAA Web Policies
  – will probably be moved

3

Web Sites: Role of webcontent.gov

• Makes recommendations to OMB.
• Recommendations become mandatory only when adopted in OMB directives, which are implemented through DOC policies.
• An excellent resource for understanding the background of policies and best practices in government...
• ...but not the official source for DOC or NOAA Web policies.

4

Annual Web Site Certification

• Required by Department of Commerce

• Count all your sites

• Certify compliance with all DOC Web policies

• [Also includes server certification.]

5

Annual Web Site Inventory

• Name and classify your sites
• Name Web site contact persons, etc.
• Database
  – All site names (incl. alias & redirect)
  – Already exists in beta
  – Anyone in the LDAP directory will be able to review what is in there.
  – Depending on your role, you may be able to enter and update data yourself.

6

What are Web Policies?

• Organization-level rules for Web sites
• Official
• Mandatory: must be followed

7

Where do policies come from?

• Most flow down from the top:
  – Laws
  – Presidential directives
  – Government-wide committees
• Some policies are made to support other policies.
  – Ex.: Content Management Policy
  – Ex.: Annual Web Site Certification

8

Policy Sources: Laws

• Section 508 of the Rehabilitation Act
• Freedom of Information Act
• No Fear Act
• Information Quality Act
• E-Government Act of 2002
• Government Paperwork Elimination Act (GPEA)
• And more....

9

Policy Sources: Directives

• Executive (Presidential) Orders
• OMB
  – Domain names
  – Privacy policies
  – Agency-wide linking policies
  – Security mandates
• And more....

10

Laws, Directives → Policies

How are laws, Presidential Orders, and OMB Directives translated into Web policies?

11

Web Advisory Group - DOC

• DOC Web Advisory Group (WAG)
  – Representatives from Operating Units
  – Four voting members from NOAA
• WAG drafts (and explains) implementing policies
  – Mostly interpreted and drafted by WAG
  – Parts may be lifted verbatim from laws
  – Parts may be prepared by legal staff
  – Uses W3C guidance
  – Considers Web Content Managers Advisory Council guidance
• Recommends final drafts to DOC CIO Council
• DOC CIO Council adopts

12

Web Advisory Group - NOAA

• NOAA Web Committee (NWC)
• Process is similar to the WAG process except:
  – NOAA/NWC Web policies are usually based on existing administrative orders and general government laws, or designed to implement effective management control.
  – NWC recommends final drafts to NOAA CIO Council.
  – NOAA CIO Council adopts.

13

Web Managers – LO, office

• Your Line Office (NWS, NMFS, OAR, NESDIS, NOS, OMAO, Staff Offices)
  – may have Web officials who make policies
  – For LOs, this function is likely to be in the Office of the LO CIO
• Your Division or Branch Office may have Web managers.

14

LO, Office Web Policies: NMFS

• Web guidance:
  – http://home.nmfs.noaa.gov/ocioweb/webguide/policies.shtml
• Public directives system:
  – http://reefshark.nmfs.noaa.gov/f/pds/publicsite/index.cfm

15

LO, Office Web Policies: NWS

• Check your Line Office and Regional/Lab requirements.
• Example: The NWS Directives follow the DOC policy for off-site notifications, which requires notification only when linking to a non-Federal agency page. However, some of the NWS regions have a stricter requirement that their pages will have off-site notification for any link outside of NOAA.

16

LO, Office Web Policies: Library

• The NOAA library has guidelines posted on their intranet.

• https://intra.nodc.noaa.gov/Information/Teams/ncl_info/Webguide/webguide.htm

17

LO, Office Web Policies

• It is up to your LO or Staff Office or local Web management to
  – make sure you are aware of whatever specific Web guidance they have established, and
  – enforce it.
• NOAA will only enforce NOAA-wide and Department of Commerce Web policies.

18

What are the Policies?

19

DOC Web Policies

• osec.doc.gov/webresources
• Lists all DOC Policies (and Best Practices)
• Entire site is being reviewed and revised. Look for changes and updates.
• Listserv: Get on it.
• Definitions of special terms
  – “Major Web site”
  – “Major point of entry”
  – “Home page”
  – “Web site owner,” etc.
  – Why all these variations?

20

DOC Web Policies - 1

• Content Management Policy
• Required Links Policies:
  – Links to DOC Home Page
  – Links to Organizational Home Pages
  – Required Administrative Links
• Identification of Web Site Owner
• Web Site Contact Information
• Domain Names
• Web Site Accessibility for Persons with Disabilities
• Privacy of Visitors to DOC Web Sites
• Endorsement Disclaimer Policy
• Offsite Notification Policy
• Lobbying Prohibited
• Annual Web Site Certification
• Searchable Web Pages

21

DOC Web Policies - 2: Two New Policies Coming

• Evaluation of Information
• Removing Hidden Data

22

DOC Best Practices (Recommended)

• Identification of Content Source
• Process in Support of the Annual Web Site Certification
• Testing Web Site Accessibility for Persons with Disabilities
• Making Web Pages XHTML Compliant
• Universal Web Pages

23

What are Best Practices?

• Department-recommended guidance.
• The best way to do things.
• Should be followed whenever feasible and practical:
  – “feasible”: capable of being accomplished or brought about; possible.
• Not enforced by DOC or NOAA (up to you and your boss).

24

NOAA Web Policies

• Department of Commerce Web Policies
• Web Content Management
• Provision of Internet Services
• Coordination of Web Site Names

25

A Walk Through the DOC Policies

26

Content Management

• Web sites of Department of Commerce organizations shall be related to the mission, goals, and objectives of the Department and be subject to appropriate management controls.
• Purpose is really accountability.

27

Required Links Policies

• Links to DOC Home Page
  – Applies only to www.noaa.gov
• Links to Organizational Home Pages
  – Requires stairway to noaa.gov
• Required Administrative Links
  – Requires a bunch of boilerplate links.
  – Per definition of “Major Web Site,” applies only to:
    • http://www.weather.gov
    • http://www.nos.noaa.gov/
    • http://www.nesdis.noaa.gov/
    • http://www.omao.noaa.gov/
    • http://www.nmfs.noaa.gov/
    • http://www.oar.noaa.gov/

28

Identification of Web Site Owner

• All Department of Commerce organizations' Web pages shall identify the "Web site owner."
• “Web site owner”
  – The organization that manages a Web site.
  – Always a Department of Commerce organization.
• Applies to Web pages (not just sites)
• Grandfathers old pages and pages that are part of larger documents.
• Doesn’t say how to do it, but it must be clear.

29

Web Site Contact Information

• Every Web site of a Department of Commerce organization shall provide an electronic method for comments, inquiries and accessibility issues.

30

Domain Names

• All Web sites of Department of Commerce organizations shall have .gov or .fed.us as the top-level domain.
• Only the NOAA CIO can grant exceptions.

31

Accessibility

• Web Site Accessibility for Persons with Disabilities
  – Blind individuals
  – Low-vision individuals (may need large type, high contrast)
  – Colorblind individuals
  – Hearing-impaired individuals
  – Individuals with impaired motor skills
• Applies to internet and intranet sites
• Policy has links to specific and detailed mandatory rules.
• Policy has extensive resources to help you comply.
• Notes:
  – If you use a text substitute, be sure a blind individual can actually “see” the link to it.
  – There were quite a few certification lapses on accessibility.
  – More on accessibility later from Ron Jones.

32

Privacy of Visitors to DOC Web Sites

• Three parts:
  – Privacy Statements and Information Collection
  – Persistent Cookies (or any “persistent tracking technology”)
  – E-Gov Act
• Version currently posted is very difficult to understand.
  – Two parts were written first, then added to and modified by the E-Gov Act.
  – You need to follow all the links. Some information is buried.
  – Policy will get a revamp for clarity, but provisions are not expected to change.
• Does not apply to intranet sites.
• Has special provisions relating to children.
• Not the only privacy requirement for Web sites. There are others (Privacy Act, PRA) outside the Web policies.

33

Privacy Statements and Information Collection - 1

• Applies to
  – “major points of entry” (LO home pages)
  – “any page where information is collected.” This phrase is a plain English term intended to be all-inclusive and is not limited to personally identifiable information (but is not triggered by collecting generic Web statistics if not PII).
  – NOT COVERED: non-public sites or pages.
• Requires “Privacy Policy” statement
  – Must be called that and only that.
  – If you link to a boilerplate Privacy Policy statement, make sure it is actually correct for your site.
  – If you jump around with links, make sure you don’t end up on a page with different privacy attributes but no PP statement.
• Note the FAQ at the very bottom.

34

Privacy Statements and Information Collection - 2

• Other laws may require additional statements.
  – Paperwork Reduction Act (PRA) applies to sites that use on-line forms to collect standardized information (other than contact information) from ten or more individuals outside the Government (e.g., applications, surveys, questionnaires, or registration forms that collect more than basic contact information).
  – A "Privacy Act Statement" is required when information is stored in a Privacy Act System of Records and is retrievable by a personal identifier (e.g., name, social security number).

35

Privacy Policy statement - 1

• Must cover, if applicable:
  – the kinds of information collected,
  – how long the information is retained,
  – how it is used,
  – the conditions under which the information may be shared,
  – who it might be shared with,
  – the conditions under which the information may be made available to the public, and
  – whether information is collected from children.

36

Privacy Policy statement - 2

• Must always specifically address:
  – how email is handled, and
  – the use of "cookies" and the extent to which information gathered through the use of "cookies" is safeguarded.
• Must be updated when anything changes.
• Forms
  – On one-page forms, the Privacy Policy link must be viewable without scrolling, OR must be next to the SUBMIT button.
  – On multi-page forms, the Privacy Policy link must be viewable without scrolling on the first page AND next to any SUBMIT buttons.

37

Persistent Cookies +

• No persistent cookies unless
  – there is a compelling need;
  – there are appropriate safeguards in place;
  – the use is personally approved by the Secretary of Commerce; and
  – there is clear and conspicuous notice to the public.
  – Must follow specific approval process.
• Applies not just to cookies but to any “persistent tracking technology.” (changed by E-Gov Act)
• No exceptions.

38

E-Gov Act requirements - 1: Overview

• Adds to Privacy Policy statement
  – Use Attachment A if site is not associated with a Privacy Act System of Records.
  – Use Attachment B if site is associated with a Privacy Act System of Records.
• Adds to policy on cookies
• Adds P3P implementation

39

E-Gov Act requirements - 2: Additional Privacy Policy Statement Requirements

• Must be called “Privacy Policy.”
• Notify Web site visitors of their rights under the Privacy Act (B: ...or other applicable privacy-protecting laws).
• Inform users how to grant consent to use of voluntarily-provided information.
• If requesting voluntary information, must explicitly inform the user that providing the information is voluntary.
• Include, in clear language, information about management, operation, and technical controls ensuring the security and confidentiality of personally identifiable records (B: ... and information about any additional safeguards).
• B: Explain what portion of the information is maintained and retrieved by name or personal identifier in a Privacy Act System of Records and provide a Privacy Act Statement.
• B: Privacy Act Statements must notify users of the authority for and purpose and use of the collection of information subject to the Privacy Act, regardless of whether providing the information is mandatory or voluntary, and of the effects of not providing all or any part of the requested information.

40

E-Gov Act requirements - 3: Cookies & Persistent Tracking Technology

• The policy on use of persistent cookies is extended to include any persistent tracking technology.
• Privacy Policy statement must also specify:
  – the purpose of the tracking (e.g., site customization);
  – that accepting the customizing feature is voluntary;
  – that declining the feature still permits the individual to use the site; and
  – the privacy safeguards in place for handling information collected.
• Password access is still permissible, as long as it does not involve persistent cookies or other similar technology.
• Tracking for site customization, regardless of the method used, is treated like tracking with persistent cookies.

41

E-Gov Act requirements - 4: P3P Implementation

• Requires use of machine-readable technology that alerts users automatically about whether site privacy practices match their personal privacy preferences.
• Often done at the server level, so if you just submit pages or are on the Web farm, you probably don’t have to worry about it.
• If you do manage a server, be sure you don’t drift out of compliance. This has happened and the Department pinged us on it.
• WAG site has resources on how to do it at www.osec.doc.gov/webresources/policies/privacy_p3p.htm

42

Endorsement Disclaimer

• Requires disclaimer stating that links to non-Federal Government Web sites do not imply endorsement.
• Exception does not apply in NOAA.
• Has often been violated.
  – You must have a mission-related purpose for all links.
  – If you must have a link to a commercial site, make sure your disclaimer is where it will be seen.
  – Downloads (Adobe, Microsoft, etc.) require a disclaimer.
  – Disclaimers should be as prominent as what they are disclaiming.
  – If you’re not sure, seek advice.

43

Offsite Notification

• Any link to a non-Federal site must be accompanied by a clear notification that the visitor is going to a non-Fed site.
• Does not apply to intranet sites.
• Resources are provided on WAG site
  – Some of the examples are a bit strange in that they involve links that don’t leave Federal Webspace.
  – These methods are not guaranteed to be compliant.
  – Methods 1 (clear surrounding text), 3 (single prominent notice) and 4 (intermediate page) are probably best.

44

Lobbying Prohibited

• No direct or indirect lobbying.

• No links to Web pages that engage in direct or indirect lobbying.

• “Lobbying” means encouraging members of the public to contact Congress about pending legislation.

45

Annual Web Site Certification

• Time of data call varies.
  – Data call usually comes out in April/May.
  – Usually due in August.
  – Due date in NOAA is earlier.
  – WAG site says due in April. Incorrect.
• Must certify that all Web sites comply with all DOC Web policies.
• If any deficiencies exist, each LO CIO must provide a plan to bring the sites into compliance. Sites can be shut down.
• In NOAA, call is combined with annual server certification and Web site inventory.

46

Searchable Web Pages

• “Major Web Sites” (LO home pages & noaa.gov) must:
  – have a search function (& sensitive information must be excluded).
  – use six Dublin Core tags: Title, Description, Creator, Date Created, Date Reviewed, Language (effective Dec. 31, 2007)
• Every page must have a <title> tag that describes the page content.
• WAG site has lots of resources.
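As an added example (not part of the original slides or any NOAA/DOC tool), a small Python checker for the two page-level requirements above: a non-empty <title> and the six Dublin Core meta tags. The DC.* meta-name spellings, the Date Created/Date Reviewed qualifiers and both sample pages are this example's assumptions.

```python
"""Checker for the Searchable Web Pages rule above: a non-empty <title> and
six Dublin Core meta tags. Added example; meta-name spellings are assumed."""
from html.parser import HTMLParser

# Assumed spellings of the six required tags. Dublin Core's HTML convention is
# "DC.<element>"; the two date qualifiers are this example's own choice.
REQUIRED_DC_TAGS = {
    "Title": "DC.title",
    "Description": "DC.description",
    "Creator": "DC.creator",
    "Date Created": "DC.date.created",
    "Date Reviewed": "DC.date.reviewed",
    "Language": "DC.language",
}


class MetaCollector(HTMLParser):
    """Collects <meta name=... content=...> pairs and the <title> text."""

    def __init__(self):
        super().__init__()
        self.meta = {}  # lower-cased meta name -> content
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name"):
            # Match names case-insensitively: "dc.title" counts as "DC.title".
            self.meta[a["name"].lower()] = (a.get("content") or "").strip()
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def check_searchable(html):
    """Return a list of problems; an empty list means the page passes.
    A required tag that is present but has empty content counts as missing."""
    p = MetaCollector()
    p.feed(html)
    p.close()
    problems = []
    if not p.title.strip():
        problems.append("missing or empty <title>")
    for label, name in REQUIRED_DC_TAGS.items():
        if not p.meta.get(name.lower()):
            problems.append(f"missing Dublin Core tag {label} ({name})")
    return problems


# Constructed sample pages, not taken from any real NOAA site.
COMPLIANT_PAGE = """<html><head>
<title>Ocean Exploration Program home page</title>
<meta name="DC.title" content="Ocean Exploration Program">
<meta name="DC.description" content="Expedition news and data">
<meta name="DC.creator" content="Example Office (constructed)">
<meta name="DC.date.created" content="2007-01-15">
<meta name="DC.date.reviewed" content="2007-11-01">
<meta name="DC.language" content="en-US">
</head><body></body></html>"""

NONCOMPLIANT_PAGE = """<html><head><title></title>
<meta name="dc.title" content="Untitled">
<meta name="DC.language" content="">
</head><body></body></html>"""

if __name__ == "__main__":
    print(check_searchable(COMPLIANT_PAGE), check_searchable(NONCOMPLIANT_PAGE))
```

Run over a saved copy of each page before the certification data call; a page is compliant only when the returned list is empty.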

47

Two New DOC Policies Coming

• New Policies
  – Evaluation of Information
  – Removing Hidden Data
• These are things you should already be doing.
• Resources will be provided to assist you.

48

Draft: Evaluation of Information

• Before publishing information on Web sites, ensure that
  – the content is appropriate for dissemination, and that
  – the proposed level of access (internet, extranet, intranet) is appropriate to the content.
• Must always have mission-related purpose.
• Balance the purpose against the risk.
• Think before publishing information about people, infrastructure, plans, procedures, or programs.
• Use special care for: personal, proprietary, confidential, sensitive, For Official Use Only, For Internal Use Only, operational or planning information, business-identifiable, or copyrighted information.
• Make the level of access appropriate to the information.

49

Draft: Removing Hidden Data

• Before publishing to the Web, ensure that no hidden information is inadvertently included.
• Often happens with MS Office files.
• For Office 2003 (widely used in NOAA), get the Remove Hidden Data download from Microsoft.
• For current MS Office, use Document Inspector.

50

End of Walk Through DOC Policies

51

DOC Best Practices

• Identification of Content Source
  – If the source of the content of a Web page is not the "Web site owner," the source of the content should be identified.
• Process in Support of the Annual Web Site Certification
• Testing Web Site Accessibility for Persons with Disabilities
  – Provides more resources. May be out of date.
• Making Web Pages XHTML Compliant
  – Supports a variety of platforms better
• Universal Web Pages

52

BP: Universal Web Pages

• Information should be in standard hypertext mark-up language (HTML, XHTML, or XML).
• Exceptions (not exhaustive):
  – Historical documents, where appearance and format may be as important as content
  – Legal or other documents that require accurate reproduction of page numbering, line numbering, or other formatting
  – Documents that, for security purposes, require a specific format
  – Special animation, sound, or video presentations or other non-universal format, if the nature of the information content requires the use of a special format
  – Legacy systems that serve pages in non-universal formats
• In other words, if you can use HTML, you should use HTML.
• The WAG site provides lots of very good resources, including why this is important, and guidance on exceptions (hopefully uncommon).

53

NOAA/OCIO Web Policies

• Four Policies:
  – Department of Commerce Web Policies
  – Web Content Management
  – Provision of Internet Services
  – Coordination of Web Site Names
• Some policies have been removed because they had become dated or were never fully implemented.
• The policies there now are being and will be enforced.

54

Department of Commerce Web Policies

• Compliance with the DOC Web policies is mandatory for all NOAA Web sites.
  – Helps to make sure people are aware of DOC Web policies.
  – DOC policies would be mandatory regardless.
• DOC Best Practices should be followed where feasible and practical.
  – “feasible”: capable of being accomplished or brought about; possible.

55

Web Content Management

• A Web Content Management Plan must be in place and ensure the following:
  – Managerial controls are in place. All content is reviewed annually.
  – Web content supports NOAA’s mission.
  – Web sites comply with the Information Quality Act.
  – Sensitive information is protected.
  – NOAA Web sites are treated as government property, and the noaa.gov domain is used only for sites that are fully compliant with all applicable law and policy.
• Applies to all Web sites (internet and intranet).
• Except for the explicit requirement of a plan, all of this would be required even if the policy didn’t exist, but some of the LOs have found the policy helpful to internal enforcement.

56

Provision of Internet Services - 1

• Agreement between participating organizations is required if:
  – NOAA provides Internet services for an external organization, or
  – an external organization provides Internet services for NOAA.
• Internet Services
  – hosting of Web pages
  – hosting of Web sites
  – hosting of Internet discussion forums
  – list servers
  – email-based collaboration services, etc.
• Agreement can be MOU, MOA, JPA, Economy Act agreement, or even procurement contract.

57

Provision of Internet Services - 2

The agreement must:
• be reviewed and approved by the NOAA Office of the General Counsel and, in some cases, will require the review and approval of the Department of Commerce General Counsel;
• be reviewed and approved by the NOAA Chief Information Office;
• be authorized under applicable transactional and programmatic legal authorities;
• for Joint Project Agreements, demonstrate a mutual interest, and that costs are equitably apportioned;
• for Economy Act Agreements, show that the services being obtained from the agency could not be obtained from a private source for a lower cost;
• clearly delineate sources of information to be provided;
• address how content will be managed by the parties; and
• comply with all applicable laws and directives.

58

Provision of Internet Services - 3

• Many people are not aware of this policy.

• Often applies to partnership sites.

• Can’t use noaa.gov unless it’s a NOAA site.

• If you are unsure, seek assistance.

59

Coordination of Web Site Names - 1

• New policy.

• Effective Oct. 9, 2007.

• Names that require a new or changed DNS (or other server) entry must be approved by the NOAA CIO.

• Anything outside noaa.gov domain also requires DOC approval (was always true).

60

Coordination of Web Site Names - 2

• Purpose is to clear up confusing and overlapping site names.
• Applies to any name
  – that requires a new or changed entry in a DNS or similar server, and
  – is intended to be used by the public.
• Includes alias names and redirect names.
• Includes names of partnership sites (although other policies might not apply).

61

Coordination of Web Site Names - 3

Does not apply to:
• names that are acquired solely to prevent others from registering, trafficking in, or using a domain name with bad-faith intent,
• names that are acquired to prevent confusing or conflicting use,
• names that are acquired to prevent spoofing of a government Web site,
• names that are acquired to prevent misuse of a trademark or other name belonging to another, or
• names used for technical reasons only and not intended to be used by the public.

62

Coordination of Web Site Names - 4

Examples:
• http://oceanexplorer.noaa.gov/
  – If new, requires approval.
  – If pre-existing, must be registered but not approved.
• http://oceanexplorer.noaa.gov/coasts.html
  – Does not require approval if oceanexplorer.noaa.gov already exists.
• http://coasts.oceanexplorer.noaa.gov/
  – Requires approval either way.

63

Coordination of Web Site Names - 5

• Pre-existing names that would be covered if new
  – must be registered within 3 months unless included in the last Web site inventory;
  – do not need to be approved.
• Exceptions
  – may be granted at the discretion of the CIO;
  – follow same approval process as new applications.

64

Coordination of Web Site Names - 6

Process

• Easier than it looks.

• Has been in use informally for months.

• NWC coordinates process. Best to work with your NWC rep.

• Template provided.

• Expedited approvals are available.

65

Coordination of Web Site Names - 7

Process:
• Requester
  – prepares Web Site Name Request Form,
  – presents it to the NWC at least 21 days before intended use, and
  – submits it by email to the NOAA CIO, with cc to NWC and LO CIO.
• NWC
  – determines whether any consistency problems are present,
  – checks that the proposed name is consistent with this policy, and
  – within 14 calendar days recommends to the NOAA CIO whether the Request should be approved or not.
• NOAA CIO
  – within 21 days of presentation to NWC, approves or disapproves,
  – informs LO CIO, and
  – if disapproving, gives reason.
• Process may be expedited if needed.

66

Coordination of Web Site Names - 8

Factors for names in the noaa.gov domain:

• Cross-cutting

• Coordinated across NOAA

• Does not cause confusion or overlap

• Does not perpetuate organization-based naming

• Does not create a false impression

67

Coordination of Web Site Names - 9

Factors for names outside the noaa.gov domain:

• Government-wide

• Facilitates intuitive access.

• Not for a NOAA-only site.

68

The End
(Bet you thought it would never come.)