This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement addresses rules of behavior related to the use of social media/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media/networking transactions; and (iii) when personnel are accessing social media/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media/networking sites.
References: NIST Special Publication 800-18.
NIST 800-53 (r5) Discussion:
Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information.
38North Guidance:
Meets Minimum Requirement:
Rules of behavior document is signed by all privileged and non-privileged users
Rules of behavior document contains language with explicit restrictions on the use of social media/networking sites and on posting organizational information on public websites (especially when conducting official business or when accessing such sites from an organizational information system)
Best Practice:
Include instant messaging, texting, and tweeting in the social media acceptable use policy.
Include explicit restrictions in the social media acceptable use policy.
Include contributive content sites in the social media acceptable use policy.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Rules of Behavior document that is signed by all privileged and non-privileged users
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD