GSA Telecommunications Guide

GENERAL SERVICES ADMINISTRATION Washington, DC 20405

CIO G 10000 CHGE 1 August 23, 2019

GSA GUIDANCE

1. Purpose. This guide establishes the General Services Administration’s (GSA) guidance regarding the use of GSA-provided employee telecommunications equipment, systems and services to facilitate information sharing and communications inside and outside of the Agency for conducting Government business. This guide amplifies CIO 2165.2 GSA Telecommunications Policy.

2. Cancellation. This Guide cancels and supersedes CIO G 10000, GSA Telecommunications Guide, dated February 27, 2014.

3. Explanation of Change Paragraph. Changes made to Chapter 2, Section 3 to update requirements for recording meetings.

Table of Contents

Chapter 1: Introduction ...... 1 Chapter 2: Authorized Use ...... 2 Chapter 3: Emergency Usage Reductions ...... 6 Chapter 4: Commercial Telephone Facilities ...... 7 Chapter 5: Wireless Devices ...... 8 Chapter 6: Privacy, Confidentiality and Security ...... 10 Chapter 7: Waste, Fraud and Abuse ...... 12 Chapter 8: Use of Personal Equipment ...... 14 Chapter 9: Records Management, Retention, and Archiving ...... 15 Chapter 10: Usage Reports and Accounting ...... 16 Chapter 11: Monitoring ...... 17 APPENDIX - Definitions ...... 19

Chapter 1: Introduction

1. Scope. Telecommunications equipment includes but is not limited to employee desktop computers and laptops connected to the network, desk phone sets, and cellular phones, smartphones and air cards. Telecommunications systems include GSA voice and data networks, and private branch exchanges (PBXes) and UC voice systems (IP PBXes). Telecommunications services include local and long-distance wireline voice services and telephone calling cards, the data wide-area network (WAN) connecting GSA offices, wireless voice and data services contracted by GSA and GSA IT Help Desk services.

2. Applicability. This guide applies to all GSA employees, contractors/subcontractors as specified in Memorandum of Understanding (MOUs) or other agreement vehicles, government agencies, individuals, corporations, or other organizations that process or handle any GSA-owned information, data, or IT system equipment. Contracting Officers must include compliance with this guide in the Statement of Work (SOW) for contractor employees. This policy becomes effective immediately subject to any necessary bargaining obligations. This guide applies to the Office of Inspector General (OIG) to the extent that the OIG determines this guide is consistent with the OIG’s independent authority under the IG Act and it does not conflict with other OIG policies or the OIG mission.

3. Background. Voice, data and wireless telecommunications technologies and services continue to evolve quickly, including the rapid evolution of carrier access and transport networks towards an all-IP (Internet protocol) environment. There now are many alternative broadband connectivity options for GSA employees inside and outside the agency – such as DSL, cable modem, fiber optics, Ethernet, 3G cellular, public WiFi, 4G WiMax and Long Term Evolution (LTE) technologies and services. This proliferation of new telecommunications technologies and services indicate a need for GSA to continuously optimize management of GSA-provided employee telecommunications equipment, systems and services, while offering employees unprecedented choices to improve productivity. Use of these technologies and services must follow the current laws and guidelines that govern avoiding and reporting waste, fraud and abuse, privacy, confidentiality, and security.

Chapter 2: Authorized Use

1. Voice Telephony: GSA-provided employee voice telecommunications systems include networks and end-user equipment, systems and services purchased by GSA; voice mail, unified communications (UC) voice/IP telephony systems (integrated IP audio/video/Web conferencing, unified messaging (UM), etc.); wireline and wireless local and long distance voice services; and telephone calling card services that are paid for by GSA for employee use inside and outside of the agency for conducting official business.

a. This includes but is not limited to voice calls placed using a GSA-provided desktop phone or a softphone client installed by GSA IT on the user’s desk computer or laptop, or using a wireless device such as a cellular phone or smartphone for wireless voice communications; toll-free calls; teleconferencing calls, and telephone calling card calls.

b. Official business telephone calls include regular Government business calls, emergency calls, and other calls determined to be in the interest of the Government.

c. Emergency calls and other calls determined to be in the interest of the Government.

(1) Examples include:

a. An employee places a call using GSA paid facilities to notify family, doctor, etc., in the case of illness or if injured on the job.

b. An employee traveling on Government business is delayed due to official business or transportation delay, and calls to notify family of a schedule change.

c. An employee who is traveling for two or more nights on Government business (within in the United States or overseas) makes a brief call to his or her residence (but not more than an average of one call per day with a total duration of ten minutes or less).

d. An employee is required to work overtime without advance notice and calls within their local commuting area (i.e., the area from which the employee regularly commutes) to advise his or her family of the change in schedule or to make alternate transportation or dependent care (e.g., child, senior or disabled family member care) arrangements.

e. An employee makes a brief daily call to locations within their local commuting area to speak to his or her spouse or children (or those responsible for them, e.g., school or day care center) to see how they are.

f. An employee makes brief calls to locations within their local commuting area that can be reached only during working hours, such as local government agencies, banks, or physicians.

g. An employee makes brief calls to locations within their local commuting area to arrange for emergency repairs to his or her residence or automobile.

(2) An emergency call or a personal call during working hours that is determined to be in the interest of the Government must meet one or more of the following criteria:

a. It must not adversely affect the performance of official duties by the employee or the employee's organization.

b. It is of reasonable duration and frequency.

c. It could not have reasonably been made at another time.

d. It is provided for in the NFFE or AFGE Government collective bargaining agreement.

d. Personal non-business calls. Use of GSA-provided employee telecommunications equipment, systems and services for personal non-business calls should be restricted to emergency calls and other calls determined to be in the interest of the Government. Additionally, personal non-business calls should not be made using a commercial telecommunications network or service (see Chapter 5).

(1) Personal calls using commercial telephone services (i.e., services that are not provided under GSA’s standing wireline and wireless telecommunications service contracts) may be placed only if they meet the criteria in Chapter 5, and also meet one of the following criteria:

a. Charged to the employee's home phone number or another non-Government phone number (third-number calls).

b. Placed to a commercial toll-free (800) number.

c. Charged to the called party if originating on a non-Government number (collect call).

d. Charged to a personal telephone calling card or a personal credit card.

(2) Employees who place personal calls using GSA-provided telecommunications equipment, systems or services must reimburse GSA for the full cost of these calls. Reimbursement will be based on the value of the call, computed on the basis of GSA’s actual cost.

(3) GSA supervisors are responsible for the application and monitoring of these guidelines with respect to personal calls within their area of responsibility.

2. Data and Internet: In addition to GSA-provided network connectivity and systems (including UC audio/video/Web conferencing, unified messaging, etc.), this includes but is not limited to wireline and wireless Internet communications such as conducting Internet searches, participating on social media websites, accessing personal email accounts, and attending external Web conferences.

a. Business data and Internet communications. This includes accessing Government information and databases using GSA systems or via a secure remote-access connection using leased lines, broadband (e.g., home DSL, cable modem, public WiFi) or public cellular networks to a GSA virtual private network (VPN). It also includes Internet access to non-Government websites and information, such as for conducting research or transferring non-Government data while conducting official business or in the interest of the Government.

b. Personal Internet. This includes the use of GSA-provided employee equipment, systems and services to access non-Government (external) Internet website or to transfer personal data and such use may be subject to reimbursement requirements or disciplinary sanctions. Examples of 3

personal, non-business communications determined to be in the interest of the Government are as follows:

(1) An employee uses GSA-provided equipment to access the Internet for a short period of time during working hours to search for or transfer public information for personal use – such as looking up local public transportation schedules (bus, train, shuttle services), reading online news updates or weather reports, conducting a short-session of personal banking, retrieving or completing and submitting an insurance claim, or retrieving or sending school-related information.

(2) Reasonable personal Internet use at work is determined and monitored by the employees’ supervisor.

(3) Broadband for Teleworkers. GSA does not provide broadband service for Teleworkers with exceptions as outlined in HRM 6040.1A GSA Workforce Mobility and Telework Policy.

(4) Wireless Internet. Employees connecting to the Internet using a GSA- provided wireless device such as a smartphone (either standalone or tethered) or an air card (a wireless modem connected to a laptop that connects to a cellular network) for personal use at any time must reimburse GSA for the cost of all associated wireless data usage charges as incurred by GSA.

3. Monitoring, Recording, and Transcribing Meetings: Meetings conducted with GSA information or communications technologies (such as web conferences, video teleconferencing, and audio-bridges or conference calls) may only be monitored, recorded, or transcribed with advance notification to and prior consent from all parties. The requirements of this paragraph do not apply to law enforcement activities of the Office of Inspector General.

a. Advance notification and prior consent. Before monitoring, recording, or transcribing a meeting, the following steps shall be followed to provide advance notice and obtain prior consent:

(1) The meeting organizer shall decide in advance whether the conversation will be monitored, recorded, or transcribed.

(2) If the meeting organizer decides that the meeting will be monitored, recorded, or transcribed, the meeting organizer shall provide notice of the intention to monitor, record, or transcribe in the meeting invitation. Acceptance of the invitation constitutes that attendee’s prior consent to the monitoring, recording, or transcribing.

(3) At the beginning of the meeting, the meeting organizer shall announce that the meeting will be monitored, recorded, or transcribed, with any associated details such as the name of the individual conducting the monitoring, recording, or transcribing and the purpose for which the monitoring, recording, or transcribing is being undertaken. This announcement shall be repeated to any participant who joins the meeting after the initial announcement was made.

(4) If any meeting participant has consented by accepting a meeting invitation that includes the notice required above but subsequently indicates that he or she does not consent to the monitoring, recording, or transcribing in part or whole, either the meeting will not be monitored, recorded, or transcribed in accordance with that participant’s preference or the participant may opt out. The organizer may provide that non-participant the recording afterward.

b. Prior consent from all parties is not required for designated Town Hall meetings or official GSA training sessions; however, where practicable, the organizer shall provide advance notice to 4

participants that the designated Town Hall meeting or GSA training session will be monitored, recorded, or transcribed.

c. Meeting participants. All offices, locations, and individuals participating in a meeting shall identify themselves in the meeting registration system and to the meeting organizer.

d. Speakerphones. When speakerphones are being used, all parties present should always identify themselves as participants, whether they speak during the conversation or not.

e. Teleconferences. For internal Government audio and video teleconference calls, including intra-agency and inter-agency multiparty calls, all participating offices or locations should be identified to the registration system. Individual participants should provide their full name when registering and signing in, and on audio teleconferences also should identify themselves to the call host.

f. Web conferences. For internal Government Web conferences, including both intra- and inter-agency virtual meetings, attendees should provide their full names when registering and also when signing in to the conference session.

Chapter 3: Emergency Usage Reductions

Requirement: To assist in the functioning of essential Government services during emergency situations (e.g., a winter storm, local power outage, etc.), employees should reduce or if possible, eliminate entirely their use of Government voice telecommunications systems during emergencies. When essential calls are placed from an employee user station or wireless device (either GSA-provided or personal devices), the call should be as short as possible. Business and non-business (personal) calls that are unrelated to the emergency should be delayed whenever possible. Additionally, outgoing call connections from employee user stations may be automatically denied for non-essential Government telephone lines during an emergency situation. This does not include employees who have been assigned GSA Wireless Priority Services (WPS) such as with the Government Emergency Telecommunications Service (GETS) card (see Appendix - Definitions).

Chapter 4: Commercial Telephone Facilities

1. Purpose: Guidelines for using commercial telephone services. GSA-provided local and long- distance voice telecommunication services must be used where they are available. GSA-provided wireless services should be used for wireless local and long-distance calls if access to GSA- provided wireline telecommunications service is not available. GSA employee telephone calls that are placed over non GSA systems – that is, using commercial facilities - incur usage costs to GSA. Authorized employee telephone calls using commercial telecommunications facilities are restricted to official Government business, emergency calls, or for calls that are determined to be in the interest of the Government only.

2. Commercial Long-Distance Services: Alternative long-distance commercial facilities may only be used by GSA employees when:

a. Non-accessibility. Regular GSA-provided wireline local and long-distance voice services and GSA-provided wireless services both are not accessible.

b. Busy and urgent. The GSA voice telecommunications system is busy, and the business call is determined to be of an urgent or emergency nature, and must be placed immediately.

c. Destination unreachable. The call destination number cannot be reached over the Government telecommunications system, or using GSA-provided wireless service.

3. Commercial Operator Assisted Calls: Outgoing commercial telephone operator assisted long- distance calls should be avoided. Incoming operator-assisted-collect calls, should not be accepted unless placed by a Government employee who does not have access to the Government telecommunications system or who is placing the call in an emergency situation.

4. Commercial Directory Assistance Service: A flat-rate user charge applies for commercial directory assistance calls (“411” calls) – either per call or per telephone number requested. GSA employees should use free online directory assistance websites as much as possible to locate telephone numbers.

Chapter 5: Wireless Devices

1. Wireless Device Requests: Authorized users must request wireless devices and services through the Service Catalog Request.

2. Information Ownership: All documents, images and video messages, and emails and attachments that are composed, sent, received or stored on a Government owned wireless device assigned to an employee or on an employee’s personal device (PC or laptop) for conducting Government business are and remain the property of the Government. They are not the private property of any employee, and employees have no reasonable expectation of privacy in any email, Internet messages or material sent or received on such devices..

3. Security: GSA-provided wireless data devices (smartphones) undergo a security review and are approved by the Designated Approving Authority (DAA), with concurrent notification provided to the GSA Office of the Chief Information Security Officer (IS) before being assigned to an employee.

a. Encryption. The GSA Office of the Chief Information Office (OCIO) has imposed encryption on any mobile device (smartphone or tablet) enrolled into GSA Mobile Device Management (MDM) solution and hence any information stored on micro SD Card and on the device itself.

b. Passwords. All cellular phones and smartphones used for Government business – whether GSA-provided or personal - must be password protected as managed by MDM or the current configuration policies for each device.

c. Time-out and lock-out. GSA-provided wireless data devices and GSA-provided or personal cellular phones used when conducting official business should be set to time-out after a maximum of fifteen (15) minutes of inactivity, following which the user will have to re-enter their password. After ten (10) failed attempts to re-enter the user password, the device should be set to lock-out the user from any additional attempts. (All GSA-provided and most personal wireless devices are preconfigured to automatically do this.) Once locked out of their GSA-provided device, the user must contact the GSA IT help desk to restore service to the device. See CIO-IT Security-13-67 “Securing Mobile Devices and Applications” for details.

4. Wireless Facilities Management: The GSA OCIO has sole responsibly for operating the Government’s server software used to support authorized wireless applications. The GSA OCIO also has sole responsibility for operating servers to support nonstandard and experimental wireless services.

5. Support: The GSA OCIO is responsible for providing user support for all GSA-provided wireless devices used by employees, including end-user help desk services, which are available by calling 1-866-450-5250, sending an email to [email protected], posting a question in the “Ask IT” group on Chatter, or by creating a ticket at ServiceDesk.gsa.gov.

6. Wireless Services: GSA employee wireless services are provided under the GSA wireless contract. Use of the contracted wireless service is mandatory for all GSA offices and employees unless a waiver has been obtained.

a. Waiver requests. A waiver request to use a commercial wireless service other than GSA’s wireless contract must be made by the employee to their DAR for review and approval. Considerations in reviewing a waiver request include, but are not limited, to a) availability of GSA 8

wireless service in the geographical area of the employee; b) quality of GSA wireless service voice call reception; and c) availability of usage and accounting reporting from the commercial wireless carrier. The Wireless Program Office will respond in writing within 30 days of receipt of the request from the DAR.

b. Commercial wireless services. Wireless voice and data services for which a waiver to GSA wireless service has been approved must be reported by the employee’s SSO annually, by fiscal year. The report is due 60 days after the end of the fiscal year, and it should provide all of the following information (as an annual total by registered user for each user under contract):

 Wireless telephone number;  Organizational identifier;  User name;  Monthly basic access fees;  Monthly feature charges (e.g., call waiting, call forwarding, caller ID);  Total airtime minutes;  Total airtime charges;  Total domestic roaming charges;  Total international roaming charges;  Total long-distance toll charges;  Wireless device upgrade or replacement charges;  All charges (all inclusive);  Number of wireless voice calls (local and long-distance), and  Name of service provider.

Chapter 6: Privacy, Confidentiality and Security

1. Private and Confidential Information: Privacy is the ability of an individual or group to stop information about themselves from becoming known to people other than those they choose to give the information to. Private information and confidential information are essentially one and the same. Privacy and confidentiality can be seen as an aspect of security. (Nothing in this Chapter applies to law enforcement activities by the Office of Inspector General.)

2. Information Handling: If Government telecommunications equipment, systems and services are used to enter, store and view private, confidential information, the employee handling it must take all possible steps to ensure that the information is not made public. In addition to following established policies and guidelines (see HCO 2180.1 GSA Rules of Behavior for Handling Personally Identifiable Information (PII)) CIO P 2180.1 GSA Rules of Behavior for Handling Personally Identifiable Information (PII), this includes actual physical measures, such as the use of privacy screens or otherwise covering areas that are displaying this information when in a public place. Government employees should make an effort not to access private and confidential information in a public place. Employees who use GSA-provided equipment such as a laptop or wireless device when traveling or working outside the agency should limit the amount of information being entered, accessed or stored on the device to that which is required for that specific session, workday, trip, etc. in order to reduce the risk of exposing private information and lessen the chance for a security breach.

3. Information from Unknown Sources: Employees who are using GSA-provided telecommunications equipment, systems and services should not open email messages or attachments if the identity of the sender is unknown to them. GSA IT shall issue from time to time alerts or announcements about computer viruses and destructive software that could compromise Government systems. Employees will be held responsible and accountable for monitoring and abiding by all such alerts and announcements related to use of GSA equipment, systems and services.

4. Passwords: Government telecommunications equipment that is used by employees to access Government information must be protected using passwords, PIN-Code or biometric recognition; and IT password configurations must not be altered. Employees may use passwords only as authorized and must not use any password for any type of unauthorized access to Government equipment. All passwords are the property of the Government.

5. Anti-virus and Firewalls: Government IT provided anti-virus and firewall protection must be activated at all times on Government equipment, including wireless devices. Employees who deactivate this anti-virus and firewall protection will be subject to disciplinary sanctions.

6. Encryption: All Government information that is transferred to and from or stored on GSA- provided employee telecommunications equipment including desk PCs, laptops and wireless devices is encrypted.

7. Lost Equipment: If employee-assigned Government equipment such as a laptop or wireless device (cellular phone, smartphone, cellular air card, etc.) is lost or stolen, the user must contact their ISSO and the IT Service Desk as soon as possible.

8. Applications: Only those software applications that have been validated as by the GSA OCIO as compliant or certified may be installed on Government owned telecommunications equipment 10

(desk PC’s, laptops and wireless devices). A registry of all compliant and certified applications – and also of noncompliant applications – for GSA-provided employee telecommunications equipment is maintained by the GSA OCIO at ea.gsa.gov.

9. Intellectual Property: Government telecommunications equipment, systems and services must not be used to send (upload) or receive (download) any copyrighted materials, trade secrets, proprietary financial information, or similar materials in a manner that compromises Government’s or any third-party’s rights. Only material with appropriate copyrights may be stored in GSA- provided equipment (e.g. material that has been purchased by GSA). The ease of copying and propagating data from many sources on the Internet makes it very easy to unintentionally breach copyright laws. Care must be taken by supervisors to ensure that employees are aware of and consider existing intellectual property and copyright laws when downloading or distributing content using Government systems.

Chapter 7: Waste, Fraud and Abuse

1. Vigilance and Reporting: It is the responsibility of all GSA employees to report cases of waste, fraud, and abuse when it occurs. Cases should be reported to their supervisor or the Office of the Inspector General (a written report is preferred), and identity of the person providing the information will be kept confidential. Supervisors also should periodically update users on the established guidelines to prevent or correct misuse of Government telecommunications systems.

2. Personal and Commercial Services Usage: Local and long-distance calls, commercial directory assistance requests, and operator-assisted calls including collect calls placed by employees using non GSA-provided commercial wireline or wireless networks must be minimized and used only for official Government business or be previously determined to be in the best interests of the Government. Supervisors are required to report violations to the GSA OCIO in writing.

3. Large Data Transfers: Government telecommunications equipment, systems and services are intended to be used only for conducting official business. Downloading, sharing, and storage of large binary files that are unrelated to official Government business using GSA- provided telecommunications equipment, systems and services is not allowed. (Binary files include, but are not limited to, images, audio files, and video files.)

4. Computer Viruses and Destructive Programs: Employees must not use GSA-provided equipment, systems or services to develop or distribute any computer virus or destructive software programs. Employees who witness abuse of this guideline should report it to their supervisor and also to GSA IT by sending an email to [email protected] or calling 1-866-450-5250. The identity of the person making these reports will be treated as strictly confidential.

5. Annoying and Offensive Communications: Employees should make every effort to discourage annoying or obscene callers and senders of offensive email messages. Employees who witness abuse of this guideline should report it to their supervisor and also to GSA IT by sending an email to [email protected] or calling 1-866-450-5250. The identity of the person making these reports will be treated as strictly confidential.

a. Annoying or obscene calls and email.

(1) Employees who receive an annoying or obscene telephone call should hang up promptly at the first obscene word or if the caller refuses to speak; do not speak or slam down the phone receiver as this may only lead to a repeat call.

(2) Employees who receive annoying or offensive email communications should not open attachments, send a reply to the sender, or forward them to other persons.

(3) Annoying and offensive telephone calls and email communications should be reported immediately to a supervisor and [email protected].

(4) Supervisors should report cases of repeated (the same employee reports multiple incidents or a group of employees reports one or multiple incidents) annoying or offensive communications directed to an individual or group of employees to the GSA Office of the Inspector General.

(5) Employees must cooperate fully with management investigation of such communications.

b. Distribution of offensive or disruptive messages. Government equipment, systems and services must not be used to create or communicate messages that include material or Internet website addresses or hyperlinks to websites containing sexually explicit content, racial or ethnic slurs, or other comments that offensively address someone’s age, sex, sexual orientation, religion, national origin, ancestry, or disability.

6. Solicitation: GSA-provided telecommunications equipment, systems and services must not be used to solicit personal or any commercial ventures, religious or political causes, external agencies, or other solicitations that are not specifically job-related.

7. Lobbying: United States statute 18 USC 1913 prohibits the use of appropriated funds for purposes of lobbying a member of Congress. The use of appropriated funds may extend to the payment of employee salaries, equipment, office space, etc. Employees using GSA owned telecommunications equipment, systems or services should be mindful of US USC 1913, because a violation or attempt to violate the statute may result in a fine or imprisonment, as well as removal from Government employment.

8. Unlawful Use: GSA-provided employee telecommunications equipment, systems and services must not be used to commit any crime, e.g., obscene or threatening phone calls, obscene or defamatory email messages, political activities in violation the Hatch Act, etc..

Chapter 8: Use of Personal Equipment

1. Use of Personal Equipment: Employee owned equipment such as personal laptops, netbooks, tablets, cellular phones, Flash memory devices or digital cameras, with rapidly increasing central processing unit (CPU) and memory storage capacity are proliferating. Employees increasingly are using them at work, sometimes as a substitute for GSA-provided employee telecommunications equipment that may have less capability. GSA does allow employees to connect their own PC’s and laptops to its networks; however, employees are not allowed to connect their own wireless devices (smartphone) to GSA systems. The GSA will regularly review its policies respecting the use of personal devices. Refer to Chapter 4.2 (GSA’s Bring Your Own Device (BYOD) Policy) of CIO-IT Security-13-67, “Securing Mobile Devices and Applications” for additional information.

a. Theft and damage of personal property. GSA is not responsible for an employee’s personal property. The employee has the sole responsibility to protect his or her personal property, including personal telecommunications equipment used when conducting official business. GSA is not responsible for covering the theft or damage of personal property owned by GSA employees – inside or outside of the agency. This applies to personal items stolen or damaged on Government property or while traveling on Government business. GSA also will not reimburse employees for any costs associated with purchasing, maintenance, replacement, spare parts, etc. of personal equipment, and IT Help Desk support will not be provided for any personal equipment.

b. Information storage and transmission. Employees should avoid using personal equipment for manipulating, storing or transmitting Government information. Personal telecommunications equipment that is used for conducting official business, that involves carrying or transferring Government information, must be treated in the same way as if the equipment were GSA owned respecting the protection of information, security, auditing, and handling. Employees have no reasonable expectation of privacy in any personal equipment used to manipulate, store or transmit Government information.

Chapter 9: Records Management, Retention, and Archiving

1. Requirement: When using GSA-provided employee telecommunications equipment, systems or services, the regulations that govern proper management, archival of records, and release (Freedom of Information Act) apply. GSA OCIO works on an ongoing basis with the Records Management Officer in order to determine the most appropriate methods to capture and retain records on both Government-provided servers and technologies hosted on non-government hosts. GSA’s record management directions are contained in OAS P 1820.1 GSA Records Management Program.

Chapter 10: Usage Reports and Accounting

1. Usage Reports and Accounting: The GSA OCIO has responsibility for GSA employee telecommunications usage reports and accounting.

a. Reports.

(1) The GSA OCIO Telecommunications Division receives and reviews monthly usage, volume and accounting reports from the service providers with which GSA has telecommunications services contracts.

(2) The OCIO Telecommunications Division regularly reviews these reports with the aim to confirm that user names are correct; to verify that new service orders and service cancellations have been completed and properly billed; and to confirm that requested records correction requests to the service providers with which GSA has contracts have been made.

(3) Telecommunications service providers with which GSA has contracts may be requested from time to time to produce ad hoc reports regarding an individual user’s records for investigations. Service providers also may be requested to provide scheduled summary reports that are used by GSA for planning purposes.

(4) Requests for specific employee or group usage, volume and accounting reports may be made to the OCIO telecommunication division by a supervisor, program official or investigating officer within their area of responsibility.

(5) Employees may request reports on their own usage from their regional DAR.

(6) The following information must be submitted to the GSA OCIO Telecommunications Division to request reports:

a. The individual or set of wireline or wireless telephone number(s) (for individual users), or the office correspondence symbol or SSO (for organizational reports).

b. Dates and/or times (or other parameters) of calls or data sessions (circuit switched and wireless) requested.

c. Type of information needed - e.g., destination telephone numbers, cost summaries, abnormal duration calls, or calls placed at specific off-hour times.

d. Point of contact (The Requester’s name, service name, telephone number, email address and personal or work postal address).

Chapter 11: Monitoring

1. Monitoring: To monitor GSA Telecommunications Policy compliance, GSA reserves the right to intercept, access, and disclose email messages sent or received by GSA employees, including attachments, and any voice or video communications messages or authorized transcripts of conversation that have been created, received, or sent using GSA-provided employee telecommunications equipment, systems or services. (This also includes logs of any websites visited and/or files downloaded onto GSA-owned equipment.) Employees have no reasonable expectation of privacy in any item created on a GSA-issued device or in connection with any item used to conduct GSA business.

a. GSA uses a variety of Government-owned software tools to monitor employee voice and data/Internet usage. Some of the tools used generate automated alert notifications to GSA and regional DARs when suspected or potentially inappropriate or unauthorized usage is detected.

(1) All Government-owned equipment, systems and services are monitored on an ongoing basis, whereas employee personal devices that connect to a GSA-provided system also may be monitored from time to time and without a requirement to notify the employee. GSA and regional DARs may bypass user passwords.

(2) Usage monitoring might involve tracking and recording voice mail and e-mail messages sent and received by employees along with external and agency websites visited by employees.

(3) Employee usage of GSA-provided wireless devices also is monitored on an ongoing basis. If an employee is found to have been negligent or intentionally non-compliant with the GSA Telecommunications Policy, particularly regarding secure and acceptable usage of wireline and wireless voice and data/Internet networks and systems, GSA may require the user to return the assigned equipment.

(4) GSA and regional DARs actively monitor and enforce employee responsibilities to comply with statutory and other regulations currently in force respecting information privacy and data protection, including reporting illegal activities to local authorities where an offense has been committed. Employees traveling to foreign countries on official business should not assume that U.S. statutes and regulations take precedence over local rules respecting use of telecommunications equipment (e.g., laws pertaining to unauthorized access to or modification of computer material, electronic reproduction and distribution of copyright material, online defamation of individuals and foreign authorities’ powers to investigate allegations of these activities including the power to seize individual property in the course of an investigation).

2. Employee Responsibilities: GSA employee responsibilities related to using GSA- provided telecommunications equipment, systems and services include being aware of and complying with the GSA Telecommunications Policy.

3. Relation of the GSA Telecommunications Policy to Other Policies and Standards: Employees must use GSA-provided telecommunications equipment, systems and services to conduct official business in a manner that is consistent with the GSA Telecommunications Policy. Personal equipment that is used when conducting Government business also must be used in a manner consistent with that policy.

a. Policy consistency. The GSA Telecommunications Policy is intended to be consistent with other GSA policies, including without limitation those covering IT Security.

b. Policies and standards regarding employee behavior. Employees using a GSA system when conducting Government business inside or outside the agency must adhere to the Standards of Ethical Conduct for Employees of the Executive Branch. These standards cover topics of prohibited activities such as engaging in vulgar and abusive language, personal attacks, or offensive terms targeting individuals or groups. Employees have no expectation of privacy when engaging in verbal or written communication with internal or external persons.

Existing policies covering employee behavior on acceptable personal usage can be found in ADM 7800.11A, Personal Use of Agency Office Equipment, , CIO 2104.1A CHGE 1 GSA Information Technology (IT) General Rules of Behavior, and HRM 9751.1 Maintaining Discipline.

4. Disciplinary actions: GSA employees must monitor and abide by changes and/or clarifications to this policy issued by GSA. Disciplinary actions for intentional non-compliance with this policy range from a verbal warning to fines, suspension, termination of employment, and possible legal action against the employee.

5. Clarification and Contacts: Employees who need help understanding the GSA Telecommunications Policy or this Guide should send an email GSA IT at [email protected] or call 1-866-450-5250.

Appendix - Definitions

Air card – An external data modem (such as a USB-stick) that forms a wireless access point connecting a personal computer (PC) to the Internet via wireless network access.

Anti-virus – Software installed on a user device such as a PC, laptop or smartphone, that is used to prevent, detect and remove malware such as computer viruses, worms, Trojan horses, adware and spyware.

Binary Files - Binary files include, but are not limited to, images, audio files, and video files such as those posted on You Tube, etc.

Cable modem – Cable modems use a range of frequencies originally intended to carry RF television channels. A modem (modulator-demodulator) is a device that modulates a carrier signal to encode digital information and also demodulates the signal to decode the transmitted information. The goal is to produce a signal that can be easily transmitted and decoded to reproduce the original digital data.

CPU - Central Processing Unit: The main element or processor of a computer system, it executes the instructions of a computer element to carry out the computer’s operational functions.

DAR – The GSA’s Designated Agency Representative (DAR).

Desk phone - A desktop telephone that may be a traditional analog or digital device, or may be IP- based for VoIP.

DSL – Digital Subscriber Line: A technology family that provides wireline digital data transmission access. DSL broadband access service is provided by telcos and alternative local access service providers over copper wires, using the same access line as voice telephony. Data throughput of regular DSL access ranges from 384 kbps to 20 Mbps depending on the DSL technology (e.g., ADSL, SDSL).

Email – Electronic mail: A method of exchanging digital messages across the public Internet or other computer networks such as a corporate WAN. Email systems are based on a store-and- forward model in which the email server computer system accepts, forwards, delivers and stores messages on behalf of users. The user only needs to connect to the email server with a network- connected device for the duration of message submission or retrieval.

Encryption – The process of transforming information using an algorithm that makes it unreadable to anyone except those provided a software key to decrypt it and make the information readable again.

Flash memory – Computer storage technology that can be reprogrammed and electronically erased. It is used in memory cards and solid state drives for general storage, and also for transferring data between computers and other digital devices. It is non-volatile, so no power is needed to maintain the information stored on the chip, and it is extremely durable – able to withstand intense pressure, etc.

Firewall – Part of a computer system or network that is designed to block unauthorized access while permitting authorized communications based upon a set of rules and other criteria. Firewalls

are either hardware or software, or a combination, and they are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially enterprise intranets. All messages entering or exiting the intranet pass through the firewall, which examines each and blocks those that do not meet the security rules or other criteria.

IP - Internet Protocol – An protocol standard that is used for communicating data across packet- switched networks using the Internet Protocol Suite (TCP/IP). It is the main protocol of the Internet Layer of the suite, and its task is to deliver distinct protocol datagrams or packets from the source host computer to the destination host computer based solely on their IP addresses. It defines addressing methods and structures for datagram encapsulation, the first version of which is IPv4, whose successor is IPv6.

Laptop PC – A personal computer (PC) designed for nomadic or mobile use, which is small and lightweight. It integrates the typical components and features of a desktop PC, including a display monitor, a keyboard, a pointing device or touchpad, speakers, and also has a multi-hour rechargeable battery that can be charged from an AC adapter. Laptops normally are notebook shaped and have a flip form factor to protect the monitor and keyboard when being carried.

LTE – Long Term Evolution: A 4G wireless radio access connection technology with its origins in GSM/EDGE and UMTS/HSPA 2G and 3G technologies used in most cellular networks worldwide. LTE is expected to allow maximum data transfers up to 100 Mbps for mobile access and up to 1 Gbps for stationary access.

Mobile Device Management (MDM) - MDM software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices, including mobile phones, smartphones, tablets, ruggedized mobile computers, mobile printers, mobile POS devices, etc.

Netbook – Has similar functions and features as a laptop PC but with a much smaller monitor and lower processing power and memory.

PBX – Private Branch Exchange (PBX): These systems are premise-based legacy TDM voice systems. GSA is replacing legacy voice systems and user stations with IP-based systems (IP PBX, IP phone sets, softphone client on PCs).

PC – Personal Computer: May be a desktop or a laptop, a netbook or a tablet.

PSTN – Public Switched Telephone Network: The global network of public circuit-switched telephone networks operated by telcos. It includes standards based wireline telephone access and transport links - fiber optic cables, microwave, cellular, communications satellites, and undersea cable systems - connected via switching centers. The combination of the interconnected telco networks and a single numbering plan administered by the International Telecommunication Union make it possible for any telephone worldwide to connect with any other.

Smartphone – Voice and data handheld devices based on five main operating systems (OS): Apple’s iPhone, Google’s Android, Nokia’s Symbian, Palm (HP), Microsoft’s Windows Mobile/CE, and Research In Motion’s BlackBerry.

Softphone – A VoIP software client installed on a user’s PC for the purpose of placing and receiving voice calls through a LAN (local area network) to an IP PBX or over the Internet. Typically

a softphone is designed to appear as the image of a phone on the user’s PC monitor, with a display panel and buttons with which the user interacts. It usually is used with a headset connected to the sound card of the PC, or with a USB connected phone set.

Tablet – Has similar functions and features as a laptop PC, but usually is smaller and lighter weight, and also often is equipped with a stylus or touch screen.

TDM – Time Division Multiplexing: A legacy circuit switched voice network technology used in the PSTN.

Telecommunications – An umbrella term that encompasses technologies and services related to using voice, data and Internet communications technologies and services.

Telephone Calling Cards – Physical or virtual cards associated with a user telephone number for billing purposes that is provided by GSA to individual employees for either U.S. only long-distance calling, or U.S. and International long-distance calling.

Telephony – An umbrella term that encompasses the general use of hardware and software to provide voice communication over distances, such as by connecting telephones to each other.

UC – Unified Communications: A framework of middleware for integrating IP based communications applications technologies including but not limited to: IP voice telephony, unified messaging (UM), presence and instant messaging (IM)/chat, and integrated IP audio/video/Web- based conferencing. UC involves real time redirection of a voice, video, text or e-mail message to the device closest to the recipient at any given time, based on the recipient’s self-selection of the device or format on which they want to receive them.

VoIP – Voice over Internet Protocol: VoIP is a family of communications protocols and transmission technologies used to deliver voice telephony and multimedia sessions over IP networks such as the public Internet and site-to-site MPLS (Multiprotocol Label Switching) IP VPN WANs. VoIP systems use session control protocols to control the setting up and tearing down of voice call sessions, and audio codecs to encode speech to allow its transmission over an IP network as digital audio via an audio stream.

VPN – Virtual Private Network: A network that uses the public Internet or private telecommunications infrastructure operated by a telco or alternative network operator to provide remote offices or individual users with secure access to the corporate network. Secure VPNs use tunneling and encryption protocols to block packet sniffing, allow sender authentication, block identity spoofing, and prevent message alteration. Standards based secure VPN technology protocols include IPSec (Internet Protocol Security) and SSL (Secure Socket Layer), which can tunnel an entire network’s traffic or secure an individual connection. It encapsulates data transfers between two or more networked devices to keep the transferred data private from other devices on one or more intervening local or wide area networks.

WAN – Wide-Area Network: The underlying site-to-site network infrastructure connecting an enterprise’s business locations to its data center or other sites for the purpose of transferring data traffic between them. A converged WAN is used to transfer voice, video and data traffic between sites. The most common WAN technologies used today are Internet VPN, MPLS VPN and TDM leased-line or private-line point to point networks. At each end, a router connects to the site local area network (LAN) on one side and a hub within the WAN on the other.

WiFi – Wireless local area network (WLAN) technology that includes products based on the IEEE.802.11 standards.

WiMax – Worldwide Interoperability for Microwave Access: A 4G standards based broadband access protocol that provides fixed and mobile Internet access, as an alternative to cable modem and DSL broadband access. WiMax theoretical data throughput rates are up to 40 mbps with the IEEE 802.15m updated expected to offer up to 1 Gbps in stationary or fixed usage mode.

Wireless device – Typically a handheld device or tablet that connects to the Internet using WiFi or cellular access technologies.

Wireless Priority Service (WPS) - WPS supports national leadership; Federal, State, local and tribal governments; and other authorized national security and emergency preparedness (NS/EP) users. It is intended to be used in an emergency or crisis situation when the wireless network is congested and the probability of completing a normal call is reduced.

3G – Refers to public mobile/cellular wireless networks and services that allow IP data transfers to and from individual wireless devices, including multimedia formats such as photos and video messages, Internet downloads and uploads, and streaming audio and video. The maximum theoretical data transfer rate using 3G technology is 1 Mbps, although actual user experience is likely to be a maximum of 385 kbps or less.

4G – Refers to public fixed and mobile wireless networks and services based on WiMax or LTE technologies that allow considerably faster data transfer speeds, such as at theoretical data rates for WiMax of 75 Mbps per channel (in a 20 MHz channel using 64QAM ¾ code rate). LTE 4G technology is expected to allow maximum data transfers up to 100 Mbps for mobile access and up to 1 Gbps for stationary access.