FDA STAFF MANUAL GUIDES, VOLUME III - GENERAL ADMINISTRATION
OFFICE OF INFORMATION RESOURCES MANAGEMENT
WEB PROGRAM OPERATIONS
Transmittal Number 00-71 -- Date: 05/22/2000
Effective Date: 06/01/2000
This guide provides the policies and procedures for the Food and Drug Administration's (FDA) support of a comprehensive web program. The policy describes the requirements of a web program to meet the basic goal of providing the FDA with a viable and effective web presence. This web program, as described in this Staff Manual Guide (SMG), will guide the FDA Website Program Manager in the Office of Public Affairs, FDA Webmaster in the Office of Information Resources Management (as delegated by the Chief Information Officer), and Center/Organization Program and Technical Managers in managing the FDA web resources.
Internet Technology provides a solution to one of Information Technology's (IT) most difficult and costly problems -- connecting people easily and quickly to distributed information. The result has been an information explosion with many new challenges of its own. As FDA provides more program-related information to its customers, their information needs and expectations also grow. In addition, the number of people requesting information from FDA is growing as FDA presents itself to a worldwide audience. The FDA Internet web site provides critical health information to the public. The site offers information of interest to health professionals, patients, consumers, industry, state and local officials, as well as many others. The FDA Intranet web provides access to FDA databases and administrative and scientific information to FDA employees in a user-friendly, easily accessible manner. Platform independence, one interface, common protocols, a rich information environment, and the relatively low cost of implementation are encouraging organizations within FDA to create internal Web sites and web-enable their applications. For these reasons, the FDA web presence, both Internet and Intranet, is a valuable FDA resource that must be protected and appropriately managed.
A. These documents and those attached to this document may be found via the Intranet web site at http://intranet.fda.gov/ocio/webmaster/Policy/default.htm
- Computer Security Act of 1987
- Paperwork Reduction Act of 1995
- Clinger-Cohen Act of 1996
- Freedom of Information Act of 1996
B. Related FDA Staff Manual Guide
- FDA Staff Manual Guide 3250.5, Office of the Chief Information Officer, Reporting Computer Security Incidents (superseded by SMG 3252.3)
- FDA Staff Manual Guide 3291.4, Procedures for Implementation of the Privacy Act (Renumbered as SMG 3297.4).
- FDA Staff Manual Guide 3291.5, Procedures for Implementing the Freedom of Information Act (superseded by SMG 3297.1 and SMG 3297.2).
A. Browser. A type of software that allows navigation of information on the Internet. Examples are Netscape Navigator and Microsoft Internet Explorer.
B. DNS. This is an acronym for Domain Name Server. DNS refers to a database of Internet names and addresses that translates the names to the official Internet Protocol numbers and vice versa.
C. Firewall. This term refers to security measures designed to protect a networked system from unauthorized or unwelcome access.
D. FTP. File Transfer Protocol is a protocol that allows the transfer of files from one computer to another. FTP is also a verb used to describe the act of transferring files from one computer to another.
E. HTML. An acronym for HyperText Markup Language, HTML is the language used to tag various parts of a Web document so browsing software will know how to display that document's links, text, graphics and attached media.
F. Search Engine. This term refers to a program that helps users find information on web sites.
G. Server. A computer system that manages and delivers information for client computers.
H. Service Level Agreement. An agreement between two or more parties regarding the specific services, tasks and responsibilities of each.
I. T-1 / T-3. High-speed data line connection. T-1 operates at 1.45 Mbps, T-3 at 45 Mbps.
J. URL. This is the abbreviation for Uniform Resource Locator, the addressing system used in the World Wide Web and other Internet resources. The URL contains information about the method of access, the server to be accessed and the path of any file to be accessed.
K. Webmaster. This term refers to the person in charge of administrating a World Wide Web site.
L. World Wide Web. Also known as WWW or W3, the World Wide Web is a hypertext-based Internet service used for browsing Internet resources.
A. It is the policy of FDA to implement and maintain an Internet web site and Internet program to provide information to the public via the Internet. As such, FDA Internet Web Program Representatives shall adhere to the following Administrative, Quality Control, Technical, and Security policies as related to the Internet:
1. Internet Administrative
a. Establish an FDA Internet Web Council with the FDA Website Program Manager as chairperson as a forum for bringing together agency-wide Internet developers to address content, policy and technical issues involved in providing a unified and effective FDA web presence on the Internet.
b. Delegation of the management of content of the FDA public web site shall be governed by a document referred to as the "FDA Internet Website" Guidelines, developed by the FDA Website Management Staff in OPA through the Internet Web Council. The Guidelines shall include instructions for preparing documents to contain document management information and instructions for dealing with moved documents, official records, older publications and superseded but still useful information, to avoid confusing and misleading the public.
c. Establish an Internet Technical Working Group coordinated by the FDA Webmaster to provide a forum for discussing the management of the technical aspects of the web program, recommending Internet standards, and for identifying new technical requirements.
d. Establish Service Level Agreements between the FDA Internet Program Manager, the FDA Webmaster, and Content and Technical Leaders in each center/organization on all FDA Internet Web Servers to assure that content and technical roles and responsibilities are understood.
2. Publication of Information on the Internet
Assure that publication of information on the public Website is appropriate for a public audience. This includes assuring that no offensive or harassing material is made available via FDA public Websites. Note that information placed on the Website is subject to the same Privacy Act restrictions as when releasing non-electronic information. The clearance rules for publications are the same whether a publication is published in printed form or on the Internet. Contact the Website Program Manager in OPA for further guidance.
3. Internet Technical
a. Register any FDA Internet web servers in an overall agency web server registry prior to being referenced in a domain name server (DNS) in FDA or before utilizing any .gov extension for a web site supported by FDA. In addition, follow the standard format identified in the Procedures section of this document for FDA Internet web server Domain Names.
b. Identification of new requirements which will result in the need to implement new Web technologies shall be presented to the IRM Council, chaired by the CIO and presented by the FDA Program Manager, the FDA Webmaster and the initiating component (OC/ORA or Center) web representatives.
c. Web-enabled applications shall be approved by the Center Director or delegated authority and the Center/OC/ORA web representatives before being presented to the FDA Webmaster and the FDA Website Program Manager for implementation on the FDA Internet. Funding for development, implementation, maintenance, bandwidth, and infrastructure shall be in place prior to beginning implementation of any Internet web-enabled databases. The FDA Webmaster shall determine the costs for implementation on the Internet infrastructure.
d. No Internet servers may be implemented outside of the FDA shared infrastructure without a completed Business Case including rationale for implementing the server outside of the shared infrastructure, a completed Return on Investment and CIO approval. System Administrators/webmasters of Internet servers other than those in the FDA consolidated web server data center shall respond in a timely manner to data calls as necessary to allow the FDA Webmaster to provide a consolidated response for FDA.
e. All requirements regarding installation of software and/or new requirements on FDA web servers shared by more than one Center, OC, and ORA shall be documented and sent to the web server system administrator/webmaster and the Internet/Intranet Technical Committee.
4. Internet Security
a. No sensitive, confidential, and/or private data may be placed on servers intended to provide data to the public. Appropriate protections at the application, server, and network level, including authentication, will be maintained for access to sensitive, confidential, and private data maintained outside of the FDA firewall.
b. Connect only those servers to the Internet that have a firewall between the Web server and internal FDA network. Any internal WWW servers supporting critical applications must be protected by internal firewalls.
c. Establish detailed Security Procedures for each web environment with specific steps concerning handling of security incidents in the manner specified in the FDA policy document, SMG 3250.5.
d. Web server software, and the software of the underlying operating system, shall contain all appropriate manufacturer recommended patches for the version in use within 48 hours of their release from the manufacturer when these patches address security vulnerabilities.
B. It is also the policy of FDA to implement and maintain an Intranet web site and Intranet program within the FDA network to provide information to FDA employees via the Intranet. As such, FDA Intranet Web Program Representatives shall adhere to the following Administrative and Site Management/Quality Control policies as related to the Intranet:
1. Intranet Administrative
a. Establish an Intranet Web Council as a forum for bringing together agency-wide Intranet developers to address content and policy issues involved in providing a unified and effective FDA web presence on the Intranet.
b. Establish Content Guidelines to assure that the information on the FDA Intranet is accessible to all FDA employees, including instructions for dealing with moved documents, official records, older publications and superseded but still useful information, to avoid confusing and misleading FDA employees.
c. Establish an Intranet Technical Working Group coordinated by the FDA Intranet Webmaster to provide a forum for discussing the management of the technical aspects of the web program, recommending Intranet standards, and for identifying new technical requirements.
2. Publication of Information on the Intranet
Assure that no offensive or harassing material is made available via FDA Intranet Web sites. No personal information or personal web pages shall be placed on the FDA Intranet.
3. Intranet Technical
Register any FDA Intranet web servers in an overall agency-web-server registry prior to being referenced in an FDA domain name server (DNS). In addition, follow the standard format identified in the Procedures section of this document for FDA Intranet web server Domain Names.
A. Office of the Chief Information Officer
1. Chief Information Officer (CIO). Establishes and implements the web program technical policies and procedures and determines the agency-wide web technical support strategy and investment in new web technologies. Provides technical operational support and identifies an FDA Webmaster in the Office of Information Resources Management (OIRM) for the day-to-day operations of the FDA web program.
2. FDA Webmaster. Manages the day-to-day technical operations of the shared Internet and the central Intranet web infrastructure, provides technical leadership concerning web activities agency-wide, represents the agency at web-related government technical meetings, and implements the technical policies and procedures on behalf of the CIO.
B. Office of Public Affairs
FDA Website Program Manager. Provides overall direction, strategic planning assistance, and management coordination on agency Website programs. Also provides Web-related information management strategy input through a collaborative effort with the FDA OIRM and the Web managers in the centers and ORA.
1. Management and Strategy: Delivers the Agency's messages to the public through the Agency's Website. With the centers, ORA and other components of the Office of the Commissioner, designs, develops, implements, monitors, and manages information and interactive functions on the Agency's Website. Serves as an advocate for the FDA's Web presence and as a catalyst for creative use of the Web by the Agency. Works closely with the FDA OIRM, which is responsible for the technical operations of FDA's Website. Also works closely with Website contacts in the centers/offices to plan, coordinate, execute and evaluate the agency's Website operations. Serves as the focal point and contact with the Agency, Department and other Federal Government non-technical Website programs and operations.
2. Web Page Design and Development: Designs, develops and manages the FDA home page and other top-level agency pages. Coordinates with center/office Website management and content providers on pages and subsites that address crosscutting issues.
3. FDA Website Guidelines: With the FDA Internet/Intranet Council, develops, manages, interprets and monitors the implementation of the agency's Internet Website Guidelines, standards and policies for information published on the Agency's Website. Ensures conformance with these Guidelines.
4. Office of the Commissioner Support: Provides site management and design support to other components of the Office of the Commissioner. Provides overall content approval and management for all OC Web pages.
C. Centers/Offices
1. Center/Office Directors. Designates a content and technical representative to represent the center/office in web-related matters and to be responsible for following the policies and procedures outlined in this document and the FDA Website Guidelines. Approves center/office content to be distributed to the public via the web.
2. Center/Office Content Representative. Determines the content, design, and user interface of the Center/Office portion of the web site, under the Center/Office information exchange policies and within the Internet Guidelines prepared by the Internet/Intranet Council chaired by the FDA Web Program Manager.
3. Center/Office Technical Representative. Provides technical guidance to the Center/Office Content Representative, provides technical support concerning web activities agency-wide, represents the agency at FDA web-related technical meetings, and implements the technical policies and procedures for the Center/Office. Provides technical support for any Center/Office dedicated servers.
D. Work Groups
1. Internet/Intranet Web Council. Chaired by the FDA Website Program Manager, this group has overall responsibility for determining the structure, style and content of the website, for developing the FDA Website Guidelines, and for addressing issues related to usability of the website by members of the public.
2. Internet/Intranet Technical and Standards Committee. Recommends standards for the FDA Internet/Intranet, investigates new web technologies, plans for the strategic growth of the FDA Internet and Intranet technology, provides guidance to the agency concerning the Internet and Intranet, and addresses technical problems and issues with the FDA Internet and Intranet.
The following are procedures to be followed in support of the Policies identified for the FDA Internet Web Program:
A. Internet Administrative
1. Web Council meetings will be held no less than every two months and will be called by the FDA Website Program Manager and include the center/office content and technical web representatives. The group will establish procedures for operation of the group and communication of the group.
2. The Web Site Guidelines document shall be voted on and approved by the officially-designated center/office representatives, the FDA Website Program Manager, and the FDA Webmaster. This document is a working document and as such shall be changed as needed. At a minimum, the document shall include a statement of the official purpose of the web site, web design standards, standard web site graphics, graphic and document size limitations, and information about the structure and style of the web site. The document shall include document management information such as meta tags, author, expiration date, etc. The Website Guidelines shall also include instructions for dealing with moved documents, official records, older publications, and superseded, but still useful, information. In addition, the guidelines shall address the mechanism for assuring compliance to the guidelines. Attachment B is the current version of the FDA Website guidelines.
3. An Internet Technical Working Group shall be established to plan for the strategic growth of the FDA Internet, recommend agency Internet technical standards, prepare and negotiate Service Level Agreements, investigate new technologies, and address technical issues and problems. This group shall provide the status of all group decisions to the overall Internet Council chaired by the FDA Program Manager and provide Internet-related recommendations on standards to the overall Infrastructure Standard Architecture (ISA) Technical Working Group (TWG). Technical Operations Guidelines for each Internet web server shall be specified through the Service Level Agreements, which shall be prepared through this committee. Membership on this committee shall include the FDA Webmaster, the FDA Program Manager, and the officially designated content and technical representatives from each Center, OC, and ORA. The group shall meet at least every two months and identify by-laws for the operation of the group. The FDA Webmaster shall coordinate the group, but leadership of the group shall be open to the technical representatives in each of the centers/OC/ORA.
4. Service Level Agreements (SLAs) between the FDA Webmaster and FDA Website Program Manager and the Center Program and Technical Directors will be written to clarify the specific duties of each and to outline where additional funding and resources are required. SLAs will be reviewed every six months and modified as necessary and as the technology and responsibilities change.
B. Publication of Information on the Internet
Anyone delegated with the responsibility for placing content on the FDA web site shall be familiar with the FDA Website Guidelines, the FDA Staff Manual Guide 3291.4, Procedures for Implementation of the Privacy Act, the FDA Staff Manual Guide 3291.5, Procedures for Implementing the Freedom of Information Act, and work closely with the FDA Office of Public Affairs and the communications groups within the agency's centers and offices.
C. Internet Technical
1. Domain Name Server(s) Registration (DNS). All FDA Internet web servers that are registered in the DNS shall be documented in an overall agency web server registry on the FDA Intranet. Network Administrators shall assure that server administrators document their web servers in the web server registry prior to being referenced in any domain name server in FDA. This is to assure FDA's ability to respond to data calls concerning Internet/Intranet servers and to encourage sharing of resources across the agency. Top Level Domain (TLD) names shall be approved by FDA Center Director responsible for the content, presented to the Internet/Intranet Work Group and the CIO, and approved by the Commissioner's office prior to being sent to HHS for approval. FDA Internet web sites not under the www.fda.gov domain shall be registered in the domain name server according to the following standard:
Web-enabled applications shall be required to follow those procedures currently in place for clearance of documents for distribution on the Internet Web site, as well as those procedures regarding Information Technology development activities. In addition, a document outlining the procedures and guidance in preparing web-enabled applications for the shared environment shall be prepared by the FDA Webmaster. Developers shall be required, when using the shared infrastructure and resources, to follow the guidance outlined in the document described to assure continuity and to protect the shared environment. The current version of this document, "Instructions for Adding and Maintaining Web-Enabled Applications on the Shared FDA Internet Infrastructure," is provided as Attachment C.
2. Initial Investigation of New Technologies may be undertaken by the Technical Committee or any member of the Technical Committee. A brief white paper signed by the FDA Website Program Manager and the FDA Webmaster shall be prepared outlining the technology and the main alternatives and requesting further effort to be dedicated to this activity to implement the technology in a full production environment. This white paper shall be prepared for the FDA IRM Council. Once approval by the IRM Council to proceed with further efforts in investigating and, in some cases, piloting this new technology is received, the Internet/Intranet Technical Committee shall prepare a Business Case according to the current Information Technology Investment Review Board (ITIRB) process. Prior to submission, members of the Technical Committee, the FDA Website Program Manager and the FDA Webmaster shall approve this business case.
3. A limited amount of space and support shall be available equally to each Center/Office for Internet Web-Enabled Databases on the infrastructure in the FDA consolidated Internet data center. Space and support for web-enabled Internet databases shall be requested of the FDA Webmaster in advance. The FDA Webmaster shall facilitate this process by preparing an easily accessible form for FDA developers that reflects the current policies regarding development. The current form is provided as Attachment D. Once shared resources and space are expended, Centers/Offices are expected to pay for additional infrastructure requirements of these web-enabled databases. Cost estimates shall be based upon specific requirements of the system and shall be prepared by the FDA Webmaster with input from the Center/Office technical manager.
4. Addition of Internet Web Servers. Internet servers operating an FDA public website or fully paid for by FDA resources may exist outside of the FDA consolidated Internet data center operated by the FDA Office of Information Resources Management (OIRM), but must have the following in place and adhere to the following guidelines:
a. An Information Technology Business Case supporting the business and technical rationale for placing a web site outside of the consolidated data center presented to the CIO for informational purposes.
b. Approval by the Center Director and/or organizational leader responsible for the Center setting up the IT Web Server and for the resources necessary to maintain the server.
c. Security Plan (including physical security of the facility where the equipment is located) and Contingency Plans are required for all Internet and Intranet servers. In addition, the Security Plan must include the specific steps to be taken in the event of a security incident, as specified in the policy document, SMG 3250.5.
d. Backup Procedures
e. Maintenance of the Information in the Web Server Registry to allow efficiency in responding to data calls from the Department and other Government agencies.
f. Server logs must be supplied to the FDA Webmaster every month in a format that can be used by the agency Website's statistical software to generate all-inclusive Agency-wide usage reports.
g. Contracts or other procurements requiring web development activities or requests for web-enabled databases to be placed on the FDA Internet web site must be presented to the Center/Office web program manager and/or technical manager and the Center/Office IRM manager for review. This will allow planning for growth of the web site and will assure that any problems can be identified prior to significant investments being made. Center/Office program managers and webmasters will be responsible for communicating with the FDA Internet Program Manager and the FDA Internet Webmaster.
5. New Software Installed and Used on Shared FDA Web Servers. All requirements regarding installation of software on FDA web servers shared by more than one Center, OC, and ORA shall be documented and sent to the web server system administrator/webmaster and the Internet/Intranet Technical Committee. This does not include new versions of existing software which will be implemented as necessary to assure security of the system and which will require any necessary changes to existing software by web representatives. In general, all software products installed on FDA Internet Production server(s), i.e., site management tools, etc., including those listed as ISA standards, shall be approved by the system administrator/webmaster in conjunction with the members of Internet Technical Committee who utilize that server. This coordination is to ensure that all requirements are documented and addressed and to assure that the tool is appropriate given the demands on that server, i.e., high traffic, high content site; and to assure that the tools are able to work together without causing instability or security problems on the web site. In the event that a tool causes a production server to become unstable or present security problems, the web server system administrator/webmaster has the right to remove the product from the server. The web server administrator/webmaster shall provide an alternative means of meeting the user requirements in this event wherever possible.
D. Internet Security
1. Location of Internet Web Servers. Internet Web Servers must be placed outside of the FDA firewall. The purpose of the FDA firewall is to protect the FDA Internal Network. Notify the CIO in writing prior to the operation of any web server outside of the FDA shared environment to be connected to the Internet.
2. Security Documentation. Prepare a document with Security Procedures for each web environment with specific steps concerning handling of security incidents in the manner specified in the FDA policy document, SMG 3250.5. Security Documentation will include at a minimum the procedures for:
- Installation and Testing of Software Security Patches
- Changing the passwords (account access procedures) and closing all known software holes, trapdoors, and backdoors, including unneeded file server ports, that could be exploited by knowledgeable hackers
- Monitoring (Router Monitoring, Packet Filtering Routers, Network Monitoring, Security Incident Response, Proactive Security Measures)
- Security Awareness and Physical and Environmental Protection
b. Intranet Administrative
1. The Intranet Web Council will be incorporated into the Internet Web Council, making it the Internet/Intranet Web Council.
2. The Intranet Web Site Guidelines document shall be voted on and approved by the officially-designated representatives and the FDA Webmaster. This document is a working document and as such shall be reviewed every six months and changed as the requirements and technology change. At a minimum, the document shall include a statement of the official purpose of the web site, web design standards, standard web site graphics, graphic and document size limitations, and information about the common look and feel of the web site. The document shall include document management information such as meta tags, author, expiration date, etc. The Web Site Guidelines shall also include instructions for dealing with moved documents, official records, older publications and superseded but still useful information. In addition, the guidelines shall address the mechanism for assuring compliance to the guidelines. Attachment B is the current version of the web guidelines document.
3. An Intranet Web Technical Working Group shall be established to plan for the strategic growth of the FDA Intranet web, recommend agency Internet standards, prepare and negotiate Service Level Agreements, investigate new technologies, and address technical issues and problems. This group may be combined with the Internet Technical Working Group making it the Internet/Intranet Technical Working Group. This group shall coordinate with the Network Managers Group when investigating the implementation of technologies that may affect the FDA network.
c. Intranet Technical
Intranet Domain Name Server Registration. All FDA Intranet web servers that are registered in the DNS shall be entered into the overall agency web server registry via an on-line web-enabled form on the FDA Intranet. Network Administrators shall assure that server administrators document their web servers in the web server registry prior to being referenced in any domain name server in FDA. This is to assure FDA's ability to respond to data calls concerning Internet/Intranet servers and to encourage sharing of resources across the agency.
FDA Intranet web sites shall be registered in the domain name server according to the following standard:
intranet.*.fda.gov where * represents the organization.
If the site appears on the Intranet.fda.gov web server, the site will be referenced as intranet.fda.gov/*. Existing sites are grandfathered in and requests to deviate from the standard will be presented to the Internet/Intranet Work Group for a vote.
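As an added example (not part of this Staff Manual Guide and not FDA tooling), the following Python script audits a web server registry against three requirements stated above: the intranet.*.fda.gov / intranet.fda.gov/* naming standard with its grandfathering exemption, the rule that a server is entered in the registry before it is referenced in FDA DNS, and the 48-hour window for security patches from the Internet Security policy. The registry layout, organization names, patch ids and dates are constructed for illustration.

```python
"""Audit a web server registry against the SMG's naming, DNS-registration and
patch-window requirements. Added example: not FDA code; all records constructed."""
import re
from datetime import datetime, timedelta

# Intranet naming standard from the Procedures section:
#   intranet.<org>.fda.gov   or, on the central server,   intranet.fda.gov/<org>
HOST_STANDARD = re.compile(r"^intranet\.([a-z0-9-]+)\.fda\.gov$")
PATH_STANDARD = re.compile(r"^intranet\.fda\.gov/([a-z0-9-]+)(/.*)?$")

# Internet Security policy 4.d: security patches applied within 48 hours of release.
PATCH_WINDOW = timedelta(hours=48)


def site_conforms(name):
    """True if an Intranet site name follows either form of the standard."""
    n = name.strip().lower()
    return bool(HOST_STANDARD.match(n) or PATH_STANDARD.match(n))


def dns_reference_allowed(hostname, registry):
    """A host may be referenced in FDA DNS only if it is already in the registry."""
    registered = {r["hostname"].lower() for r in registry}
    return hostname.strip().lower() in registered


def late_patches(record, now):
    """Ids of security patches applied, or still pending, beyond the 48h window.
    A pending patch (applied is None) is measured from 'now'."""
    late = []
    for p in record.get("security_patches", []):
        applied = p["applied"] if p["applied"] is not None else now
        if applied - p["released"] > PATCH_WINDOW:
            late.append(p["id"])
    return late


def audit_registry(registry, dns_hosts, now):
    """Return {hostname: [issues]}; an empty dict means every check passed."""
    findings = {}
    for rec in registry:
        issues = []
        # Naming standard applies to Intranet sites; grandfathered sites are exempt.
        if (rec["kind"] == "intranet" and not rec.get("grandfathered")
                and not site_conforms(rec["hostname"])):
            issues.append("name does not follow the intranet.*.fda.gov standard")
        late = late_patches(rec, now)
        if late:
            issues.append("security patches outside the 48h window: " + ", ".join(late))
        if issues:
            findings[rec["hostname"]] = issues
    for host in dns_hosts:
        if not dns_reference_allowed(host, registry):
            findings.setdefault(host, []).append("referenced in DNS but not in the registry")
    return findings


# Constructed sample registry (hypothetical organizations, patch ids and dates).
NOW = datetime(2000, 6, 15, 12, 0)
SAMPLE_REGISTRY = [
    {"hostname": "intranet.org1.fda.gov", "kind": "intranet", "security_patches": [
        {"id": "PATCH-A", "released": datetime(2000, 6, 10, 9, 0),
         "applied": datetime(2000, 6, 11, 8, 0)}]},            # 23h: on time
    {"hostname": "webtest.fda.gov", "kind": "intranet", "security_patches": [
        {"id": "PATCH-B", "released": datetime(2000, 6, 10, 9, 0),
         "applied": datetime(2000, 6, 13, 9, 0)},             # 72h: late
        {"id": "PATCH-C", "released": datetime(2000, 6, 14, 9, 0),
         "applied": None}]},                                   # pending 27h: still within window
    {"hostname": "oldsite.fda.gov", "kind": "intranet", "grandfathered": True,
     "security_patches": []},
]
# Constructed DNS zone contents: the last host was never entered in the registry.
SAMPLE_DNS = ["intranet.org1.fda.gov", "webtest.fda.gov", "oldsite.fda.gov",
              "intranet.unregistered.fda.gov"]

if __name__ == "__main__":
    for host, issues in sorted(audit_registry(SAMPLE_REGISTRY, SAMPLE_DNS, NOW).items()):
        print(f"{host}: {'; '.join(issues)}")
```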