U.S. Department of Transportation
Federal Highway Administration
1200 New Jersey Avenue, SE
Washington, DC 20590
|Personal Digital Assistants|
|Classification Code||Date||Office of Primary Interest|
|1370.12A||March 22, 2006||HAIM-40|
What is the purpose of this directive? This directive establishes the Federal Highway Administration (FHWA) policy for the purchase and use of Personal Digital Assistants (PDAs). PDA is a term for any small mobile hand-held device that provides electronic information storage and retrieval capabilities for personal or business use. PDAs are often used for storing and retrieving schedule, calendar, and address book information.
Does this directive cancel an existing FHWA directive? Yes. This directive cancels Order 1370.12, Personal Digital Assistants, dated February 11, 2005.
What authorities govern this directive?
The U.S. Department of Transportation (DOT) standard for PDAs is specifically outlined in the DOT Personal Digital Assistant and Wireless Technology Security Implementation Standards, dated January 20, 2004.
The official information stored on PDAs can constitute Federal records and must be treated accordingly. Refer to Title 44, U.S. Code (U.S.C.), Section 3301 for a definition of Federal records and Title 36, Code of Federal Regulations (CFR), Part 1234 for information on electronic records management.
What is the PDA selection policy?
(1) Washington Headquarters offices. The Palm operating system running on the PalmOne brand of PDA is the only configuration approved for use in the Washington Headquarters offices.
(2) Federal Lands Highway Division offices. Federal Lands Highway Division offices may select any PDA operating systems and brand of PDA hardware deemed necessary. The operating systems and hardware brands may be mixed within a Federal Lands Highway Division office.
(3) Field offices other than Federal Lands Highway Division offices. Field offices other than Federal Lands Highway Division offices may select either the Palm operating system or the PocketPC operating system. Once the operating system has been selected, the field office can select one brand of PDA. All PDAs procured by that office in the future are required to use the selected operating system and the selected brand of PDA. If a field office does not have a preference for a PDA operating system, it should select the Palm operating system. If a field office selects the Palm operating system and does not have a preference for a specific PDA hardware brand, it should select PalmOne hardware.
In addition to the PDAs selected under the selection policy stated above, individuals who have been designated eligible by the Associate Administrator for Administration can use Blackberry wireless PDAs running the Blackberry operating system. Blackberry is the only PDA and operating system approved for wireless e-mail integration with Microsoft Exchange.
What is the selection policy for existing and privately owned PDAs?
The PDA selection policy does not apply to PDAs that were owned by FHWA as of February 11, 2005. Each office can keep the FHWA-owned PDAs they had as of February 11, 2005, including those that do not conform to the standard operating system and hardware brand for that office. The PDA selection policy applies only to PDAs procured after February 11, 2005. By June 30, 2005, existing PDAs were required to undergo a security certification process (see paragraph 6b).
Privately owned PDAs should not be connected to any FHWA network, desktop, laptop, server, or information system.
What are the security prerequisites for PDA selection?
A security certification is required prior to purchase of all PDAs anywhere in FHWA, including Federal Lands Highway Division offices. The certification is based on brand, model, and operating system; the manner in which the PDA will be used; the information stored, processed, or transmitted using the PDA; other software that will be used; and compliance with DOT policies. Each office that is considering the purchase of PDAs must submit a “PDA Certification Request” to the Information Technology Division (HAIM-40) and obtain a PDA Certification approval before purchase.
PDAs that were already in use as of February 11, 2005, should have undergone the certification process by June 30, 2005, i.e., FHWA offices must have submitted a “PDA Certification Request” to HAIM-40.
What are the minimum requirements for PDAs used within the FHWA environment or used to store FHWA data?
The minimum requirements for PDAs used within the FHWA environment or used to store FHWA data are as follows:
(1) PDAs must be approved for use by the FHWA Information Systems Security Officer (ISSO) in HAIM-40.
(2) Anti-virus software must be installed on the PDAs.
(3) PDAs must require a power-on password.
(4) All PDAs must be physically labeled to show that they are FHWA property, and the label must include the appropriate contact information. The user or FHWA Information Technology (IT) representative can provide and apply the label to the PDA. The contact information should include a contact name or office and a contact telephone number, labeled such as the following:
Agency: Federal Highway Administration
(5) Each PDA must have an FHWA bar code attached. The bar code will be provided by the FHWA property management staff at the FHWA site. All PDAs are considered to be sensitive FHWA property items and must be bar coded regardless of their purchase cost.
(6) PDAs must be configured with screen-locking timeouts. After a few minutes of inactivity a password must be required to reactivate the PDA.
(7) Unless otherwise approved by the FHWA ISSO, any PDA wireless capabilities such as Wireless Fidelity (Wi-Fi) and beaming (infrared) or other infrared capabilities must be disabled during use.
(8) All PDA users must read and sign a PDA Terms and Conditions of Use Agreement, which will be provided by HAIM-40 upon security approval. The user signature on this document will constitute the user’s agreement to abide by these terms and conditions.
Additional controls may also be required based on the types of data to be stored on the PDA or the methods in which the PDA will be used to access data or systems. These include, but are not limited to, the following:
(1) PDAs must be equipped with encryption software to encrypt sensitive data.
(2) PDAs must be configured with firewall software that blocks all incoming connection attempts.
How do I request approval for using a PDA within FHWA?
To request approval for using a PDA within FHWA, complete and submit the Requester Information Form FHWA-1568 located at the following address: http://intra.fhwa.dot.gov/informs/adobeforms/fhwa1568.pdf
After the Requester Information Form is completed, submit it to the FHWA ISSO in HAIM-40. The form may be submitted via e-mail to ITSECUREFHWA@fhwa.dot.gov or by Fax to (202) 366-3999.
Michael J. Vecchietti