Draft Order. Draft U.S. Government Accountability Office GAO INFORMATION SYSTEMS RULES OF BEHAVIOR TBD


U.S. Government Accountability Office
Draft Order
Subject: GAO INFORMATION SYSTEMS RULES OF BEHAVIOR

Chapter 1. Introduction
   Purpose and Scope
   Supersession
   Authority
   Definitions
   Security Web Page
Chapter 2. Requirements
   General Requirements
   Virtual Desktop Infrastructure (VDI)
   Making Changes to GAO IT Resources
   Passwords
   Physically Protecting GAO IT Resources
   Using GAO IT Resources Away from GAO
   Using the Internet
   Using E-mail
   Using Personally Owned Hardware and Software
   Using Compact Discs, USB Drives, and other Removable Media
   Printing
   Running Into Problems
Chapter 3. Enforcement and Penalties
   Penalties
   Accountability for Personal Use of GAO IT Resources
   Authority to Recover and Restore GAO IT Resources
   Authority to Monitor Use of GAO IT Resources
Appendix 1. References
Appendix 2. Description of Changes

Distribution: GAO Intranet
Initiated by: Information Systems and Technology Services (ISTS)

Chapter 1. Introduction

1. Purpose and Scope.
   a. This order provides instructions regarding permitted and prohibited activities when using Government Accountability Office (GAO) Information Technology (IT) resources and accessing GAO information, generally referred to as Information Systems Rules of Behavior.
   b. This order applies to GAO employees (referred to as "covered persons"). The requirements herein shall apply to contractor personnel and other nongovernment employees by the inclusion of references in contracts or memorandums of agreement as conditions for using GAO office equipment and space.
   c. This order does not apply to GAO IT resources that are authorized for processing, maintaining, or communicating classified national security information (referred to as "classified information"). See GAO Directive , Information Security Requirements for Classified Information.

2. Supersession. This order supersedes GAO Directive , GAO Information Technology Rules of Behavior, dated September 15,

3. Authority.
   a. This order is issued under the authority of GAO Order , Information Systems Security Policy, and GAO Order , GAO Security Program.
   b. This order is consistent with (and related guidance can be found in)
      (1) GAO Order , Limited Personal Use of Government-Provided Office and IT Equipment, Including Internet;
      (2) GAO Order , GAO's Telework Program and GAO Order , Telework for Non-Bargaining Unit Employees; and
      (3) GAO Order , Control of Capitalized and Other Accountable Personal Property.

4. Definitions.
   a. For purposes of this order, GAO information is all information used in the course of GAO authorized work, whether for mission or administrative purposes. This includes information relating to audits and investigations, and internal personnel and financial management. It includes information on internal and external Web sites maintained by GAO, computer hard drives, and USB drives and other mobile storage devices. Examples include word processor and spreadsheet documents, business related e-mail, internal Web application and Web page contents, and logs from computer systems.
   b. Sensitive information refers to any information under the authority or control of GAO that is not classified national security information (referred to as "classified information"), but that requires protection to ensure that it is not released to the public or any other individual or organization not under the authority or control of GAO without further review because it may be exempt from such disclosure. Examples of sensitive information include: personally identifiable information (PII), national security information, law enforcement information, proprietary commercial rights, and internal agency decision-making (GAO Order Information Security Requirements for Sensitive Information).
   c. GAO IT resources include all IT under the authority or control of GAO, including hardware (e.g., smartphones, computers, tablets, servers, etc.), software, and the GAO network.
   d. GAO network is the IT infrastructure (hardware and software) that provides information processing and communications capabilities to GAO covered persons. This includes information processing at user workstations, access to the Internet, and internal GAO Web sites, Web applications, e-mail, and printing. The GAO network provides this access to covered persons at GAO facilities and remotely, via the Internet, to covered persons at home and on travel.
   e. Hardware is physical IT resources. This includes laptops, workstations, and other technology, including computer peripherals such as monitors, keyboards, mice, docking stations, mobile storage devices (such as portable hard drives, USB drives, CD-ROMs, and DVDs), and mobile communications devices (such as smartphones and tablets).
   f. Software is digital (nonphysical) IT resources, not including information. This includes operating systems, applications running on a laptop or desktop computer, and applications accessed via the GAO network. Examples of software include Microsoft Windows, Microsoft Word, Microsoft Outlook, as well as engagement-support applications such as EAGLE, the Engagement Management System (EMS), and the various security tools installed on GAO user workstations.
   g. Personally owned hardware and software is hardware or software owned by the user. Examples of personally owned hardware and software include a personal home computer, an MP3 player, a non-GAO smartphone, and software such as productivity suites, video games, and communications tools purchased by the user rather than GAO.
   h. Third-party devices are hardware not owned by the user and not under the authority or control of GAO. Examples of third-party devices include hotel wireless access points, computers in Internet cafes and similar settings, and equipment owned by other agencies.
   i. Users (also known as covered persons) are all GAO employees.

5. Security Web Page. The IT Security Policy webpage on GAO's intranet contains updates to GAO information systems security guidance.

Chapter 2. Requirements

1. General Requirements.
   a. Users must understand that there is no expectation of privacy as any information on or transmitted through GAO IT resources may be monitored, recorded, or copied by authorized personnel, and such information may be provided to law enforcement officials.
   b. Use of GAO IT resources is permitted by authorized persons only.

      (1) All users are responsible for understanding current GAO policies and procedures relating to the use of GAO IT resources, including the GAO Information Systems Rules of Behavior, as specified in this order.
      (2) All users shall immediately report any unauthorized disclosure of sensitive information to a supervisor and to the GAO Help Desk, as provided in Directive , GAO Information Security Incident Response.
      (3) Authorized use of GAO IT resources requires the user to
         (a) sign an acknowledgement of the GAO Information Systems Rules of Behavior as a precondition to authorization, and
         (b) receive annual training on the GAO Information Systems Rules of Behavior.
   c. Users shall
      (1) behave in an ethical, proficient, informed, and trustworthy manner, as required by GAO Order , Code of Ethics;
      (2) use GAO IT resources for the purpose and in the manner they are intended; and
      (3) protect GAO IT resources from theft, destruction, or inappropriate use.
   d. Users shall know the sensitivity of the information they are working with, including whether it is classified information, and protect it consistent with GAO policies and procedures, as required by Order GAO Security Program, Directive , Information Security Requirements for Classified Information, and Directive , Information Security Requirements for Sensitive Information. Users shall:
      (1) Limit personal use of GAO IT resources so that the use does not interfere with the conduct of official business, diminish productivity, or involve inappropriate activity that could adversely reflect on GAO, as required by GAO Order , Limited Personal Use of Government-Provided Office and IT Equipment, Including Internet.
      (2) Log out of and turn off GAO laptop and desktop computers daily.
      (3) Be aware of and comply with any relevant system-specific rules of behavior.
   e. The Chief Information Officer (CIO) may grant waivers for any portion of this order on a temporary or permanent basis. Such waivers may be general or apply to specific users, groups, projects, or technologies, and may be based on any factors deemed appropriate by the CIO.

2. Virtual Desktop Infrastructure (VDI). VDI automatically enforces some of the rules/policies described in the following sections. Whether using a physical or virtual device to connect to the GAO Network, these practices will be enforced when connecting to VDI.
   a. Slim Client: Standard desktop image placed on new laptops issued to staff.
      (1) There is no storage supported on the physical computer.
      (2) There are no applications (software) on the physical computer.
   b. All VDI desktops are shut down/recycled every night.

   c. Data download to removable media requires coordination and approval.
   d. Support for two-factor authentication using RSA token.
   e. Connection to VDI only requires endpoint (e.g., computer, tablet, or smartphone) to support Citrix Receiver.

3. Making Changes to GAO IT Resources. GAO uses a least privileged policy when building computer images (meaning that users are given enough privileges to be able to do their work, but users should not modify the configuration provided on their assigned computer).
   a. Making changes to GAO IT resources without authorization is prohibited.
      (1) Users shall not change the configuration of GAO IT resources without coordination with, and authorization by, Information Systems and Technology Services (ISTS).
      (2) Users shall not install software without coordination with, and authorization by, ISTS.
      (3) Users shall not attempt to override or circumvent security mechanisms, such as login screens and desktop management software.
   b. No changes may be made to GAO IT resources in a manner inconsistent with GAO Order , Limited Personal Use of Government-Provided Office and IT Equipment, Including Internet.

4. Passwords. For most password requirements, GAO supports two-factor authentication using the RSA token. Users should follow the guidance below and the guidance available in the ISTS Technology Guidance section on the GAO Intranet.
   a. When creating passwords, users shall follow the ISTS secure password guidelines.
   b. Users shall not share passwords or personal identification numbers (PIN) with others.
   c. Users should not save passwords to files on computers except for ISTS-approved password storage applications.
   d. Passwords should never be written down or stored online, except in an ISTS-approved password application.

5. Physically Protecting GAO IT Resources. It is the responsibility of users to safeguard assigned IT equipment from loss or damage.
   a. Users shall lock their computer screen (start the screensaver) when leaving the workspace and shut the computer down at the end of the work day.
   b. Users shall physically secure their RSA SecurID token. When leaving work, precautions include locking it in a cabinet or drawer, or taking it home. It is strongly recommended that users take their token home with them each night to facilitate working from home, if needed.
   c. Users shall position monitors so that screen contents cannot be seen by individuals who may not have authorization to view them. Whenever possible, monitors should not face doors, windows, or heavily traveled areas.

6. Using GAO IT Resources Away from GAO. GAO's solution for accessing the GAO Network when away from the office is primarily to support telework but also supports network access when on travel.
   a. Users shall not remove GAO IT resources from GAO facilities, except under the following circumstances.
      (1) Users are authorized to take their GAO non-classified laptops, mobile storage, and/or communications devices home, on travel, or otherwise away from GAO facilities, as needed to perform GAO work.
      (2) Use of GAO IT resources away from GAO facilities must be consistent with GAO Orders , , , , and associated directives and guidance.
   b. Upon removal of GAO IT resources from GAO facilities, users are responsible for
      (1) keeping those resources secure, and
      (2) complying with the GAO Information Systems Rules of Behavior, as specified in this order.
   c. Users shall not leave GAO IT resources unattended or unsecured when away from GAO facilities.
      (1) It is not acceptable to leave GAO IT resources in plain view, unsecured in a room, such as a locked hotel room where persons unknown to the user may have access to the room. Users shall ensure that the resource is secured to the greatest extent possible.
      (2) Acceptable techniques for securing IT resources should be applied while teleworking. However, the determination of the particular technique to use while teleworking is at the discretion of the individual teleworking, who is responsible for safeguarding GAO assets and information.
   d. Users are permitted to use GAO IT resources to connect remotely to the GAO Network as needed to perform GAO work. All such work must comply with the requirements set forth in GAO Order , GAO's Telework Program and GAO Order , Telework for Non-Bargaining Unit Employees.
   e. Use of wireless networks at home, on travel, and at other locations such as coffee shops is permitted for telework purposes and limited personal use.
   f. The following best practices are strongly recommended when working from home, on travel, or otherwise away from GAO.
      (1) When working in public spaces, users should be aware of any individuals attempting to read screen contents.
      (2) Users should consider the security protections of a third-party device before using it for GAO work. Users often want to perform remote access from third-party devices, such as checking e-mail from a kiosk computer at a conference or connecting via a wireless access point at an Internet café. Users shall not use third-party devices for GAO work involving sensitive information. See GAO Directive , Information Security Requirements for Sensitive Information.

      (3) Users who use their wired or wireless home networks for telework should ensure that they are securely configured and that all attached devices are securely configured.

7. Using the Internet. Web browsers (e.g., Internet Explorer and Firefox) installed on various GAO IT resources ensure that users are able to access the Internet. Users are also able to use their personal computer's web browser to access the GAO Network.
   a. When using GAO IT resources, from any location, to access the Internet, the user must comply with existing limited personal use restrictions.
      (1) The following uses are prohibited except when specifically authorized to perform GAO work:
         (a) Accessing, downloading, storing, viewing, displaying, or printing sexually explicit or suggestive text or images, or other offensive material;
         (b) Accessing, downloading, storing, viewing, displaying, or printing violent or hate-related content;
         (c) Accessing online gambling; and
         (d) Using peer-to-peer file sharing (P2P).
      (2) Further requirements and guidance are provided in GAO Order , Limited Personal Use of Government-Provided Office and IT Equipment, Including Internet.

8. Using E-mail. It is the responsibility of users to safeguard GAO data that is being transmitted via e-mail.
   a. Users shall exercise caution when conducting GAO business via e-mail.
      (1) Users shall not send official correspondence from a non-GAO address without receiving authorization to do so from the CIO and the GAO Records Officer.
      (2) Users shall not auto-forward GAO information to personal addresses.
   b. Users are permitted to forward individual e-mails to personal accounts, provided that any data sent is protected commensurate with the sensitivity of the data contained therein.
   c. Business-related e-mails that meet the definition of a GAO record (see GAO Order , GAO Records Management Program) must be saved into the electronic records management repository in order for the appropriate records retention policy to be applied.
   d. Further requirements and guidance for protecting sensitive data are provided in GAO Directive , Security Requirements for Sensitive Information.

9. Using Personally Owned Hardware and Software.
   a. Approval is required from ISTS for use of personally owned hardware (e.g., computers, portable music players, portable hard drives, USB drives, or other peripherals) connecting to the GAO network or their assigned GAO laptop or desktop computer. (Users can initiate this request via the ISTS Helpdesk at (202) )
   b. Users are not permitted to load personally owned software on their assigned GAO laptop or desktop computer. GAO uses a least privileged policy when building computer images (meaning that users are given enough privileges to be able to do their work but users should not modify the configuration provided on their assigned computer without assistance from ISTS).
   c. GAO-issued equipment is preferred for use away from GAO. However, users are permitted to use personally owned hardware and software to connect remotely to the GAO network, as needed, to perform GAO work. All such work must comply with the requirements set forth in GAO Order , GAO's Telework Program and GAO Order , Telework for Non-Bargaining Unit Employees.
   d. Users are permitted to connect GAO laptops to home and third-party networks for work purposes and limited personal use. All Information Systems Rules of Behavior apply. See chapter 2, paragraph 6.

10. Using Compact Discs, USB Drives, and other Removable Media.
   a. Users are permitted to store GAO information on GAO-provided writable CDs/DVDs, USB drives, and other removable media, provided that when doing so, they shall
      (1) Be aware of the sensitivity level of information being stored and protect the media commensurate with the sensitivity level of the information on it. See GAO Directive , Information Security Requirements for Sensitive Information. If unsure, consult a manager.
      (2) Adhere to secure disposal procedures for media containing GAO information. For more information, visit the Office of Security Web page on the GAO Intranet.
      (3) Ensure that the removable media does not contain any executable files (.exe).
      (4) GAO business-related information that meets the definition of a GAO record (see GAO Order , GAO Records Management Program) must be saved into the electronic records management repository in order for the appropriate record retention policy to be applied.
   b. With using VDI, staff must gain approval from their SES management and coordinate with the Help Desk when they want to store GAO information on removable media. For more information, visit the Downloading to External Devices in VDI webpage on the GAO Intranet.

11. Printing.
   a. When printing documents, users shall be aware of the sensitivity level of information being printed. Users shall protect the documents commensurate with the sensitivity level of the information. See GAO Directive , Information Security Requirements for Sensitive Information.
   b. Use of printers is subject to GAO Order , Limited Personal Use of Government-Provided Office and IT Equipment, Including Internet.

12. Running Into Problems. For problems with IT resources, unless noted otherwise below, contact the ISTS Helpdesk at (202)

   a. Users shall not attempt to perform physical maintenance on GAO IT resources. In the event of damage to GAO IT resources, users shall contact the ISTS Helpdesk.
   b. In the event that GAO IT resources are stolen, lost, or damaged,
      (1) users shall notify the GAO Helpdesk as soon as practicable; and
      (2) the discoverer of the loss, theft, or damage of GAO IT resources shall provide written notification (with a description of the circumstances) to the Director, Security and Emergency Management (SEM), the Director of Facility Management and Services (FMS), and the CIO, as required by GAO Order , and GAO Directive , Protection Services Program.
   c. Users shall report any incidents of suspected fraud, waste, or misuse of GAO IT resources to the Office of Inspector General at (866) Also, see the OIG fraud web page, Fraud, Waste, and Abuse, on the GAO Intranet.
   d. Users shall report any condition that might constitute a breach of system security and unusual network, hardware, and software behavior to the ISTS Helpdesk.
   e. For general problems and questions, users should contact the ISTS Helpdesk.

Chapter 3. Enforcement and Penalties

1. Penalties. Users who do not comply with the rules of behavior defined in this order are subject to penalties imposed under existing requirements, as provided in GAO Order , Discipline and Adverse Actions.

2. Accountability for Personal Use of GAO IT Resources. Although GAO does not prohibit all use of GAO IT resources for personal purposes, users will be held accountable for acts deemed inappropriate or negligent. (See GAO Order , Limited Personal use of Government-Provided Office and IT Equipment including Internet.)

3. Authority to Recover and Restore GAO IT Resources. In the event that user-installed software or devices are determined to be the cause of system failure or loss of functionality, GAO reserves the right to erase the hard drive and restore hardware to its original state as it was issued.

4. Authority to Monitor Use of GAO IT Resources. Any information on or transmitted through GAO IT resources may be monitored, recorded, or copied by authorized personnel, and such information may be provided to law enforcement officials.

Appendix 1. References

This appendix lists the GAO orders and directives that are pertinent to this order.
   a. GAO Order , GAO Information Systems Security.
   b. GAO Order , GAO Security Program.
   c. GAO Directive , Information Security Requirements for Sensitive Information.
   d. GAO Order , GAO Privacy Program.
   e. GAO Order , GAO Records Management Program.
   f. GAO Directive , Protection Services Program.
   g. GAO Order , Control of Capitalized and Other Accountable Personal Property.
   h. GAO Order , Limited Personal Use of Government-Provided Office and IT Equipment, Including Internet.
   i. GAO Order , GAO's Telework Program and GAO Order , Telework for Non-Bargaining Unit Employees.
   j. GAO Order , Discipline and Adverse Actions.

Appendix 2. Description of Changes

The directive has been changed to an order. Therefore, all relevant references to "directive" have been replaced with "order." In addition to editorial changes, the following changes were made:

a. Title Section
   The Title was changed to "GAO Information Systems Rules of Behavior" to be consistent with the Information Systems Security Policy and to be more inclusive of privacy information.

b. Chapter 1
   (1) In section 1a, added "and accessing GAO information" and replaced "IT" with "Information Systems."
   (2) In section 1b, deleted "consultants, contractors, subcontractors, and their employees, and any other persons who have been granted access to GAO IT resources" and added "The requirements herein shall apply to contractor personnel and other nongovernment employees by the inclusion of references in contracts or memorandums of agreement as conditions for using GAO office equipment and space."
   (3) Added section 2, Supersession.
   (4) In section 3b(2), added "GAO Order , Telework For Non-Bargaining Unit Employees."
   (5) In section 4a, added "for purposes of this Order" and "is all."
   (6) In section 4b, added "Sensitive information refers to any information under the authority or control of GAO that is not classified national security information (referred to as "classified information"), but that requires protection to ensure that it is not released to the public or any other individual or organization not under the authority or control of GAO without further review because it may be exempt from such disclosure. Examples of sensitive information include: personally identifiable information (PII), national security information, law enforcement information, proprietary commercial rights, and internal agency decision-making (GAO Order Information Security Requirements for Sensitive Information)."
   (7) In section 4c, added "(e.g., smartphones, computers, tablets, servers, etc.)," to hardware examples.
   (8) In section 4e, replaced "Blackberry" with "smartphones" and "cell phones" with "tablets."
   (9) In section 4f, deleted the GAO Meeting Room Booking System and JIS and added the Engagement Management System (EMS), and as well as.
   (10) In section 4g, changed "cell phone" to "smartphones."
   (11) In section 4i, deleted "consultants, contractors, subcontractors, and their employees, and any other persons who have been granted access to GAO IT resources."

   (12) In section 5, updated the reference to the GAO intranet webpage.

c. Chapter 2
   (1) In section 1a, added "must understand that there is no expectation of privacy as"; and updated "may be monitored, recorded, or copied" and added "by authorized personnel, and such information may be provided to law enforcement officials." These modifications were made to emphasize the fact that users should have no expectation of privacy when using GAO IT resources.
   (2) In section 1b(1), updated "IT" to "Information Systems" and changed "directive" to "order."
   (3) In section 1b(2), the following statement was added to ensure that readers know how to report unauthorized disclosure of sensitive information: "All users shall immediately report any unauthorized disclosure of sensitive information to a supervisor and to the GAO Help Desk, as provided in Directive , GAO Information Security Incident Response."
   (4) In section 1b(3) a and b, replaced "IT" with "Information Systems."
   (5) In section 1d, added "Users shall:" In section 1d(1) deleted "does not" and replaced it with "or."
   (6) Section 2 on VDI is new.
   (7) In section 3 (former section 2), the following clarifying language was added to this section: "GAO uses a least privileged policy when building computer images (meaning that users are given enough privileges to be able to do their work, but users should not modify the configuration provided on their assigned computer.)"
   (8) In section 4 (former section 3), the following clarifying language was added to the beginning of the section: "For most password requirements, GAO supports two-factor authentication using the RSA token. Users should follow the guidance below and the guidance available in the ISTS Technology Guidance section on the GAO Intranet."
   (9) In section 4d, deleted "users are discouraged from writing down passwords. If written down, passwords must be physically and visually secured to ensure they are not used by anyone else" and added "passwords should never be written down or stored online, except in an ISTS-approved password application."
   (10) In section 5 (former section 4), the following clarifying language was added: "It is the responsibility of users to safeguard assigned IT equipment from loss or damage."
   (11) The following sentence from former section 4 was deleted: "Users shall secure their assigned GAO laptop in the docking station with the provided security cable."
   (12) In section 6 (former section 5), the following clarifying language was added: "GAO's solution for accessing the GAO Network when away from the office is primarily to support telework but also supports network access when on travel."
   (13) In section 6a(1), added "/or" to "and."

   (14) In section 6a(2), added
   (15) In section 6b(2) replaced "IT" with "Information Systems."
   (16) In section 6c, parts 1 and 2 were reversed. In 6c(1), "Users shall" was added. In 6c(2), the following was added: "should be applied while teleworking. However, the determination of the particular technique to use while teleworking is at the discretion of the individual teleworking, who is responsible for safeguarding GAO assets and information."
   (17) In 6d, added the reference to GAO Order
   (18) In section 6f(3), deleted the following statement: "For additional information, review tips for working outside the office."
   (19) In section 7 (former section 6), added the following clarifying language to this section: "Web browsers (e.g., Internet Explorer and Firefox) installed on various GAO IT resources ensure that users are able to access the Internet. Users are also able to use their personal computer's web browser to access the GAO Network."
   (20) In section 7a, added "from any location" language to ensure users know that the limited personal use restrictions apply in all situations.
   (21) In section 7a(1), replaced "as" with "when" and deleted "as needed."
   (22) In Section 7a(1)(d), added "P2P" acronym and deleted "(i.e., Kazaa, BitTorrent, or Napster)."
   (23) In section 8 (former section 7), added the following clarifying language to this section: "It is the responsibility of users to safeguard GAO data that is being transmitted via e-mail."
   (24) In section 8b, deleted "All business related e-mails must be saved into the electronic records management repository so that records retention policies will be applied."
   (25) In section 8c, modified the sentence deleted in 8b to read: "Business-related e-mails that meet the definition of a GAO record (see GAO Order , GAO Records Management Program) must be saved into the electronic records management repository in order for the appropriate records retention policy to be applied."
   (26) In section 9b, added "GAO uses a least privileged policy when building computer images (meaning that users are given enough privileges to be able to do their work but users should not modify the configuration provided on their assigned computer without assistance from ISTS.)"
   (27) In section 9c, added "and GAO Order , Telework for Non-Bargaining Unit Employees."
   (28) In section 9d, updated the reference from "chapter 2, paragraph 5" to "chapter 2, paragraph 6." Also replaced "Technology" with "Systems."
   (29) In section 10a(1), added "For more information, visit the" and "on the GAO intranet" and deleted a link to the GAO Office of Security.

14 Draft (30) In section10a(4), added that meets the definition of a GAO record (see GAO Order , GAO Records Management Program), in order for the appropriate, and policy. (31) Added section 10b: With using VDI, staff must gain approval from their SES management and coordinate with the Help Desk when they want to store GAO information on removable media. For more information, visit the Downloading to External Devices in VDI webpage on the GAO Intranet. (32) In section 11, deleted former section 10b: Users shall follow disposal procedures for paper containing GAO Information. See the Office of Security Web page: GAO Office of Security. (33) In section 12 (former section 11), added: For problems with IT resources, unless noted otherwise below, contact the ISTS Helpdesk at (202) Deleted the Helpdesk phone number from the rest of section 12. (34) In section 12b(2) updated the title of the Director of Office of Security (OS) to Director, Security and Emergency Management and Director of Facilities and Property Management to Director of Facility Management and Services (FMS). (35) In section 12c, added on the GAO Intranet and in 12d deleted generally. d. Chapter 3 (1) In section 1, the only order that pertains to penalties is GAO Order ; therefore, the other orders were deleted. Updated title of order to Discipline and Adverse Actions. (2) In section 2, added a reference to GAO Order , Limited Personal use of Government-Provided Office and IT Equipment including Internet. (3) In section 4, deleted GAO reserves the right to monitor, record, or copy any information on or transferred through GAO IT resources and added Any information on or transmitted through GAO IT resources may be monitored, recorded, or copied by authorized personnel, and such information may be provided to law enforcement officials. e. Appendix 1. References (1) Titles of references were updated, as necessary. Dates were deleted. 
(2) GAO Order , Safeguarding Personnel Records and File (Aug, 23, 2005) and a reference to this order were deleted.
(3) Added, GAO Order , GAO Privacy Program
(4) Added, GAO Order , GAO Records Management Program
(5) Added GAO Directive , Protection Services Program.
(6) In section i, added and GAO Order , Telework for Non-Bargaining Unit Employees.


HIPAA Training

HIPAA Training 2011-2012 HIPAA Training New Hire Orientation and General Training 1 This training is to ensure all Health Management workforce members (associates, contracted individuals, volunteers and students) understand

More information

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY BY ORDER OF THE SECRETARY OF THE AIR FORCE AIR FORCE INSTRUCTION 36-2254, VOLUME 3 18 JUNE 2010 Personnel RESERVE PERSONNEL TELECOMMUTING/ADVANCED DISTRIBUTED LEARNING (ADL) GUIDELINES COMPLIANCE WITH

More information

USER VALIDATION FORM (NIPRNET & SIPRNET)

USER VALIDATION FORM (NIPRNET & SIPRNET) USER VALIDATION FORM (NIPRNET & SIPRNET) Complete all requested information and maintain a copy for your records PRIVACY ACT STATEMENT Authority: Executive Order 10450, 9397; Public Law 99-474; the Computer

More information

Health Information Privacy Policies and Procedures

Health Information Privacy Policies and Procedures University of the Pacific Arthur A. Dugoni School of Dentistry Health Information Privacy Policies and s These Health Information Privacy Policies & s implement our obligations to protect the privacy of

More information

City and County of San Francisco Telecommuting Program Policy

City and County of San Francisco Telecommuting Program Policy City and County of San Francisco Micki Callahan Human Resources Director Department of Human Resources Connecting People with Purpose www.sfdhr.org City and County of San Francisco Telecommuting Program

More information

Privacy Toolkit for Social Workers and Social Service Workers Guide to the Personal Health Information Protection Act, 2004 (PHIPA)

Privacy Toolkit for Social Workers and Social Service Workers Guide to the Personal Health Information Protection Act, 2004 (PHIPA) Social Workers and Social Service Workers Guide to the Personal Health Information Protection Act, 2004 (PHIPA) COPYRIGHT 2005 BY ONTARIO COLLEGE OF SOCIAL WORKERS AND SOCIAL SERVICE WORKERS ALL RIGHTS

More information