MARINE CORPS CYBERSECURITY RESPONSIBILITY REMINDER
Date Signed: 2/18/2022 | MARADMINS Number: 058/22

R 172020Z FEB 22
MARADMIN 058/22
MSGID/GENADMIN/CMC DCI IC4 WASHINGTON DC//
SUBJ/MARINE CORPS CYBERSECURITY RESPONSIBILITY REMINDER//
REF/A/DoDI 8500.01/14 Mar 14, CHG 1//
REF/B/DoDI 8530.01/25 Jul 17, CHG 1//
REF/C/DoDI 8531.01/15 Sep 20//
REF/D/DoDI 8510.01/29 Dec 20, CHG 3//
REF/E/CJCSI 6211.02D/4 Aug 15//
REF/F/CJCSI 6510.01F/9 Jun 15//
REF/G/MCO 5239.02B/5 Nov 15//
POC/R. A. LETTEER/CIV/DEPUTY, COMPLIANCE BRANCH/DCI IC4/TEL: 571-256-8859/EMAIL: RAY.LETTEER@USMC.MIL//
GENTEXT/REMARKS/1.  In light of a potential increase of adversary activity against U.S. cyber capabilities, this MARADMIN reminds the total force of required actions, as well as a list of prohibited activities, for end-users who use and must protect Marine Corps network resources.  An end-user is defined as any military, government civilian, or contractor who has authorized access to the DoD information network (DODIN) or Marine Corps Information Technology (IT)/Operational Technology (OT) located on Marine Corps networks or provided to the Marine Corps via cloud or commercial services.  This is a DC, I (IC4) and Marine Forces Cyberspace Command (MARFORCYBER) coordinated message.
2.  End-users must comply with refs (A) through (G) and other cybersecurity directives, policies, and guidance as established by higher headquarters.  Supplemental cybersecurity guidance, updates, or revisions will be provided through Enterprise Cybersecurity Manuals (ECSM), official message traffic, MARADMIN messages, and MCBULs.
2.a.  Users must mark, label, and safeguard all media, devices, peripherals, and information systems at the security level for which they are intended and in accordance with DoD, DoN, and Marine Corps policies and procedures.  Dissemination must only be made to individuals with a valid need-to-know and clearance level at or above the classification level of the shared media, device, or peripheral.
2.b.  End-users must protect all media, devices, peripherals, and information systems located in their respective area of responsibility in accordance with physical security and data protection requirements.
2.c.  End-users must practice safe intranet and internet operating principles and take no actions that threaten the integrity of the system or network.
2.d.  End-users must report incidents or suspicious events regarding suspected intrusions or unauthorized access; circumvention of security procedures; presence of suspicious files or programs; receipt of suspicious email attachments, files, or links; spillage incidents; and malicious logic (e.g., viruses, trojan horses, worms, spamming, phishing, chain letters, etc.) to the ISSM, ISSO, or SYSADMIN.
2.e.  End-users must report the receipt or discovery of unfamiliar or unauthorized removable media (e.g., CD-ROM, thumb drives, external hard drives, etc.) to the ISSM, SYSADMIN, or NTWKADMIN.
2.f.  End-users must report suspicious, erratic, or anomalous information systems operations; missing or added files; and non-approved services or programs to the SYSADMIN or NTWKADMIN in accordance with local policy and cease operations on the affected information system until authorized to start operations again by higher authority.
2.g.  End-users must comply with cryptographic log-in requirements and password or pass-phrase policy directives, and protect information systems from unauthorized access.
2.h.  End-users must log off and secure the information system and work environment (i.e., controlled unclassified [CUI] media, remove CAC, etc.) at the end of each workday or when out of the immediate area.
2.i.  End-users must access only data, controlled information, software, hardware, and firmware for which they are authorized access and have a need-to-know. Assume only authorized roles and privileges.
2.j.  End-users must ensure government-provided and installed cybersecurity products (e.g., anti-virus, virtual private networks [VPNs], personal firewalls, etc.) will not be altered, circumvented, or disabled on Marine Corps information systems.
2.k.  End-users must digitally sign and encrypt all sensitive information on external media or in email exchanges, using federal information processing standard (FIPS) 140-2/3 validated encryption (e.g., DoD CAC, DoD alternate token).  Such information includes marked CUI information, financial data, contract-related information, health information, personally identifiable information, network or technical diagrams with identifiable labels (e.g., IP addresses) or other information that may have an operational security impact if compromised.
3.  Prohibited Actions.
3.a.  End-users will not use any personally owned devices on the MCEN, or use official government information systems for commercial gain, to conduct illegal activities, or in any manner that interferes with official duties, undermines readiness, reflects adversely on the Marine Corps, or violates standards of ethical conduct.
3.b.  End-users will not intentionally send, store, or propagate sexually explicit, threatening, harassing, prohibited partisan political, or unofficial public (e.g., “SPAM”) communications.
3.c.  End-users will not participate in on-line gambling or other activities inconsistent with public service.
3.d.  End-users will not participate in, install, configure, or use unauthorized peer-to-peer (P2P) technologies.
3.e.  End-users will not release, disclose, or alter information without the consent of the data owner, the original classification authority (OCA), the individual’s supervisory chain of command, freedom of information act (FOIA) official, public affairs officer (PAO), or the disclosure officer’s approval.
3.f.  End-users will not attempt to strain, test, circumvent, or bypass security mechanisms, perform unauthorized network line monitoring or keystroke monitoring, share personal accounts and passwords, or allow remote access to non-privileged users.
3.g.  End-users will not modify system or software, use it in any manner other than its intended purpose, introduce malicious software or code, add user-configurable or unauthorized software, disable or remove security or protective software or mechanisms, or misuse/abuse a privileged account.
3.h.  End-users will not relocate or change information system equipment, or change network connectivity without proper security authorization.
3.i.  End-users will not acquire commercial or unauthorized internet service provider (ISP) network access into Marine Corps operational facilities, or implement commercial wireless components (e.g., access points, base stations, clients, etc.) without approval from the Marine Corps AO.
3.j.  End-users will not use wireless technologies for storing, processing, and transmitting unclassified information in areas where classified information is discussed, stored, processed, or transmitted without the express written consent of the Marine Corps AO.
3.k.  End-users will not auto-forward email from government accounts to commercial ISP email services, engage in the creation or forwarding of chain mail, or open email attachments or internet links received from unknown sources.
3.l.  End-users will not use removable secondary storage media on government IS without prior written approval from the G-6.  This includes, but is not limited to:  removable flash media, thumb drives, smartphones, camera memory cards, and external hard disk drives, or any device that is capable of being inserted into and removed from an IS that can store data.
3.m.  End-users will not connect any IS to a network of higher or lower classification than the IS’s own classification level, commonly known as a cross domain violation, without using an approved cross domain solution.
3.n.  End-users will not introduce classified information onto an IS of a lower classification level, commonly known as a spillage, or expose personally identifiable information to unauthorized recipients, commonly known as a breach.
4.  Commanders must personally address the risks and individuals’ roles in protecting our force from malign threats via our information systems and networks.
5.  For additional information, contact HQMC_DCI_IC4_ICC_CY_Executive@usmc.mil.
6.  Release authorized by BGen Joseph A. Matos, Director, Information, Command, Control, Communications, and Computers (IC4), Washington, D.C.//