This policy is substantially revised. Please visit this page for more information.
All IEW site managers:
We are still waiting for coordination from our forms and cybersecurity sections on our forms policy. They are swamped six ways from Sunday. Meanwhile, you all need some information.
Here is the gist of our coming policy. It may (I'd expect it to) change before it is finally published. But until then, use this as your guideline:
1. Both Web forms (those filled in directly on the page) and downloadable/fillable forms (such as .pdfs or Word documents for users to fill out and send in) are of concern.
2. Most Web forms are simple contact instruments requesting name, email and occasionally a phone number, plus one more field asking for a message. These are OK as long as all fields are optional. Most organizations, including ARCYBER and HQDA, do not use a privacy statement for these forms. We may distribute a Privacy Advisory (per DODI 8170.01 3.27) or a Privacy Act Statement at a later date.
3. We do not discourage the use of forms as a way to solicit feedback, reduce workload, improve efficiency and serve our customers. We ask everyone using forms to follow this order of preference:
a. Check for a suitable existing DA, DD, or IMCOM form (this will be the easiest route).
--Go to the Army Publishing Directorate https://armypubs.army.mil/ or the IMCOM publishing program https://home.army.mil/imcom/index.php/Organization/human-services/g1-personnel/administrative-services.
--If the form works as-is, consider linking directly to the form on APD.
--If you need to partially fill in or customize the form (such as adding a button to send the form by email), you can host it as a downloadable file on IEW.
--DO NOT upload completed forms (that is, containing PII) to IEW.
b. Produce an authorized local downloadable form. The office needing the form must work with a forms manager (we'll need a note of approval). They will probably simply take the document you use already and put a form number and privacy statement on it. The advantage here is once you work it out, you can collect different PII than IEW will allow you to. If required, the forms manager will work with the requesting office to set up the required privacy controls.
c. Web forms are still an option. However, they have to be built or changed here at headquarters and be approved by the CMS manager (me), AND YOUR LOCAL Privacy office and the Cybersecurity cell. We have locked down editing for web forms we've been able to find and disabled all forms creation tools. I am also working on Privacy Act Statements or Privacy Advisories for those forms that need them.
THE DRIVER behind all of this is IMCOM's goal to achieve FISMA compliance, something we've neglected too long. More specifically, we need to maintain a certain level of cyber Risk Management, including handling personally identifying information according to the rules.
YOU can help by policing up downloadable forms that are not official or authorized. If it's just a questionnaire uploaded without a "Fort Sumthin Form" number, chances are it's unofficial. See point b -- it shouldn't be difficult to make it official, if it's useful. And engage your tenants and directorates: if they want to gather the info, let them follow the maze.
Again, this is the temporary guidance. Stay tuned.
IMCOM Public Affairs
210-466-0116 DSN 450-0116