552 KB
Apr 10, 2025, 5:05 PM UTC
The technical note IT-950-TN01 outlines the requirements for all Smithsonian Institution (SI) websites, both public and internal-facing, focusing on standard navigation and necessary policy links. It applies to all SI staff and contractors involved in web content management. The OCIO Web Development Team is responsible for maintaining compliance with policy guidelines including the Terms of Use, Privacy Statement, and Vulnerability Disclosure Policy, which must be linked on relevant web pages. Each public website must link to the home page of the Smithsonian (http://www.si.edu), while internal sites are to link to the Prism home page (http://prism.si.edu). The note has undergone several revisions to refine the responsible offices, include the Vulnerability Disclosure Policy, and update related policies. This document ensures consistent communication of essential information and legal compliance across SI's digital platforms, reflecting a commitment to transparency and security in web practices.
85 KB
Apr 10, 2025, 5:05 PM UTC
The technical note IT-950-TN03 issued by the Office of the Chief Information Officer outlines the procedures for requesting and managing public FTP server accounts within the Smithsonian Institution's network (SInet). These accounts facilitate the exchange of large files among Smithsonian staff and external individuals, supporting various institutional activities. To obtain an FTP account, requests must be sponsored by a permanent Smithsonian staff member and align with museum or recognized project missions.
The note details the roles of various parties involved, including the FTP Account Holder, Account Manager, OCIO Help Desk, and Internet Coordinator. The procedures for requesting, using, and maintaining accounts are specified, emphasizing that accounts are meant solely for temporary file storage, with clear restrictions against sensitive or offensive material.
Account maintenance protocols dictate routine deletion of files beyond certain time limits, with provisions for exceptions if necessary. The document serves to ensure the effective and compliant use of FTP resources by outlining responsibilities, necessary procedures, and account management strategies, reflecting the Smithsonian’s commitment to efficient information exchange and operational integrity within its missions.
199 KB
Apr 10, 2025, 5:05 PM UTC
The Office of the Chief Information Officer (OCIO) issued Technical Note IT-950-TN04, establishing procedures for developing, redeveloping, and maintaining public websites and web-based applications at the Smithsonian. The note emphasizes compliance with institutional standards to ensure proper infrastructure support and security for web content. It applies to all units, staff, contractors, and consultants involved in such projects, requiring adherence to Smithsonian Directive 950 and other related documents.
Key responsibilities include oversight by various bodies like the Change Control Board (CCB), Information Technology Security Staff (ITSS), and the OCIO Web Services Division (WSD). The development process mandates project planning that includes stakeholder collaboration, documentation maintenance, and adherence to review and approval processes before deployment. New or redeveloped projects must follow defined procedures for infrastructure requirements, testing, and domain name registration.
Post-deployment, units are responsible for maintaining accurate documentation, addressing any issues arising from the website, and funding associated costs. The note underscores the need for ongoing surveillance of existing web content to resolve infrastructure or operational challenges while affirming units' accountability for sustaining their public web presence within established standards.
220 KB
Apr 10, 2025, 5:05 PM UTC
The technical note IT-950-TN02 outlines the standards and procedures for registering internet domain names related to the Smithsonian Institution. It aims to address the complexities and costs of managing numerous individual domain accounts across various Smithsonian units. This regulation applies to all Smithsonian employees and contractors requiring a domain name. The Digital Platforms Domain Coordinator oversees the registration process, while the Network Operations Center maintains the domain name servers. The document emphasizes the importance of using the primary domain si.edu to uphold the Smithsonian's brand integrity and minimize confusion, recommending that new sites, except for e-commerce and special projects, utilize this subdomain. Various alternative domains (.com, .museum, .us, etc.) are defined with specific guidelines for registration and usage, ensuring compliance with security, privacy, and content standards. Additionally, procedures for renewing and managing domains are established, including protocols for expiring or unneeded domains to prevent association with unrelated parties. The note underscores the Smithsonian's commitment to maintaining a cohesive online presence aligned with its mission while adhering to IT best practices.
209 KB
Apr 10, 2025, 5:05 PM UTC
The technical note IT-950-TN07 outlines the Smithsonian Institution's accessibility policies for websites and digital media, ensuring they are usable by individuals with disabilities. It mandates compliance with WCAG 2.1 AA standards for all digital content published after January 1, 2018, while content from before this date must meet WCAG 2.0 AA standards. The note details accessibility validation processes, responsibilities of various stakeholders, and the procedures for remediation of identified accessibility issues. Regular reviews, both automatic and manual, are required to maintain compliance, and a Plan of Action and Milestones (POAM) must document any remediation actions. Furthermore, it emphasizes that no waivers for accessibility compliance will be granted, ensuring an inclusive digital experience across the institution. The document underscores the ongoing commitment of the Smithsonian to provide equitable access to its resources, aligning with federal regulations and contemporary best practices in digital accessibility.
137 KB
Apr 10, 2025, 5:05 PM UTC
The Smithsonian Institution is soliciting proposals for Phase III of the digital exhibition experience initiative at the National Museum of African American History and Culture (NMAAHC). This project aims to enhance the online experience of the Museum's Slavery and Freedom exhibition and other permanent exhibitions. Offerors must meet minimum qualifications, including a dedicated team with various roles and prior experience developing similar products. Proposals must align with strict terms and conditions, particularly regarding intellectual property, which will remain with the Smithsonian as "work-made-for-hire."
The anticipated contract will last six months, with various option periods for further development. Successful contractors will provide comprehensive web development services and improve the Searchable Museum platform's accessibility and user engagement. Deliverables include user experience enhancements, audience research, and effective content management strategies. Regular collaboration with the Museum's staff is expected, adhering to established timelines and performance standards. Proposals must be submitted electronically by May 21, 2025, ensuring compliance with federal procurement procedures. The project underscores the Smithsonian's commitment to providing accessible educational resources about African American history to diverse audiences, both digitally and in-person.
58 KB
Apr 10, 2025, 5:05 PM UTC
The Smithsonian Institution's Visual Identity Program, established through Smithsonian Directive 104, aims to unify the various graphic identities created by its numerous museums, research institutes, and education units. This initiative arose from confusion caused by the disparate identities of these units, which obscured their relationships and the overall array of the Institution's activities. The program introduces graphic design standards featuring a new Institutional logotype based on the Smithsonian seal of 1966, incorporating the sunburst symbol of enlightenment along with the institution's name. Guidelines distributed to all units dictate consistency in the visual identity across all printed materials, advertisements, signage, and merchandise. Compliance with these guidelines is mandatory for all staff and contractors to ensure a cohesive representation of the Smithsonian Institution. The directive is now subject to review every 24 months to maintain its relevance.
390 KB
Apr 10, 2025, 5:05 PM UTC
Smithsonian Directive 814 outlines the management and responsibilities associated with Official Smithsonian Social Media Accounts. Its purpose is to guide employees in creating and maintaining these accounts while ensuring compliance with institutional policies, protecting the Smithsonian’s reputation, and engaging the public effectively. The directive highlights the significance of social media in furthering the Smithsonian's mission and requires adherence to various policies regarding conduct, privacy, and acceptable content.
Key responsibilities are assigned to various offices, including the Office of Public Affairs (OPA), which oversees brand management and compliance, and the Office of Contracting and Personal Property Management (OCon&PPM), which reviews social media provider agreements. The directive emphasizes that only authorized Smithsonian employees may manage these accounts, with stringent requirements for content that prohibits partisan, discriminatory, or confidential material.
User-generated content is monitored for appropriateness, and privacy policies are strictly enforced. Violations of the directive can result in severe penalties, including account closure and disciplinary actions. Overall, this document serves to ensure that all social media interactions remain consistent with Smithsonian values and legal obligations while promoting effective communication and outreach.
62 KB
Apr 10, 2025, 5:05 PM UTC
The Smithsonian Directive 940 serves as a governance framework for the acquisition of information technology (IT) products within the Smithsonian Institution. It outlines a Technical Reference Model (TRM) which designates preferred IT products to ensure a standardized and effective IT infrastructure. The directive emphasizes the importance of using these preferred products unless a compelling case for non-preferred alternatives is presented, which must be approved through a technology waiver process. Such waivers require an assessment of cost-effectiveness, operational supportability, architectural consistency, and security compliance. Responsibilities are assigned to various units, including directors and IT managers, to ensure adherence to the TRM, availability of funding for IT products, and proper procurement verification practices. The directive ultimately aims to enhance operational efficiency, customer service, and IT security while supporting the overall mission of the Smithsonian through informed technology decisions. The compliance structure allows for adjustments to technologies in response to evolving needs while safeguarding IT integrity.
271 KB
Apr 10, 2025, 5:05 PM UTC
Smithsonian Directive 950 outlines the management policies for the Smithsonian Institution's web presence, ensuring that all public-facing websites provide accessible, reliable, and secure information. The directive encompasses various aspects, including content development, security, privacy, and accessibility, establishing clear roles and responsibilities among the Office of the Chief Information Officer, Office of Communications, and individual units within the Institution. Key components include the requirement for each unit to develop a Web Management Plan, adherence to security standards for protecting sensitive information, and maintaining compliance with privacy laws. Additionally, the directive emphasizes the importance of providing a user-friendly experience for all visitors, including those with disabilities, and mandates regular assessments of website usability and content relevance. Websites must adhere to best practices such as providing privacy notices and utilizing appropriate tracking technologies. The directive serves as a comprehensive framework to safeguard the integrity and enhance the effectiveness of the Smithsonian's digital outreach, supporting its mission to provide educational resources and increase public engagement.
109 KB
Apr 10, 2025, 5:05 PM UTC
The Smithsonian Institution's Privacy and Security Clause outlines stringent regulations governing the handling of sensitive data by contractors. Primarily, the Smithsonian retains sole ownership of any data collected, including personally identifiable information (PII), requiring contractors to maintain strict confidentiality and limit data access to authorized personnel only. Contractors must inform the Smithsonian of any incidents affecting data security within 24 hours and cooperate fully during investigations. Public-facing software developed must comply with privacy standards, and PII collected from California residents is regulated under the California Consumer Privacy Act. Moreover, contractors dealing with cardholder data must demonstrate compliance with Payment Card Industry standards.
Contractors are mandated to maintain security for IT systems and cloud services and must provide necessary documentation for security assessments. Insurance coverage focused on cybersecurity liabilities is required during the contract and for three years afterward. Overall, this comprehensive framework emphasizes the importance of data security and privacy in contracts with the Smithsonian, ensuring compliance with federal regulations and industry best practices, which is critical for governmental RFPs and grants.