Update prohibited-hardware-and-software.md (#1274)

* Update prohibited-hardware-and-software.md * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Daniel Mundra <[email protected]>
CivicActions · Sep 21, 2023 · d062f3b · d062f3b
1 parent 07d6c36
commit d062f3b
Showing 1 changed file with 10 additions and 8 deletions.
diff --git a/company-policies/prohibited-hardware-and-software.md b/company-policies/prohibited-hardware-and-software.md
@@ -2,7 +2,7 @@
 
 ## Summary
 
-CivicActions has established a list of hardware and software that is prohibited to use for CivicActions activities in order to comply with Federal Acquisition Regulation (FAR) requirements for work on federal contracts.
+CivicActions has established a list of hardware and software that is prohibited to use for CivicActions activities in order to comply with requirements for work on federal contracts.
 
 ## Requirements
 
@@ -20,13 +20,15 @@ The following is the list of hardware and software that is prohibited to use bas
 
 ## Policy
 
-CivicActions employees will not use any hardware or software listed in the requirements section for any CivicActions activities or to access CivicActions resources such as email, Slack, GitHub, GitLab, or client project resources. This includes:
+1. CivicActions employees will not use any hardware or software listed in the requirements section for any CivicActions activities or to access CivicActions resources such as CivicActions email, Slack, GitHub, GitLab, or client project resources. Specifically, this includes:
 
--   Installing Kaspersky antivirus software on devices used for CivicActions activities
--   Using Huawei or ZTE mobile devices to access CivicActions resources
--   Using camera systems branded as Hikvision, Dahua, or Hytera on the same network as devices used to access CivicActions resources
--   Installing or accessing TikTok on devices (including mobile devices such as cell phones) used for CivicActions activities or accessing CivicActions resources.
+    - Installing Kaspersky antivirus software on devices used for CivicActions activities
+    - Using Huawei or ZTE mobile devices to access CivicActions resources
+    - Using camera systems branded as Hikvision, Dahua, or Hytera on the same network as devices used to access CivicActions resources
+    - Installing or accessing TikTok on devices (including mobile devices such as cell phones) used for CivicActions activities or accessing CivicActions resources.
 
-In the event of the discovery of prohibited hardware or software being used for CivicActions activities, CivicActions will follow each individual FAR reporting requirement and if appropriate the sanction policy to address the finding.
+2. An exception are personal devices that are **not** used for CivicActions activities but may be used for two-factor authentication such as phone call or SMS code. These devices should **not** have any access to CivicActions and/or client resources.
 
-As part of the CivicActions onboarding process, and periodically thereafter, all CivicActions employees must complete the Security Questionnaire to document the current state of compliance to the requirements and to address any gaps in compliance.
+3. In the event of the discovery of prohibited hardware or software being used for CivicActions activities, CivicActions will follow each individual FAR reporting requirement and if appropriate follow CivicActions sanction policy to address the finding.
+
+4. As part of the CivicActions onboarding process, and periodically thereafter, all CivicActions employees must complete the Security Questionnaire to document the current state of compliance to the requirements and to address any gaps in compliance.