Guidance

JSP 740 Acceptable Use Policy (AUP) for Information and Communications Technology and Services (ICT&S)

Updated 11 December 2025

Scope

This Acceptable Use Policy (AUP) applies to everyone who uses any of the following for work or personal use:

• MOD devices, for example laptops, tablets, cameras and phones
• MOD systems and networks
• MOD provided Wi-Fi
• MOD communication channels such as email, instant messaging and voice calls
• MOD devices for any type of content capture, including videos and photographs
• All MOD provisioned IT services and software, including Internet and intranet
  (Referred to collectively in the following as MOD ICT)

This AUP applies if you are:

• performing Defence-related activities of any kind, including normal work, training, and official trade union business.
• on detached duty and using ICT supplied by another authority for your work for Defence, or if you are a contractor or occasional user of MOD-issued ICT.
• using welfare Wi-Fi provided for personal use on MOD premises.

If you break any of these rules, you may face disciplinary action or a criminal investigation.

General Rules for MOD ICT

When conducting MOD business, you must only use MOD-managed or MOD-approved devices and services. This includes software applications and generative AI tools.

When using MOD devices and services you must:

• use appropriate equipment in line with the classification of information, as well as additional sensitivities and handling requirements.
• use all ICT in accordance with Security Operating Procedures (SyOPs).
• ensure passwords, PINs and authentication devices and tokens (including smartcards) are protected and not shared.
• protect passwords at the highest level of the system to which they allow access.
• make sure passwords are strong, not stored on personal devices and not reused for private accounts.
• change your password if you believe it has been compromised.
• lock all screens whenever devices are left unattended.
• adhere to rules about where PEDs and laptops can be used when on MOD establishments in accordance with JSP 440 Part 2 Leaflet 4E.

General Behaviour

You must not:

• request, create, access, store or send offensive, pornographic, indecent, or illegal material.
• send information to, or work on MOD Information on your personal device^{[footnote 1]}.
• breach copyright, licence agreements or data privacy rules, including but not limited to piracy and illegal streaming.
• use any MOD ICT where it can be viewed, overheard, or overlooked by anyone not authorised to see it.
• use MOD devices to capture QR codes of unknown origin or from MOD devices, except for Multi-Factor Authentication setup in line with JSP 440, Leaflet 5B.
• remove, disable or change operational components, safety or security settings.
• try to gain unauthorised access to information.
• conceal information without authority.
• release information without proper authority.
• bring MOD into disrepute or obstruct its business.
• be negligent in protecting MOD devices and services or the information you access.
• break the law^{[footnote 2]}, or encourage or enable others to break the law.
• travel outside the UK with a MOD-managed device unless for work purposes and with the appropriate permissions.

Personal use of MOD ICT

The MOD does not accept any liability for any loss, damage, or inconvenience you may suffer as a result of personal use of MOD-issued ICT.

You may use MOD-issued equipment for limited personal use^{[footnote 3]}; however you must not:

• use any MOD equipment as a replacement for a personal device.
• take part in or promote personal commercial activity, including single or multilevel marketing.
• undertake any or promote share dealing, crowdfunding or fundraising (unless MOD supported).
• take part in or promote any gambling or lottery (except those run by Defence and CSSC and Single Service sports lotteries).
• take part in or promote petitions or political campaigns.
• use any password you have used for work to sign up to public websites or services.
• use any MOD-specific information (for example, MOD email address or PUID), if signing up for websites and services for personal use.
• undertake any form of crypto mining or use the device for hard wallet storage of cryptocurrency and/or keys.
• use MOD services and processing power for anything other than its intended use.

Personal use: Telephony

You may use MOD telephones (desk phones, mobile phones and voice calls on laptops) for personal calls on the following occasions:

• in an emergency.
• you need to change personal arrangements because of unexpected work commitments.
• you are away from your normal place of work and it is not practical to wait until you return home (calls within the UK only and keep them as brief as possible to convey the necessary information).
• for inbound personal calls.
• personal calls from outside the UK are permitted for emergency use only (unless local rules or orders apply).

Emails

You must not:

• configure email to auto-forward or create rules to bulk-forward mail to non-MOD email addresses.
• transmit SPAM (electronic junk mail) or chain mail.
• list non-work, or an individual person’s MOD email addresses in external out of office notifications^{[footnote 4]}.

Social media, Internet and AI tools

You must not:

• share or confirm any information about your own or anyone else’s security clearance on social media or messaging apps.
• share, confirm or discuss MOD business, including command and control activities or any discussion leading to decisions, on personal social media accounts or messaging apps.
• record, livestream, distribute or forward images, video, messages, or data that will likely bring the MOD into disrepute.
• share or confirm on social media any information classified above OFFICIAL.
• share or confirm on social media any information that compromises the operational security or personnel security of MOD or its allies.
• download or interact with any suspicious links or attachments received.
• promote a charity cause not supported by Defence; personnel must use profiles that are their own private accounts not connected to their MOD roles.

You must not enter MOD information into public Internet-facing search engines or AI apps and tools.

If using generative AI as a productivity aid for work purposes, only use tools provisioned or authorised by MOD.

Messaging apps such as WhatsApp or Signal

Closed messaging apps are permitted on MOD-issued devices for keeping in touch purposes only (for example, letting colleagues know you are running late).

Messaging Groups. All personnel should take care to understand who is in their messaging groups. They should also regularly review this list to ensure that any persons who no longer need access to the information are removed.

Closed messaging apps must not be used to share or confirm any information classified above OFFICIAL, or any information covered in the paragraph above on Social Media^{[footnote 5]}.

Devices, Systems and Networks

You must not:

• connect unauthorised devices to MOD ICT or networks, including but not limited to MOD-issued or personal mobile devices, vaping devices, wearables, and gaming consoles for any reason including charging.
• use public USB charging ports.
• connect MOD-issued mobile devices to unauthorised computers.
• connect MOD-issued or personal mobile devices to MOD ICT devices via a wireless connection other than to use the mobile hotspot.
• connect personal mobile devices to MOD ICT via Bluetooth; only MOD provided peripherals may be connected.
• download, use, store or distribute software or unauthorised^{[footnote 6]} applications.
• attempt to misuse, gain unauthorised access to (or prevent legitimate access to) any equipment, network, system, service, or account.
• sync your MOD phone contacts to shared vehicles, including MOD fleet vehicles and MOD-provided hire cars.

Working from Home

When working from home, you must not:

• connect any private wireless or Bluetooth equipment (including headsets, keyboards and speakers).
• connect any private printers, Smart TVs or Smart monitors.
• use tools on your private device to target any MOD device connected to a non-MOD network.

When working from home on a MODNET OFFICIAL laptop you may:

• connect your personal screen using VGA, HDMI or DisplayPort wired connection.
• connect a wired personal keyboard and wired mouse via a USB connection.

Do not connect any item of ICT equipment to your MOD laptop if you have security concerns about it.

Monitoring of MOD-issued ICT

The MOD monitors its ICT and networks. More information about the personal data held by the MOD can be found in the MOD privacy notice.

Reporting Incidents

You must report any activity that you think is in breach of the rules in this guidance via a Security Incident Report Form (SIRF).

You must not remove any personal data after being told your MOD-issued device is the subject of an investigation nor must you delay the return of that device when asked to do so by the MOD investigating authority.

Coherence with other Policy and Guidance

You must abide by the Security Operating Procedures (SyOPs) for the equipment you are using. You must also follow JSP 440 and 441, the MOD Corporate Standards Guide and your Service Code of Conduct at all times.

Related JSPs

• JSP 440: The Defence Manual of Security
• JSP 441: Information, Knowledge, Digital and Data in Defence

Further Advice and Feedback – Contacts

Comments, queries and feedback are welcome via the Cyber Defence and Risk (CyDR) Governance, Risk and Compliance (GRC) Policy Team: UKStratComDD-CyDR-InfoCyPol@mod.gov.uk

Equality Analysis Statement

This JSP has been Equality Analysis Impact Assessed in accordance with the Department’s Equality Analysis Impact Assessment (EQIA) Tool against: Part 1 – Assessment only, no diversity impact found.

The policy is due for review in September 2027.

Welsh Language Analysis Statement

This JSP has been assessed for its impact on the Welsh language and the Welsh-speaking public in Wales, in accordance with the Department’s Devolved Assemblies Impact Assessment; no impact has been found.

Copyright Statement

© Crown Copyright 2025

This work is Crown copyright and the intellectual property rights for this publication belong exclusively to the Ministry of Defence (MOD). No material or information contained in this publication should be reproduced, stored in a retrieval system, or transmitted in any form outside MOD establishments except as authorised by the sponsor and MOD where appropriate.

1. The use of personal devices for multi-factor authentication is permitted. If the personal device is compromised a SIRF must be raised. This will not lead to an investigation of the personal device; it is for advisory purposes so that the authenticator application from that device can be disabled. ↩

2. Unless, in exceptional cases, your role and Terms of Reference have been authorised as one where a specific exemption stipulated in current legislation is applied. ↩

3. Although this can be stopped at any time at the MOD’s discretion. ↩

4. For more information, see JSP 441: Using out of office (OOO) notifications effectively_notifications_effectively). ↩

5. For more information, see JSP 441: Using Non-Corporate Communication Channels. ↩

6. For further information see: Ordering Defence Digital Services. ↩