The best part is that, in trying to comply with this guidance, the government chose Telemessage to provide the message archiving required by the Federal Records Act.

The only problem is that Telemessage was wildly insecure and was transmitting/storing message archives without any encryption.

Recommendations to the private sector don't condone violating security and retention laws for people working in the public sector.

I don't think I agree with the following from this guide:

> Do not use a personal virtual private network (VPN). Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface. Many free and commercial VPN providers have questionable security and privacy policies. However, if your organization requires a VPN client to access its data, that is a different use case.

Come on, man. We're talking about classified information, not general OPSEC advice. I worked in a SCIF. Literally every piece of equipment, down to each ethernet cable, has a sticker with its authorized classification level. This system exists for a reason, like making it impossible to accidently leak information to an uncleared contact in your personal phone. What Hegseth did (and is doing?) is illegal. It doesn't even matter what app is used.