GSA POLICY AND PROCEDURE. SUBJECT: Document Security for Sensitive But Unclassified Building Information
|
|
- Amberlynn Holmes
- 8 years ago
- Views:
Transcription
1 GENERAL SERVICES ADMINISTRATION Washington, DC PBS P GSA POLICY AND PROCEDURE SUBJECT: Document Security for Sensitive But Unclassified Building Information 1. Purpose. This directive describes GSA s policy to protect sensitive but unclassified (SBU) building information for GSA-controlled space. GSA-controlled space includes owned, leased, and delegated Federal facilities. Not all building information is automatically considered sensitive but unclassified. Only specific applicable information, marked with SBU designations, needs to be controlled in accordance with this policy. GSA will use SBU terminology and markings on all building information in all formats (see Appendix B). Both legacy SBU and new SBU building information will be subject to the terms of this directive. 2. Background. GSA has been marking and managing sensitive but unclassified building information and has issued several updates to the policy since the bombing of the Alfred Murrah Federal Building in Executive Order 13556, signed on November 4, 2010, establishes a program for managing Controlled Unclassified Information, with the National Archives and Records Administration (NARA) serving as the executive agent. This Executive Order emphasizes the openness and uniformity of Government-wide practice. GSA has been working with NARA in developing Controlled Unclassified Information (CUI) standards and best practices. Upon completion of NARA s CUI efforts and directives (with expected implementation to start April 2016), GSA s SBU designation will be replaced with the NARA CUI designation and this directive will be updated to reflect the new CUI requirements. 3. Cancellation. PBS A Document Security for Sensitive but Unclassified Building Information, issued June 1, 2009, is cancelled, effective immediately. 4. Scope and Applicability. This directive applies to the access to and generation, dissemination, storage, transfer and disposal of all SBU building information related to GSA-controlled space and to procurements to obtain, alter, or manage space, either Government-owned or leased, including GSA space that is delegated to other Federal agencies. a. All sensitive building information shall be marked and managed as SBU in accordance with this directive.
2 i. General Services Administration Information Technology (GSA IT), along with PBS business lines, will develop a system to track project SBU building information, to be implemented in a phased approach and completed within five years of the issuance date of this directive. b. Existing SBU documents shall be controlled under this directive when procuring and contracting for design and construction services for renovations to existing facilities. For new facilities, the building drawings and other related building information will be reviewed and may be designated SBU, as appropriate. This designation applies at the time SBU building information is turned over by the Architect-Engineering (A-E) personnel to the Government as part of the final construction control documents. However, not all building information will be designated as SBU. THIS DIRECTIVE DOES NOT APPLY TO CLASSIFIED BUILDING INFORMATION, which is governed by Executive Order Classified National Security Information. 5. Policy Objectives. This directive has three principal objectives: a. To diminish the potential that building information will be available for use by a person or persons with an interest in causing harm, and b. To allow access to this information to those recipients who have a legitimate business need to know such information. c. To ensure a Business Need to Know exists. All individuals must have a legitimate purpose to handle SBU building information. They must use good judgment, common sense and take reasonable care to ensure that sensitive building information is protected in accordance with this directive. 6. Definitions. a. SBU building information is information related to GSA-controlled space that is sufficiently sensitive to warrant some level of protection from full and open public disclosure, but does not warrant classification. This information requires safeguarding and dissemination controls in order to diminish the potential that building information will be accessible to a person or persons with an interest in causing harm. Appendix A provides a list of examples of SBU building information. This list is for illustrative purposes and is not comprehensive. b. A Business Need to Know exists when access to SBU building information is necessary for the conduct of official GSA business. Some examples of individuals who may have a legitimate business need to know are GSA project managers, staff from the Office of the Inspector General (OIG), authorized vendors, utilities, state and local fire department personnel, among others. This directive does not describe all instances of a legitimate business need to know.
3 7. Clarification of GSA Order CIO P All building drawings or building information should not be designated, automatically, as SBU. Refer to Appendix A of this document for guidance. GSA Order CIO P provides the policy and procedures for issuing and maintaining GSA credentials. Chapter 2, Section 4.b.(4) of GSA Order CIO P states, Those individuals whose duties require a higher degree of trust, such as IT system administrators, those who handle financial transactions, or those who deal with PII, and other sensitive information (e.g., building drawings, etc.), will continue to require investigations associated with higher levels of trust such as the Minimum Background Investigation (MBI) or the Limited Background Investigation (LBI). These requirements shall not be used to restrict access to SBU building information further than as clarified in Section 4 (Applicability) of this directive. Access to sensitive building drawings may be granted on a 'Business Need to Know' basis (as concurred on by the respective GSA business line) without regard to the credentialing cited above. 8. Signature. /S/ September 2, 2014 NORMAN DONG Commissioner Public Buildings Service
4 PBS P Document Security for Sensitive But Unclassified Building Information Table of Contents GENERAL REQUIREMENTS AND RESPONSIBILITIES 1 SPECIFIC REQUIREMENTS AND RESPONSIBILITIES...2 Appendix A. Examples of Sensitive But Unclassified Building Information..A-1 Appendix B. Sensitive But Unclassified Marking Information. B-1 Appendix C. SBU Contract Clause.C-1
5 GENERAL REQUIREMENTS AND RESPONSIBILITIES The principles governing the management of SBU building information are as follows for all GSA personnel and contractors: 1. SBU building information shall be controlled so that building information in electronic and hard copy formats are made available only to individuals who have a legitimate business need to know (see Appendices A and B). 2. Adequate controls shall be used to monitor access to and dissemination of SBU building information. 3. SBU building information shall be safeguarded during use and either properly destroyed or returned to GSA after use. 4. SBU information shall not be presented in public forums. 5. The SBU designation of each building s information (for design, construction bidding, facility management, etc.) shall be based on the specific information s level of sensitivity and the physical security level of the building itself. 1
6 SPECIFIC REQUIREMENTS AND RESPONSIBILITIES 1. Public Buildings Service. The Public Buildings Service (PBS) is ultimately responsible for protecting SBU building information from unauthorized use and for making the initial determination of whether an entire building, or portion thereof, is considered sensitive. 2. PBS Regional Commissioners (RCs). PBS RCs or authorized designee (or in the case of delegated buildings, agency officials), make the initial determination regarding whether a building s documents/information or portion thereof are/is considered sensitive. That determination shall in turn trigger an action on the part of the PBS Project Manager or Program Manager to mark the necessary related building information as SBU. a. RCs shall consider the physical security level of the building itself, as well as comparable building types and occupants in making the determination whether or not a building s documents/information or portion thereof are/is sensitive. b. The RC shall designate an individual responsible for controlling SBU building information. c. RCs must implement this directive within their Regions in a uniform, consistent manner so that all items containing SBU building information are marked and handled appropriately. d. In the case of a new building in the planning stages, for a single tenant, the RC in consultation with the tenant will hold decision-making authority in determining the appropriate sensitivity of building information. e. In the case of a new building in the planning stages, for multiple tenants, the RC in consultation with all planned tenants will hold decision-making authority in determining the appropriate sensitivity of building information. 3. Tenants. In the case where the tenant or tenants require/s a greater sensitivity designation than for comparable building types and occupants, this tenant or group of tenants will be required to pay any extra costs associated with higher security requirements and less competition in procurement. The tenant/s will agree to fund such costs via rent, Reimbursable Work Authorization, etc., as applicable. Extra costs may be due to limits on Architect-Engineering (A-E) personnel access, bidding restrictions, reduced competition for construction or facility management, or other factors. The RC or designee will assist the tenant in identifying the cost of higher security requirements. Within a Federal campus, the SBU designation may apply to one or more buildings as needed, but will not automatically apply to all buildings within the same campus if any particular building(s) is (are) designated as SBU. 4. PBS Project Manager or Program Manager (PM). The PBS PM is responsible for reviewing all building documents, identifying and marking SBU building information, and 2
7 including instructions in Statements of Work (SOWs) for contractors to mark documents as SBU, if appropriate. a. The PBS PM shall identify and mark as SBU, in electronic or paper formats, only the building information that meets the criteria for SBU, which must be controlled, as stated herein. The PBS PM shall refer to Appendix A of this directive for further guidance. b. The PBS PM shall coordinate with various groups (tenants, stakeholders, the Facility Security Committee, etc.) on all matters pertaining to building information. c. The PBS PM, in consultation with the Facility Security Committee (FSC), is responsible for reviewing all building information at every milestone where there is a change in the physical space or tenant, to validate SBU markings are correct and current. d. If building information designation is found to be incorrectly marked or no longer required, the PBS PM shall follow the instructions related to Mandatory Review in paragraph 11 below. 5. Facility Security Committee (FSC). After construction is complete, FSC or its current equivalent, as established by the standards of the Interagency Security Committee (ISC), shall advise the PBS PM regarding specific building information where SBU markings are necessary. a. When a building is not designated as sensitive, the FSC, or its current equivalent, may still determine that some specific building information must be controlled. In this case, the FSC shall advise the PM to mark only that specific building information as SBU. The FSC shall refer to Appendix A of this directive for further guidance. 6. Disseminators. Disseminators of SBU building information must comply with the all policy principles and requirements of this directive. SBU building drawings that are part of a procurement must be issued in accordance with FAR 5.102(a)(4) on the secure side of the FedBizOpps website ( or any successor system, with proper document control protocols to allow legitimate registered vendors access to the documents for proposing and pricing the procurements. 7. Contracting Officers (COs). COs shall include the clause in Appendix C, or a similar updated clause per the General Services Administration Acquisition Manual (GSAM), in all solicitations (including Solicitations for Offers (SFOs)) and in all building contracts and/or final leases that may contain, require access to, or cause the generation of SBU building information. This applies to all contracts issued after issuance of this directive and implementation of the rule making process, whichever occurs later. a. Examples of such contracts are A-E design, construction, facility management contracts, and related professional service contracts such as construction manager as agent (CMa) and Commissioning Agent (CxA) contracts. 3
8 b. COs must take appropriate action when they become aware that contractors have not fulfilled contractual obligations regarding the protection of SBU building information. Such action may include an investigation, referring the contractor for suspension or debarment proceedings, and/or terminating the contract for default. 8. GSA Employees. GSA Employees may disseminate SBU building information only after a proper review and the imprinting or affixing of a mark, as required by this directive (see Appendix B for marking guidance), and after determining that the recipient of SBU building information is authorized to receive such information before dissemination of that information. 9. General Counsel. The Office of General Counsel (OGC) provides legal advice concerning Freedom of Information Act (FOIA) requests that apply to SBU building information. OGC also provides counsel regarding the application of this directive. 10. All PBS Regional Commissioners, Assistant Commissioner and Deputy Assistant Commissioners must make their respective personnel aware of the requirements in this directive and require that their staffs be trained in the proper application of this directive, including encryption software applications available to GSA personnel and contractors: 11. Mandatory review. For building projects (for design, construction, facility management, etc.), the PBS PM is responsible for reviewing all building information which does or may contain SBU building information at regular milestones (such as change in use, configuration or tenant); the PBS PM is responsible for identifying and validating that SBU markings are correct and current. If building information designation is found to be incorrectly marked or no longer required, the PBS PM will correct the marking immediately or ensure that action is taken promptly to change or remove the marking. 12. Marking information. For any electronic or printed SBU building information created after the issuance date of this directive, pages containing SBU building information must have the markings shown in Appendix B imprinted or affixed. 13. Limiting dissemination to authorized recipients. SBU building information may be disseminated only after it is determined by GSA personnel that each recipient is authorized to receive it. The criterion to determine whether a recipient is authorized to receive SBU building information is that the recipient must have a legitimate business need to know, as further described in Section 4 (Scope and Applicability) of the transmittal for this directive. a. Federal, State, and local government entities. GSA must provide SBU building information for the performance of official Federal, State, and local government functions, such as inspections, OIG audits, code compliance reviews and issuance of building permits, among other purposes. Public safety entities such as fire departments may require access to SBU building information on a need to know basis. This directive must not prevent or encumber the dissemination of SBU building information to public safety entities. 4
9 b. Vendors, Nongovernment entities and utilities. Unless the action is exempt under FAR , all disseminators are responsible for verifying that a contractor or contracting firm is currently registered as "active" in the System of Award Management (SAM) database at and also has a legitimate business need to know SBU building information before releasing it to any contractor or firm. Nongovernment entities and/or utility companies may also require access to SBU building information for the performance of work on GSAcontrolled space on a need to know basis and do not necessarily need to register within the SAM database. 14. Electronic transmission of SBU building information. GSA employees, who electronically transmit SBU building information outside of the GSA network, must encrypt the data with an approved NIST algorithm, such as Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES), in accordance with Federal Information Processing Standards Publication (FIPS PUB) 140-2, Security Requirements for Cryptographic Modules. As outside of the GSA network is not encrypted, GSA personnel working within the GSA network may only transmit SBU building information using GSA-approved encryption procedures. ( Within the GSA network means inside the firewall, including Citrix and GSA VPNs.) 15. Dissemination of SBU building information in non-electronic form or on portable electronic data storage devices. Portable electronic data storage devices include but are not limited to CDs, DVDs, and USB drives. Non-electronic forms of SBU building information include paper documents. a. By mail. GSA employees must utilize only methods of shipping that provide confirmation of receipt of the SBU building information, such as track and confirm, proof of delivery, signature confirmation, or return receipts. b. In person. GSA employees must provide SBU building information only to authorized representatives of Federal, State, local government entities, SAMregistered firms, and others that have a legitimate business need to know such information. 16. Safeguarding SBU building information. GSA employees must not take SBU building information outside of GSA facilities, except as necessary for the performance of a GSA project. If a GSA employee takes SBU building information outside of a GSA facility, access to the information must be limited to those with a legitimate business need to know. Such information must be returned to a GSA facility or destroyed when no longer needed for the performance of a GSA project. GSA employees must not store or retain SBU building information on any electronic device or media not owned by GSA. 17. Destroying SBU building information. When SBU information, in any format, is no longer needed, SBU building information must be destroyed such that the information is rendered unreadable and incapable of being restored, in accordance with GSA CIO IT 5
10 Security 06-32, Media Sanitization Guide and Appendix A of NIST Special Publication , Guidelines for Media Sanitation. Alternately, the SBU building information may be returned to the CO. 18. Freedom of Information Act (FOIA) requests. SBU markings do not control the decision of whether to disclose or release the information to any entity that files a FOIA request. Any determination to disclose SBU building information, in accordance with a FOIA request, must be made after consultation with the servicing legal office. 19. Reporting incidents of concern. Any actual or suspected unauthorized disclosure of SBU information must be reported immediately to the CO for the related contract or the appropriate RC. RCs are required immediately to notify the FSC for the building involved. Any incident involving suspected computer or cyber security breach or attack, as defined by NIST Special Publication , Computer Security Incident Handling Guide, must be reported in accordance with the current version of GSA CIO P , Information Technology (IT) Security Policy Order and GSA CIO IT Security Procedural Guide: CIO-IT Security-01-02, Incident Response (IR). 6
11 Appendix A. Examples of Sensitive But Unclassified Building Information Not all building information is automatically considered Sensitive But Unclassified (SBU). After the PBS Project Manager (PM) has reviewed, identified, and marked SBU building information, then access to the information must be controlled. SBU building information may be contained in any document (including drawings, specifications, virtual modeling, reports, studies, analyses) and in any format with information pertaining to: 1. Location and details of secure functions or secure space in a building, location or space. Examples include: a. Prisoner or judges secure circulation paths or routes (both vertical and horizontal). b. Detention or holding cells. c. Sally ports. d. Security areas, including but not limited to control rooms and incident command centers e. Building automation systems. f. Telephone and riser closets 2. Location and type of structural framing for the building, including any information regarding structural analysis. Examples include information related to: a. Progressive collapse. b. Seismic. c. Building security. i. Blast mitigation. ii. Counterterrorism methods taken to protect the occupants and the building. 3. Risk assessments and information regarding security systems or strategies of any kind. Examples include: a. Camera locations. b. Nonpublic security guard post information (e.g., number, location, operations, etc.). Note: In the case of building information related to a specific suite, room/space, or other component that is designated as SBU (i.e. Building Automation System (BAS) diagram, security camera layout, etc.), the SBU designation does not necessarily carry over to the entire building, or to the entire campus. Note: Building information for a stand-alone steam plant facility or similar service facility and its associated tunnels shall be designated SBU when it services a building that is designated SBU. A-1
12 Appendix B. Sensitive But Unclassified Marking Information 1. Any electronic or printed document, pages containing SBU building information must have the following markings: SENSITIVE BUT UNCLASSIFIED (SBU) PROPERTY OF THE UNITED STATES GOVERNMENT FOR OFFICIAL USE ONLY Do not remove this notice Properly destroy or return documents when no longer needed 2. The following mark must be affixed to the cover or first page of any document (such as the cover page on a set of construction drawings). SENSITIVE BUT UNCLASSIFIED (SBU) PROPERTY OF THE UNITED STATES GOVERNMENT COPYING, DISSEMINATION, OR DISTRIBUTION OF THIS DOCUMENT TO UNAUTHORIZED RECIPIENTS IS PROHIBITED Do not remove this notice Properly destroy or return documents when no longer needed 3. The previous two markings must be prominently labeled in bold type in a size appropriate for the document or portable electronic data storage device or both, if applicable. On a set of construction drawings, for example, the statements must be in a minimum of 14 point bold type or equivalent. 4. The SBU markings must be used regardless of the medium through which the information appears or is conveyed. B-1
13 Appendix C. SBU Contract Clause Contracting Officers (COs) shall include the following clause, or a similar updated clause per the General Services Administration Acquisition Manual (GSAM), in: (1) all solicitations containing SBU building information (including Solicitations for Offers (SFOs)); and shall include the following clause in: (2) contracts and/or final leases that may contain, require access to, or cause the generation of SBU building information. [Begin clause] Safeguarding and Dissemination of Sensitive But Unclassified (SBU) Building Information This clause applies to all recipients of SBU building information, including offerors, bidders, awardees, contractors, subcontractors, lessors, suppliers and manufacturers. 1. Marking SBU. Contractor-generated documents that contain building information must be reviewed by GSA to identify any SBU content, before the original or any copies are disseminated to any other parties. If SBU content is identified, the Contracting Officer (CO) may direct the contractor, as specified elsewhere in this contract, to imprint or affix SBU document markings to the original documents and all copies, before any dissemination. 2. Authorized recipients. a. Building information designated SBU must be protected with access strictly controlled and limited to those individuals having a legitimate business need to know such information. Those with a need to know may include Federal, State and local government entities, and nongovernment entities engaged in the conduct of business on behalf of or with GSA. Nongovernment entities may include architects, engineers, consultants, contractors, subcontractors, suppliers, utilities, and others submitting an offer or bid to GSA, or performing work under a GSA contract or subcontract. Recipient contractors must be registered as active in the System for Award Management (SAM) database at and have a legitimate business need to know such information. If a subcontractor is not registered in the SAM and has a need to possess SBU building information, the subcontractor shall provide to the contractor its DUNS number or its tax ID number and a copy of its business license. The contractor shall keep this information related to the subcontractor for the duration of the contract and subcontract. b. All GSA personnel and Contractors must be provided SBU building information when needed for the performance of official Federal, State, and local government functions, such as for code compliance reviews and for the issuance of building permits. Public safety entities such as fire and utility departments may require access to SBU building information on a need to know basis. This clause must C-1
14 not prevent or encumber the dissemination of SBU building information to public safety entities. 3. Dissemination of SBU building information: a. By electronic transmission. Electronic transmission of SBU information outside of the GSA network must use session encryption (or alternatively, file encryption). Encryption must be via an approved NIST algorithm with a valid certification, such as Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES), in accordance with Federal Information Processing Standards Publication (FIPS PUB) 140-2, Security Requirements for Cryptographic Modules per GSA policy. b. By nonelectronic form or on portable electronic data storage devices. Portable electronic data storage devices include, but are not limited to CDs, DVDs, and USB drives. Nonelectronic forms of SBU building information include paper documents, among other formats. i. By mail. Contractors must utilize only methods of shipping that provide services for monitoring receipt such as track and confirm, proof of delivery, signature confirmation, or return receipt. ii. In person. Contractors must provide SBU building information only to authorized recipients with a need to know such information. Further information on authorized recipients is found in Section 2 of this clause. 4. Record keeping. Contractors must maintain a list of all entities to which SBU is disseminated, in accordance with sections 2 and 3 of this clause. This list must include at a minimum: (1) the name of the State, Federal, or local government entity, utility, or firm to which SBU has been disseminated; (2) the name of the individual at the entity or firm who is responsible for protecting the SBU building information, with access strictly controlled and limited to those individuals having a legitimate business need to know such information; (3) contact information for the named individual; and (4) a description of the SBU building information provided. Once as built drawings are submitted, the contractor must collect all lists maintained in accordance with this clause, including those maintained by any subcontractors and/or suppliers, and submit them to the CO. For Federal buildings, final payment may be withheld until the lists are received. 5. Safeguarding SBU documents. SBU building information (both electronic and paper formats) must be protected, with access strictly controlled and limited to those individuals having a legitimate business need to know such information. GSA contractors and subcontractors must not take SBU building information outside of GSA or their own facilities or network, except as necessary for the performance of that C-2
15 contract. Access to the information must be limited to those with a legitimate business need to know. 6. Destroying SBU building information. When no longer needed, SBU building information must be destroyed so that marked information is rendered unreadable and incapable of being restored, in accordance with guidelines provided for media sanitization within GSA CIO IT Security 06-32, Media Sanitization Guide and Appendix A of NIST Special Publication , Guidelines for Media Sanitization. Alternatively, SBU building information may be returned to the CO. 7. Notice of disposal. The contractor must notify the CO that all SBU building information has been returned or destroyed by the contractor and its subcontractors or suppliers in accordance with paragraphs 4 and 6 of this clause, with the exception of the contractor's record copy. This notice must be submitted to the CO at the completion of the contract to receive final payment. For leases, this notice must be submitted to the CO at the completion of the lease term. The contractor may return the SBU documents to the CO rather than destroying them. 8. Incidents. All improper disclosures of SBU building information must be immediately reported to the CO at <insert address and contact information>. If the contract provides for progress payments, the CO may withhold approval of progress payments until the contractor provides a corrective action plan explaining how the contractor will prevent future improper disclosures of SBU building information. Progress payments may also be withheld for failure to comply with any provision in this clause until the contractor provides a corrective action plan explaining how the contractor will rectify any noncompliance and comply with the clause in the future. 9. Subcontracts. The contractor and subcontractors must insert the substance of this clause in all subcontracts. [End of clause] C-3
16 (Contractor Guide for external use)
17 General Services Administration Table of Contents Introduction and background... 2 Escort Policy Escort Policy (flow chart) Short-Term Contractor Policy (Less than 6 months) 6 Short-Term Contractor Policy (flow chart) Long-Term Contractor Policy (Greater than 6 months) Long-Term Contractor Policy (flow chart) Obtaining HSPD-12 Credentials. 16 Returning/ Reporting lost or stolen a HSPD-12 credential. 19 Obtaining an HSPD-12 Credential (flowchart).. 21 Obtain a Building Identification Badge. 22 Previously Cleared Contractors (Reciprocity) 23 Child-care worker security clearance process 24 Child-care worker security clearance process (flowchart) 27 Appendix: Appendix A. HSPD-12 Presidential Directive 28 Appendix B. Instructions for completing CIW. 30 Contractor Information Worksheet (CIW) sample.. 32 Appendix C. Encrypting Personally Identifiable Information instructions.. 34 Appendix D. Instructions for completing the e-qip invitation.. 38 Appendix E. Instructions for completing the SF85P. 39 Appendix F. FD-258 Fingerprint Card Instructions Appendix G. Instructing for completing GSA Form 176 (child care only). 43 Appendix N. Additional Resources. 45 Appendix O. Terms and Acronyms.. 46 GSA Region 10 Security Contact Information. 47 1
18 General Services Administration GSA Region 10 Security Clearance Process Introduction The purpose of this guide is to establish a uniform procedure for access and background security clearances for the General Services Administration (GSA) Northwest/Artic Region 10 contract employees. Wide variations in security policies allow unauthorized individuals the ability to gain access to secure facilities and increase the likelihood of a security breach. This guide provides GSA Region 10 s officials and service centers a common set of criteria to ensure that all individuals given routine access to all GSA s government space have submitted to the correct level of personnel security investigation in order to complete their work. Background This guide standardizes the security clearance process for all contractors across GSA s Region 10 and ensures that all of our offices and personnel are following the same common criteria and policies. It is intended to provide a greater sense of security, increase efficiency, reduce fraud and to protect the personal privacy of our customer agencies and contract companies. Our security policy reflects the policy of the United States government as issued by the Homeland Security Presidential Directive-12 (HSPD-12) Policy for a Common identification Standard for Federal Employees and Contractors, to create a consistent policy on access and credentialing of contract employees. This policy requires that all contract employees who require routine access to GSA s controlled facilities or its information systems to have a personnel security investigation. This guide provides an overview of these personnel security investigations, step by step instructions for each type of security clearance, and supplementary information to answer any additional questions and concerns that you may have. Our hope is to make the security clearance process a simple but thorough screening of all individuals requiring routine access into GSA s controlled space which in turn will provide a safer and more dependable environment for our customer agencies, contractors and the general public. Security Clearances GSA s Region 10 has two types of personnel security investigations depending on how long the contractor employee is required to be on site, except for contractors requiring access to the GSA IT network; all contractors requiring network access require the long-term NACI clearance. The type of security clearance is based upon the length of time the contract employee will be working within the controlled space not upon the duration of the contract. This guide explains what you need to know to get contractors on the site and working as quickly as possible. Regardless of the type of background check required, a satisfactory law enforcement check called Entry of Duty (EOD) determination, allows unescorted physical access to facilities for all contractors. The type of contractor determines which personal history form is required to be submitted. In either case, fingerprints and a Contractor Information Worksheet (CIW) are also required. The CIW form must be initiated by the GSA Requesting Official (example: Project Manager). A brief explanation of the security clearance processes follows below however each process is later explained in more detail. 1. Short-term contractor clearance This type of security clearance are for those who require routine access to federally controlled space for a period of six (6) months or less. This security clearance requires either a National Agency Check (NAC) or one must be escorted at all times. For 2
19 General Services Administration unescorted access, a CIW, SF85P and two (2) sets of FD-258 (fingerprint cards) must be submitted to the Security Office. The CIW may be ed to r10pbssecurity@gsa.gov. This initiates FPS to send an SF85P application via to complete online. The signature pages from the SF85P application and fingerprint cards may be mailed to: GSA, PBS Security Office, th ST, SW, Auburn WA A. Escorts are permitted for temporary contractors for very short duration; jobs ten days or less. Escorts may be government employees or long term contractors (including contract guards) who have received an EOD and whose NACI is in process. Escorts must maintain control of those they are escorting at all times. 2. Long-term contractors This type of security clearance is required for those who require access to federally controlled space for more than six (6) months. This security clearance requires a National Agency Check with written Inquiries (NACI) and one must submit a SF85P. To begin this process, a CIW form must be completed and ed to the GSA security office at r10pbssecurity@gsa.gov. The CIW is obtained from the GSA Requesting official. This will initiate the security clearance process, and the Federal Protective Service will the applicant an invitation to enter e-qip (OPM s secure portal for security clearances). The applicant will then fill out the SF85P through e-qip, print out signature pages, and mail them along with two sets of FD258 fingerprint cards)to the GSA, PBS Security office at th St SW, Auburn, WA Additional Assistance This guide will also assist to identify the correct clearance procedure to follow when starting a new construction project or building repair and alteration (R&A) project. It will assist the Lease Administration Managers with differentiating the correct security clearance process in Leased Space (Level 4 & Level 3 100% Government Occupied Space and Leased Space in Level 3 not 100% Government Occupied and any space will a facility security level under 3. It includes the security clearance procedures for applicants applying for child-care work in GSA controlled facilities. GSA s commitment to protect Personally Identifiable Information (PII) Informing Applicants of Data Collected: All forms used in the security clearance process have a Privacy Act statement included that indicates what PII is collected, the purpose of its collection, whether it is optional or required, and the consequences of not providing the requested information. Securing Information Technology (IT) Systems: All GSA IT systems must store and transmit data securely and have a completed a Privacy Impact Assessment (PIA) filed with the Privacy Office. The PIA ensures that the IT system complies with federal and GSA privacy regulations, including the Privacy Act. Instructions for encrypting and transmitting PII are included in this guide. Securing Paper Forms: All paper forms containing PII data must be stored and transmitted in accordance with the GSA IT Security Policy and be protected from any unauthorized disclosure. Designating Staff: All security related staff must be specifically designated to handle security clearance related PII data. All GSA staff are required to have completed privacy training and abide by the GSA IT Security Policy. 3
20 General Services Administration Escort Policy Security Clearance Process To provide a means for GSA Officials to complete emergency repairs, minor alterations, etc., GSA Region 10 has established a region wide policy whereby short-term contractor employees who perform work for no more than ten (10) consecutive days or require only intermittent (irregular) access are not required to undergo a personnel security investigation, provided the contractors are accompanied by a fully adjudicated escort. All Escort situations must have prior approval by a GSA Official. Escort Policy Requirements 1. A contract employee may be escorted up to ten (10) days (days may be separated), by a fully favorable adjudicated contractor, federal employee, or security guard. Note: For contractors that exceed the ten (10) day time frame or who require frequent or routine access to a federal space, see applicable short-term or long-term security clearance process. 2. A maximum of five (5) individuals may be escorted at anytime (ex. Ten (10) contract employees require two (2) fully favorable adjudicated escorts). 3. The GSA Requesting Official must ensure appropriate approval from building manager and/or any other agency security requirements. 4. The escort must maintain control, physical proximity, or other means of control of the escorted contract employee at all times. When performing escort duties, the responsible individual must maintain control of the contractor(s) at all times, unless the contractor leaves the building or facility. An example of maintaining control is a contractor who is running cable through multiple rooms and is three rooms away from their fully adjudicated escort. However, a contractor who is working on the roof of a thirty-two story building while the fully adjudicated escort is on the first floor would not be considered to have control of the contract employee. 5. The escorted contract employee must wear an escort badge at all times. No photo is required on the escort badge. 4
21 General Services Administration Escort Policy (owned space) Security Clearance Process Flowchart A Escort Policy Owned Space Security Clearance Process Escort Policy Is the job less than 10 days? Yes GSA Region 10 Escort Policy Requirements Contract employee may be escorted up to ten (10) days (days may be separated), by a fully favorable adjudicated contractor, federal employee, or security guard. No A maximum of five (5) individuals may be escorted at anytime (ex. Ten (10) contract employees require two (2) fully favorable adjudicated escorts). Ensure appropriate approval from building manager and/or any other agency security requirements. See applicable short-term or long-term process Escort must maintain control, physical proximity, or other means of control of the escorted contract employee at all times. Escort Badge with no photo required. 5
22 General Services Administration Short-Term Contractor (Less than 6 Months) Security Clearance Process When a GSA Requesting Official determines a contactor will require access to federal space for more than ten (10) days but less than six (6) months the contract employee is required to submit to a National Agency Check (NAC) personnel security investigation. To receive a NAC clearance, a Contractor Information Worksheet (CIW) version 2, SF85-P form through e-qip submission, two sets of FD-258 fingerprint cards and signed signature pages are required for each employee. This level of personnel security investigation is not HSPD-12 compliant. Also this type of personnel security investigation may not be used for persons requiring access to GSA computer systems. Contractors requiring access to information technology (IT) systems must complete a NACI, regardless of the duration of the contract or how long the individual will require access to a federal facility. For contract employees requiring IT access, refer to the submission process section for long-term clearances in this guide. Short-Term Contractor submission procedures 1. When a National Agency Check (NAC) personnel security investigation is required, the GSA Requesting Official completes the Contractor Information Worksheet (CIW) sections 2, 3, 4 and 5, and then forwards via to the contract company. The GSA Requesting Official has the overall responsibility to ensure that the CIW is complete and correct. Special attention should be given in the case of subcontractors to ensure the subcontract company s information is correct. The contract company representatives, as well as the contract employee are normally required to provide assistance in the completion of this form. Please refer to Appendix E for detailed instructions on how to complete the CIW. 2. The contract company representative completes the Contractor Information Worksheet (CIW) section 1 and any remaining portions of section 2 and then submits via to the GSA Region 10 Security Office (r10pbssecurity@gsa.gov). The GSA requesting official must be copied on the or the contractor may submit the CIW per the instructions provided by the GSA requesting official (ex. sends completed CIW to requesting official). The CIW serves as the requesting official s acknowledgment that the contract employee is related to the project and that a security clearance is required. Contractor Information Worksheet (CIW) completion guidelines a. The CIW must contain a valid address for the contract employee in Section 1. This can be a personal or business address, but needs to be one that the contract employee or a contract company representative has regular access to. If the contract employee, doesn t already have an address the employee may use one of the many free providers (ex. MSN s hotmail.com account). All notifications during the e-qip process will be sent to this address. b. The complete CIW must be typed and saved as a Microsoft Word document and then sent electronically as an attachment to the GSA Security Office address. Please refer to Appendix G for directions on encrypting the document to prevent release of Personally Identifiable Information (PII). 6
23 General Services Administration c. The CIW may be submitted to the GSA Security Office by either GSA requesting official or the contract company representative. If submitted by the contract company representative directly to GSA s Security Office, the requesting official must be copied on the . Submissions which do not include the GSA requesting official s address will not be accepted. d. An incorrect or incomplete CIW will be returned to the sender for corrections. 3. After the CIW is ed to GSA s Security Office, the information is inputted into GSA s security database and forwarded to the Federal Protective Service (FPS) a agency within the Department of Homeland Security (DHS). 4. FPS receives the CIW from the GSA Security Office and creates a user profile for the contract employee. This initiates e-qip invitation to the contract employee that is sent to the address as provided in Section 1 of the CIW. Included in the invitation is an instructional reference guide to assist the applicant in the completion of the e-qip file. The contract employee has: a. Seven (7) days to initially log into the e-qip system before being considered delinquent. b. Seven (7) days to complete the form in e-qip before being considered delinquent. c. If a contract employee is terminated from the e-qip system the personnel security investigation has not yet begun therefore, no notice of initial adjudication will be made. Failure to complete the forms via e-qip prohibits the contract employee from routine access on or in a federal facility. 5. The e-qip invitation can be accessed from any computer connected to the internet. Included in the e-qip invitation is the standard Form 85P, Questionnaire for Public Trust Positions (SF-85P) forms. The invitation includes an instructional reference guide however additional assistance for e-qip completion has been included below and later in this guide. e-qip invitation completion assistance a. The e-qip frequently asked questions website: b. If the contract employee is unable to access the e-qip website or experiencing other technical problems, the individual may contact the OPM Help Desk at The hours of operation are 6:30am 10:30pm, Monday through Friday and 7:30am 3:00pm on Saturday, all times are Eastern Standard Time. c. For other problems such as golden question reset or general e-qip assistance call the FPS regional adjudicator. Points of contact and phone numbers are provided on all e-qip related s sent by FPS. d. Once the on-line form is completed and validated, the contract employee needs to print out and sign all signature pages. 5A. In addition to completing the e-qip invitation the contract employee must submit (2) two sets of FD-258 fingerprint cards. 1. The contract employee will need to obtain two sets FD-258 fingerprint cards. FD-258 fingerprint cards may be obtained from the GSA Security Office by request or at a local law enforcement agency. GSA has the Livescan electronic fingerprint system available at several 7
24 General Services Administration GSA Service Centers, please verify with the GSA requesting official (ex. contracting officer, COR) the use and availability. Also, some law enforcement agencies provide fingerprinting services as part of the fee, others do not. The only acceptable fingerprint card is the FD-258; no other card types will be accepted. 2. The personal information on both of the FD-258 fingerprint cards should be left blank until the fingerprints are recorded on the cards. Some organizations have electronic means to take fingerprints and the system will print the personal data on the card, while other providers do not have this capability, which results in the applicant having to hand-write the personal information on the cards in black ink only. Regardless of the method utilized to obtain the prints, the applicant is responsible for ensuring all personal information is filled out. Step-bystep instructions on how to properly fill out the personal information portion of the FD-258 card is available in Appendix J. 3. The contract employee must then deliver or mail the signature pages and two (2) sets of FD- 258 fingerprint cards to the Region 10 GSA Security Office, th Street SW, Room Northeast, Auburn, WA Receipt of the required signature forms and fingerprint cards are logged into the security database. The GSA Security Office then forwards to DHS FPS. Hard Copy Submittal: The GSA Security Office will accept hard copies submittals of the standard form 85P, however this method is discouraged and requires prior approval by the Security Office; it is highly recommended to complete the forms and submit via the e-qip invitation. The GSA Regional Security Office is not permitted to make any changes to any of the personnel security investigation forms. Therefore, if discrepancies are noted during this review, the entire personnel security investigation package will be returned to the applicant s company representative. Included will be a discrepancy form listing all noted errors and what actions are required to correct the deficiencies. Although the GSA Regional Security Office provides a discrepancy list with each returned package, this is no guarantee the GSA Security POC will note all necessary corrections to the forms being sent to the FPS regional adjudicators. If additional corrections are noted by the FPS adjudicators, the package would once again be sent back to the contract company s representative further delaying the process. 7. FPS will perform a review of the e-qip packet or the hard copy personnel security investigation package, return for any corrections or accept it. The contract employee will need to monitor their account. If FPS detects any errors in the e-qip submission, they will provide instructions on how to correct them via only. Failure to initially log into e-qip, complete the form, or correct identified discrepancies, may result in the contract employee being terminated from the e- QIP system. If at any time the contract employee reenters their personal data on the e-qip system (i.e. to make corrections or changes) the entire e-qip file will need to be revalidated. The contract employee must then print out, sign and date new signature pages. If new signature pages are required the second set of signature pages with a legible signature may be scanned and submitted electronically to r10pbssecurity@gsa.gov or faxed to the GSA Security Office at Each time e-qip is accessed, the system automatically assigns a new control number. The control number from e-qip and the signature sheets must match or the personnel security investigation will be rejected. Hard copy submissions requiring corrections or additional information are returned to the GSA Security Office and mailed back to the point of contact in Section 2 of the CIW, usually the contract company representative via FedEx. 8
25 General Services Administration 8. Upon receipt of a completed personnel security package, FPS starts the process of adjudication. A Notice of Initial Adjudication (NIA), stating the enter on duty (EOD) date is ed to the contract company and to the GSA Security Office. Once the personnel security investigation is accepted by FPS, they will begin the process of providing an initial suitability determination. When either a favorable or unfavorable initial suitability determination has been made, normally within five (5) business days, FPS will make notification of the decision via to the contract employee and GSA s Security Office. If an unfavorable notification the contract employee will not be allowed to access federal facilities and space. When a favorable notification is received the GSA Security Office forwards NIA to applicable requesting official, building manager and other required point of contacts to create a building identification/access card. 9. At project completion or at any time by request of a GSA official, the building identification must be returned to the General Service Administration (GSA). The GSA requesting official collects any issued building identification and notifies the GSA Region 10 Security Office of contractors no longer working and the project completion date via to r10pbssecurity@gsa.gov. 10. The Security Office updates contract employee s status to inactive in the security database and destroys any returned badges. 9
26 General Services Administration Short-Term Contractor Clearance (Less than 6 months) Security Clearance Process Flowchart B Short-Term Contractor Security Clearance Process Short-Term Contractor (working less than six months) NAC background investigation required 1. GSA Requesting Official completes CIW (sections 2, 3, 4 & 5), then forwards ( s) to contract company (2 business days) 2. Contract Company completes CIW (sections 1 & any remaining portion of 2), then submits ( s) CIW to Security Office box r10pbssecurity@gsa.gov and cc s GSA Requesting Official (2 business days) 3. Security Office receives CIW and enters into GSA security database, forwards CIW to DHS/FPS (1 business day) 4. DHS/FPS receives CIW and initiates e-qip invitation* (via ) to contract employee (3 business days) 9. At project completion the GSA Requesting Official collects any issued building identification and notifies GSA Security Office via at r10pbssecurity@gsa. gov of collected badges and project completion date (1 business day) 8. Security Office forwards NIA to applicable building manager to create building identification (1 business day) 10. Security Office updates contract employee status in security database (1 business day) 7. DHS/FPS begins investigation and s NIA date to Security Office and contract employee* (5 business days, pending receipt of completed security packet) Security clearance complete 6. Security Office receives forms, logs receipt in GSA security database and forwards to DHS/FPS (1 business day) 5A. In addition to e-qip contract employee must submit two sets of FD258 fingerprint cards. Fingerprinting services are provided by GSA Livescan and local police departments (within the 7 business days of e-qip invitation) 5. Contract employee completes SF85P through the e- QIP, prints and signs signature pages (7 business days) Acronyms: CIW: Contract Information Worksheet e-qip: Office of Personnel Management s secure portal to complete and submit security forms. NAC Clearance: good for six months NIA: Notice of Initial Adjudication *If NIA is unfavorable contract employee not allowed to work in GSA controlled facilities. On Occasion: Other Agencies may require access into GSA s controlled space (ex. phone closets). GSA cannot do clearances on other agencie s contractors. The coordination of these contractors should be coordinated with the GSA Property Management. *If DHS/FPS finds errors, incomplete information or requires additional documentation, they send new e-qip invitation. Contract employee must make needed updates/changes and resubmit new signature pages to Security office. Responsibility: GSA Requesting Official: GSA Government Official, ex. CO, COR, Property Manager or Project Manager Contract Company GSA Region 10 Security Office DHS/FPS: Department of Homeland Security/Federal Protective Service Contract employee: contracted by Contract Company 10
27 General Services Administration Long-Term Contractor Clearance (Greater than 6 months) Security Clearance Process When a GSA Requesting Official determines a contactor will require access to federal space for period greater than six (6) months the contractor is required to submit to a National Agency Check with written inquiries (NACI) personnel security investigation. The NACI is required by contractors who require routine access for more than six (6) months, those who need Information Technology (IT) access (regardless of how long they will be working on a GSA contract) and also applies to those contractors for whom the GSA Requesting Official determines may be needed on multiple contracts, and thus cannot be cleared using the procedures for short-term contractors described on the previous pages. This level of personnel security investigation is HSPD-12 compliant. To receive a NACI clearance, a Contractor Information Worksheet (CIW) version 2, SF85-P form through e-qip, two sets of FD258 fingerprint cards and signed signature pages are required. Long-Term Clearance submission procedures 1. When National Agency Check with written inquiries (NACI) personnel security investigation is required, the GSA Requesting Official completes the Contractor Information Worksheet (CIW) sections 2, 3, 4 and 5, and then s to contract company representative. The GSA Requesting Official has the overall responsibility to ensure the CIW is complete and correct. Special attention should be given in the case of subcontractors to ensure the subcontract company s information is correct. The contractor s company representatives, as well as the contract employee are normally required to provide assistance in the completion of this form. Refer to Appendix A for detailed instructions on completing the CIW. 1A. ARRA Projects: If the contract employee is working on a project associated to the American Recovery and Reinvestment Act (ARRA), the comments/note section at the bottom of the CIW must be notated: ARRA contract employee. 2. The contract company representative completes the Contractor Information Worksheet (CIW) section 1 and any remaining portions of section 2 and then submits via to the GSA Region 10 Security Office (r10pbssecurity@gsa.gov). The GSA requesting official must be copied on the or the contractor may submit the CIW per the instructions provided by the GSA requesting official (ex. sends completed CIW to requesting official). The CIW serves as the requesting official s acknowledgment that the contract employee is related to the project and that a security clearance is required. Contractor Information Worksheet (CIW) completion guidelines a. The CIW must contain a valid address for the contract employee in Section 1. This may be a personal or business address, but needs to be one that the contract employee or a contract company representative has regular access to. If the contract employee, doesn t already have an address the employee may use one of the many free providers (ex. MSN s hotmail.com account). All notifications during the e-qip process will be sent to this address. b. The complete CIW must be typed and saved as a Microsoft Word document and then sent electronically as an attachment to the GSA Security Office address. Please refer to Appendix G for directions on encrypting the document to prevent release of Personally Identifiable Information (PII). 11
28 General Services Administration e. The CIW may be submitted to the GSA Security Office by either GSA requesting official or the contract company representative. If submitted by the contract company representative directly to GSA s Security Office, the requesting official must be copied on the . Submissions which do not include the GSA requesting official s address will not be accepted. f. An incorrect or incomplete CIW will be returned to the sender for corrections. 3. After the CIW is ed to GSA s Security Office, the information is inputted into GSA s security database and forwarded to the Federal Protective Service (FPS) a agency within the Department of Homeland Security (DHS). 4. FPS receives the CIW from the GSA Security Office and creates a user profile for the contract employee. This initiates e-qip invitation to the contract employee that is sent to the address as provided in Section 1 of the CIW. Included in the invitation is an instructional reference guide to assist the applicant in the completion of the e-qip file. The contract employee has: a. Seven (7) days to initially log into the e-qip system before being considered delinquent. e. Seven (7) days to complete the form in e-qip before being considered delinquent. f. If a contract employee is terminated from the e-qip system the personnel security investigation has not yet begun therefore, no notice of initial adjudication will be made. Failure to complete the forms via e-qip prohibits the contract employee from routine access on or in a federal facility. 5. The e-qip invitation may be accessed from any computer connected to the internet. Included in the e-qip invitation is the standard Form 85P, Questionnaire for Public Trust Positions (SF-85P) forms. The invitation includes an instructional reference guide however additional assistance for e-qip completion has been included below and later in this guide. e-qip invitation completion assistance a. The e-qip frequently asked questions website: b. If the contract employee is unable to access the e-qip website or experiencing other technical problems, the individual may contact the OPM Help Desk at The hours of operation are 6:30am 10:30pm, Monday through Friday and 7:30am 3:00pm on Saturday, all times are Eastern Standard Time. c. For other problems such as golden question reset or general e-qip assistance call the FPS regional adjudicator. Points of contact and phone numbers are provided on all e-qip related s sent by FPS. g. Once the on-line form is completed and validated, the contract employee needs to print out and sign all signature pages. 5A. In addition to completing the e-qip invitation the contract employee must submit (2) two sets of FD-258 fingerprint cards. 1. The contract employee will need to obtain two sets FD-258 fingerprint cards. FD-258 fingerprint cards may be obtained from the GSA Security Office by request or at a local law enforcement agency. GSA has the Livescan electronic fingerprint system available at several 12
29 General Services Administration GSA Service Centers, please verify with the GSA requesting official (ex. contracting officer, COR) the use and availability. Also, some law enforcement agencies provide fingerprinting services as part of the fee, others do not. The only acceptable fingerprint card is the FD-258; no other card types will be accepted. 2. The personal information on both of the FD-258 fingerprint cards should be left blank until the fingerprints are recorded on the cards. Some organizations have electronic means to take fingerprints and the system will print the personal data on the card, while other providers do not have this capability, which results in the applicant having to hand-write the personal information on the cards in black ink only. Regardless of the method utilized to obtain the prints, the applicant is responsible for ensuring all personal information is filled out. Step-bystep instructions on how to properly fill out the personal information portion of the FD-258 card is available in Appendix J. 3. The contract employee must then deliver or mail the signature pages and two (2) sets of FD- 258 fingerprint cards to the Region 10 GSA Security Office, th Street SW, Room Northeast, Auburn, WA Receipt of the required signature forms and fingerprint cards are logged into the security database. The GSA Security Office then forwards to FPS. Hard Copy Submittal: The GSA Security Office will accept hard copies submittals of the standard form 85P, however this method is discouraged and requires prior approval by the Security Office; it is highly recommended to complete the forms and submit via the e-qip invitation. The GSA Regional Security Office is not permitted to make any changes to any of the personnel security investigation forms. Therefore, if discrepancies are noted during this review, the entire personnel security investigation package will be returned to the applicant s company representative. Included will be a discrepancy form listing all noted errors and what actions are required to correct the deficiencies. Although the GSA Regional Security Office provides a discrepancy list with each returned package, this is no guarantee the GSA Security POC will note all necessary corrections to the forms being sent to the FPS regional adjudicators. If additional corrections are noted by the DHS/FPS adjudicators, the package would once again be sent back to the contract company s representative further delaying the process. 7. FPS will perform a review of the e-qip packet or the hard copy personnel security investigation package, return for any corrections or accept it. The contract employee will need to monitor their account. If FPS detects any errors in the e-qip submission, they will provide instructions on how to correct them via only. Failure to initially log into e-qip, complete the form, or correct identified discrepancies, may result in the contract employee being terminated from the e- QIP system. If at any time the contract employee reenters their personal data on the e-qip system (i.e. to make corrections or changes) the entire e-qip file will need to be revalidated. The contract employee must then print out, sign and date new signature sheets. If new signature pages are required the second set of signature pages with a legible signature may be scanned and submitted electronically to r10pbssecurity@gsa.gov or faxed to the GSA Security Office at Each time e-qip is accessed, the system automatically assigns a new control number. The control number from e-qip and the signature sheets must match or the personnel security investigation will be rejected. Upon receipt of a completed personnel security package, FPS starts the process of adjudication. A Notice of Initial Adjudication (NIA), stating the enter on duty (EOD) date is ed to the contract company and to the GSA Security Office. 13
30 General Services Administration Hard copy submissions requiring corrections or additional information are returned to the GSA Security Office and mailed back to the point of contact in Section 2 of the CIW, usually the contract company representative via FedEx. 8. Once the personnel security investigation is accepted by FPS, they will begin the process of providing an initial suitability determination. When either a favorable or unfavorable initial suitability determination has been made, normally within five (5) business days, FPS will make notification of the decision via to the contract employee and GSA s Security Office. If an unfavorable notification the contract employee will not be allowed to access federal facilities and space. When a favorable notification is received, the GSA Security Office forwards NIA to applicable requesting official, building manager and other required point of contacts to create a building identification/access card. 9. After FPS has issued an initial suitability determination the personnel security investigation is forwarded to the Office of Personnel Management (OPM) to complete the written inquiries portion of the investigation. 10. At this time if an HSPD-12 credential is required, the GSA Requesting Official or Contract Company may request an HSPD-12 credential sponsorship form by ing the GSA Security Office at (r10pbssecurity@gsa.gov). The contract company representative must compile the required information for each GSA contract employee meeting the requirements for a HSPD-12 credential and send to the GSA R10 Security Office address. There are specific instructions enclosed with this spreadsheet, on how to fill it out, how to find the building number the contractor works at, and how to encrypt the spreadsheet prior to ing back to the GSA Security Office. The encrypting process is to ensure the integrity of the private information is not compromised. 11. At project completion or at any time by request of a GSA official, the building identification must be returned to the General Service Administration (GSA). The GSA requesting official collects any issued building identification and notifies the GSA Region 10 Security Office of contractors no longer working and the project completion date via to r10pbssecurity@gsa.gov. The Security Office updates contract employee s status to inactive in the security database and shreds any returned badges. 14
31 General Services Administration Long-Term Contractor Clearance (Greater than 6 months) Security Clearance Process Flowchart C Long-Term Contractor Security Clearance Process 15
32 General Services Administration Obtaining an HSPD-12 Credential Homeland Security Presidential Directive-12 (HSPD-12), signed on August 27, 2004, requires the development and implementation of a mandatory, government-wide standard for secure and reliable forms of identification for Federal employees and contractors. See Appendix A for HSPD-12 Presidential Directive. The new Personal Identity Verification (PIV) card is a secure, smart card that meets HSPD-12 requirements and provides one standard credential for identification, building access, network access, and privacy protection. All current GSA contractors who require routine access to GSA facilities or IT systems must have a suitable personnel investigation completed or in process in accordance with HSPD-12 guidelines. To find out whether you have a personnel investigation completed or in process, contact your Contracting Officer (CO) or Contracting Officer s Technical Representative (COTR). Which contractors require an HSPD-12 card? HSPD-12 cards are required for all contractors who meet any one of the criteria in the checklist table below. Check Box Criteria GSA contractor requires routine access to one or more GSA-controlled facilities for more than 6 months. GSA contractor requires routine access for more than 6 months to a GSAcontrolled facility that is under construction, and the facility is considered to be substantially complete. GSA contractor requires routine access for more than 6 months to a GSAcontrolled facility that is in a repair and alteration project where the facility does not have isolated access for construction contractors and other workers. GSA Lessor and/or Lessor staff that requires routine access for more than 6 months to the GSA government leased space within a facility security level 3 100% government occupied or level 4 leased facilities. GSA contractor requires access to one or more GSA-controlled information systems (including GSA Lotus Notes ) or networks, regardless if the contractor is a long-term (more than 6 months) or short-term (6 months or less) and regardless of the employee or contractors physical location from which an accesses the GSA IT system or network. 16
33 General Services Administration 1. After a determination is made that an HSPD-12 credential is required an HSPD-12 credentialing sponsorship spreadsheet, must be completed. The HSPD-12 credentialing sponsorship spreadsheet may be obtained by contacting the GSA Region 10 Security Office. The completed HSPD-12 sponsorship spreadsheet may be ed to r10pbssecurity@gsa.gov or to your Region 10 Security POC. 2. The security office will contact the HSPD-12 Program Management Office with the list of individuals to be sponsored. The GSA Security Office will sponsor individuals on a weekly basis. When sponsorship status is has occurred each individual contract employee will receive an stating that they have been sponsored. Individuals must enroll within thirty (30) days of being sponsored. After 30 days the contractor/employee will receive a reminder via . If action is not completed within 60 days the GSA Contracting Officer/Contracting Officer Representative is notified. If not enrolled after 90 days, access to GSA s Federal Space will be denied and/or IT use prohibited. 3. This sponsorship will be sent to the addressed noted on the HSPD-12 credential sponsorship sheet submitted to the GSA Security Office by the contract company representative. The will instruct the contractor to disregard the card pick up location information because it is incorrect but retain the PIN and use the link to schedule their card activation appointment. This will have specific instructions on how to find the nearest credentialing station and how to make an enrollment appointment. To enroll the contract employee will be required to bring two (2) forms of valid government issued identification. A list of these documents is available at This link also provides additional information about the HSPD-12 credential, a credential station locator, and other important information. IMPORTANT: DO NOT make an appointment to enroll until you have received an notifying you that you have been sponsored. You may not enroll to receive a credential until you have been sponsored. To make an appointment you will be required to create a user name and password. If you forget this when you make your activation appointment, you can create a new one. There will be two choices: Enroll, and Pick up Card. Enroll will be your first trip to the credential station to enroll yourself. Pick up Card means you have received your card and you are making an appointment to activate it. 4. Once you enroll, you will receive an indicating your credential has been produced and is being delivered. It may also tell you to make an additional appointment to pick up your card (credential). DO NOT make an appointment to pick your credential up at this time. The pick up card appointment is to activate the credential; after you have already received it. Credential/Enrollment Stations: There may not be credential stations in all locations. You may be required to drive up to a 100 miles to the nearest credential station. Please use the above website to continue to look for new credential stations. Mobile Stations: GSA and other federal agencies will soon have a wave of mobile stations coming to several areas that do not have permanent stations. It is imperative that you submit your sponsorship information as soon as possible so you can utilize these mobile stations if they come to your area. This might limit the need to drive to a much further station. 17
34 General Services Administration 5. The HSPD-12 credential is shipped to the GSA Region 10 Security Office. The GSA Security Office will then ship the credential to the contract company representative or to a GSA Official in the general proximity to the building that the contract employee works at for distribution. 6. Once the contract employee receives the HSPD-12 credential the card will need to be activated. The contract employee or contract employee representative must make an additional appointment at the credential station. The received regarding that the HSPD-12 was ready for pick-up may state that the contract employee bring the provided PIN number to the activation appointment. If the PIN is available, please send it with the contract employee to the appointment. However, if it was not received or it was misplaced the contract employee may enroll without it. Upon activation, the process is completed and the HSPD-12 credential is good for up to five years. The expiration date is located on the top right hand side of the credential. Note: The overall goal of the HSPD-12 credential is allow the federal government employees and contractors to have one easily identifiable credential. However, there may be the need for a contractor to have a facility access card. The facility access card is the card most contractors receive now. It is generally made at the building you work in and must be displayed while on the premises performing contract duties. Each contractor may be required to have both, however, check with your GSA property management office to be sure. Eventually these new HPDS-12 credentials will be used as key cards to the building, eliminating the need for an additional facility access card. A temporary facility access card may also be required until each contractor has a chance to enroll and receive their GSA HSPD-12 credential. The HSPD-12 credential is your official government Identification and must be on your person at all times during work on government property, even if you are required to have an additional building specific badge such as a facility access card. Returning a HSPD-12 Credential If a Contract Company and/or contract employee is no longer working on a GSA contract, the GSA Security Office must be notified and the HSPD-12 credential and any other building badge or access card must be returned to a GSA Official; such as a Property Manager, Contracting Officer Representative (COR), or other GSA representative. The contract company representative may notify the GSA Security Office via at r10pbssecurity@gsa.gov or by calling any of the GSA Security Office Representatives. Returned HSPD-12 Credentials may be mailed to the GSA Security Office at th Street SW, Auburn, WA Additional contact Information for the Region 10 Security Office representatives is included on the last page of this guide. The GSA Requesting Official is responsible for the HSPD-12 credential and any issued facility access cards from the date of issue until it is collected for destruction upon expiration of contract, termination of the employee or removal from a contract. Reporting a lost or stolen HSPD-12 Credential A lost or stolen HSPD-12 credential must be reported immediately to the GSA Security Office at r10pbssecurity@gsa.gov, or by calling any of the GSA security points of contacts on the GSA Security Points of Contact page of this guide. Additional information on GSA s HSPD-12 Credential Program Refer to GSA HSPD-12 Handbook, CIO P 2181 at 18
35 General Services Administration Frequently asked questions regarding the HSPD-12 Credential Is a background investigation required to receive a card? Yes. Employees and contractors will continue to submit fingerprints for an FBI background criminal check. Once the fingerprint check is completed, employees and contractors will submit a National Agency Check with Inquiries (NAC-I), which is an investigation consisting of a record searches and written inquiries covering specific areas of a person's background during the past 5 years. Your NAC-I investigation must be initiated for you to enroll for a HSPD-12 credential. How will I know when to enroll for my HSPD-12 card? Once your information has been entered into the system as a part of the sponsorship, you will receive an from HSPD12PMO@gsa.gov. The will contain instructions to schedule an appointment at a GSA enrollment center to enroll for your new card, submit proof of ID documents, and get your fingerprints taken. Do I need a card if I am a temporary GSA contractor? Temporary contractors (those employed six months or less) must undergo a background investigation only if they will require routine access to GSA-controlled facilities for more than ten days. Generally, temporary contractors do not receive a HSPD-12 credential unless they require access to GSA IT systems. Temporary contractors needing issuance of a GSA HSPD-12 credential and/or access to IT systems must abide by the same personnel investigation requirements as those for longterm contractors. The Contracting Officer is responsible for determining who is a long-term or a temporary contractor. Can I have my nick name (short name) or middle name printed on the HSPD-12 card? The new HSPD-12 card is an identification card issued based on the applicant's legal documents. Applicant's name should exactly match the name on the Govt. issued photo identification documents. Also, the Managed Service Office (MSO) has mandated that all HSPD-12 cards show full first name, middle initial, and last name. The HSPD-12 card can not deviate from this format. What do I do if I recently changed my name (ex., marriage) but was sponsored under my old name? It is important that your name displayed on the HSPD-12 card matches the name that is on your proof of identification documents provided during the enrollment process. You will need to present two forms of identification (See the List of Acceptable Forms of Identification guide at during your enrollment appointment with your correct legal name. If your legal name was changed on your IDs but not updated in the HSPD-12 system, please HSPD12PMO@gsa.gov, and someone will work with you to update your information. When I pick up my new HSPD-12 card, can I keep my old GSA badge I need to enter my physical access controlled buildings? This depends on the security policies and job requirements of the GSA contract you are working on. You may keep your old GSA badge if you need to enter a facility that is governed by a physical access control system. Consult your contracting officers (COs) on the policy of keeping your old GSA badge and what to do with your new HSPD-12 card. 19
36 General Services Administration Do I need to pick up my new HSPD-12 card in Washington, DC as stated in the "USAccess - Credential Ready for Pick Up" ? No, please wait until you receive your HSPD-12 card and take it with you along with proper identification to your activation appointment. All HSPD-12 cards will be sent by GSA s Region 10 Security Office to a GSA Service Center Representative or to a Representative of the Contract Company to be distributed to you. How will I know when to go to an enrollment station? You will be contacted via to set up an appointment time for your new credential. At that point, you will be given the opportunity to select the nearest enrollment stations from the list of those available. Enrollment stations will be deployed across the nation. Additionally, the use of mobile enrollment stations will increase accessibility of enrollment centers to GSA personnel. Do I need to bring anything when I go to the enrollment station? Once scheduled to receive your new ID credential, you must bring two forms of government-issued identity verification to the enrollment site. One form of verification must be a government-issued photo ID. A partial list of approved verification documents is provided below: Driver's License Military ID US Passport (unexpired or expired) Foreign Passport (unexpired) Permanent Resident Card (with photo) Alien Registration Receipt Card (with photo) Certificate of U.S. Citizenship Birth Certificate Voter's Registration Card Please refer to Form I-9 for a complete list of which forms of identification are acceptable. Most of my co-workers have already been told to get their Cards, should I go with them? No. You will receive an notification requesting you to schedule a day and time to enroll for your card. This will ensure minimizing your time waiting in line by controlling the flow of applicants to the enrollment station. How do I take care of my HSPD-12 card? Do not mark on, punch holes in, or bend your card, as this will void the card warranty and could cause the protective plastic covering to peel away prematurely. Do not scratch the magnetic strip on your card. Avoid storing your card in areas subject to excessive heat (e.g. clothes dryer) or in direct sunlight (e.g. car dashboards) as the card could warp. Do not allow the card near magnetic fields (e.g. stereo equipment, magnets, other magnetic stripe cards, etc.) For best protection, please keep your card in your badge holder when not in use. 20
37 General Services Administration Obtaining an HSPD-12 Credential (flowchart) Flowchart D Obtaining an HSPD-12 Credential (Long-Term Contractors) Security Clearance Process 21
38 General Services Administration Obtaining a Building Identification Badge Contractor Badge Standard First Name Last Name Company Name Service Center Exp. Date: 10/23/06 1. All badges issued by the Service Centers and GSA Property Management Offices must meet the Region 10 Standard. Each badge must contain the following: a. Contractor Photo (in color) b. Contractor Employee Name c. Contractor Company Name d. Expiration Date (note: Expiration date may not exceed a period of one year). e. Service Center (Ex: Western Service Center) or All R10 Federal Buildings f. GSA Northwest Artic Region (at top) g. The word Contractor in Bold Red 2. If the badge is used as an access control card, the clearance expiration date must match the date put in the access control card system. Note: Even though a contractor may have a clearance good for five (5) years do not use that date on their badge. However, you may use the length of the contract if it does not exceed more than one year. 3. When the contractor leaves the contract or finishes the work, the badge must be returned to the appropriate property management office or service center and taken out of the access card system (if used as access card). 4. Yearly at a minimum, the GSA Property Manager will conduct and review their access control database to ensure integrity and security of the facility. 22
39 General Services Administration Previously Cleared Contractors (Reciprocity) Security Clearance Process HSPD-12 implementing guidelines specify that federal agencies shall not re-adjudicate contractors with a previous personnel security investigation by another federal agency provided the following requirements are met: The applicant has a current HSPD-12 investigation, NACI, or higher level (NACLC is not equivalent to a NACI because the written inquiries portion is missing) There is less than a two year break in service since working on the last Federal contract Although individuals with a previous clearance will not be re-adjudicated, the individual s previous security clearance will be recertified. In order to recertify a previous clearance, GSA and FPS require the following: GSA procedures 1. Complete CIW, noting that there was a prior federal government investigation, the agency and the date completed. Also, in the comments section of the CIW it must include the previous agency point of contact name and type of investigation performed. Please submit any copies of adjudication letters received with the CIW. 2. GSA Regional Office will attempt to get contractor to furnish a copy of previous investigation results, if available. 3. If the investigation was completed more than two years ago, include in the comments section the last date worked and a POC who can verify employment. (This step is necessary to ensure that there has not been a break in service of two years or more.) 4. Submit the CIW and copy of the previous investigation results, if available, to FPS following the established procedures. New fingerprints and new 85P are not required if they were completed less than five years ago. If the fingerprints and 85P are more than five years old, then complete new package (CIW, 85P, fingerprints) shall be submitted. FPS procedures FPS will verify the former investigation and if needed contact former agency POC to confirm, and use this information (if they find the investigation and adjudication) to issue an Enter on Duty (EOD) determination. Alternately, if a copy of the previous investigation results were submitted by the applicant, FPS shall attempt to verify its validity. If the investigation was more than two years old, FPS Regional office will contact the POC to verify last date of employment with the government or on behalf of the government prior to issuing the EOD determination. If the investigation is not found, or not adequate (not a NACI or higher), or there was a break in service of more than two years, the CIW will be returned to GSA and the contractor will be required to submit a new complete package (CIW, SF85P and FD-258 fingerprint cards). 23
40 General Services Administration Child-Care Worker Security Clearance Process The following is the process for personnel security investigations for those applying to work in GSA controlled child-care facilities as stated by the Memorandum, Background Checks for Child Development Center Works in GSA Controlled Facilities dated November 30, For training on the security clearance process or for any additional questions regarding GSA Region 10 Child Care policies you may contact the Regional Child Care Coordinator. Submission process: 1. Immediately upon hire the Child Care Center Director/Provider faxes the Name Check Information Sheet to the Department of Homeland Security/Federal Protective Service (DHS/FPS) at (253) Fill out electronically, but print hard copy for signature. A hard copy Name Check Information sheet is enclosed in Appendix M. A Child Care Director/Provider may hire the applicant/employee with the condition of a favorable background adjudication. a. DHS/FPS will give initial adjudication within two (2) business days of receipt of request. b. Cost covered under basic security charge. 2. DHS/FPS will conduct a preliminary investigation and notify via the initial adjudication results to the Child Care Director/Provider with a copy (cc) to the GSA Security Office. a. If the initial adjudication is favorable the Child Care Director/Provider may allow the applicant/employee to begin working in a classroom, supervised by another employee who has a favorable adjudication. b. The Child Care/Director and the GSA Security Office must be notified immediately of an applicant that has been denied approval to work in the Child Care Center. 3. With the initial favorable adjudication DHS/FPS also sends a request to the Childcare Director/Provider to have the background investigation forms completed. This background investigation will expire after five (5) years so a childcare applicant/employee must complete a renewal background investigation after this time. The employee/applicant has five (5) business days to complete the following forms and return them to FPS via Fed Ex. The Child Care Director notifies the GSA Security Office via at r10pbssecurity@gsa.gov of the date that the completed package was submitted to FPS. a. A copy of the Pre-employment certification sheet. b. A properly completed GSA Form 176, #1-15, 18-19a and all sections on Page 4. Please refer to the appendix section of this guide for assistance in completing the GSA Form 176. The completed typed form 176 with legible signature may be scanned and submitted electronically to r10pbssecurity@gsa.gov or faxed to the GSA Security Office at
41 General Services Administration c. Two (2) completed FD 258 Fingerprint cards. Step by step instructions on how to complete the FD-258 card is available in the appendix section of this guide. Note: The personal information on both FD-258s should be left blank until the fingerprints are recorded on the cards. Some organizations have electronic means to take fingerprints and the system will print the personal data on the card, while other providers do not have this capability, which results in the applicant having to hand-write the personal information on the cards in black ink only. The applicant is responsible for ensuring all personal information is filled out correctly. 4. If DHS/FPS find errors, incomplete information or require additional documentation; they send a notification on clarification request via a new e-qip invitation to be completed immediately. The applicant/employee must work with the Child Care Director/Provider to make the required changes and resubmit to DHS/FPS. 5. The Security Office records the date of the initial adjudication in excel database under initial start date and renewal date. NOTE: These dates should be the same, as the applicant is not allowed to begin work until they have a favorable initial adjudication. The date that the packet is required to be returned to DHS/FPS is also recorded. a. Case cancellations: The Child Care Director/Provider must immediately notify their DHS/FPS office of any situation pertaining to a new hire that will affect the background suitability clearance process. (Ex. if between the time personal information on a new hire is submitted for a name check and the date that the new hire is to officially report for work, the new hire does not report, then FPS must be immediately notified to stop the clearance process). 6. For applicant/employees who are working in a facility that requires a GSA building badge the Security Office will the appropriate property badging point of contact to notify them that the employee has been authorized a building identification badge. GSA Child Care facilities that require a GSA issued identification badge: ALASKA WASHINGTON Gold Creek Child Care Center Building Blocks Child Development Center Fed Bldg-Post Office & Courthouse th Street, SW P.O. Box Auburn, WA W. 9th Street (253) fax Juneau, AK Growing Years Child Development Center Oregon 4735 E Marginal Way South Joyful Noise EAST Seattle, WA NE 11th Ave (206) / fax Portland, OR (503) / fax When a final adjudication is received, DHS/FPS notifies via the Child Care Director/Provider with a copy to the GSA Security Office. a. The GSA Security Office records the dates in the excel spreadsheet. 25
42 General Services Administration 8. When an employee separates from the Child Care center a separation is sent by the Child Care Director/Provider to DHS/FPS at suitability-fpsr10@dhs.gov and copies the GSA Security Office at r10pbssecurity@gsa.gov. The subject line should state childcare and include the facility name. The body of the must state the employee name and the date of separation. The GSA Security Offices records the separation date into the security database. The Child Care Director is responsible for obtaining any issued GSA building identification badges. 9. The GSA Child Care Coordinator generates reports from the security database to send to GSA s National Office identifying the following information by center: a. Total number of staff in each center b. Total number of staff with cleared background checks c. Total number of background checks in process d. Sixty (60) days late from FPS e. Incomplete background checks packets f. Five (5) days late from the provider g. Percentage of cleared staff. 10. The GSA Security Office will provide the GSA Child Care Coordinator and the Child Care Director/Provider with a quarterly report in October, January, April and July of the childcare employee(s) who are approaching their five (5) year background investigation expiration and will need to have a renewal investigation completed. 26
43 General Services Administration Child-Care Worker Security Clearance Process Flowchart J Child Care Worker GSA Controlled Child Care Facilities Security Clearance Process Security Clearance Process 1. A name check check is completed and faxed to DHS/ FPS at (253) (1 business day) 2. DHS/FPS grants initial adjudication and notifies the Child Care Director/Provider and Security Department (2 business days) Favorable 2a. The Child Care Director/Provider may allow the applicant/employee to begin working with another adjudicated worker (1 business day) 3. The applicant/ employee completes the remaining background investigation forms (within 5 business days) Unfavorable 8. When an employee separation occurs the Child Care Director/ Provider completes a separation form and to FPS with a copy to the Security Office. The Child Care Director obtains any issued building badges. (1 business day) 2b. Applicant unable to work in GSA Controlled Child Care Facilities 7. DHS/FPS notifies Child Care Director/Provider, applicant/employee and Security Office of final investigation results (FNA) via 6. Security s the badging POC for applicant/ employee(s) requiring a GSA issued building identification card (1 business day) 5. Security Office records initial adjudication date into GSA security database (1 business day) 4. If DHS/FPS finds errors, incomplete information or requires additional documentation, they send new e-qip invitation. Applicant/ Employee must work with the Child Care Director/Provider to make needed updates/ changes and submit to DHS/FPS. (if required) 9. The Child Care Coordinator generates a report to National Office on each centers child care worker s clearance process (monthly) 10. Security Office provides a renewal report to the Child Care Coordinator and Director/Provider of upcoming background clearance expiration dates (quarterly) Clearance Process Complete 27
44 General Services Administration Appendix: A HSPD-12 Directive For Immediate Release Office of the Press Secretary August 27, 2004 Homeland Security Presidential Directive/Hspd-12 Subject: Policy for a Common Identification Standard for Federal Employees and Contractors (1) Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). (2) To implement the policy set forth in paragraph (1), the Secretary of Commerce shall promulgate in accordance with applicable law a Federal standard for secure and reliable forms of identification (the "Standard") not later than 6 months after the date of this directive in consultation with the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the Director of the Office of Science and Technology Policy. The Secretary of Commerce shall periodically review the Standard and update the Standard as appropriate in consultation with the affected agencies. (3) "Secure and reliable forms of identification" for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee's identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process. The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application. The Standard shall not apply to identification associated with national security systems as defined by 44 U.S.C. 3542(b) (2). (4) Not later than 4 months following promulgation of the Standard, the heads of executive departments and agencies shall have a program in place to ensure that identification issued by their departments and agencies to Federal employees and contractors meets the Standard. As promptly as possible, but in no case later than 8 months after the date of promulgation of the Standard, the heads of executive departments and agencies shall, to the maximum extent practicable, require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems. Departments and 28
45 General Services Administration agencies shall implement this directive in a manner consistent with ongoing Governmentwide activities, policies and guidance issued by OMB, which shall ensure compliance. (5) Not later than 6 months following promulgation of the Standard, the heads of executive departments and agencies shall identify to the Assistant to the President for Homeland Security and the Director of OMB those Federally controlled facilities, Federally controlled information systems, and other Federal applications that are important for security and for which use of the Standard in circumstances not covered by this directive should be considered. Not later than 7 months following the promulgation of the Standard, the Assistant to the President for Homeland Security and the Director of OMB shall make recommendations to the President concerning possible use of the Standard for such additional Federal applications. (6) This directive shall be implemented in a manner consistent with the Constitution and applicable laws, including the Privacy Act (5 U.S.C. 552a) and other statutes protecting the rights of Americans. (7) Nothing in this directive alters, or impedes the ability to carry out, the authorities of the Federal departments and agencies to perform their responsibilities under law and consistent with applicable legal authorities and presidential guidance. This directive is intended only to improve the internal management of the executive branch of the Federal Government, and it is not intended to, and does not, create any right or benefit enforceable at law or in equity by any party against the United States, its departments, agencies, entities, officers, employees or agents, or any other person. (8) The Assistant to the President for Homeland Security shall report to me not later than 7 months after the promulgation of the Standard on progress made to implement this directive, and shall thereafter report to me on such progress or any recommended changes from time to time as appropriate. GEORGE W. BUSH 29
46 General Services Administration Appendix B: Contractor Information Worksheet (CIW) Version 2 completion instructions & sample form Top of page: (GSA Requesting Official to complete) Type Contractor- Select PBS ARRA long term (more than six months)-select if work related to ARRA Investigation Preference: Select e-qip for SF-85P (all submissions are required via e-qip online; hardcopy submission requires prior approval by the GSA Security Office). Priority: Select Routine Sponsoring Office Symbol: GSA Region: Enter 10 Section 1: Contract Employee Information (Contract Company Representative to complete) Name: Provide full first, middle and last name. If initial only, enter the appropriate initial and IO. If no middle name, enter NMN. Suffix: If none, leave blank, if the applicant has one, enter appropriate suffix (Sr., Jr., III, etc). Social Security #: Enter the full SSN with dashes. Date of Birth: Use the MM/DD/YYYY format. Place of Birth: City: Enter the appropriate city. State: Enter the appropriate two letter abbreviation. If born outside the continental United States, this may be left blank. Country: Enter US or other country as appropriate. Sex: Select the appropriate box. Home Street Address: Enter complete home address with no abbreviations (ex. East). Required for e-qip submissions. This can be the contract company s representative, or the contract employee s personal or business address. Phone # (Day) and Phone # (Cell): Both boxes must be filled in; these two numbers may be the same. Position (Job) Title: Be specific as to the job the applicant is filling. For example use electrician, fence installer, janitorial, etc. IT/System Admin Position: Select this box only if the individual is currently filling a position as a system administrator on a Government Information Technology System. Prior Investigation: Select either yes or no. Investigation Date: Only complete if you selected yes in the previous box, and you have a verifiable date for the previous investigation. If prior investigation, please notate in the comments/note section the government agency that conducted the background, adjudicators name and contact information and as an attachment any adjudication letters received. US Citizen: Select the appropriate box. Non-US Citizens (if the applicant is a US citizen, this may be left blank): 30
47 General Services Administration Port of Entry City and State: Enter the US city and state of entry. Date of Entry: Enter the date the applicant entered the US. <3 Yrs. US Resident: Select if you have been a US Resident for 3 years or more. Alien Registration #: Enter the applicant s registration number. Citizenship: Enter the applicant s current country of citizenship. Section 2: Contract Information (GSA Requesting Official completes, Contract Company completes any remaining portions) Company Name: Enter the name of the company the applicant works for. Company is: Select either Prime or Subcontractor, as appropriate. If Sub, Name of Prime: Only enter information here if the company is a subcontractor. Enter the name of the prime contractor company. Task Order/Delivery Order/ RWA#: Enter the contract number here. If there is no contract number, enter task order number, purchase order or reimbursable work authorization (RWA) number. Contract Number Type: Select appropriate Contract Start Date: Enter the date the contract or lease started. Contract End Date: Enter the end date of the contract or lease. Has Option Years OR End Date TBD: Select the box if applicable. Company Point of Contact (POC) Name: Enter the company s POC. POC Phone # (Day): Enter the phone number for the company s POC. POC address: Enter the address of the company point of contact. Section 3: Project/Work Location Information (GSA Requesting Official to complete) GSA Building Number: Enter the complete GSA building number(s). GSA Building Name: Enter the name of the building(s) where the applicant will be working. Building Address: Enter the complete address of the facility or facilities. Section 4: Type of Investigation Requested for: HSPD-12 Credential (GSA Requesting Official to complete) Select Low Risk (NACI) SF-85P for work/clearances over six (6) months OR select Non-HSPD-12 Credential for work/clearance that is less than six (6) months. Section 5: Requesting Official (Sponsor) Information (GSA Requesting Official to complete; a requesting official may be a contracting officer, property manager, project manager. The requesting official is required to review the CIW for accuracy, appropriate security clearance, contract number and expiration date). Sponsor s Name: Enter the GSA Requesting Official s name. Title: Enter the GSA Requesting Official s job title. Is COR/COTR: Select if the GSA associate is the COR. address: Enter the appropriate address for the GSA associate. Phone # (Day): Enter the phone number for the GSA requesting official. Date Forms were reviewed: enter the date given to Contract Company Comments: ARRA long-term contractors (more than 6 months) must be notated here. Section 6: DHS Federal Protective Service CSA: (Leave blank- for FPS use) 31
48 General Services Administration 32
49 General Services Administration Contractor Information Worksheet Instructions Version 2 (Pg. 2 of 2) If you are having difficulty enabling the macros in the form, please try the following: If you receive an option to enable macros when you open the file, select Enable Macros. If you are not able to make selections or enter text on the form, please adjust your macros security settings. To adjust your settings, open the file. Click on Tools, then move your cursor to Macros, then select Security. On the Security window that appears, select Low, then click OK. Save the file to your workstation. When you reopen it, the form should work properly. Type Contractor Definitions: PBS Contractor: PBS building support contractor Embedded: Embedded or white collar. Formerly identified as Non-PBS Contractor in previous versions of CIW. Child Care: Child care worker External: Does not access GSA building or IT systems Privacy Act Notice Submission Information In compliance with the Privacy Act of 1974, the following information is provided: Solicitation 1. Ensure all information is complete of the information is authorized by the Federal 2. Submit completed worksheet to the GSA Property and Administrative Services Act of Region 10 Security Office via to: 1949, as amended, and Part III of Title 5, U.S.C; r10pbssecurity@gsa.gov with a copy (cc) to the O Disclosure of the information is GSA requesting official. voluntary. This form will be used as a means to prepare and issue a credential or pass. The GSA requesting official must be copied on the Information will be transferred to appropriate or the contractor may submit the CIW per the Federal, State, local or foreign agencies, when instructions provided by the GSA requesting relevant to civil, criminal or regulatory official. investigations or prosecutions, or pursuant to a request by GSA or such other agency in GSA Requesting Official (ex. contracting officer, connection with the firing or retention of an property manager, etc.): completes (sections 2, 3, 4, employee, the issuance of a security clearance, & 5) then s to contract company. the investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit. If the individual does not Contract Company: completes section 1 & any provide some or any part of the requested remaining portion of 2. information, the employee will not be issued a credential and will not be allowed to enter a GSA-controlled building after normal working hours or when the building is under security. 33
50 General Services Administration Appendix C: Instructions on encrypting Personally Identifiable Information (PII) prior to ing Protecting Sensitive Data for transmission through using the WinZip Utility to Encrypt files. 1. From your desktop right click on My Computer and choose Explore (or click on the Windows Explorer icon at the bottom of your screen). 2. Locate folder and file(s) to encrypt. 34
51 General Services Administration 3. Highlight the file(s) that you want to encrypt and right click on it (them). Select WinZip and Add to [name].zip. 4. You will see the zip file created at the bottom in the same folder as the original file. 35
52 General Services Administration 5. Double-click on it and this will open the WinZip dialogue box. Click on the Encrypt button. 6. Check on the box Do not display this dialog box in the future., so it does not slow you down in future encryptions. Click OK. 36
53 General Services Administration 7. This will take you to the Encrypt menu. You will need to type in a password twice to access the encrypted file. Make sure you have selected the 128-bit AES encryption method. Click OK. 8. After the file(s) have been encrypted; close the WinZip box. 9. You may now send the file(s) as an attachment. 10. You will also have to provide the encryption password to the recipient in a separate (2nd) message. 37
54 General Services Administration Appendix D: Instructions for using the e-qip application process 38
DEPARTMENTAL DIRECTIVE
ADMINISTRATIVE COMMUNICATIONS SYSTEM U.S. DEPARTMENT OF EDUCATION DEPARTMENTAL DIRECTIVE OM:5-101 Page 1 of 17 (07/16/2010) Distribution: All Department of Education employees Approved by: /s/ Winona H.
More informationE X E C U T I V E O F F I CE O F T H E P R E S I D EN T
EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 THE DIRECTOR M-05-24 August 5, 2005 MEMORANDUM FOR THE HEADS OF ALL DEPARTMENTS AND AGENCIES FROM: SUBJECT: Joshua
More informationSecurity Language for IT Acquisition Efforts CIO-IT Security-09-48
Security Language for IT Acquisition Efforts CIO-IT Security-09-48 Office of the Senior Agency Information Security Officer VERSION HISTORY/CHANGE RECORD Change Number Person Posting Change Change Reason
More informationFedRAMP Standard Contract Language
FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal
More informationDepartment of Veterans Affairs VA Directive 0710 PERSONNEL SECURITY AND SUITABILITY PROGRAM
Department of Veterans Affairs VA Directive 0710 Washington, DC 20420 Transmittal Sheet June 4, 2010 PERSONNEL SECURITY AND SUITABILITY PROGRAM 1. REASON FOR ISSUE: To revise Department of Veterans Affairs
More informationIT Security Handbook. Incident Response and Management: Targeted Collection of Electronic Data
IT Security Handbook Incident Response and Management: Targeted Collection of Electronic Data ITS HBK 2810.09 03 Effective Date: 20110824 Expiration Date: 20130824 Responsible Office: OCIO/ Deputy CIO
More informationPrivacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015
For Person Authentication Service (PAS) Date: January 9, 2015 Point of Contact and Author: Hanan Abu Lebdeh Hanan.Abulebdeh@ed.gov System Owner: Ganesh Reddy Ganesh.Reddy@ed.gov Office of Federal Student
More informationHomeland Security Virtual Assistance Center
for the Homeland Security Virtual Assistance Center November 3, 2008 Contact Point Donald M. Lumpkins National Preparedness Directorate (FEMA) (202) 786-9754 Reviewing Official Hugo Teufel III Chief Privacy
More informationDepartment of Homeland Security Web Portals
for the Department of Homeland Security Web Portals June 15, 2009 Contact Point Mary Ellen Callahan Chief Privacy Officer Department of Homeland Security (703) 235-0780 Page 2 Abstract Many Department
More informationIT Compliance in Acquisition Checklist v3.5 Page 1 of 7
IT Compliance in Acquisition Checklist v3.5 Page 1 of 7 Instructions: This IT checklist, with appropriate signatures, must be completed for Information Technology (IT) acquisitions within the Department
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationPrivacy Impact Assessment. For Education s Central Automated Processing System (EDCAPS) Date: October 29, 2014
For Education s Central Automated Processing System (EDCAPS) Date: October 29, 2014 Point of Contact and Author: D Mekka Thompson DMekka.Thompson@ed.gov System Owner: Greg Robison Greg.Robison@ed.gov Office
More informationPERSONALLY IDENTIFIABLE INFORMATION (Pin BREACH NOTIFICATION CONTROLS
ClOP CHAPTER 1351.19 PERSONALLY IDENTIFIABLE INFORMATION (Pin BREACH NOTIFICATION CONTROLS TABLE OF CONTENTS SECTION #.1 SECTION #.2 SECTION #.3 SECTION #.4 SECTION #.5 SECTION #.6 SECTION #.7 SECTION
More informationPersonally Identifiable Information (PII), Protected Health Information (PHI), and Federal Information Requirements
Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Information Requirements (Revised April 9, 2015) 1. General Requirements Overview - Personally Identifiable Information
More informationOFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION
OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION CONTRACTOR SECURITY OF THE SOCIAL SECURITY ADMINISTRATION S HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12 CREDENTIALS June 2012 A-14-11-11106
More informationBackground Check Service
for the Background Check Service Contact Point Elizabeth Gaffin USCIS Privacy Officer United States Citizenship and Immigration Services 202-272-1400 Reviewing Official Hugo Teufel III Chief Privacy Officer
More informationEPA Classification No.: CIO-2150.3-P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: 12-003 Review Date: 08/06/2015
Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 INFORMATION SECURITY INTERIM MAINTENANCE PROCEDURES V1.8 JULY 18, 2012 1. PURPOSE The purpose of this procedure
More informationThe Social Security Administration s Internal Controls over Issuing and Monitoring Contractors Homeland Security Presidential Directive-12 Credentials
Audit Report The Social Security Administration s Internal Controls over Issuing and Monitoring Contractors Homeland Security Presidential Directive-12 Credentials A-15-11-11178 April 2013 MEMORANDUM Date:
More informationPROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS IN THE DEPARTMENT OF JUSTICE
PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS IN THE DEPARTMENT OF JUSTICE U.S. Department of Justice Office of the Inspector General Audit Division Audit Report 05-32 July 2005 PROCESSING CLASSIFIED
More informationCASE MATTER MANAGEMENT TRACKING SYSTEM
for the CASE MATTER MANAGEMENT TRACKING SYSTEM September 25, 2009 Contact Point Mr. Donald A. Pedersen Commandant (CG-0948) (202) 372-3818 Reviewing Official Mary Ellen Callahan Chief Privacy Officer Department
More informationPrivacy Impact Assessment for the. Standardized Tracking and Accounting Reporting System- Financial Management System (STARS-FMS)
Privacy Impact Assessment for the Standardized Tracking and Accounting Reporting System- Financial Management System (STARS-FMS) United States Marshals Service Contact Point William E. Bordley Associate
More informationUnited States Department of State Global Financial Management System (GFMS) Privacy Impact Assessment
United States Department of State Global Financial Management System (GFMS) Privacy Impact Assessment CGFS/DCFO/GFMS 1. Contact Information Privacy Impact Assessment (PIA) Department of State Privacy Coordinator
More informationSYSTEM NAME: Digital Identity Access Management System (DIAMS) - P281. SYSTEM LOCATION: U.S. Department of Housing and Urban Development, 451 Seventh
SYSTEM OF RECORDS NO.: OCIO/QN.01 SYSTEM NAME: Digital Identity Access Management System (DIAMS) - P281 SYSTEM LOCATION: U.S. Department of Housing and Urban Development, 451 Seventh Street, SW, Washington
More informationPrivacy Impact Assessment (PIA) Waiver Review System (WRS) Version 03.06.01.01. Last Updated: December 2, 2013
United States Department of State (PIA) Waiver Review System (WRS) Version 03.06.01.01 Last Updated: December 2, 2013 Bureau of Administration 1. Contact Information Department of State Privacy Coordinator
More informationHow To Protect Research Data From Being Compromised
University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...
More informationIRS Disclosure Of Sensitive But Unclassified Information
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Some Contractor Personnel Without Background Investigations Had Access to Taxpayer Data and Other Sensitive Information July 7, 2014 Reference Number:
More informationCITY OF LANCASTER RFP NO. 621-15 LANCASTER PERFORMING ARTS CENTER TICKETING SOFTWARE SUBMISSION DEADLINE. July 24, 2015 BY 11:00 A.M.
CITY OF LANCASTER RFP NO. 621-15 LANCASTER PERFORMING ARTS CENTER TICKETING SOFTWARE SUBMISSION DEADLINE July 24, 2015 BY 11:00 A.M. SUBMIT TO: Office of the City Clerk Lancaster City Hall 44933 Fern Avenue
More informationUnited States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB)
for the United States Citizenship and Immigration Services (USCIS) June 22, 2007 Contact Point Harry Hopkins Office of Information Technology (OIT) (202) 272-8953 Reviewing Official Hugo Teufel III Chief
More informationGOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.
PERSONAL IDENTITY VERIFICATION (PIV) OVERVIEW INTRODUCTION (1) Welcome to the Homeland Security Presidential Directive 12 (HSPD-12) Personal Identity Verification (PIV) Overview module, designed to familiarize
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More information28042 Federal Register / Vol. 75, No. 96 / Wednesday, May 19, 2010 / Notices
28042 Federal Register / Vol. 75, No. 96 / Wednesday, May 19, 2010 / Notices the records are part of an on-going investigation in which case they may be retained until completion of the investigation.
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationBERKELEY COLLEGE DATA SECURITY POLICY
BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data
More informationCMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS
CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,
More informationDisclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)
HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute
More informationOrder. Directive Number: IM 10-3. Stephen E. Barber Chief Management Officer
Pension Benefit Guaranty Corporation Order Subject: Protecting Sensitive Information Directive Number: IM 10-3 Effective Date: 4/23/08 Originator: OGC Stephen E. Barber Chief Management Officer 1. PURPOSE:
More informationPrivacy Impact Assessment. For. TeamMate Audit Management System (TeamMate) Date: July 9, 2014. Point of Contact: Hui Yang Hui.Yang@ed.
For TeamMate Audit Management System (TeamMate) Date: July 9, 2014 Point of Contact: Hui Yang Hui.Yang@ed.gov System Owner: Wanda Scott Wanda.Scott@ed.gov Author: Mike Burgenger Office of the Inspector
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and
More informationNOAA HSPD-12 PIV-II Implementation October 23, 2007. Who is responsible for implementation of HSPD-12 PIV-II?
NOAA HSPD-12 PIV-II Implementation What is HSPD-12? Homeland Security Presidential Directive 12 (HSPD-12) is a Presidential requirement signed on August 27, 2004 requiring Federal agencies comply with
More informationSAMPLE TEMPLATE. Massachusetts Written Information Security Plan
SAMPLE TEMPLATE Massachusetts Written Information Security Plan Developed by: Jamy B. Madeja, Esq. Erik Rexford 617-227-8410 jmadeja@buchananassociates.com Each business is required by Massachusetts law
More informationRequest for Proposal RFP #201501. Printing & Mailing Services
Request for Proposal Printing & Mailing Services Date of Issue: 03/24/2015 For period beginning: 05/01/2015 Due Date/Time for Receipt of Proposals: 04/06/2015 @ 2:00 p.m. (EDT) RFP Number: 201501 Date
More informationDepartment of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT
Department of Veterans Affairs VA DIRECTIVE 6510 Washington, DC 20420 Transmittal Sheet VA IDENTITY AND ACCESS MANAGEMENT 1. REASON FOR ISSUE: This Directive defines the policy and responsibilities to
More informationTABLE OF CONTENTS. University of Northern Colorado
TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...
More informationPrivacy Impact Assessment
AUGUST 16, 2013 Privacy Impact Assessment CIVIL PENALTY FUND AND BUREAU-ADMINISTERED REDRESS PROGRAM Contact Point: Claire Stapleton Chief Privacy Officer 1700 G Street, NW Washington, DC 20552 202-435-7220
More informationPrivacy Act of 1974; Department of Homeland Security <Component Name> - <SORN. AGENCY: Department of Homeland Security, Privacy Office.
DEPARTMENT OF HOMELAND SECURITY Office of the Secretary [Docket No. DHS-2014-] Privacy Act of 1974; Department of Homeland Security -
More informationGuidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES
DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR PARTS 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationPrivacy Impact Assessment. For ecampus-based System (e/cb) Date: April 26, 2014. Point of Contact: Calvin Whitaker Calvin.Whitaker@ed.
For ecampus-based System (e/cb) Date: April 26, 2014 Point of Contact: Calvin Whitaker Calvin.Whitaker@ed.gov System Owner: Keith Wilson Keith.Wilson@ed.gov Author: Calvin Whitaker Office of Federal Student
More informationSIGNIFICANT CHANGES DOCUMENT
SIGNIFICANT CHANGES DOCUMENT Descriptive Title Schedule 70_MassModification_Health IT SIN Significant Changes Disclaimer Language DISCLAIMER: GSA FAS is posting this notification of a planned solicitation
More informationInfinedi HIPAA Business Associate Agreement RECITALS SAMPLE
Infinedi HIPAA Business Associate Agreement This Business Associate Agreement ( Agreement ) is entered into this day of, 20 between ( Company ) and Infinedi, LLC, a Limited Liability Corporation, ( Contractor
More informationAppendix 1 CJC CONTRACT MANAGEMENT POLICIES AND PROCEDURES. Criminal Justice Commission Contract Management Policies and Procedures
CJC CONTRACT MANAGEMENT POLICIES AND PROCEDURES SNYOPSIS: The CJC was created by a Palm Beach County ordinance in 1988. It has 21 public sector members representing local, state, and federal criminal justice
More information[SUBPART 239.99 CLOUD COMPUTING (DEVIATION 2015-O0011) Prescribes policies and procedures for the acquisition of cloud computing services.
Attachment #1 [SUBPART 239.99 CLOUD COMPUTING (DEVIATION 2015-O0011) 239.9900 Scope of subpart. (DEVIATION 2015-O0011) Prescribes policies and procedures for the acquisition of cloud computing services.
More informationINFORMATION EXCHANGE AGREEMENT BETWEEN THE SOCIAL SECURITY ADMINISTRATION AND THE STATE OF [NAME OF STATE], [NAME OF STATE AGENCY]
2012 MODEL STC AGREEMENT INFORMATION EXCHANGE AGREEMENT BETWEEN THE SOCIAL SECURITY ADMINISTRATION AND THE STATE OF [NAME OF STATE], [NAME OF STATE AGENCY] AS THE STATE TRANSMISSION/TRANSFER COMPONENT
More informationCanine Website System (CWS System) DHS/TSA/PIA-036 January 13, 2012
for the (CWS System) DHS/TSA/PIA-036 January 13, 2012 Contact Point Carolyn Y. Dorgham Program Manager, National Explosives Detection Canine Team Program Carolyn.Dorgham@dhs.gov Reviewing Official Mary
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS
More informationDEPARTMENTAL REGULATION
U.S. DEPARTMENT OF AGRICULTURE WASHINGTON, D.C. 20250 DEPARTMENTAL REGULATION SUBJECT: Identity, Credential, and Access Management Number: 3640-001 DATE: December 9, 2011 OPI: Office of the Chief Information
More informationCompliance and Industry Regulations
Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy
More informationPrivacy Impact Assessment for Threat Assessments for Access to Sensitive Security Information for Use in Litigation December 28, 2006
for Threat Assessments for Access to Sensitive Security Information for Use in Litigation December 28, 2006 Contact Point Andrew Colsky Sensitive Security Information (SSI) Office SSI@dhs.gov Reviewing
More informationIntegrated Financial Management Information System (IFMIS) Merger
for the Information System (IFMIS) Merger DHS/FEMA/PIA-020 December 16, 2011 Contact Point Michael Thaggard Office of Chief Financial Officer (202) 212-8192 Reviewing Official Mary Ellen Callahan Chief
More informationPage 1 of 15. VISC Third Party Guideline
Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision
More informationCONTRACT ADMINISTRATION AND MANAGEMENT GUIDE
CONTRACT ADMINISTRATION AND MANAGEMENT GUIDE STATE OF IDAHO DEPARTMENT OF ADMINISTRATION DIVISION OF PURCHASING REVISED 01 01 14 Table of Contents I. Purpose... 1 II. Overview of Contract Management and
More informationPrivacy Impact Assessment
Technology, Planning, Architecture, & E-Government Version: 1.1 Date: April 14, 2011 Prepared for: USDA OCIO TPA&E Privacy Impact Assessment for the April 14, 2011 Contact Point Charles McClam Deputy Chief
More informationBUSINESS ASSOCIATE AGREEMENT Tribal Contract
DEPARTMENT OF HEALTH SERVICES Division of Enterprise Services F-00714 (08/2013) STATE OF WISCONSIN BUSINESS ASSOCIATE AGREEMENT Tribal Contract This Business Associate Agreement is made between the Wisconsin
More informationDepartment of Veterans Affairs VA HANDBOOK 4090 GOVERNMENT FLEET CARD PROCEDURES
Department of Veterans Affairs VA HANDBOOK 4090 Washington, DC 20420 Transmittal Sheet January 12, 2010 GOVERNMENT FLEET CARD PROCEDURES 1. REASON FOR ISSUE: This handbook prescribes procedures for use
More informationM E M O R A N D U M. Definitions
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
More informationDirectory Services and Email System (DSES)
for the Directory Services and Email System (DSES) Contact Point James Kief Functional Area Manager Department of Homeland Security/US Coast Guard (304) 264-2573 Reviewing Official Hugo Teufel III Chief
More informationUNITED STATES DEPARTMENT OF THE INTERIOR BUREAU OF LAND MANAGEMENT MANUAL TRANSMITTAL SHEET MS 1221 DIRECTIVES MANUAL
Form 1221-2 (June 1969) Subject UNITED STATES DEPARTMENT OF THE INTERIOR BUREAU OF LAND MANAGEMENT MANUAL TRANSMITTAL SHEET MS 1221 DIRECTIVES MANUAL Release 1-1759 Date 7/25/2014 1. Explanation of Materials
More informationAutomated Threat Prioritization Web Service
for the Automated Threat Prioritization Web Service DHS/ICE/PIA-028 June 6, 2011 Contact Point Luke McCormack Chief Information Officer U.S. Immigration and Customs Enforcement (202) 732-3100 Reviewing
More informationAlbuquerque Housing Authority. EIV Security and Procedure Policy
APPENDIX V Albuquerque Housing Authority EIV Security and Procedure Policy 10-2010 Date Adopted 2009-02 By Resolution Number 1/2012 Definitions Administrator Authorized User: EIV Improper Disclosure Intranet
More informationPrivacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee
Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies Privacy Committee Web 2.0/Cloud Computing Subcommittee August 2010 Introduction Good privacy practices are a key
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationUpdated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview
Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance
More informationStatus: Final. Form Date: 30-SEP-13. Question 1: OPDIV Question 1 Answer: OS
Status: Final Form Date: 30-SEP-13 Question 1: OPDIV Question 1 Answer: OS Question 2: PIA Unique Identifier (UID): Question 2 Answer: P-2277902-798208 Question 2A: Name: Question 2A Answer: Identity and
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More informationState of Ohio Model Bid/Quote Template for General Goods & Services (Non-IT)
State of Ohio Model Bid/Quote Template for General Goods & Services (Non-IT) Guidance Document Department of Administrative Services, Office of Procurement Services 6/4/2015 Contents Purpose... 2 Background...
More informationSupplier IT Security Guide
Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA
More informationCrew Member Self Defense Training (CMSDT) Program
for the Crew Member Self Defense Training (CMSDT) Program February 6, 2008 Contact Point Michael Rigney Federal Air Marshal Service Flight Programs Division Michael.Rigney@dhs.gov Reviewing Officials Peter
More informationPrivacy Incident Handling Guidance
Privacy Incident Handling Guidance Revised January 26, 2012 Basis for Privacy Incident Handling Guidance The following procedures establish governing policies and procedures for Privacy Incident handling
More informationU.S. Nuclear Regulatory Commission
ADAMS ML11066A005 U.S. Nuclear Regulatory Commission Privacy Impact Assessment (Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy
More informationI. U.S. Government Privacy Laws
I. U.S. Government Privacy Laws A. Privacy Definitions and Principles a. Privacy Definitions i. Privacy and personally identifiable information (PII) b. Privacy Basics Definition of PII 1. Office of Management
More informationPrivacy Impact Assessment
Privacy Impact Assessment For: Education Investigative Tracking System (EDITS) Date: April 10, 2013 Point of Contact: Hui Yang System Owner: Wanda A. Scott Author: William Hamel Office of Inspector General
More information3. Characterization of the Information
1. Contact Information Department of State Privacy Coordinator Margaret P. Grafeld Bureau of Administration Global Information Services Office of Information Programs and Services 2. System Information
More informationOnline Detainee Locator System
for the Online Detainee Locator System April 9, 2010 Contact Point James Chaparro Director, Office of Detention and Removal Operations U.S. Immigration and Customs Enforcement (202) 732-3100 Reviewing
More informationU.S. Nuclear Regulatory Commission
ADAMS ML14344A108 U.S. Nuclear Regulatory Commission Privacy Impact Assessment Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act,
More informationUNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C
UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information
More informationPage 1 of 12 Document Effective Date Solicitation Terms & Conditions 08/08/2008 Purchase Order Terms and Conditions 01/01/2009 Special Provisions 01/01/2009 STATE OF COLORADO SOLICITATION INSTRUCTIONS/
More informationNEIS HELP DESK FAQS. HSPD-12 Policy/Business Process. General HSPD-12 FAQs can be found online at: http://lincpass.usda.gov/faq.
General HSPD-12 FAQs can be found online at: http://lincpass.usda.gov/faq.html HSPD-12 Policy/Business Process 1. How long is the entire process for Non-Employees? After enrollment, applicants should receive
More informationREMEDY Enterprise Services Management System
for the Enterprise Services Management System April 28, 2016 Contact Point Marshall Nolan Border Enforcement and Management Systems Division Office of Information Technology U.S. Customs & Border Protection
More informationLegislative Language
Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting
More informationTerms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013
Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations
More informationSubj: Appointment as a Contracting Officer's Technical Representative (COTR)
Attachment (1) Agency/Component letterhead Subj: Appointment as a Contracting Officer's Technical Representative (COTR) From: (Insert name of Contracting Officer) To: (Insert name of prospective COTR)
More informationATLANTA PUBLIC SCHOOLS
Procurement Services 130 Trinity Avenue, S.W. 5 th Floor Atlanta, Georgia 30303 Request for Qualifications For October 31, 2007 Solicitation Number: 112607-01 Due Date: November 26, 2007 ADVERTISEMENT
More informationModel Business Associate Agreement
Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model
More informationEASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES
EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES This document describes Eastern Oklahoma State College s policy and procedures for the proper
More informationPrivacy Act of 1974; Department of Transportation, Federal Aviation Administration,
(4910-62-P) DEPARTMENT OF TRANSPORTATION Office of the Secretary Docket No. DOT-OST-2015-0235 Privacy Act of 1974; Department of Transportation, Federal Aviation Administration, DOT/FAA-801; Aircraft Registration
More informationFederal Trade Commission Privacy Impact Assessment. for the: Gilardi & Co., LLC Claims Management System and Online Claim Submission Website
Federal Trade Commission Privacy Impact Assessment for the: Gilardi & Co., LLC Claims Management System and Online Claim Submission Website January 2015 Page 1 of 14 1 System Overview The Federal Trade
More informationOSWEGO COUNTY PURCHASING DEPARTMENT
Bid #38-14 VOIP Municipal Lease OSWEGO COUNTY PURCHASING DEPARTMENT County Office Building 46 East Bridge Street Oswego, NY 13126 Phone (315) 349-8307 Fax (315) 349-8308 Email: dstevens@oswegocounty.com
More informationHandbook for Home Health Agencies
Handbook for Home Health Agencies Chapter R-200 Policy and Procedures For Home Health Agencies Illinois Department of Public Aid CHAPTER R-200 Home Health Agency Services TABLE OF CONTENTS FOREWORD R-200
More informationOffice 365 Data Processing Agreement with Model Clauses
Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081
More information