NASA DESK GUIDE FOR SUITABILITY AND SECURITY CLEARANCE PROCESSING. Version 2

Transcription

1 NASA DESK GUIDE FOR SUITABILITY AND SECURITY CLEARANCE PROCESSING Version 2 Agency Human Resources Division NASA Headquarters SREF

2 (This page intentionally left blank.) Page 2 of 94

3 Status (Basic/Revision /Cancelled) NASA Desk Guide for Suitability and Security Clearance Processing Version 2 Document History Log Revision Date Basic 12/20/06 Basic Release Revision (Version 2) Description of Change 1/7/08 Changes Incorporated into Version 2: Added Document History Log. Section 2, References: updated with new references. Paragraph 3.1, New Hire Process Up to Submission of Investigative E-form Procedures: added new information to the Important note box. Paragraph 4.2, HSPD-12 Responsibilities: added information for Requestor and for PIV Representative. Section 7, National Security Clearance Level Determination: added note box with information on new policy regarding professional development for security personnel. Section 9, Background Investigation Level Determination: added an explanation that some of the charts used in this section, from NPR , are being updated, but the corrected information is provided in this document. Figure 9-02, Background Investigation Levels with National Security Requirements: updated chart. Figure 9-03, Background Reinvestigation Levels with National Security Requirements: updated chart. Section 11, Suitability Adjudication: added appeal information. Appendix C, Step-by-Step Suitability Determination Instructions: replaced all Suitability Adjudication Worksheet screen shots with new screen shots for NASA Form 1761, Suitability Adjudication Worksheet. Appendix D, Standard Suitability Adjudication Worksheet: replaced screen shots with new NASA Form 1761 screen shots. Attachment 3, Personal Identification Verification (PIV) Card Issuer (PCI) Procedures: replaced with new directive. Page 3 of 94

4 (This page intentionally left blank.) Page 4 of 94

5 TABLE OF CONTENTS Page SECTION 1 INTRODUCTION Purpose Background Applicability About this Document...9 SECTION 2 REFERENCES...10 SECTION 3 PROCESS OVERVIEW New Hire Process Up to Submission of Investigative E-form Procedures Suitability/Security Adjudication Procedures...17 SECTION 4 RESPONSIBILITIES General Responsibilities HSPD-12 Responsibilities...19 SECTION 5 DOCUMENTING NATIONAL SECURITY AND PUBLIC TRUST DESIGNATIONS...21 SECTION 6 POSITION RISK FACTORS Position Risk Designations Mission Critical Space System Personnel Reliability Program (MCSSPRP) IT Position Risk Designations...24 SECTION 7 NATIONAL SECURITY CLEARANCE LEVEL DETERMINATION Special-Sensitive (SS) Critical-Sensitive (CS) Noncritical-Sensitive (NCS)...28 SECTION 8 CODING OF POSITION SENSITIVITY LEVEL DESIGNATION FOR NATIONAL SECURITY POSITIONS Special-Sensitive (SS) Critical-Sensitive (CS) Noncritical-Sensitive (NCS)...30 SECTION 9 BACKGROUND INVESTIGATION LEVEL DETERMINATION Background Investigation Levels No National Security Requirements Background Investigation Levels National Security Requirements How to Determine Investigation Level Required...33 Page 5 of 94

6 Page SECTION 10 E-QIP...35 SECTION 11 SUITABILITY ADJUDICATION...36 APPENDICES APPENDIX A ACRONYMS AND ABBREVIATIONS...37 APPENDIX B POSITION RISK DESIGNATION STEP-BY-STEP INSTRUCTIONS...39 APPENDIX C STEP-BY-STEP SUITABILITY DETERMINATION INSTRUCTIONS...51 APPENDIX D STANDARD SUITABILITY ADJUDICATION WORKSHEET...55 ATTACHMENTS ATTACHMENT 1 OFFICE OF PERSONNEL MANAGEMENT SUITABILITY GUIDELINES CHART...57 ATTACHMENT 2 OFFICE OF PERSONNEL MANAGEMENT ISSUE CHARACTERIZATION CHART...63 ATTACHMENT 3 PERSONAL IDENTIFICATION VERIFICATION (PIV) CARD ISSUER (PCI) PROCEDURES...71 Figure LIST OF FIGURES 3-01 Suitability and Security Clearance Process Flow Chart Part Suitability and Security Clearance Process Flow Chart Part Computer/ADP Risk Levels and Definitions Background Investigation Levels with No National Security Requirements Background Investigation Levels with National Security Requirements Background Reinvestigation Levels with National Security Requirements Examples of Background Investigation Levels Required...34 B-01 NASA Form Page 6 of 94

7 Figure Page B-02 Table to Identify Impact Level and Location to Record...40 B-03 Table to Identify Scope of Operations and Location to Record...40 B-04 Table to Identify Program Designation and Location to Record...41 B-05 Table to Identify Risk Points and Location to Record...41 B-06 Table to Identify Risk Level and Investigation and Location to Record...42 B-07 Uniqueness and Uniformity Descriptions...43 B-08 Location of Uniqueness and Uniformity Comments...44 B-09 Location of National Security and Access Type Designations...45 B-10 National Security Levels and Location of Comments Area...46 B-11 Computer/ADP Levels and Location of Comments Area...47 B-12 Examples of Position Designations and Related Investigations...48 B-13 Location of Final Designation and Minimum Investigation Fields...49 B-14 Location of Signature and Date Lines...50 C-01 Suitability Adjudication Worksheet Header Area...51 C-02 Derogatory Information Example...52 C-03 Applicant Suitability Example...52 C-04 Final Suitability Determination Example...53 Page 7 of 94

8 (This page intentionally left blank.) Page 8 of 94

9 SECTION 1 INTRODUCTION 1.1 Purpose The purpose of this desk guide is to provide guidance to National Aeronautics and Space Administration (NASA) Center Human Resources Offices (HROs) with regards to the HRO role in Suitability and Security Clearance processing. This guide enables NASA Center HROs to ensure the following: 1. Consistency when determining risk designations and security clearance levels for NASA positions. 2. Appropriate background investigations are conducted. 3. Consistency when determining suitability for Federal employment. 1.2 Background The need for this guide has increased as the rules and procedures for determining suitability and security issues have become more defined. In addition, Homeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors, directs that all Government agencies enhance facility and information system security. This guide was developed with Center participation to provide HRO personnel with a complete understanding of security and suitability as these issues relate to the Human Resources (HR) processes. 1.3 Applicability This desk guide is for use by NASA Center HRO personnel. While other departments may be mentioned, the instructions and procedures are specifically meant for HRO personnel. 1.4 About this Document This document is a compilation of regulations, processes, and other information HRO personnel can use in suitability and security clearance processing. Throughout this desk guide, there are references to helpful documents and additional information. If the reader is directed to an appendix or attachment, the reader should reference appendices or attachments included with this document, unless another document is specified. The following appendices and attachments are included in this document: Appendix A, Acronyms and Abbreviations Appendix B, Position Risk Designation Step-By-Step Instructions Appendix C, Step-By-Step Suitability Determination Instructions Appendix D, Standard Suitability Adjudication Worksheet Attachment 1, Office of Personnel Management Suitability Guidelines Chart Attachment 2, Office of Personnel Management Issue Characterization Chart Attachment 3, Personal Identification Verification (PIV) Card Issuer (PCI) Procedures Page 9 of 94

10 SECTION 2 REFERENCES Various regulations govern suitability and security clearances. The following references were used in the preparation of this desk guide: a. 5 Code of Federal Regulations (CFR) Part 731: Suitability b. 5 CFR Part 732: National Security Positions c. Executive Order 10450: Security Requirements for Government Employees d. Executive Order 12968: Access to Classified Information e. Executive Order 13434: National Security Professional Development f. Federal Information Processing Standards (FIPS) Publication (PUB) 201: Personal Identity Verification (PIV) of Federal Employees and Contractors, March 2006 g. Homeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors h. NASA Form 1761, Suitability Adjudication Worksheet i. NASA Interim Directive (NID) (NPR ): Personal Identity Verification Policy and Procedures, NM j. NASA Procedural Requirements (NPR) , NASA Security Program Procedural Requirements k. Office of Human Capital Management (OHCM) Personnel Bulletin: VS, Human Resources Security Project, October 26, 2004 l. OHCM Personnel Bulletin: VS, Status of Human Resources Security Project, March 21, 2005 m. OHCM Personnel Bulletin: VS, Security Metrics, April 14, 2005 n. OHCM Personnel Bulletin: VS, Personnel Security and Suitability, July 14, 2005 o. OHCM Personnel Bulletin: VS, Review of Established and Occupied Position, November 29, 2005 p. OHCM Personnel Bulletin: CS, Personal Identity Verification (PIV) Card Issuance Procedures, December 16, 2005 Page 10 of 94

11 q. OHCM Personnel Bulletin: CS, Personnel Security Issues, Updates, and Reminders, March 20, 2006 r. Office of Security and Program Protection memo: Clarification regarding NIST FIPS 199 System Security Category Determination and OPM Position Risk Level Determination, May 25, 2005 Page 11 of 94

12 SECTION 3 PROCESS OVERVIEW This section contains the process flow charts for submission of investigative e-forms and suitability and security adjudication. Following the flow charts, specific procedures and additional information are included. The charts in this section are intended to show the suitability and security clearance process for new NASA Civil Servant employees only. Reinvestigations will be tracked and initiated by the Security Office. If derogatory information is discovered during an investigation, the investigation results will be forwarded to HR for suitability adjudication. Instructions and a worksheet to help with the suitability adjudication can be found in Appendix C, Step-By-Step Suitability Determination Instructions, and Appendix D, Standard Suitability Adjudication Worksheet. Note: To continually improve the suitability and security clearance process and comply with all regulations, these procedures may change. If they do, you will be notified. All notifications and updates should be kept with this desk guide to reference as needed. These procedures are recommended and were developed to reduce the length of time required for suitability and security clearance processing, as well as to reduce the number of times the investigative process changes hands between HRO and the Security Office. Ultimately, it is incumbent upon each Center HRO to work out a specific arrangement with the Center Security Office. The primary HRO concerns are as follows: 1. Form 1722 on positions are to be completed by HRO. 2. Applicant information is entered into the Workforce Transformation Tracking System (WTTS). 3. Initial and final suitability determinations are made solely by HRO. Page 12 of 94

13 Figure Suitability and Security Clearance Process Flow Chart Part 1 Page 13 of 94

14 Resume here if HR ordered copies of ROI OPM Review Concludes Suitability/Security Adjudication 90-day Window ROI is returned to NASA from OPM Security Clearance required? No If no security clearance needed, ROI is sent to Center Security Office Center Security Office receives ROI Center Security Office reviews ROI Yes 30-day Window Yes Derogatory information? No If security clearance is needed, ROI is received by CAF CAF adjudicates for security clearance Security Office forwards ROI to HRO Security notifies HR of clean ROI HR conducts final suitability adjudication HR finds employee suitable Adjudication successful? Yes CAF sends ROI to Center Security Office No Employee Suitable? Yes CAF notifies Center HRO of unsuccessful security clearance adjudication OPM notified of unfavorable adjudication No HR takes steps to remove employee HR notifies OPM of suitability determination HR takes steps to remove employee or find a position that does not require a security clearance HR Returns ROI to Security Office End End Responsibilities HRO Supervisor CAF Security Office Applicant Figure Suitability and Security Clearance Process Flow Chart Part 2 Page 14 of 94

15 These procedures encompass the flow charts in this section and include additional information and explanation on the process. Notice that these procedures are separated into two sections according to the separation of the flow charts. In some of the steps, additional background or explanatory information is provided in italics. 3.1 New Hire Process Up to Submission of Investigative E-form Procedures 1. Supervisor initiates a request to fill the position and creates a Position Description (PD). 2. Supervisor reviews the Program and PD and makes an initial Security Clearance and Position Risk Level determination. 3. HR Reviews the Program and PD; finalizes the Position Risk Designation and Security Clearance Level in coordination with the Supervisor. The NASA FM 1722 is in the process of being automated. It is anticipated that this information will flow automatically from WTTS into IdMAX, the new badging system. 4. The vacancy is advertised; a selection is made; and a letter is sent to the applicant stating employment is contingent upon favorable adjudication for suitability and, if necessary, a security clearance. 5. HR updates WTTS. As part of the new HSPD-12-compliant credentialing process, the HRO will take on the role of Sponsor for new employees. This role requires applicant information to be entered into the IdMAX system. If WTTS is being updated and used to its full capability, the transfer of information from WTTS to IdMAX will be completely hands off, eliminating the need for the HR Specialist to log into a separate system to enter applicant information. Because IdMAX is used to verify identity of an individual, it is imperative that applicant information be entered correctly and completely. For example, the full first name of the applicant must be entered into the first name field. Security cannot accurately verify identity with only the first initial. The name entered into WTTS must match the name presented on the I-9 documents. 6. HR determines if the applicant has an applicable Background Investigation on file with the Office of Personnel Management (OPM). A check is made via the OPM database. NASA must follow the principles of reciprocity. Your office must get access to the Personnel Investigation Processing System (PIPS) to see if an investigation is on file for an applicant. If an applicant has a background investigation on file that is of the correct level for the vacancy for which they applied, the HRO can contact the losing agency to determine reciprocity or NASA can request a copy of the results from OPM rather than pay for a new investigation. This could lead to a substantial cost savings for the Agency. 7. Is there an applicable Background Investigation on file? a. If no, HR initiates Electronic Questionnaires for Investigations Processing (e-qip) for the applicant. Proceed to step 8. b. If yes, HR orders copies of the Report of Investigation (ROI). Proceed to step Applicant fills out investigative e-form in e-qip. 9. Applicant provides two forms of identification. 10. HR verifies citizenship. The applicant name that is entered into WTTS must match the I-9 documents that are used to verify citizenship. If the documents and WTTS do not match, Security will not be able to validate the applicant s identity and the applicant therefore will not be able to receive a badge. 11. Security fingerprints the applicant and verifies identity based on I-9 documentation. 12. Security sends fingerprint results to HR for initial suitability determination. HR will need to electronically attach the fingerprint results to the investigative e-form to submit to OPM. 13. HR makes initial suitability determination based on initial review of investigative e-form, results from fingerprints, and Official Form (OF) 306. An applicant does not become an employee Page 15 of 94

16 until Entrance on Duty (EOD). Therefore, if the applicant is not suitable for Federal employment based on the initial suitability determination, the offer is rescinded. 14. Is the initial suitability determination favorable? a. If no, the offer is rescinded and the applicant s process ends. b. If yes, EOD. Important: EOD is the beginning of a 14-day window to complete the remaining steps in this part of the process. HR must submit investigative e-form to OPM within 14 days of EOD. Pre-appointment waiver rules include the following: a. Prior to completion of the required pre-appointment investigation, if clear justification exists to warrant a waiver, it may be authorized by Center Directors and the Assistant Administrator for Security and Program Protection to approve an emergency appointment or reassignment to a Critical-Sensitive or Noncritical-Sensitive position. b. Special-Sensitive positions must complete pre-appointment investigation. Pre-appointment investigation requirements shall NOT be waived for positions designated as Special-Sensitive. c. Critical-Sensitive positions need a waiver. d. Noncritical positions do not have to have a waiver. 15. Has HR ordered copies of the ROI from OPM for a Background Investigation on file? a. If yes, skip to paragraph 3.2, Suitability/Security Adjudication Procedures. b. If no, HR reviews investigative e-form for completeness. 16. Is a Security Clearance needed? a. If yes, HR codes the investigative e-form so the Central Adjudication Facility (CAF) receives the ROI. Proceed to step 17. The CAF is held to a 30-day window for adjudication and any delays by improper coding could result in disciplinary action against NASA by OPM. b. If no, HR codes investigative e-form so Center Security Office receives the ROI. Proceed to step HR submits investigative e-form to OPM. Proceed to paragraph 3.2, Suitability/Security Adjudication Procedures. Page 16 of 94

17 3.2 Suitability/Security Adjudication Procedures Important: The Suitability Adjudication part of the process can take no more than 90 days. In addition, if a Security Clearance is required, the CAF portion of the process can take no more than 30 of the 90 days. 1. ROI is returned to NASA from OPM. 2. Is a Security Clearance required? a. If yes, proceed to step 3. b. If no, proceed to step CAF receives the ROI. 4. CAF adjudicates for security clearance. 5. Is the adjudication successful? a. If yes, CAF sends the ROI to the Center Security Office. Then proceed to step 8. b. If no, CAF notifies the Center HRO of unsuccessful security clearance adjudication and CAF notifies OPM of unfavorable adjudication. Then proceed to step If CAF notifies HRO of unsuccessful adjudication, HR takes steps to remove the employee or find a position that does not require a security clearance. This process ends. 7. If no Security Clearance is required (per step 2 above), the ROI is sent to the Center Security Office. 8. The Center Security Office receives the ROI. 9. The Center Security Office reviews the ROI. 10. Is there derogatory information? a. If yes, the Security Office forwards the ROI to HRO. Then proceed to step 11. b. If no, Security notifies HR of a clean ROI. Then proceed to step HR conducts the final suitability adjudication. 12. Is the employee suitable? a. If yes, proceed to step 13. b. If no, HR takes steps to remove the employee. Then proceed to step HR finds the employee suitable. 14. HR notifies OPM of suitability determination. 15. HR returns ROI to Security Office. Page 17 of 94

18 SECTION 4 RESPONSIBILITIES 4.1 General Responsibilities The information contained in this section is taken from the Personnel Bulletins as listed in Section 2, References. The information extracted pertains to requirements as they relate to HROs. No personnel actions associated with recruitment, hiring, or position change shall take place without the appropriate prior assignment of position risk designation and position sensitivity level. No individual shall be issued a permanent NASA Civil Servant employee photo identification (ID) without, at a minimum, appropriate establishment of position sensitivity, risk designation, submission of required investigative e-form, and an initial favorable suitability determination. As part of the in-processing function for new employees, each Center HRO is responsible for: 1. Completing, reviewing, and submitting investigative e-form in a timely manner. 2. Providing, at the earliest possible time but no later than two (2) working days prior to EOD, the following information on each prospective employee to Security: Name Date of birth Place of birth (city, state, country) Social Security Number (SSN) Security will conduct an initial investigation (e.g., fingerprints) and, if any derogatory information is found, Security will forward the results to HRO to make an initial suitability determination. In unusual cases where it is not possible to provide such information within that time frame, the HRO will coordinate with Security to explain the circumstances and provide the information as quickly as possible. 3. Using e-qip to the maximum extent possible. All Standard Form (SF) 85, SF 85P, and SF 86 questionnaires shall be completed in e-qip. HROs will have a Submitting Office Number (SON). Please confirm that your office already has a SON. If not, PIPS Form 12 should be submitted to OPM to obtain one. HROs are assigned a SON by OPM to enable electronic submission of investigative forms and allow HRO personnel to inquire about case status. At this time, PIPS Form 12 is available at the OPM e-qip portal under the title, PIPS on the Portal. The completed form must be faxed. 4. Advising all new employees who do not indicate prior Federal service, at the time the offer of employment is made, on completing the appropriate investigative e-form. 5. Completing SF 75 for employees with prior Federal service to determine if the individual s current level of investigation is sufficient to meet the requirements of the position. If so, no additional investigative e-form needs to be generated; if not, appropriate e-form must be initiated. 6. Ensuring background investigations done by other agencies are accepted if they are of the appropriate level for the position, under the principles of reciprocity. 7. Assuring that new employees, or employees whose security requirements have changed, submit the appropriate investigative e-form. 8. Monitoring progress on completion of investigative e-form. Ideally, new employees will complete the e-form on or before EOD. In all but the most unusual circumstances, e-form Page 18 of 94

19 may be completed after EOD but must be completed in sufficient time to be reviewed and submitted to OPM within 14 days of EOD, as required by the CFR. 9. Ensuring that investigation level matches position requirements. 10. Reviewing completed e-form for any initial red flags, and consulting with Security personnel as necessary. 11. Ensuring that investigative e-form is coded correctly to ensure that the ROI is returned to the appropriate office (i.e., CAF or Center Security Office). 12. Transmitting investigative e-form to OPM. 13. Making suitability determinations in coordination with the selecting official. Where a manager makes a decision not in accordance with HR recommendations, the HR specialist will document the circumstances. 14. Ensuring that form 79A is completed with the notification of the adjudication determination and returned to OPM. 4.2 HSPD-12 Responsibilities The HSPD-12 directive that was signed by President George W. Bush mandates that each Federal Agency take more precautions in ensuring the safety of physical and logical assets. FIPS 201 specifically outlines the steps that each Agency must take to comply with HSPD-12. The process will verify the identity of all persons who access NASA facilities or systems and has several touch points with HR: Position Risk Designations Background Investigations Federal Employment Suitability Determinations o Initial Suitability o Final Suitability New Hire Sponsor Role NID (NPR ), Personal Identity Verification (PIV) Policy and Procedures, NM , provides specific information on processes, roles, and responsibilities relating to NASA issuing federal credentials. The following roles and responsibilities were compiled from the NID, as well as other applicable sources, and summarize the responsibilities for HSPD-12 personnel. Position Risk Designations HSPD-12 mandates that, at a minimum, each Federal employee will have a National Agency Check and Inquiries (NACI) background investigation done. However, many NASA programs and projects have positions that warrant a higher level of background investigation. To ensure that NASA employees are investigated at the appropriate level, a Position Risk Designation must be determined and NASA Form (NF) 1722 should be on file to validate the designation. Each position must be reviewed to ensure that the correct level of background investigation has been done on the employee holding that position. For New Hires, this process should be completed prior to the vacancy being advertised. Background Investigations Once the correct level of background investigation is determined by the Position Risk Designation for New Hires or position changes, the HRO is responsible for the timely completion and submission of investigative e-form to OPM via the e-qip system. This will require the HRO to have a SON. Page 19 of 94

20 Federal Employment Suitability Determination The HRO has the responsibility to adjudicate each New Hire for Federal Employment Suitability. This includes an initial suitability determination prior to EOD, which is made with limited information, and the final suitability determination, which is made using the Report of Investigation from OPM. Requestor This individual is authorized to create the initial request for an applicant to receive a badge and to perform the initial entry of the applicant s demographic data into the system for the PIV badge request. The Requestor for NASA employees is the HRO, for contractors is the contractor organization, and for grantees is the grant provider. The Requestor may also be the Sponsor, but may not be the Enrollment Official, Issuance Official, or PIV Authorizer. New Hire Sponsor Role In working with the HSPD-12 Implementation team, the HRO has been designated the Sponsor for New Hires. As defined in FIPS 201, the Sponsor is the person who requests the issuance of a PIV credential to the Applicant. As Sponsors, the HRO will need to ensure that all necessary information is entered into WTTS. The data flow from WTTS into the new badging system, IdMAX, will start the badging process by supplying Security with needed information. PIV Card Applicant Representative In working with HSPD-12, an HR Specialist or Contracting Officers Technical Representative (COTR) acts as a Point of Contact (POC) for applicants in adhering to processes, providing documents, and obtaining badges. This position is also responsible for adhering to all applicable procedures and directives, is responsible for protecting personal privacy of all applicants, and acts as a POC for applicants denied a badge due to missing or incorrect information. In addition, this position may act on behalf of an applicant who is not available for performing required actions. Page 20 of 94

21 SECTION 5 DOCUMENTING NATIONAL SECURITY AND PUBLIC TRUST DESIGNATIONS Effective March 21, 2005, National Security and public trust designations are to be documented on NF 1722, NASA Position Designation Record. Centers may add supplemental information to the basic designation record as they deem necessary. Refer to NPR , NASA Security Program Procedural Requirements, for additional information. Page 21 of 94

22 SECTION 6 POSITION RISK FACTORS Position Risk Designations determine the level of background investigation required for a person to hold a position. However, even if the Position Risk Designation is set at one risk level, if the position requires access to information or a facility that falls under National Security, the designation may be increased. Additionally, if other position factors such as Computer Category Positions are applicable, the designation may be increased. This section provides information on the various Position Risk Designations. The information contained in this section is taken from NPR , NASA Security Program Procedural Requirements. The information extracted pertains to requirements as they relate to HROs. Refer to NPR , NASA Security Program Procedural Requirements, for additional information. 6.1 Position Risk Designations Each position will be designated at a High, Moderate, or Low risk level depending on the position s potential for adverse impact to the integrity and efficiency of the Agency (5 CFR ). The Center HRO, in coordination with the supervisor, is responsible for making these risk determinations. Any High Risk or Moderate Risk position is also considered to be a Public Trust position. The process for making risk determinations is outlined in Appendix M of NPR , NASA Security Program Procedural Requirements. Refer to Appendix B, Position Risk Designation Step-By-Step Instructions. Note: If an employee is working part time in more than one position, the higher level Position Risk Designation takes precedence when determining the appropriate level of background investigation. There are three levels of risk: High Risk (HR), Moderate Risk (MR), and Low Risk (LR). 1. High Risk (HR): A position that has potential for exceptionally serious impact involving duties especially critical to the Agency or a program mission of the Agency with broad scope of policy or program authority such as: a. Policy development and implementation; b. Higher level management assignments; c. Independent spokespersons or non-management positions with authority for independent action; d. Significant involvement in life-critical or mission-critical systems; or e. Relatively high risk assignments associated with or directly involving the accounting, disbursement, or authorization of disbursement from systems of dollar amounts of $10 million per year or greater, or lesser amounts if the activities of the individual are not subject to technical review by higher authority to ensure the integrity of the system. Page 22 of 94

23 f. Positions in which the incumbent is responsible for the planning, direction, and implementation of a computer security program; has a major responsibility for the direction and control of risk analysis and/or threat assessment, planning, and design of the computer system, including the hardware and software; or, can access a system during the operation or maintenance in such a way, and with the relatively high risk for causing grave damage or realize a significant personal gain. 2. Moderate Risk (MR): A position that has the potential for moderate to serious impact involving duties of considerable importance to the Agency or a program mission of the Agency with significant program responsibilities and delivery of customer services to the public such as: a. Assistants to policy development and implementation; b. Mid-level management assignments; c. Non-management positions with authority for independent or semi-independent action; d. Delivery of service positions that demand public confidence or trust; or e. Positions with responsibility for the direction, planning, design, operation, or maintenance of a computer system and whose work is technically reviewed by a higher authority at the high risk level to ensure the integrity of the system. Such positions may include but are not limited to: 1) Access to and/or processing of proprietary data, Privacy Act of 1974, and Government-developed privileged information involving the award of contracts; 2) Accounting, disbursement, or authorization for disbursement from systems of dollar amounts of less than $10 million per year; or 3) Other positions as designated by the Agency head that involve degree of access to a system that creates a significant potential for damage or personal gain less than that in high risk positions. 3. Low Risk (LR): Positions that have the potential for impact involving duties of limited relation to the Agency mission with program responsibilities which affect the efficiency of the service. It also refers to those positions that do not fall within the definition of a high or moderate risk position. 6.2 Mission Critical Space System Personnel Reliability Program (MCSSPRP) If a position allows access to any mission-critical areas or is located in a mission-critical area, the position is categorized as Personnel Reliability Program (PRP). If the position also has access to National Security information, a security clearance may also be required. Refer to Section 8, Coding of Position Sensitivity Level Designation for National Security Positions, for additional information. 1. Those personnel occupying positions that involve unescorted access to mission-critical space systems areas, mission data, or mission-specific Information Technology (IT) systems including those activities related to access to and/or manipulation of command and control systems of all NASA space-assets (e.g., shuttle, International Space Station (ISS), NASA satellites, other exploration vehicles, etc.) where inappropriate actions could result in damage and/or loss of the asset and/or critical data, or result in the loss of life and/or serious injury. 2. Persons requiring unescorted access to Mission Essential Infrastructure (MEI) assets will be certified under the MCSSPRP. Page 23 of 94

24 6.3 IT Position Risk Designations If a position allows access to certain IT functions, the Position Risk Designation may be raised. Positions that are designated at the Moderate or High risk levels are deemed to be Public Trust positions. Note: If an employee is working part time in more than one position, the higher level Position Risk Designation takes precedence when determining the appropriate level of background investigation. Descriptions of the three IT positions are as follows: IT-1 Position - Any IT position whose duties, responsibilities, and authorities involve accessing information or system controls that if misused can reasonably be expected to cause exceptionally serious adverse impact. IT-2 Position - Any IT position whose duties, responsibilities, and authorities involve accessing information or systems that if misused can reasonably be expected to cause serious adverse impact or allow for great personal gain. IT-3 Position - Any other IT position whose duties, responsibilities, and authorities involve accessing information that if misused could reasonably be expected to have minimum adverse impact on the Agency s mission. Position risk-level determinations are inclusive of many factors, IT positions and/or access being an important factor. Provided below are categories of IT positions and/or specific duties that may influence the risk-level designation for each individual position. 1. In accordance with the Federal Information Systems Management Act (FISMA), the Office of Management and Budget (OMB) Circular A-130, and NPR , NASA has established requirements and procedures to assure an adequate level of protection for NASA IT systems, which includes the appropriate security screening of all individuals having access to NASA IT systems: a. HIGH RISK or 6C positions include positions in which the incumbent is responsible for planning, directing, and implementing a computer security program; has major responsibility for directing, planning, and designing an IT system, including the hardware and software; or, can access a system with relatively high risk for causing grave damage or realizing a significant personal gain. High risk IT positions may include positions, which involve the following: 1) Development or administering Agency IT Security Programs, directing, controlling IT risk analysis and threat assessments, or conducting investigations; 2) Significant involvement in life-critical or mission-critical systems; (See section [of the NPR , NASA Security Program Procedural Requirements] for further requirements); 3) Privileged access to NASA IT Systems designated as High Risk systems; Page 24 of 94

25 4) Access to data or systems whose misuse can cause very serious adverse impact or result in significant personal gain; or 5) Assignments involving accounting, disbursement, or authorization of $10 million or more per year. b. MODERATE RISK or 5C positions include positions where the incumbent is responsible for directing, planning, designing, operating, or maintaining IT systems and whose work is technically reviewed by a higher authority (at the high risk level) to ensure the integrity of the system: Moderate risk IT positions may involve: 1) Systems design, operation, testing maintenance or monitoring which is under technical review of IT-1 and includes: a. Those that contain the primary copy of data whose cost to replace exceeds $1 million dollars; b. Those that control systems which affect personal safety and/or physical security, fire, or Hazmat warning safety systems; c. Privileged information on contract awards in excess of $10 million dollars; or d. Accounting disbursement or authorization of more than $1 million dollars but less than $10 million dollars per year. 2) Access to data or systems whose misuse can cause serious adverse impact or result in personal gain, which includes but is not limited to: a. Proprietary data; b. Privacy Act protected information; or c. Export Control Regulation, International Traffic in Arms Regulations (ITAR), and the Militarily Critical Technologies List (MCTL) information. 3) Limited privileged access to NASA IT Systems designated as Moderate Risk systems. c. LOW RISK or 1C positions are all IT system positions that do not fall in the categories above and includes all non-sensitive positions and all other positions involving IT Systems whose misuse has limited potential for adverse impact or sensitive data is protected with password and encryption. Low risk IT positions may involve: 1) General word processing; or 2) Systems containing no IT-1 or IT-2 level information or IT-1 or IT-2 level information that is protected from unauthorized access. 2. Specific requirements and criteria for designating Computer/Automated Data Processing (ADP) risk levels are contained in NPR , Appendix M, Designation of Public Trust Positions and Investigation Requirements. Page 25 of 94

26 The following figure may help in determining the appropriate Computer/ADP risk levels: Figure Computer/ADP Risk Levels and Definitions Page 26 of 94

27 SECTION 7 NATIONAL SECURITY CLEARANCE LEVEL DETERMINATION National security clearance levels are determined based on the level of access needed to classified information. After determining which sensitivity level the particular position requires, refer to Section 8, Coding of Position Sensitivity Level Designation for National Security Positions, to determine what level of background investigation needs to be conducted. The information contained in this section is taken from NPR , NASA Security Program Procedural Requirements. The information extracted pertains to requirements as they relate to HROs. Refer to NPR , NASA Security Program Procedural Requirements, for additional information. Overview Some positions at NASA will require the employee to obtain and maintain a Security Clearance. The determination of the need for a Security Clearance and the subsequent level of clearance will be made by the supervisor. HRO personnel are responsible for ensuring the appropriate background investigation is ordered based on position requirements. Note: A recent change was published requiring professional development for persons in national security positions. The policy, requirements, and responsibilities can be found in Executive Order 13434: National Security Professional Development. All positions with National Security duties and responsibilities must have a sensitivity-level designation to ensure the appropriate level of investigative screening is done to comply with Executive Order 10450: Security Requirements for Government Employees and Executive Order 12968: Access to Classified Information. As stated in 5 CFR Part 732, a sensitive position is defined as any position within a department or agency the occupant of which could bring about, by virtue of the nature of the position, a material adverse effect on the National Security. Consequently, sensitivity level designation is based on an assessment of the degree of damage that an individual could cause to National Security. Apply the sensitivity levels described in this part as an Adjustment in the Risk Designation System to arrive at a final designation. There are three sensitivity levels: Special-Sensitive, Critical-Sensitive, Noncritical-Sensitive. They are defined in the following paragraphs. 7.1 Special-Sensitive (SS) A Special-Sensitive position is any position that the NASA Administrator determines to be at a higher level than Critical-Sensitive due to special requirements that complement E.O and E.O (such as Director of Central Intelligence Directive [DCID] 6/4 that sets investigative requirements and access to Sensitive Compartmented Information [SCI] and other intelligence-related Special Sensitive information). Page 27 of 94

28 7.2 Critical-Sensitive (CS) A Critical-Sensitive position is any position with potential for exceptional or grave damage to the National Security. Critical-Sensitive positions involve any of the following: Access to Top Secret classified information; Development or approval of war plans, or plans or particulars of future, major, or special operations of war, or critical and extremely important items of war; National Security policy-making or policy-determining positions; Investigative duties; Issuance of personnel security clearances; Duty on personnel security boards; and Any other positions related to National Security requiring the same degree of trust. 7.3 Noncritical-Sensitive (NCS) A Noncritical-Sensitive position is any position with potential for significant or serious damage to the National Security. Noncritical-Sensitive positions involve any of the following: Access to Secret or Confidential classified information, or Duties that may directly or indirectly adversely affect the National Security operations of the agency or the government. Note: The designation of Non-Sensitive is not shown in the table [Figure 9-04, Examples of Background Investigation Levels Required] because a Non-Sensitive position is the same as a Low Risk position; both require the same level of investigation: a NACI. Sensitivity level designations override Public Trust (i.e., HR and MR) designations due to the national interest or security. However, the basic risk level of a position needs to be determined first. If National Security duties and responsibilities are no longer a part of a position, the position reverts to its Public Trust designation. Additionally, if the Public Trust risk level designation requires a higher level of investigation than the National Security sensitivity level, the higher level of investigation must be conducted. For example, if the basic position description is HR, but the position requires Secret access, the position would have an adjusted designation of Noncritical-Sensitive because of the Secret access. The investigation required would be a Background Investigation (BI) for the HR position, and not an Access National Agency Check with Inquiries (ANACI) for the Noncritical-Sensitive designation due to Secret access. The higher level of investigation prevails because of the more intensive screening required of an HR position, a BI investigation being a higher level of investigation than an ANACI. Page 28 of 94

29 SECTION 8 CODING OF POSITION SENSITIVITY LEVEL DESIGNATION FOR NATIONAL SECURITY POSITIONS After using Section 7, National Security Clearance Level Determination, to determine which sensitivity level the particular position requires, use this section to determine what level of background investigation needs to be conducted. For instance, if the position is defined as in paragraph 7.2, Critical-Sensitive, the level of background investigation required can be found in paragraph 8.2, Critical-Sensitive. The information contained in this section is taken from NPR , NASA Security Program Procedural Requirements. The information extracted pertains to requirements as they relate to HROs. Refer to NPR , NASA Security Program Procedural Requirements, for additional information. Overview The proper coding of position sensitivity for National Security positions is required on Optional Form 8, Position Description, or NF 692, Position Description, and optional on the SF 50 and 52 (See 5 CFR part 732). NASA managers and supervisors must use the following codes whenever establishing position sensitivity for access to Classified National Security Information (CNSI): National Security Position Sensitivity Level Codes: Special-Sensitive: 4 Critical-Sensitive: 3 Noncritical-Sensitive: 2 Center HROs are responsible for managing a Risk Designation System in accordance with 5 CFR (a). They shall coordinate, in a timely manner, with managers, supervisors, and the Center Chief of Security (CCS) to accomplish designation of positions requiring access to CNSI. After the appropriate position sensitivity determination has been assigned, the Center HRO or Security Office shall initiate the appropriate investigation. 8.1 Special-Sensitive (SS) Positions requiring access to any of the levels of classified information outlined below shall be designated Special-Sensitive. Individuals in or selected for these positions must undergo a Single Scope Background Investigation (SSBI), using SF 86, and be favorably adjudicated prior to being granted access to: a. Top Secret (TS) SCI b. NASA Special Access Program Page 29 of 94

30 8.2 Critical-Sensitive (CS) Positions requiring access to any of the levels of classified information outlined below shall be designated Critical-Sensitive. Individuals in or selected for these positions must undergo an SSBI, using SF 86, and be favorably adjudicated prior to being granted access to: a. Top Secret (TS) b. NATO Top Secret 8.3 Noncritical-Sensitive (NCS) Positions requiring access to any of the levels of classified information outlined below shall be designated Noncritical-Sensitive. Individuals in or selected for these positions must undergo, at a minimum, an ANACI, using SF 86, and be favorably adjudicated prior to being granted access. Exceptions to classified access investigative requirements for these positions shall be made only as provided for in section 2.6 above [Refer to NPR , NASA Security Program Procedural Requirements.] a. Secret or Confidential b. NATO Secret/Confidential Pre-appointment investigation requirements shall NOT be waived for positions designated Special-Sensitive. Pre-appointment waivers may be authorized by Center Directors and the Assistant Administrator for Security and Program Protection to approve an emergency appointment or reassignment to a Critical- Sensitive or Noncritical-Sensitive position prior to completion of the required pre-appointment investigation only when clear justification exists to warrant the waiver. Page 30 of 94

31 SECTION 9 BACKGROUND INVESTIGATION LEVEL DETERMINATION The background investigation level is an OPM-designated requirement based on position risk factors, not on National Security. This section specifically addresses position risk. The information contained in this section is taken from NPR , NASA Security Program Procedural Requirements. The information extracted pertains to requirements as they relate to HROs. Refer to NPR , NASA Security Program Procedural Requirements, for additional information. Some of the charts pertaining to this section are currently being updated in NPR Those outdated charts are not being used here; corrected information is provided in this document. The level of risk and/or sensitivity associated with a position will determine the level of background investigation that is required for the employee filling that position. At a minimum, a NACI investigation must be completed for all Federal employees. 9.1 Background Investigation Levels No National Security Requirements For positions with no National Security requirements, use the chart below to determine the appropriate level of background investigation required: RISK LEVEL LOW Risk MODERATE Risk [Public Trust Position] HIGH Risk [Public Trust Position] PRP [Public Trust Position] MINIMUM REQUIRED INVESTIGATION NACI - National Agency Check and Inquiries MBI - Minimum Background Investigation BI - Background Investigation NACI National Agency Check and Inquiries Figure Background Investigation Levels with No National Security Requirements Page 31 of 94

32 9.2 Background Investigation Levels National Security Requirements For positions with National Security Requirements, use the following chart to determine the level of background investigation required for an initial investigation: WHICH INVESTIGATION TO REQUEST If the requirement is for And the person has this access Based on this investigation Then the investigation required is Using standard CONFIDENTIAL None None ANACI A SECRET; L CONF, SLc; L Out of Date Investigation ANACI TOP SECRET, SCI; Q None None SSBI None; CONF, SEC; L current or out of date NACLC TS, SCI; Q out of date SSBI SSBI-PR C Figure Background Investigation Levels with National Security Requirements Reinvestigations will be tracked and initiated by the Security Office. For positions with National Security requirements, the following chart is used to determine the level of background investigation required for a reinvestigation: REINVESTIGATION REQUIREMENTS If the requirement is for And the age of the investigation is Type required if there has been a break in service of CONFIDENTIAL 0 to 14 yrs. 11 mos months 24 months or more 15 yrs. or more None (NOTE 1) NACLC Page 32 of 94