Reclamation Manual Directives and Standards




PRA Process

1. Introduction.

A. Additional information and requirements supplementing the PRA process are defined in the Directive and Standard (D&S). Terms used within this Appendix can be found in the Glossary of Terms in Appendix E.

B. The Bureau of Reclamation's PRA Process is intended to ensure that all persons having unescorted access to identified Critical Cyber Assets (CCAs) at Reclamation facilities do not pose an unacceptable level of risk to the operation of those assets or the Bulk Electric System (BES). This PRA Process has been designed to be compliant with the PRA requirements outlined in the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards.

C. Reclamation's compliance obligations are summarized as follows: (1) provide a documented PRA Process for implementation; (2) produce and retain documented materials that demonstrate the application of the PRA Process to all personnel with unescorted access to Reclamation's identified CCAs; and (3) demonstrate that the PRA Process is being maintained, including implementation of the 7-year cycle requirements.

D. To ensure that the PRA Process is effective and efficient, Reclamation will leverage existing background investigation processes and information to the fullest degree practical. This includes the use of the Homeland Security Presidential Directive 12 (HSPD-12) access card process as well as other identification and background investigation procedures that are already in place.

2. Process Outline.

The PRA process must be successfully followed and fully completed prior to an individual receiving unescorted physical or logical access to Reclamation's identified CCAs. Once authorized access has been granted, a PRA must be repeated every 7 years, for as long as access is still required.

The PRA renewal is triggered by the local CIP access control officer shortly before the PRA for an individual who currently has access reaches the 7-year update requirement. To ensure uninterrupted access, the PRA update must be initiated far enough in advance to ensure that the process can be completed before the 7-year period ends. CIP access control officers must maintain an awareness of the approximate lead time associated with the PRA process to ensure that PRAs can be reliably completed before access is needed or expires.

(408) 01/31/2011 Page A1

A. Step 1: Personal Identity Verification and Issuance of Department of the Interior Access (DOI Access) Card.

(1) Before an individual can request unescorted physical or logical access, they must have a DOI Access card (an HSPD-12 personal identity verification card) and a completed and approved Access Authorization Request form.[1] If a card has not been issued, the individual must follow the process outlined in the Department's Personnel Bulletin No. 09-06, Policy for the Issuance and Management of DOI Access Cards, before completing the request for unescorted access. Issuance of the card serves as identity verification.

(2) If the individual is a new employee[2] or contractor[3], a National Agency Check with Inquiries (NACI) investigation (or higher) will be initiated as part of the hiring/contract process. Once the initial fingerprint check has been accomplished, it will be returned to the personnel security adjudicator for review. If the personnel security adjudicator makes an initial favorable adjudication, the individual will be approved to continue through the process to receive a DOI Access card. Once a card has been issued, Step 7 must be followed for completion of the PRA process. If the personnel security adjudicator makes an unfavorable adjudication, the individual is not approved for a DOI Access card or for unescorted access to CCAs.

[1] Access Authorization Request forms are included as a part of the Physical Security Plan for each Critical Asset subject to the NERC CIP Standards. For additional information, refer to the site-specific Physical Security Plan prepared in support of Reclamation Manual TRMR-46: Physical Security Plans Supporting North American Electric Reliability Corporation (NERC) Reliability Standard Compliance.
[2] If a new employee will require unescorted access, the requirements for unescorted access must be completed as part of the hiring process to ensure there is no delay between start date and beginning work.
[3] If contractor employees will require unescorted access, the requirements for unescorted access must be completed as part of the acquisitions planning process to ensure there is no delay between contract award and employee start date.

B. Step 2: Authorization for Release of Information Form.

(1) The individual requesting unescorted access to a CCA must complete the Authorization for Release of Information form found in Appendix B and any locally required forms. The completed forms must then be submitted to the requesting employee's supervisor or the requesting contractor's contracting officer's representative/contracting officer/project manager for local approval.

(2) If this is a 7-year renewal requirement triggered by the CIP access control officer, the Authorization for Release of Information form (Appendix B) will be forwarded to the individual at the time of notification of the need for renewal.

C. Step 3: CIP Access Control Officer Notifies USAccess Adjudicator.

(1) Once a DOI Access card has been issued, local approval granted, and the Authorization for Release of Information form completed, the CIP access control officer will forward copies of all forms to the USAccess Adjudicator with a written request detailing the individual's need for a PRA.

(2) All completed forms will be accepted and maintained by the local USAccess Adjudicator and/or personnel security adjudicator. The Authorization for Release of Information form and local approval forms are subject to review as part of the overall compliance process and therefore must be correctly completed and maintained by the CIP access control officer and/or personnel security adjudicator for as long as the person maintains authorized access, and/or 1 year after access has been terminated or revoked.

D. Step 4: USAccess Adjudicator Initiates Criminal History Check via USAccess System.

(1) Once the USAccess Adjudicator receives the request for a PRA, the USAccess Adjudicator will verify whether the individual requesting access has a favorably adjudicated national criminal check (or higher) within the past 7 years. If the individual has a fully adjudicated investigation on file, the USAccess Adjudicator will work with the personnel security adjudicator to transmit the appropriate documentation as detailed in Step 7, below. Information regarding the expiration of the existing check must then be submitted to the CIP access control officer for appropriate tracking and renewal.

(2) If an individual requesting access does not have a favorably adjudicated investigation within the past 7 years, the USAccess Adjudicator will verify that all Personally Identifiable Information needed for the criminal history check is included in the USAccess database. The USAccess Adjudicator will submit the request for a criminal history check via the USAccess portal's OPM-FBI Background Check Request tab to the Office of Personnel Management (OPM) Federal Investigative Services Division. The Adjudicator indicates where the results must be returned by selecting the appropriate Submitting Office Identifier, Submitting Office Number, and Online Payment and Collection System Agency Location Code. These must correspond to the region requesting the information to ensure proper processing of the data. The Federal agency user fee transaction type must also be selected. The USAccess Adjudicator must enter the cost authority provided by the CIP access control officer in the comments block to ensure proper processing of OPM charges.[4]

(3) Note: In some cases, place of birth data may not have been entered into USAccess. If the required information is not currently entered into the database, the USAccess Adjudicator will coordinate with the USAccess Sponsor to complete the data fields before the Criminal History Check can be submitted. The USAccess Sponsor is the only individual who can enter missing data, such as place of birth, into the USAccess system. The USAccess Sponsor will also have to perform a complete sponsorship for individuals who have not been previously sponsored.

(4) The Criminal History Check at a minimum requires the following four fields of information. Data for these four fields are contained in the USAccess database:
(a) full name,
(b) social security number,
(c) date of birth, and
(d) place of birth.

[4] While no other comments are required in the USAccess comments block, it is recommended that this field be used to provide contact information.

E. Step 5: OPM Processes Criminal History Check through Federal Bureau of Investigation (FBI).

OPM submits fingerprint classification requests to the FBI via the FBI Criminal Justice Information System (CJIS).[5]

[5] Note: the average time for OPM to complete the Criminal History Check is approximately 7-10 days.

F. Step 6: Results Returned to Personnel Security Adjudicator.

Results from the completed Criminal History Check will be provided by OPM directly to the appropriate personnel security adjudicator. Results are received in the form of a hard copy report known as a Case Closing Transmittal, which will include record or no record status for criminal history fingerprint results, arrest record information, and a list of all previous OPM-conducted investigations along with their status, if known.

G. Step 7: Adjudication Process.

(1) The results of the Criminal History Check must be adjudicated by the designated trained personnel security adjudicator. Adjudication is formally conducted using established OPM Adjudicative Guidelines, the Code of Federal Regulations, the Departmental Manual, and Reclamation Manual D&S.

(a) Favorable Adjudication. The personnel security adjudicator notifies the respective CIP access control official of a completed favorable adjudication using the memorandum template found in Appendix C. On the basis of this notification, the individual has met the PRA requirements associated with gaining unescorted access.

(b) Unfavorable Adjudication. The personnel security adjudicator notifies the respective CIP access control official of an unfavorable adjudication using the memorandum template found in Appendix D. On the basis of this notification, the individual will not be granted unescorted access to Reclamation CCAs.

(c) Findings that lead to unfavorable adjudication must be reported to the respective regional Human Resources Office in the case of a Reclamation employee, to the regional Acquisitions Office in the case of contractors, and to Reclamation's Chief Security Officer in the case of Reclamation employees, contractors, managing partners, and operating entities. Release of any information will be in accordance with Paragraph 10 (Records Management) of Reclamation Manual D&S, Personnel Security and Suitability (SLE 01-01).

(2) The personnel security adjudicator must retain all files directly related to the Criminal History Check and adjudication. The Criminal History Check Determination is then transmitted to the CIP access control officer for final disposition and audit retention.

(3) The entire seven-step PRA process described above is illustrated in Figure 1, below.

Figure 1: PRA Process Flow

3. Maintenance and Management of PRA Records.

For audit purposes, the personnel security adjudicator and CIP access control officer will maintain all records related to the PRA process separate from other personnel records. Records for employees, contractors, managing partners, and operating entities will be kept collectively for audit purposes. Information related to the risk assessment determination and results (adjudication results) for all individuals for whom a PRA has been conducted pursuant to access to CCAs shall be retained such that the risk assessment materials and determination results from the current (most recent) and previous PRA are always available for review or audit. These records must be kept secure, in accordance with Reclamation Manual Policy and D&S. Records will be retained in hard copy or electronic form. Information contained in the PRA files falls under the Privacy Act and must be protected accordingly.

4. PRA Process Revision Procedures.

Review of, and modifications to, this PRA process will be completed as necessary to ensure the protection of Reclamation CCAs and continuing compliance with the requirements of the NERC CIP (or any other applicable) Reliability Standards. The PRA process documentation will be revised within 30 calendar days of any changes to the process. All substantial changes will be coordinated with all stakeholders prior to implementation. Revision actions will be noted in the Document History, and the PRA process document will be reissued.

5. Summary.

Application of the process discussed in this document is intended to ensure both a consistent approach and consistent results when completing PRAs on individuals with access to Reclamation's CCAs. Following the process outlined will also ensure that Reclamation's PRA supports and complies with the NERC CIP Reliability Standards.