Personnel Security

1
Personnel Security
TRICARE Management Activity

• 2007 Data Protection Seminar
• TMA Privacy Office

HEALTH AFFAIRS
2
Personnel SecurityPurpose

• This presentation will provide an overview of the
  TRICARE Management Activity (TMA) office role in
  personnel security

3
Personnel SecurityObjectives

• Upon completion of this lesson, you will be able
  to
• Understand TMA Privacy Offices personnel
  security
• Be familiar with current policies and procedures
  for TMA personnel security
• Identify common misconceptions with respect to
  personnel security background investigations

4
Personnel Security Mission and Objective

• Mission
• Ensure policies and procedures against
  inappropriate use and disclosure of sensitive
  information are upheld by contractors who have
  access to information systems containing
  Protected Health Information (PHI) and Privacy
  Act information on Department of Defense (DoD)
  Information Technology (IT) Systems
• Objective
• Provide guidance and consultation to ensure all
  TMA contractor employees with access to DoD IT
  Systems are
• Trustworthy
• Reliable
• Of unquestionable allegiance to the United States

5
Personnel Security What is Personnel Security?

• Personnel Security refers to the practices,
  technologies, and/or services used to ensure
  personnel security safeguards are applied
  specifically to
• Contractors on TRICARE contracts
• IT systems
• Background checks and trustworthiness
  determination
• Granting or withdrawing system access privileges
  Common Access Card (CAC)
• Misconception
• TMA Privacy Office Personnel Security pertains to
  military and government civilian personnel

6
Personnel SecurityThe Information and System
Lifecycle
When to address Personnel Security?
Start Personnel Security
Phase 1 Initiation
Phase 5 Disposition
Complete Personnel Security
Phase 4 Operations/ Maintenance
Phase 2 Acquisition/ Development
Phase 3 Implementation
7
Personnel Security Why Personnel Security?

• Consider the purpose of Personnel Security
  safeguards
• The most common perpetrators of significant
  computer crime are those with legitimate access
• Knowingly
• Unknowingly
• Managing personnel with privileged access is
  critical
• Recertification
• Change in level access

8
USDI Guidance (DoD 5200.2R)
Personnel Security Workflow
OPM
Difficult cases
Completed cases
DOHA
DISCO
SF85P
SF85P
ISN
JPAS
Unacceptable Cases
MCSC employees
NPC employees
JPAS
Denials
TMA Privacy Office
ISN JPAS
ISN JPAS
9
Personnel Security ADP Determination Levels

• Applicable levels of trustworthiness
  determinations for public trust positions
• ADP/IT-I - Critical Sensitive Position
• ADP/IT-II - Non-critical Sensitive Position
• ADP/IT-III - Non-critical Non-Sensitive Position
• Note ADP/IT-III are no longer authorized on DoD
  systems
• ADP is the language formerly used for information
  systems

10
Personnel Security Positions of Trust vs.
Security Clearances (1 of 2)

• Positions of Trust- SF 85 (paper)
• SF 85P and FD 258 (fingerprint card) completed
  and mailed to OPM
• Office of Personnel Management (OPM) screens,
  schedules, or rejects questionnaire
• Investigation Schedule Notice (ISN)

11
Personnel Security Positions of Trust vs.
Security Clearances (2 of 2)

• ISNs entered into MHS database and copy sent to
  contracting company
• Investigation level and schedule date entered
  into JPAS
• Interim access granted upon ISN receipt

12
Personnel Security SF 86 Security Clearance

• Submitted electronically via eQIP to Defense
  Security System (DSS)
• Interim secret access granted normally within 48
  hours
• OPM schedules National Agency Check with Local
  Law and Credit Check (NACLC) investigation
• Posted in JPAS

13
Personnel SecurityCommon Access Card Process

• Facilities Security Officer (FSO) prepares DD1172
  and sends to TMA Privacy Office
• TMA Privacy Office verifies background
  investigation type
• NACLC required
• Sends DD1172 to TMA Security Office
• TMA Security notifies company FSO to have
  personnel complete Contracting Verification
  System (CVS) application
• TMA Security notifies FSO when CVS application
  has been accepted and to have employee proceed to
  a RAPIDS location for CAC issuance

14
Personnel Security Application Requirement
ADP/IT-I

• A written request for approval must be submitted
  to the TMA Privacy Officer prior to submitting
  the application to OPM
• The Letter of Request must include
• Thorough job description which justifies the need
  for the ADP/IT-I Trustworthiness Determination
• Contact information for the Security Officer or
  other appropriate executive
• Signature, at a minimum, by the company Security
  Officer or other appropriate executive

15
Personnel Security Interim Access

• New TRICARE contractor employees who are U.S.
  citizens may be granted interim access upon
  receipt of notification of a scheduled
  investigation by OPM
• Misconception
• Prior language implied access granted after
  submission of the SF 85P and fingerprint cards to
  the OPM

16
Personnel Security Non-U.S. Citizen Access

• Non-United State Citizens are not being
  adjudicated for any trustworthiness position by
  any government agency for TRICARE contracts
• SF 85Ps will not be submitted on Non-United
  States citizen contractor employees

17
Personnel Security Open Issues

• Communication between contracting companies and
  TMA Privacy Office (i.e. New submittals, Denial
  acknowledgement and Termination notification)
• Sharing of billing and accounting data can
  constitute fraud against the government
• Procedures for obtaining CAC and access to HA/TMA
  Network

18
Personnel SecurityPresentation Summary

• You should now be able to
• Understand TMA Privacy Offices personnel
  security
• Be familiar with current policies and procedures
  TMA personnel security
• Identify common misconceptions with respect to
  personnel security background investigations

19
Personnel SecurityResources (1 of 4)

• DoD 5200.2-R, Personnel Security Program
  (January 1987),
• Privacy Act of 1974
• Health Insurance Portability and Accountability
  Act (HIPAA) of 1996
• DoD 6025.18-R, DoD Health Information Privacy
  Regulation, January 2003

20
Personnel SecurityResources (2 of 4)

• DoD 5220.22-M, National Industrial Security
  Program Operating Manual (NISPOM), January 1995
  (Change 2, May 1, 2000)
• DoD 8500.1, Information Assurance, (October 24,
  2002)
• www.tricare.osd.mil/tmaprivacy/personnel-security.
  cfm
• Questions ADP.MAIL_at_TMA.OSD.MIL

21
Personnel SecurityResources (3 of 4)
22
Personnel SecurityResources (4 of 4)
23
TRICARE Management Activity
Please fill out your critiqueThanks!
HEALTH AFFAIRS