1 Personnel Security 2007 Data Protection Seminar TMA Privacy Office HEALTH AFFAIRS TRICARE Management Activity.

1

Personnel Security

2007 Data Protection SeminarTMA Privacy Office

HEALTH AFFAIRS

TRICAREManagement

Activity

2

Personnel Security

Purpose

This presentation will provide an overview of the TRICARE Management Activity (TMA) office role in personnel security

3

Personnel Security

Objectives

Upon completion of this lesson, you will be able to:

Understand TMA Privacy Office’s personnel security

Be familiar with current policies and procedures for TMA personnel security

Identify common misconceptions with respect to personnel security background investigations

4

Personnel Security

Mission and Objective Mission

Ensure policies and procedures against inappropriate use and disclosure of sensitive information are upheld by contractors who have access to information systems containing Protected Health Information (PHI) and Privacy Act information on Department of Defense (DoD) Information Technology (IT) Systems

Objective Provide guidance and consultation to ensure all TMA

contractor employees with access to DoD IT Systems are:TrustworthyReliableOf unquestionable allegiance to the United States

5

Personnel Security

What is Personnel Security?

Personnel Security refers to the practices, technologies, and/or services used to ensure personnel security safeguards are applied specifically to: Contractors on TRICARE contracts

IT systems

Background checks and trustworthiness determination

Granting or withdrawing system access privileges – Common Access Card (CAC)

Misconception TMA Privacy Office Personnel Security pertains to

military and government civilian personnel

6

Personnel Security

The Information and System Lifecycle

Start: Personnel Security

Phase 1 Initiation

Phase 2 Acquisition/

Development

Phase 3 Implementation

Phase 4 Operations/

Maintenance

Phase 5 Disposition

Complete: Personnel Security

When to address Personnel Security?

7

Personnel Security

Why Personnel Security? Consider the purpose of Personnel Security

safeguards

The most common perpetrators of significant computer crime are those with legitimate access

Knowingly

Unknowingly

Managing personnel with privileged access is critical

Recertification

Change in level access

8

USDI Guidance (DoD 5200.2R)

OPM

ISN

TMA Privacy Office

JPASMCSCemployees

NPCemployees

ISNJPAS

ISNJPAS

DISCODOHA

SF85PSF85P

Difficult cases

Completed cases

JPASUnacceptable

Cases

Denials

Personnel Security

Workflow

9

Personnel Security

ADP Determination Levels Applicable levels of trustworthiness

determinations for public trust positions:

ADP/IT-I ─ Critical Sensitive Position

ADP/IT-II ─ Non-critical Sensitive Position

ADP/IT-III ─ Non-critical Non-Sensitive Position

Note: ADP/IT-III are no longer authorized on DoD systems

ADP is the language formerly used for information systems

10

Personnel Security

Positions of Trust vs. Security Clearances (1 of 2)

Positions of Trust- SF 85 (paper)

SF 85P and FD 258 (fingerprint card) completed and mailed to OPM

Office of Personnel Management (OPM) screens, schedules, or rejects questionnaire

Investigation Schedule Notice (ISN)

11

Personnel Security

Positions of Trust vs. Security Clearances (2 of 2)

ISN’s entered into MHS database and copy sent to contracting company

Investigation level and schedule date entered into JPAS

Interim access granted upon ISN receipt

12

Personnel Security

SF 86 Security Clearance Submitted electronically via eQIP to Defense

Security System (DSS)

Interim secret access granted normally within 48 hours

OPM schedules National Agency Check with Local Law and Credit Check (NACLC) investigation

Posted in JPAS

13

Personnel Security

Common Access Card Process

Facilities Security Officer (FSO) prepares DD1172 and sends to TMA Privacy Office

TMA Privacy Office verifies background investigation type NACLC required

Sends DD1172 to TMA Security Office

TMA Security notifies company FSO to have personnel complete Contracting Verification System (CVS) application

TMA Security notifies FSO when CVS application has been accepted and to have employee proceed to a RAPIDS location for CAC issuance

14

Personnel Security

Application Requirement: ADP/IT-I

A written request for approval must be submitted to the TMA Privacy Officer prior to submitting the application to OPM

The Letter of Request must include:

Thorough job description which justifies the need for the ADP/IT-I Trustworthiness Determination

Contact information for the Security Officer or other appropriate executive

Signature, at a minimum, by the company Security Officer or other appropriate executive

15

Personnel Security

Interim Access New TRICARE contractor employees who are

U.S. citizens may be granted interim access upon receipt of notification of a scheduled investigation by OPM

Misconception:

Prior language implied access granted after submission of the SF 85P and fingerprint cards to the OPM

16

Personnel Security

Non-U.S. Citizen Access

Non-United State Citizens are not being adjudicated for any trustworthiness position by any government agency for TRICARE contracts

SF 85P’s will not be submitted on Non-United States citizen contractor employees

17

Personnel Security

Open Issues

Communication between contracting companies and TMA Privacy Office (i.e. New submittals, Denial acknowledgement and Termination notification)

Sharing of billing and accounting data – can constitute fraud against the government

Procedures for obtaining CAC and access to HA/TMA Network

18

Personnel Security

Presentation Summary

You should now be able to:

Understand TMA Privacy Office’s personnel security

Be familiar with current policies and procedures TMA personnel security

Identify common misconceptions with respect to personnel security background investigations

19

Personnel Security

Resources (1 of 4)

DoD 5200.2-R, “Personnel Security Program (January 1987),”

Privacy Act of 1974

Health Insurance Portability and Accountability Act (HIPAA) of 1996

DoD 6025.18-R, “DoD Health Information Privacy Regulation, January 2003”

20

Personnel Security

Resources (2 of 4)

DoD 5220.22-M, “National Industrial Security Program Operating Manual” (NISPOM), January 1995 (Change 2, May 1, 2000)

DoD 8500.1, “Information Assurance, (October 24, 2002)

www.tricare.osd.mil/tmaprivacy/personnel-security.cfm

Questions: [email protected]

21

Personnel Security

Resources (3 of 4)

22

Personnel Security

Resources (4 of 4)

23

Please fill out your critique

Thanks!

TRICAREManagement

Activity

HEALTH AFFAIRS