Personnel Security: 2007 Data Protection Seminar, TMA Privacy Office, HEALTH AFFAIRS, TRICARE Management Activity
Dec 30, 2015
Purpose
This presentation will provide an overview of the TRICARE Management Activity (TMA) office role in personnel security
Objectives
Upon completion of this lesson, you will be able to:
Understand TMA Privacy Office’s personnel security
Be familiar with current policies and procedures for TMA personnel security
Identify common misconceptions with respect to personnel security background investigations
Mission and Objective
Mission
Ensure policies and procedures against inappropriate use and disclosure of sensitive information are upheld by contractors who have access to information systems containing Protected Health Information (PHI) and Privacy Act information on Department of Defense (DoD) Information Technology (IT) Systems
Objective
Provide guidance and consultation to ensure all TMA contractor employees with access to DoD IT Systems are:
Trustworthy
Reliable
Of unquestionable allegiance to the United States
What is Personnel Security?
Personnel Security refers to the practices, technologies, and/or services used to ensure personnel security safeguards are applied specifically to:
Contractors on TRICARE contracts
IT systems
Background checks and trustworthiness determination
Granting or withdrawing system access privileges – Common Access Card (CAC)
Misconception:
TMA Privacy Office Personnel Security pertains to military and government civilian personnel
The Information and System Lifecycle
Start: Personnel Security
Phase 1 Initiation
Phase 2 Acquisition/Development
Phase 3 Implementation
Phase 4 Operations/Maintenance
Phase 5 Disposition
Complete: Personnel Security
When to address Personnel Security?
Why Personnel Security?
Consider the purpose of Personnel Security safeguards
The most common perpetrators of significant computer crime are those with legitimate access
Knowingly
Unknowingly
Managing personnel with privileged access is critical
Recertification
Change in level of access
Workflow
[Workflow diagram. Labels: USDI Guidance (DoD 5200.2R), OPM, ISN, TMA Privacy Office, JPAS, MCSC employees, NPC employees, DISCO, DOHA, SF85P, Difficult cases, Completed cases, Unacceptable cases, Denials]
ADP Determination Levels
Applicable levels of trustworthiness determinations for public trust positions:
ADP/IT-I ─ Critical Sensitive Position
ADP/IT-II ─ Non-critical Sensitive Position
ADP/IT-III ─ Non-critical Non-Sensitive Position
Note: ADP/IT-III are no longer authorized on DoD systems
ADP is the language formerly used for information systems
Positions of Trust vs. Security Clearances (1 of 2)
Positions of Trust - SF 85 (paper)
SF 85P and FD 258 (fingerprint card) completed and mailed to OPM
Office of Personnel Management (OPM) screens, schedules, or rejects questionnaire
Investigation Schedule Notice (ISN)
Positions of Trust vs. Security Clearances (2 of 2)
ISNs entered into MHS database and copy sent to contracting company
Investigation level and schedule date entered into JPAS
Interim access granted upon ISN receipt
SF 86 Security Clearance
Submitted electronically via eQIP to Defense Security System (DSS)
Interim secret access granted normally within 48 hours
OPM schedules National Agency Check with Local Law and Credit Check (NACLC) investigation
Posted in JPAS
Common Access Card Process
Facilities Security Officer (FSO) prepares DD1172 and sends to TMA Privacy Office
TMA Privacy Office verifies background investigation type NACLC required
Sends DD1172 to TMA Security Office
TMA Security notifies company FSO to have personnel complete Contracting Verification System (CVS) application
TMA Security notifies FSO when CVS application has been accepted and to have employee proceed to a RAPIDS location for CAC issuance
Application Requirement: ADP/IT-I
A written request for approval must be submitted to the TMA Privacy Officer prior to submitting the application to OPM
The Letter of Request must include:
Thorough job description which justifies the need for the ADP/IT-I Trustworthiness Determination
Contact information for the Security Officer or other appropriate executive
Signature, at a minimum, by the company Security Officer or other appropriate executive
Interim Access
New TRICARE contractor employees who are U.S. citizens may be granted interim access upon receipt of notification of a scheduled investigation by OPM
Misconception:
Prior language implied access granted after submission of the SF 85P and fingerprint cards to the OPM
Non-U.S. Citizen Access
Non-United States citizens are not being adjudicated for any trustworthiness position by any government agency for TRICARE contracts
SF 85Ps will not be submitted on Non-United States citizen contractor employees
Open Issues
Communication between contracting companies and TMA Privacy Office (i.e. New submittals, Denial acknowledgement and Termination notification)
Sharing of billing and accounting data – can constitute fraud against the government
Procedures for obtaining CAC and access to HA/TMA Network
Presentation Summary
You should now be able to:
Understand TMA Privacy Office’s personnel security
Be familiar with current policies and procedures for TMA personnel security
Identify common misconceptions with respect to personnel security background investigations
Resources (1 of 4)
DoD 5200.2-R, “Personnel Security Program (January 1987),”
Privacy Act of 1974
Health Insurance Portability and Accountability Act (HIPAA) of 1996
DoD 6025.18-R, “DoD Health Information Privacy Regulation, January 2003”
Resources (2 of 4)
DoD 5220.22-M, “National Industrial Security Program Operating Manual” (NISPOM), January 1995 (Change 2, May 1, 2000)
DoD 8500.1, “Information Assurance,” (October 24, 2002)
www.tricare.osd.mil/tmaprivacy/personnel-security.cfm
Questions: [email protected]
Please fill out your critique
Thanks!