Validation Procedures for Security Clearance Issuance and (Classified Systems and/or Physical) Access Granted

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32343	PE-03.02.01	SV-42680r2_rule	PECF-2 PEVC-1 PRAS-1 PRAS-2 PRNK-1	Medium

Description
Failure to verify security clearance status could result in an unauthorized person having access to a classified information system or an authorized person being unable to perform assigned duties.

STIG	Date
Traditional Security	2013-07-11

Details

Check Text ( C-40792r8_chk )
Background Information: When checking how an organization validates security clearance information for systems access the first thing to consider is there are various categories of personnel and associated considerations with each one. These categories include: Military employees, Government Civilian employees, Contract employees, Foreign Nationals and Local National employees under a Status of Forces (SOFA) agreement and Visitors. Ask what procedures are used for verifying that all personnel that have access to classified information systems have the appropriate security clearance and access authorization. Generally, organizations validation of clearance levels should come from JPAS, DCII, a service or agency data base or higher security office. Also note that organization manning documents should include the required clearance level for each Military and Civilian position and should be requested for review. Checks: Check #1. Review a sample of the organization personnel security records and compare with applicable System Access Authorization Request forms to ensure proper validation of clearance levels. Because it is generally not feasible to review all records it recommended to select where possible ALL those who have "privileged" systems access (such as SAs, IAOs, Network Admin, etc.) and supplement with a random sample of those with basic "user" access to systems. Check #2. If there are contract employees with systems access - check to ensure there is a Statement of Work with accompanying DD 254 ("Classified" Contract Security Specification) that covers security clearance requirements for each type of work being performed by contractors. Check #3. Check that a delegation of disclosure authority letter (DDL) is on-hand in all cases where US Classified information is released/shared with Foreign National Exchange or Liaison personnel. Check #4. Check to ensure that a Limited Access Authorization (LAA) is on hand when system access to classified information is granted to an immigrant alien or a foreign national - not associated with or representing a foreign government. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Check Text ( C-40792r8_chk )

Background Information:

When checking how an organization validates security clearance information for systems access the first thing to consider is there are various categories of personnel and associated considerations with each one. These categories include: Military employees, Government Civilian employees, Contract employees, Foreign Nationals and Local National employees under a Status of Forces (SOFA) agreement and Visitors.

Ask what procedures are used for verifying that all personnel that have access to classified information systems have the appropriate security clearance and access authorization.

Generally, organizations validation of clearance levels should come from JPAS, DCII, a service or agency data base or higher security office. Also note that organization manning documents should include the required clearance level for each Military and Civilian position and should be requested for review.

Checks:

Check #1. Review a sample of the organization personnel security records and compare with applicable System Access Authorization Request forms to ensure proper validation of clearance levels. Because it is generally not feasible to review all records it recommended to select where possible ALL those who have "privileged" systems access (such as SAs, IAOs, Network Admin, etc.) and supplement with a random sample of those with basic "user" access to systems.

Check #2. If there are contract employees with systems access - check to ensure there is a Statement of Work with accompanying DD 254 ("Classified" Contract Security Specification) that covers security clearance requirements for each type of work being performed by contractors.

Check #3. Check that a delegation of disclosure authority letter (DDL) is on-hand in all cases where US Classified information is released/shared with Foreign National Exchange or Liaison personnel.

Check #4. Check to ensure that a Limited Access Authorization (LAA) is on hand when system access to classified information is granted to an immigrant alien or a foreign national - not associated with or representing a foreign government.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Fix Text (F-36256r4_fix)
Background Information: When checking how an organization validates security clearance information for systems access the first thing to consider is there are various categories of personnel and associated considerations with each one. These categories include: Military employees, Government Civilian employees, Contract employees, Foreign Nationals and Local National employees under a Status of Forces (SOFA) agreement and Visitors. Ask what procedures are used for verifying that all personnel that have access to classified information systems have the appropriate security clearance and access authorization. Generally, organizations validation of clearance levels should come from JPAS, DCII, a service or agency data base or higher security office. Also note that organization manning documents should include the required clearance level for each Military and Civilian position and should be requested for review. Fixes: 1. Review all the organization personnel security records and compare with applicable System Access Authorization Request forms to ensure proper validation of clearance levels. Be especially aware of ALL those who have "privileged" systems access (such as SAs, IAOs, Network Admin, etc.) and ensure that correct clearance and IT assurance level have been granted. 2. If there are contract employees with systems access ensure there is a Statement of Work with accompanying DD 254 (Contract Security Specification) that covers security clearance requirements for each type of work being performed by contractors. 3. Ensure that a delegation of disclosure authority letter (DDL) is on-hand in all cases where US Classified information is released/shared with Foreign National Exchange or Liaison personnel. 4. Ensure that a Limited Access Authorization (LAA) is on hand when system access to classified information is granted to an immigrant alien or a foreign national - not associated with or representing a foreign government.

Fix Text (F-36256r4_fix)

Background Information:

When checking how an organization validates security clearance information for systems access the first thing to consider is there are various categories of personnel and associated considerations with each one. These categories include: Military employees, Government Civilian employees, Contract employees, Foreign Nationals and Local National employees under a Status of Forces (SOFA) agreement and Visitors.

Ask what procedures are used for verifying that all personnel that have access to classified information systems have the appropriate security clearance and access authorization.

Generally, organizations validation of clearance levels should come from JPAS, DCII, a service or agency data base or higher security office. Also note that organization manning documents should include the required clearance level for each Military and Civilian position and should be requested for review.

Fixes:

1. Review all the organization personnel security records and compare with applicable System Access Authorization Request forms to ensure proper validation of clearance levels. Be especially aware of ALL those who have "privileged" systems access (such as SAs, IAOs, Network Admin, etc.) and ensure that correct clearance and IT assurance level have been granted.

2. If there are contract employees with systems access ensure there is a Statement of Work with accompanying DD 254 (Contract Security Specification) that covers security clearance requirements for each type of work being performed by contractors.

3. Ensure that a delegation of disclosure authority letter (DDL) is on-hand in all cases where US Classified information is released/shared with Foreign National Exchange or Liaison personnel.

4. Ensure that a Limited Access Authorization (LAA) is on hand when system access to classified information is granted to an immigrant alien or a foreign national - not associated with or representing a foreign government.