Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-32396 | PE-05.02.01 | SV-42733r3_rule | | Medium |
Description |
---|
Failure to properly investigate personnel in Information Assurance Positions of Trust (AKA: Cyber Security Positions) based upon their designated position sensitivity level could result in unsuitable personnel having access to classified or sensitive information, or holding positions of trust with the potential to adversely impact the Confidentiality, Integrity or Availability (CIA) of DoDIN information systems and assets.

Background Information: All positions (military and civilian) must be categorized as non-sensitive, noncritical-sensitive, or critical-sensitive based on security clearance and/or ADP (AKA: IT) position requirements. This is the process detailed in the legacy DoD 5200.2-R, DoD Personnel Security Program, dated January 1987 and last updated in February 1996. In recent years a fourth category, special-sensitive, was added by OPM for all Federal agencies (including the DoD). This is detailed in the current DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), dated 3 April 2017, which superseded the legacy DoD 5200.2-R. The significance of designating position sensitivity is that the type of background investigation the incumbent of a particular position must undergo (e.g., an SSBI (now a Tier 5 investigation) or an ANACI/NACLC (now a Tier 3 investigation)) is based upon the designated position sensitivity. As of 1 October 2016, the former investigations known as NACLC, ANACI, NACI, BI, MBI, SSBI, etc. are no longer conducted. They have been replaced by the Office of Personnel Management (OPM) with a "Tiered" investigation process. The new investigations are grouped into five levels, or tiers, and are referred to as Tier 1 through Tier 5, with Tier 5 (T5) being the most stringent.

The update to the DoD PERSEC Program contained in DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), dated 3 April 2017, does not contain any implementing guidance for moving from the former investigations to the new Tiered Investigations. With regard to Information Assurance Positions of Trust (e.g., those with privileged access and/or responsibility for security oversight of information systems) for DoD Information Network (DoDIN) (AKA: Defense Information System Network (DISN)) assets, the two most applicable levels of investigation are Tier 3 and Tier 5. Examples of jobs or duties associated with IA Positions of Trust are System Administrators (SA), Information System Security Managers (ISSM), and Information System Security Officers (ISSO). Tier 3 investigations are those generally associated with Non-Critical Sensitive positions of trust (confidential or secret security clearance, or legacy ADP/IT-2 level duties). Examples of the former investigations that are now Tier 3 are the NACLC and the ANACI. Tier 5 investigations are those generally associated with Special-Sensitive and/or Critical-Sensitive positions of trust (TS clearances with or without SCI/SAP, or legacy ADP/IT-1 level duties). The former investigation that is now Tier 5 is the SSBI. Over the next 5-10 years it is reasonable to expect that a combination of both the old investigations and the new Tier investigations will be found within the DoD until the new investigations are completely phased in for current personnel. Security personnel must therefore be familiar with both the old and the new investigations. While contractor personnel are not formally assigned to positions within DoD organizations, the type of investigation required is determined in the same way as for DoD civilians and military personnel: it is based on the legacy IT/ADP level and/or security clearance requirements for each type or category of work performed.
Duties associated with positions or described functions, along with security clearance and/or ADP levels and the associated investigations, must be detailed in the applicable Statement of Work (SOW) and/or DD Form 254 (Contract Security Classification Specification).

With regard to legacy ADP/IT level designations, the following general rules apply: Users of DoD Information Systems (IS) are either privileged users (e.g., system administrators) or authorized (AKA: basic/general) users. Privileged users must undergo an SSBI/Tier 5 investigation, while general system users within the DoD must undergo a NACLC, ANACI, NACI/Tier 3 investigation.

With regard to security clearance levels, the following general rules apply: Persons requiring a confidential or secret security clearance for their position or duties must undergo a favorably adjudicated NACLC, ANACI, NACI/Tier 3 investigation. Persons requiring a higher level security clearance, such as top secret (TS) or TS with Sensitive Compartmented Information (SCI) access, must undergo a favorably adjudicated SSBI/Tier 5 investigation.

Under the new Tiered Investigation process, OPM provides the Position Designation Automated Tool (PDT) as an aid for those individuals within agencies charged with position designation responsibilities. The tool is found at the following URL: https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/ The PDT gives Federal agencies a means to effectively and consistently determine position designations. The OPM Position Designation System and the related PDT assess the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct by an incumbent of that position. This establishes the risk level of the position. The assessment also determines whether a position's duties and responsibilities present the potential for incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect; this establishes the sensitivity level of the position. The results of this assessment determine what level of investigation should be conducted for the position.

To reduce subjectivity in the position sensitivity determination process, security personnel must understand the following terms when using the PDT:

- NATIONAL SECURITY refers to those activities which are directly concerned with the foreign relations of the United States, or with protection of the Nation from internal subversion, foreign aggression, or terrorism.
- A NATIONAL SECURITY POSITION includes any position in a department or agency the occupant of which could bring about, by virtue of the nature of the position, a material adverse effect on the national security.
- NON-SENSITIVE POSITIONS/DUTIES are PUBLIC TRUST POSITIONS, or duties and responsibilities that are unrelated to National Security.

Keep in mind that the primary mission of most DoD organizations concerns the national security. Hence all Information Technology (IT) positions involved with the DoD (DISN) cyber security mission should be considered National Security Positions. These positions include, for instance, System Administrators (SA), Information System Security Managers (ISSM), Information System Security Officers (ISSO), Information System Engineers and other related positions, which are detailed in DoD 8570.01-M, Information Assurance Workforce Improvement Program, 19 December 2005, Incorporating Change 4, 11/10/2015.
Again, the outcome of using the PDT should generally be the same as the DoD requirements for position sensitivity under the legacy ADP/IT position criteria, but the individual using the tool must have a thorough understanding of the duties, and the impact of the duties, of each position being assessed for the PDT outcome to be appropriate and consistent with DoD standards. It is important to limit the subjectivity involved in these determinations and to provide consistent results throughout the DoD.

PRIVILEGED ACCESS TO INFORMATION TECHNOLOGY SYSTEMS: A key legacy consideration for IA positions of trust is that any position in which the incumbent has "Privileged Access" to an information system should normally be designated a Critical-Sensitive position. This applies regardless of whether there is a corresponding requirement for the incumbent to hold a TS security clearance. Generally the TS clearance is the predominant reason a position is designated critical-sensitive; however, where the position requires a secret, confidential, or no security clearance and the incumbent also requires privileged access to an information system, the privileged access criterion makes the position critical-sensitive with a Tier 5 (T5) background investigation requirement. Hence the privileged access criterion goes beyond the noncritical-sensitive or non-sensitive position designations normally associated with only a secret, confidential, or no security clearance, which would otherwise result in a Tier 3 (T3) or lower level investigation requirement.

PRIVILEGED ACCESS DEFINED: The following definition of privileged access is excerpted from DoD 8570.01-M, Information Assurance Workforce Improvement Program. Privileged Access is an authorized user who has access to system control, monitoring, administration, criminal investigation, or compliance functions. Privileged access typically provides access to the following system controls:

- Access to the control functions of the information system/network, administration of user accounts, etc.
- Access to change control parameters (e.g., routing tables, path priorities, addresses) of routers, multiplexers, and other key information system/network equipment or software.
- Ability and authority to control and change program files, and other users' access to data.
- Direct access to operating system level functions (also called unmediated access) that would permit system controls to be bypassed or changed.
- Access and authority for installing, configuring, monitoring, or troubleshooting the security monitoring functions of information systems/networks (e.g., network/system analyzers; intrusion detection software; firewalls), or in performance of cyber/network defense operations.

************end of Privileged Access Definition*********

THE BOTTOM LINE: The association of DoD position sensitivity designation and required investigations is based on IA position of trust system access levels and/or level of responsibility for oversight of systems security, in conjunction with the level of security clearance required for military or civilian positions or for the type of work performed by contractor employees.
The relationship of position sensitivity to clearances, duties and investigations can be delineated as follows:

- Special-Sensitive and/or Critical-Sensitive positions: Legacy IT-1 (ADP-1) Privileged users (SAs) and/or ISSM/ISSO, and/or TS or TS-SCI clearance. Investigation: SSBI/Tier 5.
- Non-Critical Sensitive positions: Legacy IT-2 (ADP-2) Privileged users under direct supervision of an ADP-1 vetted Privileged user, and/or Authorized users, and/or Confidential or Secret security clearance. Investigation: NACLC, ANACI, NACI/Tier 3.
- Non-Sensitive positions: Legacy IT-3 (ADP-3) and no security clearance. Not applicable to current DoD cyber security positions.

In summary, the primary criterion for the association of DoD position sensitivity designation and required background investigations is the security clearance required for military or civilian positions, or for the type of work performed by contractor employees. The second most influential criterion is whether the position is an information assurance/cyber security position of trust, which is determined based upon the designated legacy ADP/IT level. Both security clearance and ADP/IT level must therefore be considered concurrently when designating position sensitivity and the associated background investigation required. The highest level of background investigation required by either the security clearance or the ADP/IT level for performance of duties must be conducted for incumbents of (military/civilian) positions or for duties performed by contractor employees.

REFERENCES:

- DoDI 8500.01, March 14, 2014, SUBJECT: Cybersecurity: Paragraph 10.a-e (Cybersecurity Workforce).
- DoD 8570.01-M, Information Assurance Workforce Improvement Program, 19 December 2005, Incorporating Change 4, 11/10/2015: Paragraphs C1.4.4.4., C1.4.4.5., C3.2.4.1.2., C3.2.4.2., C3.2.4.8., C4.2.3.1.2., AP1.15 and AP1.22.
- CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND): Enclosure A, paragraph 11.; Enclosure B, paragraph 2.l.; and Enclosure C, paragraphs 4. and 10.
- NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2(1), PS-1, PS-2, PS-3, PS-6(1) and PS-6(2).
- DoD 5200.22-M (NISPOM), Incorporating Change 2, 18 May 2016: Chapter 2, Section 2 and Chapter 8, Section 3, paragraph 8-302.a. Personnel Security.
- (Current) DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), April 3, 2017: Paragraphs 3.3., 4.1.a.(2)(m), (r), (u) and (3)(a), (b), (c); 4.1.b. Civilian Personnel; 4.2. Military Personnel; 4.3. Contractors; 4.4. Consultants.
- (Legacy) DoD 5200.2-R, Personnel Security Program: Chapter 3, paragraphs C3.1., C3.1.2.1.1.7., C3.1.2.1.2.3., C3.1.3., C3.2, C3.3, C3.4, C3.4.2, C3.6.15, C3.7.10, C3.7.11., and Appendix 10.
- OPM/National Background Investigations Bureau URLs: https://www.opm.gov/suitability/ https://nbib.opm.gov/ https://nbib.opm.gov/hr-security-personnel/requesting-opm-personnel-investigations/#url=5.0
- POSITION DESIGNATION TOOL: https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/
- The Joint Personnel Adjudication System (JPAS) and the Defense Information System for Security (DISS). Once fully deployed, DISS will replace JPAS as the system of record for comprehensive personnel security, suitability and credential eligibility management for all military, civilian, and DoD contractor personnel. These databases reflect position sensitivity, security clearance information and ADP/IT information for vetted individuals. |
STIG | Date |
---|---|
Traditional Security Checklist | 2020-08-26 |
Check Text ( C-40839r6_chk ) |
---|
Check that site personnel occupying Information Assurance Positions of Trust have successfully been vetted with the appropriate level of investigation based on legacy ADP/IT position designations and/or security clearance, in accordance with NOTE 3 below. The completed investigations must be reflected in JPAS (or any equivalent DoD Personnel Security Data Base) and, as applicable, in any local PERSEC Data Base or equivalent.

NOTE 1: Information Assurance (IA) Positions of Trust are specifically those positions with Privileged Access to an Information System(s) and/or positions with responsibility for Oversight of Systems Security. Examples are System Administrators (SA), Information System Security Managers (ISSM), Information System Security Officers (ISSO), Information System Engineers, System Designers…

NOTE 2: Formerly, Information Assurance (IA) Positions of Trust were identified under the legacy Automated Data Processing (ADP) (AKA: Information Technology (IT)) Position Categories and Criteria IAW DoD 5200.2-R, Personnel Security Program, January 1987. These long-established legacy ADP Categories were not included in the update to the DoD PERSEC Program contained in DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), dated 3 April 2017. This possible gap in policy guidance has been raised with the USD(I) PERSEC Policy authority, which is aware of the omission of the guidance in the PERSEC update. Pending further direction from the USD(I), their guidance is to use the Office of Personnel Management (OPM) Position Designation Tool (PDT).

NOTE 3: Because many organizations have institutionalized the ADP Categories and Criteria, the legacy ADP position methodology for identification and designation of position sensitivity for IA Positions of Trust may still be used in lieu of the PDT for compliance with the requirements in this STIG Rule.

Personnel Occupying the legacy Information Systems Positions Designated ADP-1, ADP-2 and ADP-3: DoD military, civilian personnel, consultants, and contractor personnel performing on unclassified automated information systems may be assigned to one of three position sensitivity designations (in accordance with Appendix 10 of legacy DoD 5200.2-R, Personnel Security Program) and MINIMALLY investigated as follows:

- ADP-I (AKA: IT-1): SSBI / SBPR / PPR / T5 (Tier 5) / T5R (Tier 5 Reinvestigation)
- ADP-II (AKA: IT-2): ANACI / NACI / NACLC / S-PR / T3 (Tier 3) / T3R (Tier 3 Reinvestigation)
- ADP-III (AKA: IT-3): Not applicable to Information Assurance Positions of Trust

Those personnel falling in the above ADP categories who also require access to classified information will, of course, be subject to the appropriate investigative scope for the level of security clearance required. The investigative scope for clearances may exceed, but must not be less than, that required for the designated ADP level.

NOTE 4: All designated IA Positions IAW DoD 8570.01-M (e.g., IAT Levels I-III or IAM Levels I-III) must be checked. Random checks of all other site personnel records should be made.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment. |
Fix Text (F-36313r5_fix) |
---|
Ensure that site personnel occupying Information Assurance Positions of Trust have successfully been vetted with the appropriate level of investigation based on legacy ADP/IT position designations and/or security clearance, in accordance with NOTE 3 below. The completed investigations must be reflected in JPAS and, as applicable, in any local PERSEC Data Base or equivalent.

NOTE 1: Information Assurance (IA) Positions of Trust are specifically those positions with Privileged Access to an Information System(s) or positions with responsibility for Oversight of Systems Security. Examples are System Administrators (SA), Information System Security Managers (ISSM), Information System Security Officers (ISSO), Information System Engineers, System Designers…

NOTE 2: Formerly, Information Assurance (IA) Positions of Trust were identified under the legacy Automated Data Processing (ADP) (AKA: Information Technology (IT)) Position Categories and Criteria IAW DoD 5200.2-R, Personnel Security Program, January 1987. These long-established legacy ADP Categories were not included in the update to the DoD PERSEC Program contained in DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), dated 3 April 2017. This possible gap in policy guidance has been raised with the USD(I) PERSEC Policy authority, which is aware of the omission of the guidance in the PERSEC update. Pending further direction from the USD(I), their guidance is to use the Office of Personnel Management (OPM) Position Designation Tool (PDT).

NOTE 3: Because many organizations have institutionalized the ADP Categories and Criteria, the legacy ADP position methodology for identification and designation of position sensitivity for IA Positions of Trust may still be used in lieu of the PDT for compliance with the requirements in this STIG Rule.

Personnel Occupying the legacy Information Systems Positions Designated ADP-1, ADP-2 and ADP-3: DoD military, civilian personnel, consultants, and contractor personnel performing on unclassified automated information systems may be assigned to one of three position sensitivity designations (in accordance with Appendix 10 of legacy DoD 5200.2-R, Personnel Security Program) and MINIMALLY investigated as follows:

- ADP-I (AKA: IT-1): SSBI / SBPR / PPR / T5 (Tier 5) / T5R (Tier 5 Reinvestigation)
- ADP-II (AKA: IT-2): ANACI / NACI / NACLC / S-PR / T3 (Tier 3) / T3R (Tier 3 Reinvestigation)
- ADP-III (AKA: IT-3): Not applicable to Information Assurance Positions of Trust

Those personnel falling in the above ADP categories who also require access to classified information will, of course, be subject to the appropriate investigative scope for the level of security clearance required. The investigative scope for clearances may exceed, but must not be less than, that required for the designated ADP level.

NOTE 4: All designated IA Positions IAW DoD 8570.01-M (e.g., IAT Levels I-III or IAM Levels I-III) must be considered IA Positions of Trust. |