UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Periodic Reinvestigations - Submitted in a Timely Manner based Upon Position Sensitivity and Type of Investigation Required


Overview

Finding ID Version Rule ID IA Controls Severity
V-32408 PE-06.03.01 SV-42745r3_rule Low
Description
Failure to subject personnel to periodic reinvestigation can result in derogatory information not being discovered on personnel having access to sensitive or classified information. Background Information: All positions (military and civilian) must be categorized as either non-sensitive, noncritical-sensitive, or critical-sensitive based on security clearance and/or ADP (AKA: IT) position requirements. This is the process detailed within the legacy DoD 5200.2-R, DoD Personnel Security Program, which is dated September 1987 and last updated in February 1996. In recent years a fourth category called special-sensitive was added by OPM for all Federal agencies (to include the DoD). This is detailed in the current DOD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), dated 3 April 2017, which superseded the legacy DoD 5200.2-R. The significance of designating position sensitivity is that the type of background investigation the incumbent of a particular position must undergo (e.g., SSBI (now Tier 5 investigation) or NACI (now Tier 3 investigation)) is based upon the designated position sensitivity. As of 1 October 2016, the former investigations known as NACLAC, ANACI, NACI, BI, MBI, SSBI, etc. are no longer conducted. These investigations have been replaced by the Office of Personnel Management (OPM) with a "Tiered" Investigation process. The new investigations are grouped in five levels or tiers and so investigations are now referred to as Tier 1-5, with Tier 5 (T5) being the most stringent investigation. The update to the DOD PERSEC Program contained in the DOD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), dated 3 April 2017 does not contain any implementing guidance for moving from the former investigations to the new Tiered Investigations. With regard to Information Assurance Positions of Trust (e.g., those with privileged access and/or responsibility for security oversight of information systems) for DoD Information Network (DoDIN) (AKA: Defense Information System Network (DISN)) assets, the two most applicable levels of investigation are Tier 3 and Tier 5. Examples of jobs or duties associated with IA Positions of Trust are System Administrators (SA), Information System Security Managers (ISSM), and Information System Security Officers (ISSO). Tier 3 investigations are those generally associated with Non-Critical Sensitive positions of trust (confidential or secret security clearance or legacy ADP/IT-2 level duties). Examples of the former investigations which are now Tier 3 are NACLAC and ANACI. Tier 5 investigations are those generally associated with Special-Sensitive and/or Critical Sensitive positions of trust (TS clearances with or w/o SCI/SAP or legacy ADP/IT-1 level duties). The former investigation that is now Tier 5 is the SSBI. In the next 5-10 years it is reasonable to expect that a combination of both the old investigations and the new Tier investigations will be found within the DoD until the new investigations are completely phased-in for current personnel. Therefore, security personnel must be familiar with both the old and new investigations. While Contractor personnel are not formally assigned to positions within DoD organizations, the type of investigation required is like that of DoD civilians and military personnel in that it is based on the legacy IT/ADP level and/or security clearance requirements for each type or category of work performed. Duties associated with positions or described functions along with security clearance and/or ADP levels and associated investigations must be detailed in the applicable Statement of Work (SOW) and/or DD Form 254 (Contract Security Specification). With regard to legacy ADP/IT level designations the following general rules apply: Users of DoD Information Systems (IS) are either privileged users (e.g., system administrators) or authorized (AKA: basic/general) users. Privileged users must undergo a SSBI/Tier 5 investigation, while general system users within the DoD must undergo a NACLAC, ANACI, NACI/Tier 3 investigation. With regard to security clearance levels the following general rules apply: Persons requiring a confidential or secret security clearance for their position or duties are required to undergo a favorably adjudicated NACLAC, ANACI, NACI/Tier 3 investigation. Persons requiring higher level security clearance such as top secret (TS) or TS with Sensitive Compartmented Information (SCI) access must undergo a favorably adjudicated SSBI/Tier 5 investigation. Under the new Tiered Investigation process the OPM provides the Position Designation Automated Tool (PDT) as an aide for those individuals within agencies charged with position designation responsibilities. The tool is found at the following URL: https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/ The PDT provides Federal Agencies a means to effectively and consistently determine position designations. The OPM Position Designation System and the related PDT assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service from misconduct of an incumbent of a position. This establishes the risk level of that position. This assessment also determines if a position’s duties and responsibilities present the potential for position incumbents to bring about a material adverse effect on the national security, and the degree of that potential effect, which establishes the sensitivity level of a position. The results of this assessment determine what level of investigation should be conducted for a position. To reduce subjectivity in the position sensitivity determination process security personnel must understand the following terms when using the PDT: NATIONAL SECURITY refers to those activities which are directly concerned with the foreign relations of the United States, or protection of the Nation from internal subversion, foreign aggression, or terrorism. A NATIONAL SECURITY POSITION, includes any position in a department or agency, the occupant of which could bring about, by virtue of the nature of the position, a material adverse effect on the national security. NON-SENSITIVE POSITIONS/DUTIES are PUBLIC TRUST POSITIONS or duties and responsibilities that are unrelated to National Security. *Keep in mind that the primary mission of most DoD organizations concerns the national security. Hence all Information Technology (IT) positions involved with the DoD (DISN) cyber security mission should be considered as National Security Positions. These positions are for instance System Administrators (SA), Information System Security Managers (ISSM), Information System Security Officers (ISSO), Information System Engineers and other related positions, which are detailed in the DoD 8570.01-M, Information Assurance Workforce Improvement Program, 19 December 2005, Incorporating Change 4, 11/10/2015. Again, the outcome of using the PDT should generally be the same as the DoD requirements for position sensitivity under the legacy ADP/IT position criteria but the individual using the tool must have a thorough understanding of the duties and impact of the duties of each position being assessed for the PDT outcome to be appropriate and consistent with the DoD standards. It is important to limit the subjectivity involved with these determinations and provide consistent results throughout the DoD. PRIVILEGED ACCESS TO INFORMATION TECHNOLOGY SYSTEMS: A key legacy consideration for IA positions of trust is that any position where an incumbent has “Privileged Access” to an information system should normally be designated as a Critical-Sensitive position. *This is regardless if there is a corresponding requirement for the incumbent to have a TS security clearance or not. Generally the TS clearance is the predominate requirement for designation of position sensitivity as critical-sensitive; however, where there is a requirement for either a secret, confidential, or no security clearance and the incumbent also has a requirement for privileged access to an information system – the privileged access criterial will make the position critical-sensitive with a Tier-5 (T-5) background investigation requirement. Hence, the privileged access criteria consideration is beyond the typical noncritical-sensitive or non-sensitive position designations associated with only a secret, confidential, or no security clearance normally resulting in a Tier-3 (T-3) or lower level investigation requirement. PRIVILEGED ACCESS DEFINED: The following definition of privileged access is excerpted from the DoD 8570.01-M, Information Assurance Workforce Improvement Program. Privileged Access is an authorized user who has access to system control, monitoring, administration, criminal investigation, or compliance functions. Privileged access typically provides access to the following system controls: -Access to the control functions of the information system/network, administration of user accounts, etc. -Access to change control parameters (e.g., routing tables, path priorities, addresses) of routers, multiplexers, and other key information system/network equipment or software. -Ability and authority to control and change program files, and other users’ access to data. -Direct access to operating system level functions (also called unmediated access) that would permit system controls to be bypassed or changed. -Access and authority for installing, configuring, monitoring, or troubleshooting the security monitoring functions of information systems/networks (e.g., network/system analyzers; intrusion detection software; firewalls) or in performance of cyber/network defense operations. ************end of Privileged Access Definition********* THE BOTTOM LINE: The association of DoD position sensitivity designation and required investigations is based on IA position of trust system access levels and/or level of responsibility for oversight of systems security in conjunction with the level of security clearance required for military or civilian positions *or type of work performed by contractor employees. The relationship of position sensitivity to clearances, duties and investigations can be delineated as follows: *Special-Sensitive and/or Critical- Sensitive positions: Legacy IT-1 (ADP-1) Privileged users (SAs) and/or ISSM/ISSO and/or TS or TS-SCI clearance SSBI/Tier 5 investigations **Non-Critical Sensitive positions: Legacy IT-2 (ADP-2) Privileged users under direct supervision of an ADP-1 vetted Privileged user and/or Authorized users and/or Confidential or secret security clearance NACLAC, ANACI, NACI/Tier 3 investigations ***Non-Sensitive positions: Legacy IT-3 (ADP-3) and no security clearance; Not Applicable for current DoD cyber security positions In summary the primary criteria for association of DoD position sensitivity designation and required background investigations is the security clearance required for military or civilian positions or for the type of work performed by contractor employees. The second most influential criteria for determination of position sensitivity and background investigations required are information assurance/cyber security positions of trust, which is determined based upon designated legacy ADP/IT levels. Therefore both security clearance and ADP/IT levels must be considered concurrently for designation of position sensitivity and associated background investigations required. The highest level of background investigation required by either security clearance or ADP/IT level for performance of duties must be conducted for incumbents of (military/civilian) positions or duties performed by contractor employees. REFERENCES: DoDI 8500.01, March 14, 2014, SUBJECT: Cybersecurity: Paragraph 10.a-e (Cybersecurity Workforce) DoD 8570.01-M, Information Assurance Workforce Improvement Program, 19 December 2005, Incorporating Change 4, 11/10/2015: Paragraphs C1.4.4.4., C1.4.4.5., C3.2.4.1.2., C3.2.4.2., C3.2.4.8., C4.2.3.1.2., AP1.15 and AP 1.22. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraph 11., Enclosure B, paragraph 2.l. and Enclosure C, paragraph 4. and paragraph 10. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2(1), PS-1, PS-2, PS-3, PS-6(1) and PS-6(2). DoD 5200.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 2, Section 2 and Chapter 8, Section 3, paragraph 8-302.a. Personnel Security. (Current) DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), April 3, 2017, Paragraphs 2.10.d, 2.10.w., 3.3., 3.6., 4.1.a.(2)(m), (r), (u) & (3)(a), (b), (c) and 4.1.b. Civilian Personnel, 4.2. Military Personnel, 4.3. Contractors, 4.4. Consultants, and 7.6.b.(2), . (Legacy) DoD 5200.2-R, Personnel Security Program, Chapter 3, paragraphs C3.1., C3.1.2.1.1.7., C3.1.2.1.2.3., C3.1.3., C.3.2, C3.3 C3.4, C3.4.2, and C3.6.15, C3.7.10, C3.7.11., and Appendix 10. OPM/National Background Investigations Bureau URL: https://www.opm.gov/suitability/ https://nbib.opm.gov/ https://nbib.opm.gov/hr-security-personnel/requesting-opm-personnel-investigations/#url=5.0 *POSITION DESIGNATION TOOL: https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/ The Joint Personnel Adjudication System (JPAS) and the Defense Information System for Security (DISS). Once fully deployed, DISS will replace JPAS to serve as the system of record to perform comprehensive personnel security, suitability and credential eligibility management for all military, civilian, and DOD contractor personnel. These databases reflect position sensitivity, security clearance information and ADP/IT information for vetted individuals.
STIG Date
Traditional Security Checklist 2020-08-26

Details

Check Text ( C-40852r5_chk )
Check procedures for requesting reinvestigations and obtain documentation (proof) that PRs have been submitted on expiring investigations. Any PRs discovered that are not submitted prior to the respective expiration date will result in a finding.

NOTE 1: Generally PRs should be requested about 6-months prior to the 5-year (for SSBI/ T5R – Tier 5 Reinvestigation) and 5-year (for Secret PR/ T3R - Tier 3 Reinvestigation) anniversary of the previous investigation.

NOTE 2: Periodic reviews for secret security clearances and/or ADP/IT-2 positions of trust have been reduced from 10-year to 5-year cycles in the new DoD Personnel Security Manual.

NOTE 3: Other temporary changes (usually a slight increase to the PR timeframe) based on investigation backlogs may occur. Reviewers should base evaluations of compliance on DoD or CC/S/A requirements existing at the time of a site review.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.
Fix Text (F-36326r6_fix)
Ensure there are local procedures for requesting reinvestigations AND that PRs have been submitted on all expiring investigations within required timeframes.

NOTE 1: Generally PRs should be requested about 6-months prior to the 5-year (SSBI/ T5R – Tier 5 Reinvestigation) and 5-year (Secret Periodic Review /T3R - Tier 3 Reinvestigation) anniversary of the previous investigation.

NOTE 2: Periodic reviews for secret security clearances and/or ADP/IT-2 positions of trust have been reduced from 10-year to 5-year cycles in the new DoD Personnel Security Manual.

NOTE 3: Other temporary changes (usually a slight increase to the PR timeframe) based on investigation backlogs may occur and adjustments in the submission timeframe will need to be made. Organizations should maintain documentation from OPM or other authoritative source to support any deviations from the regulatory standards for periodic reviews.