Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted)

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-245856	PE-03.02.01	SV-245856r822920_rule		Medium

Description
Failure to properly verify security clearance status could result in an unauthorized person having access to a classified information system or an authorized person being unable to perform assigned duties. REFERENCES: DoD 8570.01-M, Information Assurance Workforce Improvement Program, 19 December 2005, Incorporating Change 4, 11/10/2015 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND): Enclosure C, paragraphs 26.c.(2) (3) and 27.f.(5) (6) NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, MA-5, PE-2, PE-3, and PS-2 DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 2, Section 2 and Chapter 8, Section 3, paragraph 8-302.a. Personnel Security. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 2, paragraphs 1 and 3 DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), April 3, 2017, Paragraphs 3.1.c., 4.1. Civilian Personnel, 4.2. Military Personnel, 4.3. Contractors, 4.4. Consultants. 4.5. Non-U.S. Citizens Employed Overseas in Support of National Security Positions. 4.6. Temporary Employees, 5A.2. Verify Eligibility, and Glossary G.2. Definitions: LAA. Now Cancelled: DoD 5200.2-R, Personnel Security Program, Chapter 3, para C3.4.3., Chapter 7 para C7.1.2. C7.1.3. and Appendix 9, para AP9.2. & AP9.3.6.2. DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals Paragraph 4.4. DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information: Paragraphs 4.6.3., E2.1.4, Enclosure 3 and Enclosure 4.

Description

Failure to properly verify security clearance status could result in an unauthorized person having access to a classified information system or an authorized person being unable to perform assigned duties. REFERENCES: DoD 8570.01-M, Information Assurance Workforce Improvement Program, 19 December 2005, Incorporating Change 4, 11/10/2015 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND): Enclosure C, paragraphs 26.c.(2) (3) and 27.f.(5) (6) NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, MA-5, PE-2, PE-3, and PS-2 DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 2, Section 2 and Chapter 8, Section 3, paragraph 8-302.a. Personnel Security. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 2, paragraphs 1 and 3 DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), April 3, 2017, Paragraphs 3.1.c., 4.1. Civilian Personnel, 4.2. Military Personnel, 4.3. Contractors, 4.4. Consultants. 4.5. Non-U.S. Citizens Employed Overseas in Support of National Security Positions. 4.6. Temporary Employees, 5A.2. Verify Eligibility, and Glossary G.2. Definitions: LAA. Now Cancelled: DoD 5200.2-R, Personnel Security Program, Chapter 3, para C3.4.3., Chapter 7 para C7.1.2. C7.1.3. and Appendix 9, para AP9.2. & AP9.3.6.2. DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals Paragraph 4.4. DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information: Paragraphs 4.6.3., E2.1.4, Enclosure 3 and Enclosure 4.

STIG	Date
Traditional Security Checklist	2022-09-22

Details

Check Text ( C-49287r770228_chk )
Background Information: When checking how an organization validates security clearance information for either systems or physical access the first thing to consider is that there are various categories of personnel and associated considerations with each one. These categories include: Military employees, Government Civilian employees, Contract employees, Foreign Nationals and Local National employees under a Status of Forces (SOFA) agreement and Visitors. Generally, an organization validation of security clearance levels should come from official databases such as JPAS, DCII, a service or agency data base or "high level" (major subordinate command) headquarters security office. Also note that organization manning (staffing) documents should include the required clearance level for each assigned Military and Civilian position. Staffing documents should be requested by inspectors for review. The minimum security clearance requirement for systems access to the SIPRNet or unescorted access to the physical environment surrounding SIPRNet system information technology assets is secret. Local procedures must be developed for verifying that all personnel with access to classified information systems (logical or physical access) have the appropriate security clearance and access authorization. Inspectors should review local procedures. Checks: Check #1. Review a sample of the organization personnel security records (from local data bases, physical files, JPAS...) and compare with applicable System Access Authorization Request (SAAR) forms to ensure proper validation of clearance levels for access to the SIPRNet (both logical systems access and/or physical access to SIPRNet environments). Minimum of secret security clearance is required. Check organizational records against the JPAS data base if possible. Ensure that organizational manning records (security clearance requirements for the position occupied) match the actual security clearance held by the incumbent employee (military or DoD civilian) as reflected in JPAS. Because it is generally not feasible to review all records it is recommended to select where possible ALL those who have "privileged" systems access or responsibility for oversight of systems security (such as SAs, ISSM, ISSOs, Network Admin, etc.) along with key management personnel (commander/director, ISSM, division/branch chiefs, etc.) and supplement with a random sample of those with basic "user" access to systems. Check #2. If there are contractor employees with classified systems access (SIPRNet) (both logical and/or physical access) - check to ensure there is a Statement of Work with accompanying DD 254 ("Classified" Contract Security Specification) that covers security clearance requirements for each type of work (or specified positions) being performed by contractors. Check #3. Check to ensure that contractor employees performing the tasks outlined in the Statement of Work and/or DD Form 254 actually have the security clearance required by the contract - minimum secret for SIPRNet access. If possible validate this in the JPAS data base. Check #4. Check that a delegation of disclosure authority letter (DDL) is on-hand in all cases where US Classified information is released/shared with Foreign National Exchange or Liaison personnel who are either assigned to or visiting the site. The DDL will reflect the level of security clearance the FN official has and the level and type of information authorized to be shared. Check #5. Check to ensure that a Limited Access Authorization (LAA) is on hand when system access (or physical access) to classified information is granted to an immigrant alien or a foreign national - not associated with or representing a foreign government. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Check Text ( C-49287r770228_chk )

Background Information:

When checking how an organization validates security clearance information for either systems or physical access the first thing to consider is that there are various categories of personnel and associated considerations with each one. These categories include: Military employees, Government Civilian employees, Contract employees, Foreign Nationals and Local National employees under a Status of Forces (SOFA) agreement and Visitors.

Generally, an organization validation of security clearance levels should come from official databases such as JPAS, DCII, a service or agency data base or "high level" (major subordinate command) headquarters security office. Also note that organization manning (staffing) documents should include the required clearance level for each assigned Military and Civilian position. Staffing documents should be requested by inspectors for review.

The minimum security clearance requirement for systems access to the SIPRNet or unescorted access to the physical environment surrounding SIPRNet system information technology assets is secret.

Local procedures must be developed for verifying that all personnel with access to classified information systems (logical or physical access) have the appropriate security clearance and access authorization. Inspectors should review local procedures.

Checks:

Check #1. Review a sample of the organization personnel security records (from local data bases, physical files, JPAS...) and compare with applicable System Access Authorization Request (SAAR) forms to ensure proper validation of clearance levels for access to the SIPRNet (both logical systems access and/or physical access to SIPRNet environments). Minimum of secret security clearance is required. Check organizational records against the JPAS data base if possible. Ensure that organizational manning records (security clearance requirements for the position occupied) match the actual security clearance held by the incumbent employee (military or DoD civilian) as reflected in JPAS.
Because it is generally not feasible to review all records it is recommended to select where possible ALL those who have "privileged" systems access or responsibility for oversight of systems security (such as SAs, ISSM, ISSOs, Network Admin, etc.) along with key management personnel (commander/director, ISSM, division/branch chiefs, etc.) and supplement with a random sample of those with basic "user" access to systems.

Check #2. If there are contractor employees with classified systems access (SIPRNet) (both logical and/or physical access) - check to ensure there is a Statement of Work with accompanying DD 254 ("Classified" Contract Security Specification) that covers security clearance requirements for each type of work (or specified positions) being performed by contractors.

Check #3. Check to ensure that contractor employees performing the tasks outlined in the Statement of Work and/or DD Form 254 actually have the security clearance required by the contract - minimum secret for SIPRNet access. If possible validate this in the JPAS data base.

Check #4. Check that a delegation of disclosure authority letter (DDL) is on-hand in all cases where US Classified information is released/shared with Foreign National Exchange or Liaison personnel who are either assigned to or visiting the site. The DDL will reflect the level of security clearance the FN official has and the level and type of information authorized to be shared.

Check #5. Check to ensure that a Limited Access Authorization (LAA) is on hand when system access (or physical access) to classified information is granted to an immigrant alien or a foreign national - not associated with or representing a foreign government.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Fix Text (F-49242r770229_fix)
Background Information: When developing an organizational program to validate security clearance information for systems access and/or physical access to SIPRNet work environments, the first thing to consider is there are various categories of personnel and associated considerations with each one. These categories include: Military employees, Government Civilian employees, Contract employees, Foreign Nationals and Local National employees under a Status of Forces (SOFA) agreement and Visitors. The minimum security clearance requirement for systems access to the SIPRNet or unescorted access to the physical environment surrounding SIPRNet system information technology assets is secret. Generally, an organization validation of security clearance levels should come from official databases such as JPAS, DCII, a service or agency data base or "high level" (major subordinate command) headquarters security office. Also note that organization manning (staffing) documents should include the required clearance level for each assigned Military and Civilian position. Local procedures must be developed for verifying that all personnel with access to classified information systems (logical or physical access) have the appropriate security clearance and access authorization. Fixes: 1. Ensure that organizational manning (staffing) records (*security clearance requirements for the position occupied) match the actual security clearance held by the incumbent employee (military or DoD civilian) as reflected in JPAS. Review all the organization personnel security records and compare with applicable System Access Authorization Request (SAAR) forms to ensure proper validation of clearance levels. Be especially aware of ALL those who have "privileged" systems access or responsibility for systems security oversight (such as SAs, ISSM, ISSOs, Network Admin, etc.) and ensure that correct clearance and IT assurance levels have been granted. 2. If there are contract employees with systems and/or physical access to SIPRNet, ensure there is a Statement of Work with accompanying DD 254 (Contract Security Specification) that covers security clearance requirements for each type of work being performed by contractors. Review contractor records (those physical assigned to the site or working remotely on projects for the organization) to ensure they actually have the required security clearances. 3. Ensure that a delegation of disclosure authority letter (DDL) is on-hand in all cases where US Classified information is released/shared with Foreign National Exchange or Liaison personnel. 4. Ensure that a Limited Access Authorization (LAA) is on hand when system access to classified information is granted to an immigrant alien or a foreign national - not associated with or representing a foreign government. 5. Ensure there is an organizational procedure developed to outline methodology for validation and maintenance of required security clearances.

Fix Text (F-49242r770229_fix)

Background Information:

When developing an organizational program to validate security clearance information for systems access and/or physical access to SIPRNet work environments, the first thing to consider is there are various categories of personnel and associated considerations with each one. These categories include: Military employees, Government Civilian employees, Contract employees, Foreign Nationals and Local National employees under a Status of Forces (SOFA) agreement and Visitors.

The minimum security clearance requirement for systems access to the SIPRNet or unescorted access to the physical environment surrounding SIPRNet system information technology assets is secret.

Generally, an organization validation of security clearance levels should come from official databases such as JPAS, DCII, a service or agency data base or "high level" (major subordinate command) headquarters security office. Also note that organization manning (staffing) documents should include the required clearance level for each assigned Military and Civilian position.

Local procedures must be developed for verifying that all personnel with access to classified information systems (logical or physical access) have the appropriate security clearance and access authorization.

Fixes:

1. Ensure that organizational manning (staffing) records (*security clearance requirements for the position occupied) match the actual security clearance held by the incumbent employee (military or DoD civilian) as reflected in JPAS. Review all the organization personnel security records and compare with applicable System Access Authorization Request (SAAR) forms to ensure proper validation of clearance levels. Be especially aware of ALL those who have "privileged" systems access or responsibility for systems security oversight (such as SAs, ISSM, ISSOs, Network Admin, etc.) and ensure that correct clearance and IT assurance levels have been granted.

2. If there are contract employees with systems and/or physical access to SIPRNet, ensure there is a Statement of Work with accompanying DD 254 (Contract Security Specification) that covers security clearance requirements for each type of work being performed by contractors. Review contractor records (those physical assigned to the site or working remotely on projects for the organization) to ensure they actually have the required security clearances.

3. Ensure that a delegation of disclosure authority letter (DDL) is on-hand in all cases where US Classified information is released/shared with Foreign National Exchange or Liaison personnel.

4. Ensure that a Limited Access Authorization (LAA) is on hand when system access to classified information is granted to an immigrant alien or a foreign national - not associated with or representing a foreign government.

5. Ensure there is an organizational procedure developed to outline methodology for validation and maintenance of required security clearances.