Industrial Security - Contractor Visit Authorization Letters (VALs)

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-245792	ID-02.03.01	SV-245792r917343_rule		Low

Description
Failure to require Visit Authorization Letters (VALs) for contractor visits could result in sensitive or classified materials being released to unauthorized personnel. REFERENCES: NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2, PE-2(1), PE- 3, , PE-8, PS-3(1), PS-6(2) DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.k., 9.l. & 9.m. DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 2, para 7.a. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 6.

Description

Failure to require Visit Authorization Letters (VALs) for contractor visits could result in sensitive or classified materials being released to unauthorized personnel. REFERENCES: NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2, PE-2(1), PE- 3, , PE-8, PS-3(1), PS-6(2) DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.k., 9.l. & 9.m. DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 2, para 7.a. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 6.

STIG	Date
Traditional Security Checklist	2023-05-31

Details

Check Text ( C-49223r917214_chk )
1. Check with the security manager or personnel security specialists to ensure there are written procedures for contractors visiting government sites. 2. Ask to see copies of the site VALs and/or determine site VAL process based on the processing of contractors on your inspection team. 3. Ensure all government facilities have a VAL on file for all contractors visiting the site, including permanent party contractors. NOTES: 1. DISS should and will likely be used for most short-term "visitor" VALs; however, in addition to DISS the VAL may also be passed via hard copy or electronically using email (mail, fax, email) for "assigned" contractor employees. This is because DISS is by design intended for short-term visits, whereas contractor "employee" VALs should require additional information (such as contract number, COR identification, etc.) that cannot be input or passed via DISS. Lack of a hard-copy VAL alone for assigned contractor employees at a site will not necessarily be cause for a finding if a VAL in DISS is available. Reviewers must use discretion when evaluating if the lack of hard-copy VAL has caused any substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in applicable Statements of Work [SOW] and/or DD 254), etc. when deciding if a finding is warranted. For instance, an individual employee's DISS access might indicate they have TS clearance - but the FCL for the company is only at the Secret level and/or the contract only allows for up to Secret access. If the site is allowing access to TS for this individual, the lack of a hard-copy VAL could be cited as a finding, in addition to any other related findings for this discovery. 2. Applies in a tactical environment if contract personnel visit or are assigned. 3. Reviewers should be sure to note in the findings report if the finding concerns DISS issues for short-term contractor visitors or if it concerns "hard-copy" VALs for assigned contractor employees.

Check Text ( C-49223r917214_chk )

1. Check with the security manager or personnel security specialists to ensure there are written procedures for contractors visiting government sites.

2. Ask to see copies of the site VALs and/or determine site VAL process based on the processing of contractors on your inspection team.

3. Ensure all government facilities have a VAL on file for all contractors visiting the site, including permanent party contractors.

NOTES:

1. DISS should and will likely be used for most short-term "visitor" VALs; however, in addition to DISS the VAL may also be passed via hard copy or electronically using email (mail, fax, email) for "assigned" contractor employees. This is because DISS is by design intended for short-term visits, whereas contractor "employee" VALs should require additional information (such as contract number, COR identification, etc.) that cannot be input or passed via DISS. Lack of a hard-copy VAL alone for assigned contractor employees at a site will not necessarily be cause for a finding if a VAL in DISS is available. Reviewers must use discretion when evaluating if the lack of hard-copy VAL has caused any substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in applicable Statements of Work [SOW] and/or DD 254), etc. when deciding if a finding is warranted. For instance, an individual employee's DISS access might indicate they have TS clearance - but the FCL for the company is only at the Secret level and/or the contract only allows for up to Secret access. If the site is allowing access to TS for this individual, the lack of a hard-copy VAL could be cited as a finding, in addition to any other related findings for this discovery.

2. Applies in a tactical environment if contract personnel visit or are assigned.

3. Reviewers should be sure to note in the findings report if the finding concerns DISS issues for short-term contractor visitors or if it concerns "hard-copy" VALs for assigned contractor employees.

Fix Text (F-49178r917215_fix)
1. Written procedures must be developed that cover the requirements and process for VALs for contractors visiting and/or employed at government sites. 2. All government sites must have a VAL on file for each contractor visiting the site temporarily and also for permanent party contractors routinely working/physically employed at the site. NOTES: DISS should be used for most short-term "visitor" VALs; however, in addition to DISS (or as an alternative to JPAS for contractors who do not have DISS accounts) VALs may also be passed via hard copy or electronically using email (mail, fax, email) for "assigned" contractor employees. This is because DISS is by design intended for short-term visits; whereas, contractor "employee" VALs require additional information (such as contract number, COR identification, etc.) that cannot be input or passed via DISS. A hard-copy VAL for assigned contractor employees will help to eliminate substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in applicable SOW and/or DD 254), etc.

Fix Text (F-49178r917215_fix)

1. Written procedures must be developed that cover the requirements and process for VALs for contractors visiting and/or employed at government sites.

2. All government sites must have a VAL on file for each contractor visiting the site temporarily and also for permanent party contractors routinely working/physically employed at the site.

NOTES:

DISS should be used for most short-term "visitor" VALs; however, in addition to DISS (or as an alternative to JPAS for contractors who do not have DISS accounts) VALs may also be passed via hard copy or electronically using email (mail, fax, email) for "assigned" contractor employees. This is because DISS is by design intended for short-term visits; whereas, contractor "employee" VALs require additional information (such as contract number, COR identification, etc.) that cannot be input or passed via DISS.

A hard-copy VAL for assigned contractor employees will help to eliminate substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in applicable SOW and/or DD 254), etc.