OCCUPATIONAL SAFETY AND HEALTH REVIEW COMMISSION
OSHRC OA 101
October 27, 2005
Personal Identity Verification of Occupational Safety and Health Review Commission Employees and Contractors
I. PURPOSE
This directive provides policies and
procedures to be followed by the Occupational Safety and Health Review
Commission (Review Commission or OSHRC) to meet requirements established
through Homeland Security Presidential Directive (HSPD)-12 and Government-wide
standards and requirements. Specifically,
it addresses Part I - Common Identification, Security and Privacy
Requirements, which is the minimum requirement for a Federal personal
identity verification (PIV) system that meets the control and security
objectives of HSPD-12. It includes the
personal identity proofing, registration, and issuance process for employees
and contractors.[1]
II. AUTHORITY
· Homeland Security Presidential Directive HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors, dated August 27, 2004.
· U.S. Department of Commerce, National Institute of Standards and Technology (NIST), Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, dated February 25, 2005.
· OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD)-12 Policy for a Common Identification Standard for Federal Employees and Contractors, dated August 5, 2005.
III. BACKGROUND
HSPD-12 requires that all government
agencies develop specific and consistent standards for both physical and
logical identification systems. NIST's
FIPS 201 establishes detailed standards on implementing processes and systems
to fulfill the requirements of HSPD-12.
FIPS 201 specifies a PIV system within
which common identification credentials can be created, and later used to
verify a claimed identity. It also
defines a reliable, government-wide PIV system for use in applications such as
access to federally controlled facilities and information systems. FIPS 201 outlines two phases to implementing
an HSPD-12 program. Phase I (PIV I)
describes the registration, identity proofing, and issuance procedures, and
Phase II (PIV II) describes the technical and interoperability requirements of
an HSPD-12 compliant system. PIV II
includes card elements, systems interfaces, and security controls required to
securely store and retrieve data from the card.
IV. APPLICABILITY
The FIPS 201 standard applies to
individuals employed by, detailed to, or assigned to the Review Commission and
all individuals under long-term (six months or longer) contract to the Review
Commission. The standard is applicable
to credentials that the Review Commission issues to its employees and
contractors for gaining physical access to federally controlled facilities and
logical access to federally controlled information systems.
PIV I requires the implementation of
registration, identity proofing, and issuance procedures in line with the
requirements of FIPS 201. PIV I does not
require the implementation of any new systems or technology. It applies to new long-term (six
months or longer) employees and contractors who begin work at the Review
Commission on or after October 27, 2005. These individuals will have to follow
the procedures outlined in section IX (B) below to apply for and receive their
credentials. The Review Commission will continue to issue existing credentials
under PIV I, but the process for application and issuance will be different.
It is not required that temporary
employees and “occasional visitors” to the Review Commission facilities be
subject to PIV requirements. Therefore,
temporary employees and contractors (less than six months) will not be subject
to PIV requirements under FIPS 201; however, they may be required to undergo a
limited reference check, following an agency risk-based assessment of the need
for such.[2]
V. SCHEDULES AND DEADLINES
The agency must create and implement a PIV I compliant process no later than
October 27, 2005. The agency will apply the PIV I credential
process to all new Review Commission employees and contractors who begin
working for the Review Commission on or after October 27, 2005.
All current Review Commission
employees and contractors should be identity proofed no later than October 27,
2007 and all employees will be issued a FIPS 201
compliant card as their sole identification card for the Review Commission by
October 27, 2007.
By October 27, 2007, the agency will
verify and/or complete background investigations for all current employees,
contractors and other applicable individuals.
The agency must create and implement a PIV
II compliant system no later than
October 27, 2006.
VI. DEFINITIONS
Access control - the process of granting or denying
requests to access physical facilities or areas, or logical systems (i.e.,
computer networks or software applications). See also "logical access
control system" and "physical access control system."
Authentication - the process of establishing an
individual's identity and determining whether individual Federal employees or
contractors are who they say they are.
Authorization - process of giving individuals access to
specific areas or systems based on their authentication.
Biometric - a measurable physical characteristic
used to recognize the identity of an individual. Examples include fingerprints
and facial images. A biometric system
uses biometric data for authentication purposes.
Contractor - an individual under contract to a
department or agency requiring routine access to federally controlled
facilities and/or federally controlled information systems to whom Federal
agency identity credentials would be issued, consistent with the agency’s
security policies.
e-QIP Tracking Number - number assigned by the Electronic
Questionnaire for Investigations Processing (e-QIP) to each SF-85 application.
This tracking number must be written on the fingerprint card
when it is submitted to OMB in order to bind the fingerprint card to the proper
applicant.
FBI Fingerprint Check - fingerprint check of the FBI
fingerprint files. This check is an integral part of the NACI, and is the
minimum requirement for provisional card issuance.
FD-258 - fingerprint chart to accompany the NACI request when the individual
to be investigated is a contractor (neither a Federal employee nor an applicant
for Federal employment), or when agreed to by the Office of Personnel
Management (OPM) Federal Investigations Processing Center (FIPC).
Identity Proofing - the process of providing sufficient
information (e.g., driver's license, proof of current address, etc.) to a
registration authority, or the process of verifying an individual's information
that he or she is that individual and no other.
Logical Access Control System (LACS) - protection mechanisms that limit users'
access to information and restrict access on the system to only what is
appropriate for them. These systems may be built into an operating system,
application, or an added system.
National Agency Check (NAC) - part of the National Agency Check
with Written Inquiries. Standard NACs
consist of searches of the Security/Suitability/Investigations Index (SSI),
Defense Clearance and Investigation Index (DCII), FBI Name Check, and FBI
National Criminal History Fingerprint Check.
National Agency Check with Written Inquiries (NACI) -
the basic and minimum investigation required for all new Federal employees and
contractors consisting of searches of the OPM Security/Suitability
Investigations Index (SII), the Defense Clearance and Investigations Index
(DCII), the Federal Bureau of Investigation (FBI) Identification Division's
name, fingerprint files, and other files or indices when necessary. A NACI also includes written inquiries and
searches of records covering specific areas of an individual's background
during the past five years (inquiries sent to current and past employers,
schools attended, references, and local law enforcement authorities). Coverage includes: employment (five years);
education (five years and highest degree verified); residence (three years);
references; law enforcement (five years); and NACs.
Physical Access Control System (PACS) - protection mechanisms that limit users'
access to physical facilities or areas to only what is appropriate for
them. These systems typically involve a
combination of hardware and software (e.g., a card reader), and may involve
human control (e.g., a security guard).
PIV II Credential - a government-issued credit card-sized
identification that contains a contact and contactless chip. The holder's facial image will be printed on
the card along with other identifying information and security features. The contact chip will store a PKI
certificate, the CHUID, and a fingerprint biometric, both of which can be used
to authenticate the user for physical access to federally controlled facilities
and logical access to federally controlled information systems.
Public Key Infrastructure (PKI) - A service that provides cryptographic
keys needed to perform digital signature-based identity verification, and to
protect communications and storage of sensitive data.
SF-87 - fingerprint chart to accompany the NACI request when the
individual to be investigated is a Federal employee or applicant for Federal
employment.
Submitting Office Number (SON) - number assigned by OPM to identify the
office that submitted the NACI request.
VII. PRIVACY POLICY
HSPD-12 explicitly states that
"protect[ing] personal privacy" is a requirement of the PIV
system. As such, the Review Commission
shall implement the PIV system in accordance with the spirit and letter of all
privacy controls specified in FIPS 201, as well as those specified in Federal
privacy laws and policies. This
includes, but is not limited to, the E-Government Act of 2002; the Privacy Act
of 1974; OMB Memorandum M-03-22, OMB
Guidance for Implementing the Privacy Provisions of the E-Government Act of
2002, dated September 26, 2003; and OMB Memorandum M-05-24, Implementation of Homeland Security
Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard
for Federal Employees and Contractors, dated August 5, 2005.
Background investigation records are
subject to the Privacy Act. The Review
Commission must ensure those records are:
· Secured against unauthorized access;
· Accessed by only those whose official duties require such access; and
· Stored in a locked metal file cabinet or secure room.
The Review Commission will also:
· Establish procedures to allow employees or their designated representatives access to their records, while ensuring that the records remain subject to agency control at all times;
· Ensure that those authorized to access personnel records subject to the Privacy Act understand how to apply the Act's restrictions on disclosing information from a system of records;
· Oversee privacy-related matters associated with implementing the agency’s HSPD-12 program, and submit to OMB and make publicly available a comprehensive privacy impact assessment (PIA) of the program, including an analysis of any information technology systems used to implement this directive;
· Review and update the PIA periodically; and
· Complete the actions required in OMB guidance.[3]
VIII. NACI/OPM/NS BI REQUIREMENTS
A NACI is the minimal background
investigation that must be performed for all individuals to whom this directive
applies, except when the position requires a higher-level OPM/NS BI. In such cases, the OPM/NS BI shall be
scheduled in lieu of the NACI.
These requirements may also be satisfied
by locating and referencing a completed and successfully adjudicated NACI or
other higher level OPM/NS BI. To locate
and reference an already completed and successfully adjudicated NACI, contact
the Human Resource Specialist. If the
Applicant indicates that he/she has already been awarded a specified level of
security clearance based on a NACI/Other BI from previous employment, the
previous employer's human resources or personnel security office should be
contacted to obtain a copy of the certificate or the original. The certificate from the previous employer
must be current from the date of inquiry. OPM may also be contacted to verify
the level of security.
The Office of Administration, in
consultation with the Office of General Counsel, is responsible for determining
the position sensitivity designation for all positions and for ensuring that
employees have the appropriate investigation that corresponds to that
determination. It must also ensure that
periodic reinvestigations are scheduled as required. The Human Resource
Specialist or the Executive Officer will submit the NACI SF-85, Questionnaire
for Non-Sensitive Positions directly to OPM.
Before issuing a credential, the agency
should receive notification of the results of the National Agency Check. If the agency has not received the results
within five days, the identity credential can be issued based on the FBI
National Criminal History Fingerprint Check (FBI fingerprint check). The Registrar may issue a credential approval
after the successful completion of a fingerprint check; however, the completion
and successful adjudication of a full NACI is still required for all
Applicants. Refer to section IX (B)
below and Appendix B for specific instructions on completing and adjudicating
the NACI.
IX. REGISTRATION, IDENTITY PROOFING AND CREDENTIAL ISSUANCE
The agency will use a manual Role-Based Model specified below to register, identity proof, and credential
applicants. This process uses inspection
of identity source documents and background checks to establish assurance of
identity. All actions taken for
approval/denial of requests by all participants in the process shall have an
auditable trail, which is a critical control component in establishing the
chain of trust for PIV issuance and management.[4]
Auditing identity proofing and registration records may take place
periodically.
A. Role Based System
The PIV I process contains critical roles associated with the identity proofing,
registration, and issuance process. These roles are ancillary roles assigned to
agency personnel who have other primary duties. No single individual may assume
more than one of these roles in the process, with the exception of the
Adjudicator role. (An individual may
assume the role of Adjudicator and Sponsor or Adjudicator and Registrar.) The following roles shall be employed for
registering and identity proofing an Applicant, and issuing an Applicant a
credential.
1. Roles and Responsibilities
(a) PIV Applicant
The Applicant is the individual to whom a
PIV credential needs to be issued. The
Applicant will:
· Complete required forms;
· Appear in person during various stages of the process;
· Provide two forms of identity source I-9 documents (OMB No. 1115-0136 Employment Eligibility Verification) in original form to Registrar, one of which must be a valid State or Federal government-issued picture identification to prove claimed identity.
(b) PIV Sponsor
The Sponsor is the individual who
substantiates the need for a PIV credential to be issued to the Applicant and provides
sponsorship to the Applicant. The
Sponsor will:
· Authorize the request for a PIV credential;
· Coordinate initial registration activities; and
· Serve as intermediary between Applicant and Registrar, if necessary.
(c) PIV Registrar
The Registrar is the entity or individual
responsible for identity proofing the Applicant, coordinating NACI activities,
and ensuring the successful completion of the background checks. The PIV Registrar provides the final approval
for issuance of a PIV credential to the Applicant. The Registrar is a
role that may be performed by more than one person.
The Registrar will:
· Compare Applicant’s information contained in the PIV Request (e.g., full name, date of birth, contact information) with the information provided by Applicant;
· Retain copies of required information in a personnel security file (e.g., a facial image and fingerprints of Applicant, completed and signed PIV Request, completed and signed SF-85 or equivalent form received from Applicant, information related to the checked identity source documents, results of the required background check, and other materials used to prove the identity of Applicant);
· Require Applicant to be fingerprinted at a facility referred to Applicant (e.g., a designated DOI facility or other secured location);
· Initiate a NACI on Applicant as required by Executive Order 10450 by forwarding the information to OPM by overnight/FedEx or by certified mail, return receipt requested;
· Approve or Deny Issuance of PIV card;
· Notify the PIV Sponsor and PIV Issuer that Applicant has been approved or denied the issuance of PIV credential; and
· Provide required information to PIV Issuer through a secure process.
(d) Office of Personnel Management (OPM)
The OPM is responsible for conducting the
NACI and FBI Fingerprint Check.
(e) PIV Adjudicator
The PIV Adjudicator is responsible for determining whether or
not the Applicant is eligible to receive a PIV Card, based on
results obtained from OPM. The
Adjudicator will:
· Confirm fingerprint check results;
· Adjudicate NACI and attempt to resolve issues; and
· Notify Registrar of results.
(f) PIV Issuer
The PIV Issuer is an individual or entity
that performs credential personalization operations and issues the identity
credential to the Applicant after all identity proofing, fingerprint checks,
and related approvals have been completed.
The Issuer will:
· Confirm Applicant identification source documents;
· Capture photo, validate that the appearance of the individual matches the picture being printed on the PIV credential, and store duplicate photo in the personnel security file;
· Issue provisional or new PIV credential;
· Obtain a signature from Applicant (now PIV credential holder) attesting to Applicant’s acceptance of the PIV credential;
· Notify PIV Sponsor and designated PIV Registrar of the successful or unsuccessful personalization and issuance of the credential;
· Maintain records (completed and formally authorized PIV Request, approval notice from PIV Registrar, name of PIV credential holder, credential identifier, expiration date of the PIV credential, and signed acceptance form from PIV credential holder); and
· Control PIV credential stock to ensure stock is only used to issue valid credentials.
B. Registration, Identity Proofing, and Issuance Procedures
The following is a sequential list of steps to be followed when
applying for and issuing a credential that is compliant with the Review
Commission's PIV I identity proofing and registration process.
(1) Sponsor - Send new hire
package to Applicant with PIV registration instructions. Simultaneously notify Registrar of the
request for PIV credential. Complete
Sponsor section of Personal Identity Verification Request for OSHRC Credential
(OSHRC PIV Request Form). See Appendix A.
· Federal Employee New Hire Package includes: OF-306 (Declaration of Employment) and SF-87 (fingerprint chart) with instructions on where to obtain fingerprints; and instructions for accessing and completing SF-85 online and downloading it as a hard copy.
· Contractor New Hire Package includes: OF-306 (Declaration of Employment) and FD-258 (fingerprint chart) with instructions on where to obtain fingerprints; and instructions for accessing SF-85 online and downloading it as a hard copy.
(2) Registrar - Confirm the validity of the PIV request. Confirm registration requirements with
Applicant.
(3) Applicant - Complete OF-306, SF-85 form, and
fingerprint card per agency instructions in new hire package. OPM questionnaire
is located at
http://www.opm.gov/forms/pdf_fill/SF85.pdf
(4) Applicant - Appear in person in front of Registrar
with completed forms from new hire package, résumé, and two identity source
documents in original form. The identity
source documents must come from the list of acceptable documents shown on Form
I-9, OMB No. 1115-0136, Employment
Eligibility Verification. At least
one document should be a valid State or Federal government-issued picture
identification (ID) card.
(5) Registrar - Inspect and validate the identity
source documents, OF-306, résumé, and fingerprint card from Applicant. Verify
that Applicant is the individual pictured in the government-issued picture
identification. Complete Registrar section
of OSHRC PIV Request Form and record information from the identity source
documents.
(6) Registrar - Copy OF-306, résumé, and fingerprint
chart and attach to Applicant's SF-85 to send to OPM to initiate a NACI on
behalf of Applicant.
(7) Registrar - Send
Applicant’s completed package and fingerprint chart by secure method to OPM.
(8) OPM - Run fingerprint check based on fingerprint card. Send results to
Adjudicator.
(9) Adjudicator - Verify that fingerprint check results
received from OPM are successfully/unsuccessfully adjudicated and notify
Registrar.
(10) Registrar - Review results of fingerprint check from
Adjudicator. If approved, complete
Registrar section of OSHRC PIV Request Form.
(Applicants may be issued a provisional credential after the FBI
Fingerprint Check portion of the NACI is successfully completed.) Send approval notification to Sponsor and
Issuer to issue provisional credential; go to step 12. If denied due to unusable fingerprints or incorrect
identity, notify Sponsor; go to step 11.
(11) Registrar - If fingerprint check was unsuccessful
(unusable fingerprints,
incorrect identity), determine whether to
proceed with another fingerprint
check or terminate the process.
(12) Registrar - Contact Applicant after approval
and inform Applicant to appear in person in front of Issuer with identification
source documents to receive credential.
(13) Applicant - Appear in person in front of Issuer and
present State or
Federal ID.
(14) Issuer - Confirm Applicant's identity in person
by verifying State or
Federal ID with source document
information on OSHRC PIV Request Form received from Registrar.
(15) Issuer - Photograph Applicant or send Applicant
to a designated location to obtain a photograph and issue credential
(provisional credential if the NACI has not been completed). Complete Issuer section of OSHRC PIV Request
Form.
(16) Applicant - Complete Applicant section of OSHRC PIV
Request Form acknowledging acceptance of credential.
(17) Issuer - Forward completed OSHRC PIV Request Form
to Registrar to maintain in the personnel security file.
(18) Registrar - Receive completed OSHRC PIV Request Form
from Issuer and update personnel security file with original completed OSHRC
PIV Request Form.
NACI completion
(19) OPM - Conduct NACI and send final results to
Adjudicator. Step 19 follows Step 8 and
can be completed concurrently with the activities in steps 9 through 18.
(20) Adjudicator - Adjudicate NACI according to the
adjudication criteria listed in Appendix B and 5 C.F.R. pt. 731. Notify Registrar and Sponsor of successful
NACI.
(21) Adjudicator - Attempt to resolve any issues directly
with Applicant.
(22) Adjudicator - If NACI adjudication is successful,
notify Registrar, complete OFI-79A, store copy of OFI-79A in the personnel
security file and Letter of Adjudication in the OPF, and forward original
OFI-79A to OPM; go to step 23. If NACI
adjudication is unsuccessful, notify Registrar and Sponsor; go to step 24.
(23) Registrar - If a successful NACI is received from
Adjudicator, remove provisional status from credential and update personnel
security file.
(24) Registrar - If NACI is unsuccessful, update
personnel security file and revoke credential.
(25) Sponsor - Notify Applicant of unsuccessful NACI,
recover credential, and advise Applicant of appeal rights.
(26) Applicant - Appeal an unsuccessful
adjudication (optional).
X. APPEAL PROCEDURES FOR DENIAL OF CREDENTIAL
In the event of an unsuccessful
adjudication, the appeal procedures noted below will be followed.
A. Appeal Rights for Federal Service PIV Applicants
When the PIV Adjudicator determines that a
PIV Applicant has not provided his or her true identity during the registration
process or is otherwise found unsuitable, and the determination results in a
decision by the agency to withdraw an employment offer, or remove the employee
from the federal service, the appeals rights of either 5 C.F.R. pt. 315,
subpart H (probationary employees); 5 C.F.R. pt. 731, subparts D and E
(suitability); or 5 C.F.R. pt. 752, subparts D through F (adverse actions),
will be followed, depending on the employment status of the federal service
applicant, appointee, or employee. And
to the extent required by these provisions, the procedures of 5 C.F.R. pt. 1201
(practices and procedures of the Merit Systems Protection Board) will be followed.
Employees who are removed from Federal
service are entitled to dispute this action using applicable grievance, appeal,
or complaint procedures available under Federal regulations, or Review
Commission directives.