OIT CONTRACTOR ONBOARDING AND SECURITY TRAINING TMS 4183250

OI&T CONTRACTOR ON-BOARDING AND SECURITY TRAINING (TMS # 4183250) OI&T Contractor On-Boarding and Security Training 1

Learning Outcomes
• Determine the purpose of regulatory guidelines
• Identify the elements of a Pre-Contract
• Identify the elements of a Post Contract
• Understand the OI&T Contractor On-Boarding Process
• Execute appropriate actions

Purpose
• This training module uses National and VA policy and procedures to build a foundation of understanding and standardize processes and procedures for contractor onboarding.
• This training will assist the Contracting Officer Representatives (COR) in conducting their security responsibilities and enhance their understanding of processes and procedures for implementing security in appropriate contracts and acquisitions.
• At the end of the training you should understand your role as a COR in the on-boarding and security processes.

Pre Award
1. Information Security Requirements
2. Position Designation Automated Tool (PDT)
3. Information Security Checklist
4. Recommended Contract Language
5. Federal Acquisition Regulation
6. CRISP Screening Checklist
7. Government Furnished Equipment Forecasting

Steps to Identify Security Requirements
1. Identify security requirement using the Position Designation Automated Tool (PDT)
2. Complete security section in draft acquisition package
3. Prepare Personnel security section in Performance Work Statement (PWS)
4. Complete CRISP Screening checklist
5. Complete and obtain signatures for Appendix A and C in VA Handbook 6500.6

Position Designation Automated Tool
Program Manager/Project Manager/COR/Sponsor or delegate uses the Position Designation Automated Tool (PDT) on OPM’s website (https://www.opm.gov/investigations/backgroundinvestigations/position-designation-tool/pdt/home/index) to determine the appropriate level of investigation.
The PDT determines security requirements for the position(s) based on job designation and degree of risk. It classifies the level of risk into 3 tiers:
• Tier 1 – Low Risk
• Tier 2 – Moderate Risk
• Tier 4 – High Risk
TIP: Recommend printing the PDT Summary Form and filing it with the contract.
TIP: Shut off enterprise mode before printing the PDT Summary.

Position Designation Automated Tool (cont.)
• Example Scenario: Contract for Electronic Data Management Service.
o Database system capable of meeting Veterans Administration ‘Research and Development’ requirements.
o The system needs to be computer and internet based, used as a method of collecting, storing, utilizing, and transmitting data, including reviews, in research involving human participants as well as animals and basic science.
o The system owner must be permitted to register an unlimited number of users for the data management system.

Position Designation Automated Tool (cont.)
• Example Scenario (cont.):
o There is no additional charge to the institution beyond the maintenance fee.
o The system owner must retain its rights and ownership of all content placed in the data management system.
o All data must be protected and the system owner must be provided access to the Service in accordance with commercially reasonable measures.
o The system owner will be solely and entirely responsible for the local management of our own information on VA equipment.

Position Designation Automated Tool (1 of 14)
Demonstration of OPM’s website: OPM Website

Position Designation Automated Tool (2 of 14)
• Use OPM’s website: Position Designation Automated Tool (http://www.opm.gov/investigate/resources/position/index.aspx)


Information Security Checklist
Appendix A, 6500.6 Handbook
Checklist for Information Security is completed in the Initiation Phase of all IT service acquisitions.

Recommended Contract Language
Appendix C, 6500.6 Handbook
1. Limit access to VA Information and VA information systems
2. Restrict the co-mingling of VA information with other data - custodial language
3. Comply with all VA and Federal directives for system design, development, and privacy control
4. Information system hosting, operation, maintenance, or used at non-VA facilities

Recommended Contract Language
Appendix C, 6500.6 Handbook (cont.)
5. Contractor is required to immediately notify COR and investigate security incident/event
6. Liable to VA for liquidated damages for data breach or privacy incident
7. VA has right to evaluate/test contractor’s compliance with security controls and privacy practices
8. Contractor must complete mandatory training and sign Rules of Behavior before accessing VA network

Federal Acquisition Regulation (FAR) Security Requirement
• The FAR requires a security requirements paragraph in every acquisition package.
• The following language must be included in the Security Section of the Performance Work Statement (PWS).
FAR 7.105(b)(18): Security considerations. For acquisitions dealing with classified matters, discuss how adequate security will be established, maintained, and monitored (see FAR subpart 4.4). For information technology acquisitions, discuss how agency information security requirements will be met. For acquisitions requiring routine contractor physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system, discuss how agency requirements for personal identity verification of contractors will be met (see FAR subpart 4.13).

Federal Acquisition Regulation (FAR) Security Requirement (cont.)
• Enterprise Program/Project Management Manual (EP/PMM) (https://vaww.vaco.portal.va.gov/sites/OAL/Academy/PM_School/EPPM%20Online%20Manual%20%20Toolkit/index.ht) located on the VA Acquisition Academy website
• Acquisition Plan (Para 2.16) discusses security requirements
• Manual contains contract language templates
2.16 Security Requirements
List and briefly describe all applicable security requirements. For acquisitions dealing with classified matters, explain how adequate security will be established, maintained and monitored. Reference: FAR 7.105(b)(18)
Security will be maintained by requiring security badges at the appropriate level for all contractors. Physical access records and data access records will be reviewed daily to ensure that contractors are operating within the security requirements. Any security breach by a contractor will stop all contractor work and an investigation will be required. The contractor will not be relieved of required contractual delivery due to a security breach.

Initiate Continuous Readiness in Information Security Program (CRISP) Screening Checklist
Link to CRISP Checklist (http://vaww.oed.wss.va.gov/process/Library/crisp_screening_checklist.docx)

Government Furnished Equipment / Government Furnished Space (GFE/GFS) Forecasting
• GFE/GFS Form is used prior to award
• Asset Management Group uses GFE/GFS Form to forecast hardware requirements
• GFE/GFS Form includes an ITARS number and the link to Resource Decision Matrix

Resource Decision Matrix
Assists Asset Management Staff and COR to forecast the number of laptops required on a future contract

Post Award
• Contractor On-Boarding Rep’s Role
• Receive & Validate Information
• Fingerprinting Process
• On-Boarding Documents
• Investigations

Post Award (cont.)
• Training
• Network Access
• VA PIV Card
• Government Furnished Equipment (GFE)
• Elevated Privileges

Post Contractor Award

Contractor On-Boarding Process
• Contractor on-boarding process (CONB) is fully documented in ProPath.
• Includes process map, RACI Chart, and artifacts (Toolkit, Forms, Worksheet, & Checklist)
• Click to link to ProPath CONB process (http://vaww.oed.wss.va.gov/process/maps/process_CONB.pdf)
• OI&T Contractor On-boarding Processing Toolkit (http://vaww.oed.wss.va.gov/process/Library/oit_contractor_onboarding_processing_toolkit.pdf) outlines the process steps
• Click to link to ProPath CONB process for Toolkit and other artifacts
• New OI&T Contractor On-boarding Process (https://www.vapulse.net/groups/new-oit-contractor-onboardingprocess) Group on VA Pulse

Contractor On-Boarding Process (cont.)
• When a new contractor is hired for a new or existing contract:
1. Contractor On-Boarding Representative will notify COR or government Lead that on-boarding is required
2. On-boarding process will begin immediately
• TIP: Not every contractor will be required to complete every process activity. Consult with the COR if there are any questions.
• COR is required to use the OI&T Contractor On-boarding Tracking Tool to track the on-boarding of every new contractor.
• TIP: “First time users” will need to request access to the OI&T Contractor On-boarding Tracking Tool, and the COR will have to request access for the Contractor On-Boarding Representative

OI&T Contractor On-boarding Tracking Tool
Create an entry in the OI&T Contractor On-boarding Tracking Tool (https://vaww.oit.esp.va.gov/sites/OIT/conb/SitePages/CONB%20Tracker%20Tool.aspx) for all Contractors being on-boarded.
Tips for creating a new record:
1. Initiate the onboarding process by creating a new entry in the tracking tool.
2. Populate the name of the applicant and the date on-boarding started.

OI&T Contractor On-boarding Tracking Tool (cont.)
CONB Process Tracking Tool information should be updated as the applicant completes each step of on-boarding.
3. Enter the information in the Contractor Onboarding Tracking Tool fields as the CONB process activities are completed.

Contractor On-Boarding Representative Role
• Contractor On-Boarding Representative: serves as a liaison to the Government Lead or COR, and manages the on-boarding of contractor personnel.
• Contractor On-Boarding Representative’s responsibilities include:
o Delivers the Contractor Staff Roster
o Collects Employment Documents
o Provides Employee’s Guidance
o Notifies COR of Changes
o Forwards Required Documents to the COR

Receive & Validate Information
Forms requiring validation include:
• CRISP Screening Checklist
• Contractor Staff Roster
• Security and Investigations Center (SIC) Fingerprint Request Form
• Optional Form 306, Declaration for Federal Employment
• Self Certification of Continuous Service
• VA Form 710, Authorization for Release of Information
TIP: Contractor On-Boarding Representative will require a VA email account in order to access the government systems used to on-board contractors

Fingerprinting
Fingerprint Screening Process flow

Fingerprint Screening
WHY is it necessary?
• VA Directive 0710 states: “VA requires that all personnel be subject to an appropriate background screening (Special Agreement Check) prior to permitting access to VA information and information systems.”
WHEN are fingerprints required?
• For Investigations
• For VA PIV card
• For VA Network Access
Fingerprint screening completed by Contractor within 2 calendar days

Fingerprint Screening (cont.)
WHERE are fingerprints adjudicated?
• The fingerprints are taken at a local VA facility
WHO needs to be fingerprinted by the SIC?
• OI&T Contractors
• Administrations
• Staff Offices
NOTE: Fingerprint Adjudication only valid for 120 days

Fingerprinting Process (Day 1 – 2)
1. Locate nearest fingerprint facility
2. Create an account in the VA Fingerprint/Badge Schedule system (if available)
3. Schedule appointment or walk-in (if available)
4. Bring completed SIC Fingerprint Verification Form and 2 forms of ID to the facility
5. Upload SAC Request Form
6. Return completed Fingerprint Verification Form to Contractor On-Boarding Rep
7. Update Contractor Staff Roster and OI&T Contractor On-boarding Tracker Tool

Fingerprinting - Process Flow
• Fingerprinting is done at the nearest VA facility. Locations for obtaining fingerprints are listed on the VA HSPD-12 Program web site under PIV Badge Office Locations (http://vaww.va.gov/pivproject/piv_badge_offices.asp).
• The Contractor must create an account before they can make an on-line appointment for fingerprinting. Link to create an account: https://va-piv.com/SignInUserAccount.aspx

Fingerprinting - Process Flow (cont.)
• Contractor On-Boarding Representative provides Contractor with a copy of the Contractor/Employee Fingerprint Request Form (https://vaww.visn16.portal.va.gov/sites/lit/vasic/2013%20Production%20Content%20Library/SIC%20Fingerprint%20Request%20Form.pdf).
• Contractor schedules an appointment to get fingerprinted or walks in (if available).
• Contractor takes the request form and two forms of identification to the local fingerprint office when they get fingerprinted.

Fingerprinting - Process Flow (cont.)
• Local facilities:
a. Conduct fingerprinting and sign/date the Contractor/Employee Fingerprint Request Form (https://vaww.visn16.portal.va.gov/sites/lit/vasic/2013%20Production%20Content%20Library/SIC%20Fingerprint%20Request%20Form.pdf)
b. Send the fingerprint request electronically to OPM for processing.

Fingerprinting - Process Flow (cont.)
• COR has the option to submit the Contractor/Employee Fingerprint Request Form (https://vaww.visn16.portal.va.gov/sites/lit/vasic/2013%20Production%20Content%20Library/SIC%20Fingerprint%20Request%20Form.pdf) to the SIC to verify that the individual’s fingerprints were processed with no issues.
a. Contracting On-Boarding Representative prepares the request for new special agreement check and submits to the COR.
b. COR uploads completed request for New Special Agreement Check into the SIC Resource SharePoint Site (https://vaww.visn16.portal.va.gov/sites/lit/vasic/default.aspx).
• COR is informed of the eligibility determination.

Fingerprinting - Process Flow (cont.)
Final steps:
• Contractor must return signed/dated Fingerprint Verification Form to Contract On-Boarding Representative.
• COR updates the Contractor Staff Roster and OI&T Contractor On-boarding Tracking Tool with results.

Fingerprinting - Process Flow (cont.)
• Go to SIC’s Resource Site (https://vaww.visn16.portal.va.gov/sites/lit/vasic/default.aspx)
• Complete the New Special Agreement Check Request Form
• Upload SAC Request Form

Fingerprinting - Process Flow (cont.)
• Trained VA personnel security specialist:
a. Reviews the results of the SAC and makes a determination regarding eligibility for access to VA facilities and/or systems.
b. Makes the determination of eligibility within:
o 48 hours of submission if NO issues
o 5 business days of submission if issues arise

Fingerprinting Challenges
Program Manager/Project Manager/COR/Sponsor not:
1. Sending required information in the correct format to the SIC
2. Reviewing the SAC Request Form for errors
3. Providing SIC with requestor information which enables the COR to receive SAC adjudication results

Fingerprinting Process – Questions
• Have questions or need help with Fingerprinting? Submit questions to the SIC Help Desk.
• Contact: SIC Help Desk
Email: Vhalitbackgroundinvestigations@va.gov
Phone: 501.257.4469/4490

On-Boarding Documents (Day 1 – 2)
1. Create a master record to track each contractor being on-boarded
2. Use Sample tracking spreadsheet provided in Toolkit – Appendix B
3. Update checklist and worksheet information prior to sending to Contractor
4. Send blank forms and on-boarding checklist to Contractor (See Toolkit in ProPath)
5. Contractor completes forms and sends them back to Contractor On-Boarding Rep (NLT 2 days)
6. Contractor On-Boarding Rep should call the individual to verify they know what is expected

Documents Sent to Contractor
• Applicant Contractor On-Boarding Checklist
• Contractor On-Boarding Worksheet
• Contractor Rules of Behavior
• SIC Fingerprint Request Form
• Optional Form 306, Declaration for Federal Employment
• Self Certification of Continuous Service
• VA Form 710, Release of Information
TIP: Contractor must have a company email account. Personal email accounts cannot be used to transmit documents to the Contractor.

Scanned Documents
1. Contractor completes all the required forms and sends scanned PDF copies to the Contractor On-Boarding Representative within 2 calendar days.
2. Each document must be a separate PDF file.
• Don’t scan all documents in one file
3. Contractor must sign the Contractor Rules of Behavior (CROB) (initial each page, sign last page).
4. Contractor On-Boarding Representative should do a quality check on all documents before sending any documents to the COR
5. Each document file must be saved with the proper SIC naming convention

SIC Naming Convention
Ref: Guide for CORs (rev 6-23-2016) https://vaww.visn16.portal.va.gov/sites/lit/vasic/2016%20Updated%20Production%20Content%20Library/Forms/AllItems.aspx

Investigations
1. Background Information
2. Process Flow
3. Required Documents
4. Investigation Determination
5. Challenges

Background Information
• 5 CFR Part 731 (https://www.gpo.gov/fdsys/pkg/CFR-2011-title5vol2/pdf/CFR-2011-title5-vol2-part731.pdf) and Part 1400 (http://www.archives.gov/federal-register/cfr/subject-title05.html) apply to Suitability and National Security respectively
• VA Directive and Handbook 0710 (http://vaww.va.gov/vaforms/va/pdf/VA0710.pdf) are the policy documents for Personnel Security and Suitability.
• Executive Order 13467 (http://fas.org/irp/offdocs/eo/eo13467.htm) is for granting reciprocity on excepted service
• Executive Order 13488 (https://www.gpo.gov/fdsys/pkg/FR-2009-01-22/pdf/E9-1574.pdf) is the policy for contractor fitness

Investigations - Process Flow
COR ensures:
• Fingerprints completed and submitted
• Documents reviewed for naming conventions
• Background investigation request worksheet completed and submitted
• Documents verified and uploaded to SIC
• Contractor completes e-QIP in a timely manner
Contractor must complete the e-QIP within 7 calendar days

Required Documents for Investigation

Investigation Request
• COR will submit the Contractor Background Investigation Request Form.
• Contractor On-boarding Worksheet will provide information for completing the SIC Contractor Background Investigation Request form.
• Contract language will indicate what type of investigation (Tier 1, Tier 2 or Tier 4) is required.
• SIC instructions for submitting the investigation request form are found on the SIC Resource Site (https://vaww.visn16.portal.va.gov/sites/lit/vasic/default.aspx).

Investigation - Process Flow
• Go to SIC’s Resource Site (https://vaww.visn16.portal.va.gov/sites/lit/vasic/default.aspx)
• Complete Contractor Background Investigation Request Worksheet
• Upload required documents

Investigation - Form
• COR completes the Contractor Background Investigation Request
• Save and submit form
• Incomplete requests will be returned for corrections

Investigation Determination
VA Form 4236 Certificate of Eligibility for Reciprocity determination

Investigation Process Flow
• e-QIP application (https://www.opm.gov/investigations/e-qipapplication/) must be submitted immediately upon receipt of a notification from OPM.
• Within 48 hours of the submission the Contractor will be notified to complete the e-QIP directly by VA SIC.
• TIP: Highly recommended that the COR send the notification to the Contractor On-Boarding Representative so they can track the timely completion of the submission by the Contractor.

Investigation - Processing Electronic Questionnaires for Investigation Processing (e-QIP)
1. e-QIP initiation email sent to 3 contacts on worksheet
2. Contractor completes e-QIP within 7 calendar days
3. e-QIP reviewed by SIC
4. Investigation transmitted email sent
5. Contractor’s investigation status will be updated to “scheduled.”
6. Proceed to PIV process

Investigation Request (cont.)
• Upon submission of e-QIP:
1. Contractor must notify the Contractor On-Boarding Representative
2. SIC will send an email when the e-QIP has been transmitted to OPM
• Once the e-QIP is transmitted to OPM, the COR can request PIV Sponsorship.

Investigations Challenges
• If the e-QIP Questionnaire is not completed within 7 calendar days, the request is cancelled.
• If an investigation is initiated on an individual and the Contractor leaves a company before the investigation is completed, then the Contractor On-Boarding Representative must notify the COR so the investigation request can be canceled.

Investigation – Questions
• Have questions or need help with an Investigation submitted to the SIC?
• Contact: SIC Help Desk
Email: vhalitbackgroundinvestigations@va.gov
Phone: 501.257.4469/4490

Training Requirements
• Contractor must complete all required training and forward training certificates to the Contractor On-boarding Representative within 2 calendar days.
• Contractor will self-register (https://www.tms.va.gov/learning/user/SelfRegistrationUserSelection.do) for an account on the VA Talent Management System (TMS)
• Contractor will:
1. Register for a TMS Account & Training
2. Complete Required Training
3. Retain Training Certificate
4. Send Certificates to Contract On-Boarding Rep

Register for Talent Management System (TMS) Account & Training
Contractor:
1. Completes TMS self registration (https://www.tms.va.gov/learning/user/login.jsp)
2. Completes assigned training within 24 hours
3. Contractor On-boarding Worksheet contains information to complete self-registration and add courses to “To Do” list in TMS
4. Sends scanned training certificates to Contractor On-Boarding Representative

Complete Required Training
• The contractor completes mandatory training within two calendar days and then sends scanned training certificates to Contractor On-Boarding Representative:
o VA Privacy and Information Security Awareness and Rules of Behavior; course number: 10176
o VA Privacy and Health Insurance Portability and Accountability Act (HIPAA) Training (if accesses Protected Health Information); course number: 10203 (If Required)

Complete Required Training: Elevated Privileges
The Contractor completes mandatory training within two calendar days and then sends scanned training certificates to Contractor On-Boarding Representative:
1. Information Security Role-based Training for Systems Administrators (WBT); course number: 1357076
2. Information Security Role-based Training for Network Administrators (WBT); course number: 1357083
3. Information Security Role-based Training for Data Managers (WBT); course number: 1357084
4. Information Security Role-based Training for IT Project Managers (WBT); course number: 64899
5. Information Security Role-based Training for IT Specialist (WBT); course number: 3197
6. Information Security Role-based Training for System Access (WBT); course number: 3867205
7. Information Security Role-based Training for Systems Owners (WBT); course number: 3867207
8. Information Security Role-based Training for Software Developers (WBT); course number: 1016925

Retain Training Certificates and Send Certificates to Contracting On-Boarding Rep
Contractor On-Boarding Representative:
1. Notifies COR of training completion
2. Forwards training certificates to Contracting On-Boarding Representative
and then COR updates:
1. CRISP Screening Checklist
2. OI&T Contractor On-boarding Tracking Tool

Network Account Requirements
• Required documents
• Complete CA Service Catalog
• COR digitally signs CA Service Catalog Request
• COR notified via email when the request is approved or denied

Network Account
• Contractor On-Boarding Representative initiates the VA Network/Remote Access/GFE request after:
1. Required forms are complete
2. Required training is complete
3. Verification of fingerprint adjudication is received

Network Access – electronic Contractor On-Boarding Form (CA Service Catalog)
• Contractor On-boarding Worksheet contains all the information needed to submit the User Provisioning and JIT GFE Request for network access and GFE
• Four supporting documents must be completed prior to submission:
1. Verification of Fingerprint Adjudication (fingerprints must be done within the last 120 days)
2. Proof of Privacy/Information Security training (PISA) current within the last 12 months
3. Proof of HIPAA Privacy Act training (HIPAA) current within the last 12 months
4. Signed Contractor Rules of Behavior (all pages must be initialed)

Network Access – electronic Contractor On-Boarding Form (CA Service Catalog) (cont.)
• Requests are submitted using the IT Operations and Services Service Catalog (https://vaww.servicecatalog.va.gov/usm/wpf?Node=iclaunchpad.pad).
1. Network Access includes the set-up of the user account, including email.
2. GFE Requests include the issue of a laptop.
• COR will provide information to Contractor On-Boarding Representative on the type of equipment authorized on the contract.
3. Remote Access includes either VPN Rescue for use with GFE or Citrix Access Gateway (CAG) for use with approved contractor equipment.
• TIP: Do not attach any document containing PII to either the User Provisioning or GFE Requests.

Network Access – electronic Contractor On-Boarding Form (CA Service Catalog) (cont.)
• The Contractor On-Boarding Representative will complete the User Provisioning Form for email, network access and type of remote access (VPN or CAG) required by the contract.
• After approval of the User Provisioning the COR will submit a Just in Time GFE Laptop or Desktop Request. (NOTE: The VA PIV card must be issued prior to accessing the GFE)
• COR will approve the requests for Network Access, Remote Access and GFE issue using the User Provision and JIT GFE Request forms.
• If issues come up the COR will address issues with the Contractor On-Boarding Representative.

PIV Card
1. Background
2. PIV Eligibility
3. VA Card Type & Requirements
4. PIV Card Sponsorship
5. Issue PIV Card
6. Challenges

PIV Card Background
• VA Directive & Handbook 0735 set the policy for the Homeland Security Presidential Directive 12 (HSPD-12) Program to:
• Provide trust
• Reduce burden
• Align policies and approaches
• Establish roles
• Provide notification

PIV Eligibility
o Be an employee, contractor, affiliate or volunteer who will work with VA for more than six months continuously or more than 180 aggregate days in a given year
o Require unsupervised access to VA facilities or information systems

VA Card Types and Determining Factors
The determining factors to consider when choosing the appropriate VA ID Card for Contractors are:
1. Access duration
2. Types of access

VA Card Types and Requirements
The following table is a matrix that depicts access and processing requirements for the 3 different PIV Credential types at the VA:
* An applicant may be issued a PIV Card or Non-PIV Card even though they do not require logical access
Ref: VA Handbook 0735 Appendix C

Issue PIV Card: Steps 1 – 4
1. COR will notify the Contractor On-Boarding Representative to initiate the PIV Issue Process.
2. Contractor On-Boarding Representative will forward the completed PIV Applicant Information sheet to the COR.
3. COR will review and approve the completed PIV Applicant Information form.
4. COR will forward the PIV Applicant Information form to the Field Administrative Services Office via the OI&T Bus Ops Campus Manager PIV Sponsors mail group in the GAL.

Issue PIV Card: Steps 5 – 8 5. OI&T Field Admin Services PIV Sponsor will enter the application into the PIV portal system. 6. For up-to-date information on PIV, go to the Field Administrative Service website: http://vaww.va.gov/CAMPUSMGMT/PIV_Sponsors.asp 7. Contractor will receive an email notice to report to the nearest VA facility for badge issuance. 8. Contractor On-Boarding Representative must provide the local Field Administrative Services Staff with the Contractor’s badge numbers, if Contractor works on-site at a VA facility.

Issue PIV Card
Contractor:
• Arrives at scheduled appointment time (if required), in PIV Office
• Has two forms of Identity Proofing documents, per the PIV credential identity verification matrix: Verification Matrix
Personnel Security:
• Identity Proof
• Card management system
• Photograph
• Biometrics; and
• Issues the Personal Identification Verification (PIV)

Challenges • No email and/or active directory account • No SAC Fingerprint adjudication on file • No background investigation on file or scheduled

Government Furnished Equipment (GFE): Steps 1 - 4 1. Identify need for GFE 2. Notification of GFE Requirements 3. Determine GFE Assignment 4. Use Just In Time GFE Laptop or Desktop Request form to request GFE

Government Furnished Equipment (GFE): Steps 5 - 9 5. Contractor will be notified when equipment is ready for pickup at the closest VA facility 6. Schedule appointments for PIV and GFE pickup on the same day. 7. Contractor is issued GFE 8. After GFE is issued, provide information on the equipment for updating the GFE inventory 9. Update CRISP Screening Checklist and OI&T Contractor On-boarding Tracking Tool

Elevated Privileges • Specific VA systems or servers • COR or PM can address questions • Only after network access and training • Requests and renewals

Request for Elevated Privileges – Page 1 • COR is responsible for determining if Elevated Privileges are required a. Contract will specify which systems or servers are required for performance of work b. COR or Project Manager can address questions about Elevated Privileges c. Not every contractor requires Elevated Privileges • Requests for elevated privileges can only be completed after: a. Network account is set up b. Additional training has been completed c. Systems/servers required for performance of work are known

Request for Elevated Privileges – Page 2 • Contractor submits the MyVA Elevated Privileges Form (https://epas.r02.med.va.gov/apps/myva/) • COR may submit the MyVA Elevated Privileges Form for the Contractor if the Contractor is unable • A Non-Mail enabled account (NMEA) and associated token (USB/OTP) are required for elevated privileges • A Non-Mail enabled account (NMEA) and associated token (USB/OTP) can be requested on the MyVA Elevated Privileges Request, if the Contractor does not have these

Request for Elevated Privileges – Page 3 • All information must be available prior to starting the form. • You must read the instructions on the landing page prior to beginning. • The following information is required to complete the MyVA Elevated Privileges Request: • COR name - determines the elevated privileges that you will need. Will be used to provide the status on the background investigation. • The system location, Assignee IT role, Assignee sub role, and whether elevated privileges are for Pre-Production or Production.

Request for Elevated Privileges – Page 4 • Talent Management System (TMS) Certificates for completion of role-based training course(s) applicable to the elevated privileges requested which can be uploaded into the request form. • Information Security Officer (ISO) name - the ISO responsible for authenticating your assignee role • For contractor requests, you will use the distribution list VA FSS Network OITFO ISOs (VAFSSNetwork. OITFOISOs@va. gov) • Facility or working address if tokens (USB/OTP) are required for elevated privileges and need to be shipped (PO boxes are not acceptable)

Request for Elevated Privileges – Page 5 • In addition, if you are completing the form on behalf of someone else, obtain the following information from the contractor prior to starting the form submission: • NMEA (non-mail enabled account) login name if they already have one • Signed Elevated Privileges Rules of Behavior (ROB) which can be uploaded into the request form • Contractor will need to read and sign the EP ROB and return it to the COR for uploading into the form request. • Access MyVA Elevated Privileges instructions for additional directions. Link to MyVA Elevated Privileges (https://epas.r02.med.va.gov/apps/myva/)

Elevated Privileges 1 MyVA Elevated Privileges Landing Page (https://epas.r02.med.va.gov/apps/myva/)

References - Policy National Laws, Regulations, Executive Orders, and Policy referenced in Contractor On Boarding:
• 5 CFR Part 731, Suitability: http://www.archives.gov/federal-register/cfr/subject-title-05.html
• 5 CFR Part 1400, National Security Positions: https://www.archives.gov/federal-register/cfr/subject-title-05.html
• Homeland Security Presidential Directive-12
• NIST - Federal Information Processing Standards (FIPS) Publication 201-2: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf
• Executive Order 13467: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf
• Executive Order 13488: https://www.gpo.gov/fdsys/pkg/FR-2009-01-22/pdf/E9-1574.pdf

References – Policy & Handbook VA Directive and Handbook Names and Links referenced in Contractor On Boarding.
• 0710, Personnel Security and Suitability: http://vaww.va.gov/vaforms/va/pdf/VA0710.pdf
• 0735, Homeland Security Presidential Directive 12 (HSPD-12) Program: http://www.va.gov/vapubs/viewPublication.asp?Pub_ID=758&FType=2
• 6500.6, Contract Security: www1.va.gov/vapubs/viewPublication.asp?Pub_ID=793&FType=2

References - Websites Sites:
• VA Pulse: “New OI&T Contractor On-Boarding Process” (https://www.vapulse.net/groups/new-oit-contractor-onboarding-process) portal includes reference to:
• CA Service Catalog: (https://vaww.servicecatalog.va.gov/usm/wpf?Node=icguinode.catalogbrowse)
• EP/PPM Toolkit
• FIPS 201-2: (http://www.opm.gov/investigate/resources/position/index.aspx)
• Federal Acquisition Regulation (FAR): (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.2012.pdf)
• OPM’s PDT: (http://www.opm.gov/investigate/resources/position/index.aspx)
• PIV Badge Office Listing: (http://vaww.va.gov/PIVPROJECT/piv_badge_offices.asp)

References - Forms:
• I-9, Employment Verification
• OF 306, Declaration of Federal Employment
• VA 0710, Authorization for Release of Information
• VA 0752, Confidentiality of Sensitive Information Non-Disclosure Agreement
• VA 4236, Certificate of Eligibility
• Contract Staff Roster Template
• Contractor / Employee Fingerprint Request Form 2 A
• Contractor / Employee Fingerprint Request Form – SIC
• CRISP Screening Checklist
• CA Service Catalog User Provisioning and JIT GFE Request Form
• PIV Badge Checklist
• PIV Official Role Certificate
• PIV Official Role Designator Letter
• SAC Request Form – SIC
• Self-Certification of Continuous Service

References – Job Aids
• OI&T Contractor On-Boarding Processing Toolkit
• Contractor Required Documents for Background Investigations
• COR Guide
• Create Your TMS Account
• CRISP SOP
• Handbook for PIV CORs
• Identity Documentation Criteria – HSPD-12
• Obtaining Certificates using WebRAO
• PIV Dos and Don’ts
• VA PIV Card Types and Requirements
• Security Toolkit

Review
1. Purpose
2. Pre Contract Award a. Identify Security Requirements b. Position Designation Automated Tool (PDT) c. Appendix A, 6500.6 Handbook d. Appendix C, 6500.6 Handbook e. FAR Security Requirements f. Initiate Continuous Readiness in Information (CRISP) Checklist g. Government Furnished Equipment Forecasting
3. Post Contract Award a. Contractor On-Boarding Representative Consolidates Information b. ProPath and CONB Process Toolkit and OI&T Contractor On-Boarding Tracking Tool c. Fingerprinting d. On-Boarding Documents e. Investigation f. Training g. Network Accounts h. PIV Card i. Government Furnished Equipment (GFE) j. Elevated Privileges
4. References
5. Review

Questions