1. Guest Lecturer: Dr. Shawn P. Murray, C|CISO, CISSP, CRISC
IT Position of Trust Designation
ADP-IT Requirements for Government Contracts
Cyber Security Brief
Presented to the Defense Acquisition University
23 May 2013
Updated to add DIACAP – 8500.2 Controls to RMF - 800-53 Controls Alignment
22 November 2015
2. Agenda
– ADP-IT Defined
– History
– Basis – Public Law
– Application & Compliance Directives
– DoD 5200.2-R
– DODI 8500.2, February 6, 2003
– DISA STIG - Traditional Security
– Strategy
3. ADP & IT Defined
ADP - Automated Data Processing
IT - Information Technology
(Both terms are used synonymously)
ADP/IT requirements identify a specific “Position of Trust” for IT work that is to
be accomplished by certain individuals on government information systems.
It is meant to reduce the risk of the Insider Threat
There are three ADP/IT Position of Trust levels:
ADP/IT-I, ADP/IT-II & ADP/IT-III
ADP/IT Positions of Trust are required to be recorded on a DD Form 2875 and
assigned to specific personnel in the Joint Personnel Adjudication System
(JPAS).
4. ADP & IT Defined (continued)
ADP/IT requirements apply to Military, Govt. Civilian and Contractor Personnel
Military – MOS or AFSC
Govt. Civilian – Described in Position Description (PD)
ADP/IT requirements for contractors are derived from a Statement of Work (SOW) supporting
a DoD contract which includes IT Services or General Access to Government Systems or
Sensitive Information to fulfill a contractual need.
• The SOW should have specific language for persons who will have access to
government systems and/or information.
− e.g., Privileged User Access or Controlled Unclassified Information (CUI)
• ADP/IT requirements are normally articulated in item 11.l of the DD254, which is
tied to the SOW.
• In many instances, the DD254 does not articulate the correct ADP/IT requirements or
does not align to the SOW properly.
− This is normally due to a lack of knowledge of the requirement or a missing
contract security review by an experienced security professional (government & contractor)
− When this happens the risk from the Insider Threat is greater
5. History
- OMB Circular A-71 (and Transmittal Memo #B1), July 1978
- OMB Circular A-130, December 12, 1985
- FPM Letter 732, November 14, 1978
These artifacts contain the criteria for designating positions under the existing
categories used in the personnel security program for Federal civilian employees as
well as the criteria for designating ADP and ADP related positions outlined in public
law.
► Title 32: National Defense
PART 154 - DEPARTMENT OF DEFENSE PERSONNEL SECURITY
PROGRAM REGULATION
Subpart K - Program Management
Appendix J to Part 154 (ADP Position Categories and Criteria for Designating Positions)
6. Appendix J to Part 154 - ADP Position Categories and Criteria for Designating Positions
OMB Circular A-71 (and Transmittal Memo #B1), July 1978 OMB Circular A-130, December 12, 1985, and FPM Letter 732, November 14, 1978
contain the criteria for designating positions under the existing categories used in the personnel security program for Federal civilian employees
as well as the criteria for designating ADP and ADP related positions. This policy is outlined below:
ADP Position Categories
1. Critical-Sensitive Positions
ADP-I positions. Those positions in which the incumbent is responsible for the planning, direction, and implementation of a computer
security program; major responsibility for the direction, planning and design of a computer system, including the hardware and software;
or, can access a system during the operation or maintenance in such a way, and with a relatively high risk for causing grave damage, or
realize a significant personal gain.
2. Noncritical-Sensitive Positions
ADP-II positions. Those positions in which the incumbent is responsible for the direction, planning, design, operation, or maintenance of a
computer system, and whose work is technically reviewed by a higher authority of the ADP-I category to insure the integrity of the system.
3. Nonsensitive Positions
ADP-III positions. All other positions involved in computer activities.
In establishing the categories of positions, other factors may enter into the determination, permitting placement in higher or lower
categories based on the agency's judgement as to the unique characteristics of the system or the safeguards protecting the system.
Criteria for Designating Positions
Three categories have been established for designating computer and computer-related positions—ADP-I, ADP-II, and ADP-III. The specific criteria
for assigning positions to one of these categories are displayed on the next slide:
7. Specific Criteria as written into Title 32 Part 154 (Appendix J)
9. 8500.2 DCIT-1 V0008392 (CAT I) Acquisition does not address IA roles
Vulnerability Acquisition does not address IA roles and responsibilities.
8500.2 IA Control: DCIT-1 References: Department of Defense Instruction 8500.2 (DODI 8500.2)
Vulnerability Discussion
Security procedures are vital to ensure the integrity, confidentiality and availability of systems and data. In outsourcing
situations the requirements and responsibilities to perform them must be spelled out to ensure all are accomplished.
Checks 8500.2 DCIT-1:
Examine acquisition and outsourcing documents, including task orders, to ensure IT services explicitly address
Government, service provider, and end user IA roles and responsibilities.
Ensure the organization monitors compliance.
Default Finding Details
The following issues were noted:
Government, service provider, and end user IA roles and responsibilities are not explicitly stated in acquisition or
outsourcing requirements.
The organization is not monitoring compliance of IT roles and responsibilities in outsourcing agreements.
OPEN: __________ NOT A FINDING: __________ NOT REVIEWED: __________ NOT APPLICABLE: __________
8500.2 DCIT-1 Fixes:
Amend IT services acquisition and outsourcing documents, including task orders, to ensure that
Government, service provider, and end user IA roles and responsibilities are explicitly addressed.
Ensure the organization monitors contractor compliance with all contract provisions plus applicable federal laws,
directives, policies, regulations, standards, guidance, and established service level agreements.
10. PS-7: Third-Party Personnel Security
Control Text: "The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party
providers;
b. Documents personnel security requirements; and
c. Monitors provider compliance."
Supplemental Guidance:
Third-party providers include, for example, service bureaus, contractors, and other organizations providing
information system development, information technology services, outsourced applications, and network
and security management. The organization explicitly includes personnel security requirements in
acquisition-related documents.
NIST 800-53 PS-7
11. SA-9: External Information System Services
Control Text: "The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and
employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies,
regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system
services; and
c. Monitors security control compliance by external service providers."
Supplemental Guidance:
An external information system service is a service that is implemented outside of the authorization boundary of the organizational
information system (i.e., a service that is used by, but not a part of, the organizational information system). Relationships with
external service providers are established in a variety of ways, for example, through joint ventures, business partnerships,
outsourcing arrangements (i.e., contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or
supply chain exchanges. The responsibility for adequately mitigating risks arising from the use of external information system
services remains with the authorizing official. Authorizing officials require that an appropriate chain of trust be established with
external service providers when dealing with the many issues associated with information security. For services external to the
organization, a chain of trust requires that the organization establish and retain a level of confidence that each participating provider
in the potentially complex consumer-provider relationship provides adequate protection for the services rendered to the
organization. The extent and nature of this chain of trust varies based on the relationship between the organization and the external
provider. Where a sufficient level of trust cannot be established in the external services and/or service providers, the organization
employs compensating security controls or accepts the greater degree of risk. The external information system services
documentation includes government, service provider, and end user security roles and responsibilities, and any service-level
agreements. Service-level agreements define the expectations of performance for each required security control, describe
measurable outcomes, and identify remedies and response requirements for any identified instance of noncompliance.
NIST 800-53 SA-9
12. “Failure to designate position sensitivity could result in personnel having access to classified information or other
sensitive duties (such as privileged access to DoD Information Systems) without the required investigative and
adjudicative prerequisites”
STIG Check #3. For privileged users (e.g., SA, IAO, NSO): Check to ensure that privileged users, if military or government civilian, are
in critical-sensitive positions and have a successfully adjudicated SSBI with 5-year periodic reviews. Contractors performing work
in privileged IS roles must also undergo successful SSBIs with 5-year reviews. Privileged users must undergo an SSBI regardless of
the security clearance level required (e.g., even if no clearance or only Confidential or Secret is required). Foreign Nationals or
Local Nationals employed by DoD ARE NOT AUTHORIZED to have (IT-I) privileged access to US Information Systems.
13. DoDI 8500.2, Enclosure 3 (page 46)
Privileged Access = IT-I Position of Trust
(Privileged Access = Privileged User (PU))
Identifies PU access for:
• DAA or IAM (ISSM) (government)
• IAO (ISSO)
• Monitors or Testers (CND & Developers)
• Network Administrators
• Systems Administrators
• Maintenance of IA products (ACAS, HBSS, PKI, EMET, AV…)
Requires a final SSBI prior to being provided PU access to any IT systems
(US Military, Civilian or Contractor)
14. SSBI Investigation – IT-I Position of Trust Designation
Personnel Category:
• Govt. Civilian
• Contractor
15. Funding
Who pays for the SSBI?
- Government Civilian and Military – The Service Component or
Agency (OPM)
- Contractors – DSS pays for SSBIs for contractors that require
Top Secret clearances
- If the contractor only needs a SSBI for privileged user
access and does not need a Top Secret Clearance, then
the Agency or Service Component the contractor is
assigned to has to budget for and fund the requirement.
16. Strategy
- Most Department of Defense agencies and service components have
applied IT-I, IT-II, & IT-III to privileged users differently due to funding the
SSBI, which in 2013 was estimated to be $3700 per person.
- Strategy 1: Align the SSBI to a person who has a requirement to access
Top Secret information so that DSS has to fund the investigation.
- Risk 1: A person who does not really have a need to know can be granted access to
TS information
- Strategy 2: Assign one privileged user as an IT-I and all other privileged
users as an IT-II to save money.
- Risk 1: An IT-II who is being provided privileged user access is not being properly
vetted as required (Insider Threat)
- Risk 2: An IT-I privileged user is required to directly oversee and validate tasks
completed by all IT-II privileged users they supervise. This is not always feasible in
an organization with multiple IT-II privileged users
- Strategy 3: Do not address the IT Position of Trust for privileged users
- Risk 1: This is the greatest risk and does not protect against the Insider Threat.
NOTE: This is the most common approach, due to lack of knowledge by acquisition,
contracting and security personnel
17. Where do we go from here?
• All ISSMs managing Cyber Security on a DoD contract should already have:
1. List of all Privileged Users for their specific areas (IA, SA, NA/E, SE, CND, etc.)
2. Privileged User Agreements for them (signed)
3. Privileged User training certificate
4. 8570 Certification IAT or IAM
5. 8570 Certification Computing Environment (CE)
6. Completed 2875s for all PU personnel
7. HBSS training certificate if required by one of your PUs
8. ACAS training certification if required by one of your PUs
9. ISSO appointment letters for your appointed ISSOs
• A Review/Audit of contracts should be considered
• Statement of work should identify privileged user roles
• DD254 Should also identify IT-I, IT-II & IT-III Positions of Trust
• A strategy should be developed to address deficiencies
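The review the brief calls for can be partly automated. The script below is an added example, not code from the brief or from any DoD system: it encodes the rules the brief cites (privileged access requires an IT-I designation backed by a final, favorably adjudicated SSBI with a 5-year periodic review; foreign or local nationals may not hold IT-I privileged access; an IT-II's work must be technically reviewed by an IT-I; each PU needs a DD 2875, signed PUA, PU training and an 8570 certification) and runs them over a constructed roster. The field names, role labels, artifact keys and the sample people are assumptions made for this illustration; a real roster would be exported from JPAS or the ISSM's own records.

```python
"""Privileged-user Position of Trust roster check (added example, not from the brief)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

REVIEW_INTERVAL_YEARS = 5          # periodic reinvestigation interval cited in the STIG check
# Assumed role labels; any of these counts as privileged access per DoDI 8500.2 Enclosure 3.
PRIVILEGED_ROLES = {"SA", "NA", "IAO", "ISSO", "ISSM", "CND", "TESTER"}
# Assumed artifact keys for the items an ISSM should hold for each privileged user.
REQUIRED_ARTIFACTS = {"dd2875", "pua_signed", "pu_training", "iat_iam_cert"}
AS_OF = date(2015, 11, 22)         # audit date used by the sample run


@dataclass
class Person:
    name: str
    category: str                   # "military", "civilian" or "contractor"
    citizenship: str                # "US"; anything else is treated as a foreign/local national
    roles: Set[str]
    it_level: str                   # "IT-I", "IT-II", "IT-III" or "" if never designated
    ssbi_adjudicated: bool          # final SSBI favorably adjudicated
    ssbi_date: Optional[date]       # date of the SSBI or of the latest periodic review
    reviewer: Optional[str]         # name of the IT-I who technically reviews this person's work
    artifacts: Set[str] = field(default_factory=set)


def is_privileged(p: Person) -> bool:
    return bool(p.roles & PRIVILEGED_ROLES)


def years_since(d: date, today: date) -> float:
    return (today - d).days / 365.25


def audit(roster: List[Person], today: date) -> Dict[str, List[str]]:
    """Return {name: [findings]} for every privileged user who fails a rule."""
    by_name = {p.name: p for p in roster}
    findings: Dict[str, List[str]] = {}

    def flag(p: Person, msg: str) -> None:
        findings.setdefault(p.name, []).append(msg)

    for p in roster:
        if not is_privileged(p):
            continue                # IT-III / non-privileged work is out of scope for these rules
        if p.citizenship != "US":
            flag(p, "foreign/local national holding privileged access (not authorized)")
        if p.it_level != "IT-I":
            flag(p, f"privileged access but designated {p.it_level or 'none'} (IT-I required)")
        if not p.ssbi_adjudicated:
            flag(p, "no final, favorably adjudicated SSBI")
        elif p.ssbi_date is None or years_since(p.ssbi_date, today) > REVIEW_INTERVAL_YEARS:
            flag(p, "SSBI periodic review overdue (more than 5 years)")
        missing = REQUIRED_ARTIFACTS - p.artifacts
        if missing:
            flag(p, "missing artifacts: " + ", ".join(sorted(missing)))
        if p.it_level == "IT-II":
            reviewer = by_name.get(p.reviewer or "")
            if reviewer is None or reviewer.it_level != "IT-I":
                flag(p, "IT-II work not technically reviewed by an IT-I")
    return findings


ALL = set(REQUIRED_ARTIFACTS)

# Constructed sample roster (fictional people) covering the cases the brief describes.
SAMPLE_ROSTER = [
    Person("alice", "contractor", "US", {"SA"}, "IT-I", True, date(2012, 3, 1), None, set(ALL)),
    # Strategy 2: a privileged network admin designated IT-II to avoid funding an SSBI.
    Person("bob", "contractor", "US", {"NA"}, "IT-II", False, None, "alice", ALL - {"pu_training"}),
    # Local national ISSO whose SSBI periodic review has lapsed.
    Person("carol", "civilian", "GB", {"ISSO"}, "IT-I", True, date(2009, 1, 15), None, set(ALL)),
    # Non-privileged help desk role: IT-III, no SSBI required.
    Person("dave", "contractor", "US", {"HELPDESK"}, "IT-III", False, None, None, {"dd2875"}),
]


def run_sample() -> Dict[str, List[str]]:
    return audit(SAMPLE_ROSTER, AS_OF)


if __name__ == "__main__":
    for name, issues in run_sample().items():
        for issue in issues:
            print(f"{name}: {issue}")
```

On the sample roster the check flags bob three times (IT-II despite privileged access, no SSBI, missing PU training) and carol twice (local national with privileged access, SSBI review overdue), while alice and dave pass. Extending it to read the roster from a CSV export is a small change; the point is that each of the brief's strategies leaves a trace the check can find.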
20. Industrial Security - DD Form 254
ID-01.02.01 - Industrial Security - DD Form 254
Vulnerability Discussion: Failure to complete a DD Form 254 (Contract Security Classification Specification) or to specify security clearance
and/or IT requirements for all contracts that require access to classified material can result in unauthorized personnel having access to
classified material or mission failure if personnel are not authorized the proper access
IA Controls PECF-1, PRAS-2, PRNK-1
VMS Target Traditional Security - DISA FSO
VMS Target - Traditional Security – 2506
1. DD Forms 254 must be on hand for each classified contract.
2. All security requirements must be properly detailed on the form, particularly for Information Technology related requirements, such as
IT Position levels for the positions or types of work to be performed.
Checks:
1. Check there are DD Forms 254 available for all classified contracts. NOTE: These forms may be held by the site contracting officials but
should be available to the site security manager and information security manager for review.
2. Conduct a cursory review of the DD 254 to ensure all security requirements are properly detailed on the form, especially with regard to
Information Assurance (i.e., IT Position level designation). NOTE: Applicable to tactical environments if there are contractor personnel
performing classified work. This form will likely only be found at fixed locations rather than field locations. While the DD 254 may not be
available on site or even in Theater, the completed document's location should be identified and if possible a scanned and emailed copy
requested for review. This will likely only be possible via SIPRNet email, because some of these forms contain classified information,
while all others are FOUO.
21. Industrial Security - Contractor VALs
ID-02.03.01 - Industrial Security - Contractor Visit Authorization Letters (VALs)
Vulnerability Discussion: Failure to require Visit Authorization Letters (VALs) for contractor visits could result in sensitive or classified materials
being released to unauthorized personnel.
IA Controls -ECAN-1, PECF-1, PRAS-2
VMS Target Traditional Security - DISA FSO
VMS Target - Traditional Security – 2506
Checks:
• 1. Written procedures must be developed that cover the requirements and process for Visit Authorization Letters (VAL) for contractors
visiting and/or employed at government sites.
• 2. All government sites must have a VAL on file for each contractor visiting the site temporarily and also for permanent party contractors
routinely working/physically employed at the site.
Notes: JPAS should be used for most short term "visitor" VALs; however, in addition to JPAS (or as an alternative to JPAS for contractors who
do not have JPAS accounts) VALs may also be passed via hard copy or electronically (mail, fax, email) for "assigned" contractor
employees. This is because JPAS is by design intended for short term visits; whereas, contractor "employee" VALs require additional
information (such as contract number, COR identification, etc.) that cannot be input or passed via JPAS. A hard copy VAL for assigned
contractor employees will help to eliminate substantive confusion over the company Facility Clearance Level (FCL), individual contract
employee security clearance levels, IT position assignments based on job descriptions (found in applicable Statements of Work (SOW)
and/or DD 254), etc.
22. Industrial Security - Contractor VALs (Continued from previous page)
Checks:
• 1. Check with the security manager or personnel security specialists to ensure there are written procedures for contractors visiting
government sites.
• 2. Ask to see copies of the site VALs and/or determine site VAL process based on the processing of contractors on your inspection team.
• 3. Ensure all government facilities have a VAL on file for all contractors visiting the site - to include permanent party contractors.
Notes:
• 1. JPAS should and will likely be used for most short term "visitor" VALs; however, in addition to JPAS the VAL may also be passed via hard
copy or electronically (mail, fax, email) for "assigned" contractor employees. This is because JPAS is by design intended for
short term visits; whereas, contractor "employee" VALs should require additional information (such as contract number, COR identification,
etc.) that cannot be input or passed via JPAS. Lack of a hard copy VAL alone for assigned contractor employees at a site will not necessarily
be cause for a finding if a VAL in JPAS is available. Reviewers must use discretion when evaluating whether the lack of a hard copy VAL has caused
any substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT
position assignments based on job descriptions (found in applicable Statements of Work (SOW) and/or DD 254), etc. when deciding if a
finding is warranted. For instance, an individual employee's JPAS record might indicate they have a TS clearance, but the FCL for the company
is only at the Secret level and/or the contract only allows for up to Secret access. If the site is allowing access to TS for this individual, then
the lack of a hard copy VAL could be cited as a finding, in addition to any other related findings for this discovery.
• 2. Applies in a tactical environment if contract personnel visit or are assigned.
• 3. Reviewers should be sure to note in the findings report if the finding concerns JPAS issues for short term contractor visitors or if it
concerns "hard copy" VALs for assigned contractor employees.