STIGQter: STIG Summary: Traditional Security Checklist, Version: 1, Release: 3, Benchmark Date: 15 Jun 2020

Background Investigations - Completed based Upon Position Sensitivity Levels for Information Assurance Positions of Trust

DISA Rule

SV-42733r3_rule

Vulnerability Number

V-32396

Group Title

Background Investigations

Rule Version

PE-05.02.01

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure that site personnel occupying Information Assurance Positions of Trust have successfully been vetted with the appropriate level of investigation based on legacy ADP/IT position designations and/or security clearance in accordance with NOTE 3 below. The completed investigations must be reflected in JPAS and, as applicable, any local PERSEC Data Base or equivalent.

NOTE 1: Information Assurance (IA) Positions of Trust are specifically those positions with Privileged Access to an Information System(s) or positions with responsibility for Oversight of Systems Security. Examples are System Administrators (SA), Information System Security Managers (ISSM), Information System Security Officers (ISSO), Information System Engineers, System Designers…

NOTE 2: Formerly, Information Assurance (IA) Positions of Trust were identified under the legacy Automated Data Processing (ADP) (AKA: Information Technology (IT)) Position Categories and Criteria IAW the DoD 5200.2-R, Personnel Security Program, January 1987. These long-established legacy ADP Categories were not included in the update to the DOD PERSEC Program contained in the DOD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), dated 3 April 2017.

This possible gap in policy guidance has been addressed with the USD(I) PERSEC Policy authority, and they are aware of the omission of the guidance in the PERSEC update. Pending further direction from the USD(I), their guidance is to use the Office of Personnel Management (OPM) Position Designation Tool (PDT).

NOTE 3: Because many organizations have institutionalized the ADP Categories and Criteria, the use of the legacy ADP position methodology for identification and designation of position sensitivity for IA Positions of Trust may still be used in lieu of the PDT for compliance with requirements in this STIG Rule.

Personnel Occupying the legacy Information Systems Positions Designated ADP-1, ADP-2 and ADP-3. DoD military, civilian personnel, consultants, and contractor personnel performing on unclassified automated information systems may be assigned to one of three position sensitivity designations (in accordance with Appendix 10 of legacy DoD 5200.2-R, Personnel Security Program) and MINIMALLY investigated as follows:

ADP-I (AKA: IT-1): SSBI/SBPR/PPR/T5 – Tier 5/T5R – Tier 5 Reinvestigation

ADP-II (AKA: IT-2): ANACI/NACI/NACLC/S-PR/T3 - Tier 3/T3R - Tier 3 Reinvestigation

ADP-III (AKA: IT-3): Not Applicable to Information Assurance Positions of Trust

Those personnel falling in the above ADP categories who also require access to classified information will, of course, be subject to the appropriate investigative scope for the level of security clearance required. The investigative scope for clearances may exceed but not be less than that required for the designated ADP level.

NOTE 4: All designated IA Positions IAW DoD 8570.01-M (e.g., IAT Levels I-III or IAM Levels I-III) must be considered as an IA Position of Trust.

Check Contents

Check that site personnel occupying Information Assurance Positions of Trust have successfully been vetted with the appropriate level of investigation based on legacy ADP/IT position designations and/or security clearance in accordance with NOTE 3 below. The completed investigations must be reflected in JPAS (or any equivalent DoD Personnel Security Data Base) and, as applicable, any local PERSEC Data Base or equivalent.

NOTE 1: Information Assurance (IA) Positions of Trust are specifically those positions with Privileged Access to an Information System(s) and/or positions with responsibility for Oversight of Systems Security. Examples are System Administrators (SA), Information System Security Managers (ISSM), Information System Security Officers (ISSO), Information System Engineers, System Designers…

NOTE 2: Formerly, Information Assurance (IA) Positions of Trust were identified under the legacy Automated Data Processing (ADP) (AKA: Information Technology (IT)) Position Categories and Criteria IAW the DoD 5200.2-R, Personnel Security Program, January 1987. These long-established legacy ADP Categories were not included in the update to the DOD PERSEC Program contained in the DOD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), dated 3 April 2017.

This possible gap in policy guidance has been addressed with the USD(I) PERSEC Policy authority, and they are aware of the omission of the guidance in the PERSEC update. Pending further direction from the USD(I), their guidance is to use the Office of Personnel Management (OPM) Position Designation Tool (PDT).

NOTE 3: Because many organizations have institutionalized the ADP Categories and Criteria, the use of the legacy ADP position methodology for identification and designation of position sensitivity for IA Positions of Trust may still be used in lieu of the PDT for compliance with requirements in this STIG Rule.

Personnel Occupying the legacy Information Systems Positions Designated ADP-1, ADP-2 and ADP-3. DoD military, civilian personnel, consultants, and contractor personnel performing on unclassified automated information systems may be assigned to one of three position sensitivity designations (in accordance with Appendix 10 of legacy DoD 5200.2-R, Personnel Security Program) and MINIMALLY investigated as follows:

ADP-I (AKA: IT-1): SSBI/SBPR/PPR/T5 – Tier 5/T5R – Tier 5 Reinvestigation

ADP-II (AKA: IT-2): ANACI/NACI/NACLC/S-PR/T3 - Tier 3/T3R - Tier 3 Reinvestigation

ADP-III (AKA: IT-3): Not Applicable to Information Assurance Positions of Trust

Those personnel falling in the above ADP categories who also require access to classified information will, of course, be subject to the appropriate investigative scope for the level of security clearance required. The investigative scope for clearances may exceed but not be less than that required for the designated ADP level.

NOTE 4: All designated IA Positions IAW DoD 8570.01-M (e.g., IAT Levels I-III or IAM Levels I-III) must be checked. Random checks of all other site personnel records should be made.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Documentable

False

Severity Override Guidance

Check that site personnel occupying Information Assurance Positions of Trust have successfully been vetted with the appropriate level of investigation based on legacy ADP/IT position designations and/or security clearance in accordance with NOTE 3 below. The completed investigations must be reflected in JPAS (or any equivalent DoD Personnel Security Data Base) and, as applicable, any local PERSEC Data Base or equivalent.

NOTE 1: Information Assurance (IA) Positions of Trust are specifically those positions with Privileged Access to an Information System(s) and/or positions with responsibility for Oversight of Systems Security. Examples are System Administrators (SA), Information System Security Managers (ISSM), Information System Security Officers (ISSO), Information System Engineers, System Designers…

NOTE 2: Formerly, Information Assurance (IA) Positions of Trust were identified under the legacy Automated Data Processing (ADP) (AKA: Information Technology (IT)) Position Categories and Criteria IAW the DoD 5200.2-R, Personnel Security Program, January 1987. These long-established legacy ADP Categories were not included in the update to the DOD PERSEC Program contained in the DOD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), dated 3 April 2017.

This possible gap in policy guidance has been addressed with the USD(I) PERSEC Policy authority, and they are aware of the omission of the guidance in the PERSEC update. Pending further direction from the USD(I), their guidance is to use the Office of Personnel Management (OPM) Position Designation Tool (PDT).

NOTE 3: Because many organizations have institutionalized the ADP Categories and Criteria, the use of the legacy ADP position methodology for identification and designation of position sensitivity for IA Positions of Trust may still be used in lieu of the PDT for compliance with requirements in this STIG Rule.

Personnel Occupying the legacy Information Systems Positions Designated ADP-1, ADP-2 and ADP-3. DoD military, civilian personnel, consultants, and contractor personnel performing on unclassified automated information systems may be assigned to one of three position sensitivity designations (in accordance with Appendix 10 of legacy DoD 5200.2-R, Personnel Security Program) and MINIMALLY investigated as follows:

ADP-I (AKA: IT-1): SSBI/SBPR/PPR/T5 – Tier 5/T5R – Tier 5 Reinvestigation

ADP-II (AKA: IT-2): ANACI/NACI/NACLC/S-PR/T3 - Tier 3/T3R - Tier 3 Reinvestigation

ADP-III (AKA: IT-3): Not Applicable to Information Assurance Positions of Trust

Those personnel falling in the above ADP categories who also require access to classified information will, of course, be subject to the appropriate investigative scope for the level of security clearance required. The investigative scope for clearances may exceed but not be less than that required for the designated ADP level.

NOTE 4: All designated IA Positions IAW DoD 8570.01-M (e.g., IAT Levels I-III or IAM Levels I-III) must be checked. Random checks of all other site personnel records should be made.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Check Content Reference

M

Potential Impact

Related STIG rules:
PE-02-02-01 - Position Sensitivity - Based on Security Clearance and/or Information Technology (IT) Systems Access Level or Responsibility for Security Oversight on Assigned Information Systems (IS)
PE-03.02.01 - Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted)
PE-04.02.01 - Information Assurance (IA) Positions of Trust - Identification of Positions or Duties with Privileged Access to Information Systems or Responsibility for Security Oversight of Information Systems
PE-06.03.01 - Periodic Reinvestigations

Target Key

2506

Comments