Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted)

An XCCDF Rule

Description

<VulnDiscussion>Failure to properly verify security clearance status could result in an unauthorized person having access to a classified information system or an authorized person being unable to perform assigned duties. REFERENCES: DOD 8570.01-M, Information Assurance Workforce Improvement Program, 19 December 2005, Incorporating Change 4, 11/10/2015 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND): Enclosure C, paragraphs 26.c.(2) (3) and 27.f.(5) (6) NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, MA-5, PE-2, PE-3, and PS-2 DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 2, Section 2 and Chapter 8, Section 3, paragraph 8-302.a. Personnel Security. DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 2, paragraphs 1 and 3 DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), April 3, 2017, Paragraphs 3.1.c., 4.1. Civilian Personnel, 4.2. Military Personnel, 4.3. Contractors, 4.4. Consultants. 4.5. Non-U.S. Citizens Employed Overseas in Support of National Security Positions. 4.6. Temporary Employees, 5A.2. Verify Eligibility, and Glossary G.2. Definitions: LAA. Now Cancelled: DOD 5200.2-R, Personnel Security Program, Chapter 3, para C3.4.3., Chapter 7 para C7.1.2. C7.1.3. and Appendix 9, para AP9.2. & AP9.3.6.2. DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals Paragraph 4.4. DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information: Paragraphs 4.6.3., E2.1.4, Enclosure 3 and Enclosure 4.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-245856r917360_rule
Severity: Medium
Updated: 9 months ago

Background Information:

When developing an organizational program to validate security clearance information for systems access and/or physical access to SIPRNet work environments, the first thing to consider is there are various categories of personnel and associated considerations with each one. These categories include: Military employees, Government Civilian employees, Contract employees, Foreign Nationals and Local National employees under a Status of Forces (SOFA) agreement and Visitors. 

The minimum security clearance requirement for systems access to the SIPRNet or unescorted access to the physical environment surrounding SIPRNet system information technology assets is secret.
Generally, an organization validation of security clearance levels should come from official databases such as DISS, DCII, a service or agency data base or "high level" (major subordinate command) headquarters security office. Also note that organization manning (staffing) documents should include the required clearance level for each assigned Military and Civilian position.

Local procedures must be developed for verifying that all personnel with access to classified information systems (logical or physical access) have the appropriate security clearance and access authorization. 

Fixes:

1. Ensure that organizational manning (staffing) records (*security clearance requirements for the position occupied) match the actual security clearance held by the incumbent employee (military or DOD civilian) as reflected in DISS. Review all the organization personnel security records and compare with applicable System Access Authorization Request (SAAR) forms to ensure proper validation of clearance levels. Be especially aware of ALL those who have "privileged" systems access or responsibility for systems security oversight (such as SAs, ISSM, ISSOs, Network Admin, etc.) and ensure that correct clearance and IT assurance levels have been granted.

2. If there are contract employees with systems and/or physical access to SIPRNet, ensure there is a Statement of Work with accompanying DD 254 (Contract Security Specification) that covers security clearance requirements for each type of work being performed by contractors. Review contractor records (those physical assigned to the site or working remotely on projects for the organization) to ensure they actually have the required security clearances.

3. Ensure that a delegation of disclosure authority letter (DDL) is on-hand in all cases where US Classified information is released/shared with Foreign National Exchange or Liaison personnel. 

4. Ensure that a Limited Access Authorization (LAA) is on hand when system access to classified information is granted to an immigrant alien or a foreign national - not associated with or representing a foreign government. 

5. Ensure there is an organizational procedure developed to outline methodology for validation and maintenance of required security clearances.

Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted)

Description

Remediation - Manual Procedure