Safeguarding Federal Automated Information Systems—A Critical Step in Homeland Security

by Dennis E. Black

Abstract. This article provides a discussion for acquisition officials to ensure information accessed by contractor employees in federal automated information systems (AISs) is safeguarded as required by the Computer Security Act of 1987 and other federal laws.1 As our nation takes great measures to protect our homeland security, our efforts to ensure the confidentiality, integrity, and availability of information in federal automated information systems take on increased importance. To assist federal acquisition personnel and contractors, this article includes a checklist of appropriate information technology (IT) security measures that should be taken throughout the acquisition process. Note that the IT security measures discussed herein apply to both federal employees and contractors who have access to information in federal AISs. Steps in the process relative to federal employees are within the purview of an agency’s human resources (HR) function and are outside the scope of this article.

Scenario: A Breach of Information Technology Systems Security

You are a contracting officer assigned to a field office within your federal agency. You recently awarded an IT contract to deploy a state-of-the-art software application that will re-design a segment of your agency’s legacy financial management system.2 It’s Monday morning, and you just received a frantic call from the project officer. You learn that a disgruntled contractor employee working on the project somehow broke through a firewall, introduced a cyber virus into the software code, and downloaded sensitive financial records. Your agency’s financial management information has just been compromised, and you discover that you, the project officer, and the contractor failed to address information systems security requirements prior to awarding the contract. Now what do you do?
Does this scenario sound far-fetched? Not in the post-9/11 environment. The author’s advice to acquisition personnel is to inventory their portfolios of active IT contracts where contractor personnel have access to information in any federal agency AIS. Then follow the guiding discussion provided herein to ensure appropriate measures to safeguard the federal information being accessed. Make no mistake about it. Safeguarding an agency’s IT systems is no less important than safeguarding an agency’s physical facilities.

Federal IT Systems Security Policy

A plethora of federal policies have been in place for a number of years to ensure the safeguard of information contained in agency AISs.3 The question is to what extent have agencies effectively implemented that policy, especially in the current climate of heightened concerns about our national security? The following two federal statutes are particularly germane to this article.

The Computer Security Act of 1987 was enacted to improve the security of information in federal computer systems. The act requires that each federal agency establish and administer an automated information systems security program (AISSP) to protect its information resources and to properly train its employees. Each agency is required to implement an AISSP that will ensure an adequate level of security and privacy for each AIS that is commensurate with the risk and magnitude of the harm that could result from the loss, misuse, disclosure, or modification of the information contained in the system. Agencies must implement levels of AIS security that will protect the confidentiality, integrity, and availability of the information.4

The Government Information Security Reform Act of 2000 amended the Paperwork Reduction Act of 1995 by enacting a new subchapter, “Information Security,” which focuses on the program management, implementation, and evaluation aspects of the security of unclassified and national security systems in federal agencies.
In addition, the act requires
■ Annual agency program reviews of information security programs,
■ Annual Inspector General (IG) evaluations of agency efforts,
■ Agency reports to the Office of Management and Budget (OMB) on the results of IG evaluations of unclassified information systems and audits of IG evaluations for national security programs, and
■ An annual OMB report to Congress summarizing the material received from agencies.

As part of our nation’s efforts to provide for homeland security, acquisition officials now share in new responsibilities to ensure the protection of federal information systems for critical infrastructure (i.e., the transaction of business, the operation of government, and the conduct of our national defense).5

Dennis E. Black, Ph.D., CPCM, is a federal acquisitions consultant. He is an NCMA Fellow and a charter member of the Bethesda/Medical Chapter.
April 2003 / Journal of Contract Management ■ 11

The Basics

It is imperative that an agency’s acquisition and technical staff, along with its contractors, work together to ensure that information being accessed from agency AISs is properly safeguarded. Before using the checklist provided in this article, acquisition officials must first become familiar with the following basics for safeguarding federal information: categories of safeguarded agency information, security level designations for agency information, and position sensitivity designations for individuals accessing agency information.

Categories of Safeguarded Agency Information

Agency information is categorized as follows:
■ Non-sensitive Information—Agency information that does not meet the definitions of “sensitive” or “classified” below and is generally available to the public.
■ Sensitive Information—“Any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an act of Congress to be kept secret in the interest of national defense or foreign policy.”6
■ Classified Information—Agency information that is defined as confidential, secret, or top secret.7 Federal Acquisition Regulation (FAR) Subpart 4.4, Safeguarding Classified Information within Industry, provides procedures that must be followed when the contractor will have access to classified information during contract performance.

Security Level Designations for Agency Information

Federal agencies are assigned the responsibility for implementing adequate management control systems that ensure adequate security of automated information.8 An agency’s efforts to safeguard information that is accessible to contractor employees are based on determinations of (1) the level of sensitivity of the data contained in the AIS, and (2) the level of operational criticality of the data processing capabilities of the AIS.9

A determination of the level of sensitivity of the data contained in an AIS addresses the need to protect data from unauthorized disclosure, fraud, waste, or abuse. The following four security level designations apply: Level 1 (Low Sensitivity), Level 2 (Moderate Sensitivity), Level 3 (High Sensitivity), and Level 4 (High Sensitivity and National Security Interest).

A determination of the level of operational criticality of the data processing capabilities of an AIS addresses the ramifications should those processing capabilities be interrupted for a period of time or subject to fraud or abuse. The following four security level designations apply: Level 1 (Low Criticality), Level 2 (Moderate Criticality), Level 3 (High Criticality), and Level 4 (High Criticality and National Security Interest). Table 1 summarizes the definitions of the security level designations for agency information.

Table 1. Security Level Designations for Agency Information

Sensitivity of Data in the AIS

Level 1: Low Sensitivity
■ Data requiring minimal protection (e.g., data that is of value only in raw form)
■ Information subject to the Privacy Act that is virtually in the public domain and for which unauthorized disclosure could reasonably be expected not to adversely affect an individual
■ Unintentional alteration or destruction is the primary concern

Level 2: Moderate Sensitivity
■ Data determined to be important to the agency (e.g., management information concerning workload, performance, and staffing; research and statistical data)
■ Information subject to the Privacy Act for which unauthorized disclosure could cause nonspecific embarrassment to an individual
■ Must be protected against acts of malicious destruction
■ Usually collected for analytical purposes, disclosure of which is not usually significant

Level 3: High Sensitivity
■ Data containing the most sensitive unclassified information (e.g., payroll records or proprietary information)
■ Information subject to the Privacy Act that meets the qualifications of Exemption 6 of the Freedom of Information Act (i.e., unauthorized disclosure would constitute a clearly unwarranted invasion of personal privacy likely to lead to specific detrimental consequences for the individual)
■ Requires the greatest number and most stringent security safeguards at the user level

Level 4: High Sensitivity and National Security Interest
■ Data containing national security classified information
■ Other sensitive, but unclassified information, the loss of which could adversely affect national security interests

Operational Criticality of the Data Processing Capabilities of the AIS

Level 1: Low Criticality
■ Data processing capabilities requiring minimal protection
■ Would minimally affect the agency in the event of alteration or failure (e.g., AISs that generate, store, process, transfer, or communicate data having low or minimal sensitivity)

Level 2: Moderate Criticality
■ Data processing capabilities that are important but not critical to the internal management of the agency (e.g., AISs whose failure or function for an extended period of time would not be critical to the agency, or AISs that generate, store, process, transfer, or communicate data having moderate sensitivity)

Level 3: High Criticality
■ Data processing capabilities considered critical to the agency (e.g., AISs whose failure or function for even a short period of time could have a severe impact on the agency, or AISs that perform functions with data considered to have a high potential for fraud, waste, or abuse)

Level 4: High Criticality and National Security Interest
■ Data processing capabilities considered to be critical to the agency and to the well being of the nation (e.g., AISs that generate, store, process, transfer, or communicate national security classified data, or AISs that handle other sensitive, but unclassified data the loss of which could adversely affect national security interests)

Position Sensitivity Designations for Individuals Accessing Agency Information

Each federal and contractor position having access to agency information must be assigned a position sensitivity designation that is commensurate with the sensitivity level of the information being accessed.10 There are three position sensitivity designations (non-sensitive, public trust, and national security) that correlate with six specific sensitivity levels.

Once an appropriate position sensitivity designation is assigned to an individual, the agency determines the level of clearance that the individual will require and then requests an investigation of the individual. The U.S. Office of Personnel Management (OPM), or another federal investigative agency, conducts various types of investigations. Requests for investigations are processed in accordance with the requesting agency’s internal procedures and OPM guidelines.11 The scope and coverage of an investigation are determined by the level of sensitivity involved with the individual’s responsibilities. Investigations are designed to cover pertinent facts, past and present, about the character and honesty, trustworthiness, and reputation, of the individual. Table 2 summarizes the position sensitivity designations and types of clearances and investigations that are used for individuals having access to agency information.

Table 2. Position Sensitivity Designations for Individuals Accessing Agency Information

Each entry gives the sensitivity level, the type of clearance, and the type of investigation.*

Non-Sensitive Designation
Positions in which the individual will have access to non-sensitive information that involves mostly low-risk, non-sensitive, and non-national security program responsibilities.
■ Sensitivity level: Level 1 Non-sensitive. Type of clearance: Suitability Determination. Type of investigation: NACI. Use SF 85, Questionnaire for Non-sensitive Positions.

National Security Designations
Positions in which the individual will have access to classified information (confidential, secret, top secret) or other restricted information relating to national security.
■ Sensitivity level: Level 2 Classified. Type of clearance: Confidential or Secret. Type of investigation: LBI. Use SF 86, Questionnaire for National Security Positions.
■ Sensitivity level: Level 3 Classified. Type of clearance: Top Secret. Type of investigation: SSBI. Use SF 86, Questionnaire for National Security Positions.
■ Sensitivity level: Level 4 Classified. Type of clearance: Special Access. Type of investigation: SSBI. Use SF 86, Questionnaire for National Security Positions.

Public Trust Designations
Positions in which the individual’s actions or inactions could diminish public confidence in the integrity, efficiency, or effectiveness of assigned government activities, whether or not actual damage occurs, and positions in which the individual is entrusted with control over information that the government has legal or contractual obligations not to divulge.
■ Sensitivity level: Level 5 Sensitive (Moderate Risk). Type of clearance: Suitability Determination. Type of investigation: NACIC or LBI. Use SF 85P, Questionnaire for Public Trust Positions.
■ Sensitivity level: Level 6 Sensitive (High Risk). Type of clearance: Suitability Determination. Type of investigation: BI. Use SF 85P, Questionnaire for Public Trust Positions.

* Types of Investigations:
■ National Agency Check (NAC)—An integral part of all background investigations, consisting of searches of the OPM Security/Suitability Investigations Index (SII), the Defense Clearance and Investigations Index (DCII), the Federal Bureau of Investigation (FBI) identification division’s name and fingerprint files, and other files or indices when necessary.
■ National Agency Check and Inquiries (NACI)—The basic and minimum investigation required on all new federal employees consisting of a NAC with written inquiries and searches of records covering specific areas of an individual’s background during the past five years (inquiries sent to current and past employers, schools attended, references, and local law enforcement authorities).
■ NACI and Credit (NACIC)—This NACI includes the addition of a credit record search.
■ Access NACI (ANACI)—Initial investigation for those who need access to classified national security information at the “confidential” or “secret” level. The ANACI includes NACI and credit coverage with additional local law enforcement agency checks.
■ Child Care NACI (CNACI)—An enhanced NACI designed to meet special investigation requirements for those who are in child care provider positions. This investigation includes a search of records of criminal history repositories of the state where the subject resides.
■ NAC with Local Agency Check and Credit (NACLC)—An ANACI without the written inquiries to past employers, schools attended, etc. It is designed as the initial investigation for contractors at the confidential and secret national security access levels.
■ Minimum Background Investigation (MBI)—This investigation includes a NACIC, a face-to-face personal interview between the investigator and the subject, and telephone inquiries to selected employers.
■ Limited Background Investigation (LBI)—This investigation includes a NACIC, personal subject interview, and personal interviews by an investigator of subject’s background during the most recent three years.
■ Background Investigation (BI)—This is a more in-depth version of the LBI since the personal investigation coverage is the most recent five to seven years. This investigation is required of those going into “high risk” public trust positions.
■ Single Scope Background Investigation (SSBI)—A governmentwide investigation required of those who need access to top secret classified national security information. This investigation covers the past seven years of the individual’s activities. It includes a verification of citizenship and date and place of birth, as well as national records checks on the individual’s spouse or cohabitant, interviews with selected references and former spouses.
■ SSBI Periodic Reinvestigation (SSBI-PR)—The required five-year update investigation for those who have top secret security clearances. It consists of personal investigative coverage of employments and residences since the previous investigation, including interviews with all former spouses divorced during the coverage period. A search of the U.S. Treasury Department’s financial data base is also included.

Checklist of IT Systems Security

Having become familiar at this point with the basics for safeguarding federal information, acquisition officials should refer to the following checklist when processing IT acquisitions where contractor employees will have access to sensitive information in an agency AIS.

Procurement Planning and Pre-solicitation
✔ Become familiar with the agency’s AISSP.

Solicitation, Evaluation, and Award
✔ Prior to issuing the solicitation, receive a certification from the project officer and the information systems security officer (ISSO) that the statement of work complies with the security requirements of the agency’s AISSP. This should include statements that the project officer and the ISSO have determined the appropriate
■ category of information that will be accessed (i.e., nonsensitive, sensitive, or classified);
■ security level designations for the information that will be accessed (i.e., the level of sensitivity of the data contained in the AIS and the level of operational criticality of the data processing capabilities of the AIS); and
■ position sensitivity designation and specific sensitivity level for the contractor employees.
✔ Include a special provision in the solicitation that contains the appropriate AIS security requirements, including the requirements that the offeror must (1) comply with the statement of work and the agency’s AISSP, and (2) submit a detailed outline of its present and proposed AISSP with the offer that is commensurate with the size and complexity of the work requirements.
✔ Include FAR Clause 52.204-2, “Security Requirements,” in the solicitation and contract when the contractor may require access to classified information during contract performance.
✔ Include FAR Clause 52.239-1, “Privacy or Security Safeguards,” in the solicitation and contract.
✔ Ensure that the technical evaluation criteria in the solicitation include the review and evaluation of each offeror’s present and proposed AISSP.
✔ Prior to awarding the contract, receive a certification from the project officer and the agency’s ISSO that they have reviewed the apparent successful offeror’s detailed outline of its present and proposed AISSP and have determined that it complies with the security requirements of the agency’s AISSP.
✔ Include a special clause in the contract that contains the appropriate AIS security requirements, including that the offeror must (1) comply with the statement of work and the agency’s AISSP, and (2) include the provision in any subcontract.
✔ Include a special requirement in the contract that each contractor employee must submit a statement to serve as an individual commitment to protect any privileged information accessed during the contract work.
✔ Attach the contractor’s detailed outline of its present and proposed AISSP to the contract, along with any other portions of the contractor’s successful technical proposal deemed necessary by the project officer.
✔ Include special reporting requirements in the contract that require the contractor to report on AIS security issues.

Post-award Administration
✔ Receive a certification from the project officer confirming that the contractor has (1) processed the appropriate clearance/investigation for each contractor employee having access to information under an agency AIS and (2) provided AIS training and orientation to those contractor employees.
✔ Confirm that the project officer is monitoring contractor performance for compliance with the AIS security requirements of the acquisition.

Conclusion

In the post-9/11 environment, our nation continues its struggle to protect our homeland security from external, as well as internal, threats to our way of life. Unwittingly, acquisition officials have been given a significant role in the battle. The subject of IT systems security in federal acquisitions can no longer be given secondary importance. Unfortunately, we continue to experience incidents where federal AISs are seriously breached.12 It is imperative that acquisition officials understand their important role in safeguarding federal information being accessed by contractor employees. The guidance provided in this article ensures that agency information will be adequately protected throughout the acquisition process as required by law. Only through the cooperative efforts of agency acquisition and technical staffs, along with its contractors, can we guarantee the confidentiality, integrity, and availability of information in agency AISs. And from those efforts, we shall continue to maintain the public trust.

Endnotes

1. “Information” is defined as “any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, that is owned by, produced by or for, or is under the control of the United States government” (Executive Order 12958). An “automated information system” (AIS) is defined as the organized collection, processing, transmission, and dissemination of automated information in accordance with defined procedures (OMB Circular A-130). An agency’s automated information systems security program applies to all AISs, including application systems and databases; AIS facilities, including mainframe, minicomputer, and microcomputer platforms; and to all information technology utilities (ITUs), local area networks (LANs), and wide area networks (WANs). An AIS is also defined as any assembly of computer hardware, software, or firmware configured to collect, create, communicate, compute, disseminate, process, store, or control data or information (Executive Order 12958).

2. Federal policies and procedures applicable to the acquisition of information technology by or for the use of agencies, except for acquisitions of information technology for national security systems, are contained in Federal Acquisition Regulation (FAR) Part 39, “Acquisition of Information Technology.” FAR Subpart 2.1, “Definitions,” defines “information technology” as “any equipment, or interconnected system(s) or subsystem(s) of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency.” For purposes of the definition, equipment used by an agency includes equipment that the agency uses directly or is used by a contractor under a contract with the agency that (1) requires its use or (2) to a significant extent, requires its use in the performance of a service or the furnishing of a product. The term “information technology” includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. The term does not include any equipment that (1) is acquired by a federal contractor incidental to a federal contract or (2) contains embedded information technology that is used as an integral part of the product, but the principal function of which is not the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data. The genesis of the FAR definition of “information technology” can be found in the Information Technology Management Reform Act of 1996 (Section 5002 of the Clinger-Cohen Act of 1996, P.L. 104-106).

3. Federal Law: Privacy Act (P.L. 93-579), Paperwork Reduction Act (P.L. 96-511), Computer Security Act (P.L. 100-235), Government Performance and Results Act (P.L. 103-62), Information Technology Management Reform Act (P.L. 104-106), Government Information Security Reform Act (Title X, Subtitle G of the FY 2001 Defense Authorization Act (P.L. 106-398)). OMB Circulars: A-123, Management Accountability and Control (Revised June 21, 1995); A-127, Financial Management Systems (Revised July 23, 1993) (Transmittal Memorandum # 2, June 10, 1999); A-130, Management of Federal Information Resources (12-12-85), (Transmittal Memorandum # 4, November 28, 2000).
Executive Orders: 10865 (February 20, 1960), Safeguarding Classified Information within Industry; 10909 (January 17, 1961); 12829 (January 6, 1993), National Industrial Security Program; 13011 (1996), Federal Information Technology. National Institute of Standards and Technology (NIST) FIPS PUBS: 31, Guidelines for Automatic Data Processing Physical Security and Risk Management, June 1984; 65, Guidelines for Automatic Data Processing Risk Analysis, August 1, 1979; 73, Guidelines for Security of Computer Applications, June 30, 1980; 87, Guidelines for ADP Contingency Planning, March 27, 1981; 102, Guidelines for Computer Security Certification and Accreditation, September 27, 1983; NIST SPEC PUB 500-172, Computer Security Training Guidelines, November 1989. See NIST Computer Security Resource Center: Special Publications (500 Series and 800 Series) at http://csrc.nist.gov/publications/nistpubs/index.html and Policies at http://csrc.nist.gov/policies/index.html. Federal Personnel Manual, Chapter 731, “Personnel Suitability.” One example of an agency’s implementation of an automated information systems security program can be found in the Department of Health and Human Services (HHS), Automated Information Systems Security Program Handbook (Release 2.0, May 1994). Miscellaneous: Presidential Decision Directive 63, Critical Infrastructure Protection (May 22, 1998).

4. Appendix III to OMB Circular No. A-130, “Security of Federal Automated Information Resources.”

5. Executive Order, Establishing the Office of Homeland Security and the Homeland Security Council (October 8, 2001); Executive Order, Critical Infrastructure Protection in the Information Age (October 16, 2001).

6. Computer Security Act (P.L. 100-235), Sec. 3.

7. Executive Order No. 12958 (April 17, 1995) prescribes a uniform system for classifying, safeguarding, and declassifying national security information.
The following three classification levels are prescribed: “top secret” applies to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security; “secret” applies to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security; “confidential” applies to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security. Note that a “q access” is a term used by the Department of Energy and the Nuclear Regulatory Commission to refer to a security clearance that allows an individual access to all classification levels and nuclear material categories on a need-to-know basis. Executive Order No. 12968 (August 2, 1995) established a uniform federal personnel security program for employees having access to classified information. Under the Executive Order, the term “employees” applies to “a person, other than the president and vice president, employed by, detailed or assigned to, an agency, including members of the armed forces; an expert or consultant to an agency; an industrial or commercial contractor, licensee, certificate holder, or grantee of an agency, including all subcontractors; a personal services contractor; or any other category of person who acts for or on behalf of an agency as determined by the appropriate agency head.” Executive Order No. 
12968 states, in part, that access to classified information shall be granted to “employees who are United States citizens for whom an appropriate investigation has been completed and whose personal and professional history affirmatively indicates loyalty to the United States, strength of character, trustworthiness, honesty, reliability, discretion, and sound judgment, as well as freedom from conflicting allegiances and potential for coercion, freedom from conflicting allegiances and regulations governing the use, handling, and protection of classified information.” The Executive Order also allows for non-United States citizens to have access to classified information where there are compelling reasons. For historical references to the development of requirements for investigations of federal employees, see the following Executive Orders: 9835 (March 31, 1947), 10237 (April 26, 1951), 10450 (April 27, 1953), 10491 (October 13, 1953), 10531 (May 27, 1954), 10548 (August 2, 1954), 10550 (August 5, 1954), 11785 (June 4, 1974), and 12107 (December 28, 1978).

8. “Adequate security” is defined as “security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information” (OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources).

9. Department of Health and Human Services (HHS), Automated Information Systems Security Program Handbook (Release 2.0, May 1994); Chapter II, Security Level Designations, pp. 20-24.

10. Department of Health and Human Services (HHS), Personnel Security/Suitability Handbook (SDD/ASMB 1/98).

11. U.S. Office of Personnel Management Investigations Service, Requesting OPM Personnel Investigations (IS-15, May 2001). Information on OPM’s investigation services, including guidance and a schedule of current processing fees can be found at www.opm.gov/extra/investigate.

12. French, M. “Reward Offered for Stolen DOD Files,” Federal Computer Week. January 3, 2003 (www.fcw.com).