empowhr adjudicator page 1. welcome to usaccess, personal identity verification (piv) adjudicator...

EmpowHR Adjudicator

Welcome to USAccess, Personal Identity Verification (PIV) Adjudicator training. Identity management has become an important part of our homeland security since September 11th and it directly affects you, the federal employee and federal contractor.

Presidential Homeland Security Directive 12 established the criteria for an interoperable, personal identity verification program within the federal government.

The 9/11 Commission Report recommended screening people with biometric identifiers across agencies and governments as one of its global strategies to protect against terrorist attacks.

Your roles as PIV Credential Holder and Adjudicator are vitally important to the security of the nation, its assets, and its people. Each of us has an important personal role to fulfill in the credentialing process. By establishing an identity verification chain of trust, we will be working together to achieve a safer work environment and homeland.

Introduction

The USAccess Personal Identity Verification Program is deployed in response to HSPD-12, Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors. The system provides many financial, logistical, and security-related benefits.

Here are several features and benefits of USAccess:

USAccess Features & Benefits

It standardizes security criteria across all federal agencies.

Wide variations in the quality and security of identification used to gain access to secure facilities increase the likelihood of a security breach since the criteria used for one agency may not be as stringent as another for the same level of access. HSPD-12 standardizes security criteria across all federal agencies and ensures that all federal credentials can be trusted equally because they are based on common criteria.

It provides secure and reliable forms of identification.

Authentication of an individual's identity is an essential component when controlling access to secure facilities and to information systems. FIPS 201 specifies technical and operational requirements for Personal Identity Verification (PIV) systems that: • Issue PIV Credentials as identification • Read the Credentials to authenticate an individual's identity

USAccess Features & Benefits (cont’d)

It is resistant to fraud, tampering, counterfeiting, and terrorist exploitation.

The HSPD-12 standard was codified by the National Institute of Standards and Technology (NIST) with the issuance of the Federal Information Processing Standards Publication (FIPS PUB) 201: Personal Identity Verification (PIV) of Federal Employees and Contractors.

FIPS 201 was approved by the Secretary of Commerce and issued on February 25, 2005. This new standard will enable federal agencies to issue more secure and reliable forms of identification to better protect federal assets against threats such as terrorist attacks. It also will help safeguard against other risks such as identity theft.

It rapidly verifies a person's identity electronically.

A key concept of HSPD-12 is that anyone should be able to identify him or herself reliably to any federal agency using a single credential. Stove-piped credentialing systems of the past were not standardized and resulted in individuals receiving multiple credentials at various assurance levels.

USAccess Features & Benefits (cont’d)

It delivers interoperability across federal badge-based facilities and information systems.

HSPD-12 requires standardized badges that can be used at different agencies' secure facilities. The two most prominent reasons for standardized badging are as follows: • It eliminates wide variations in the quality and security of forms of identification used to access secure federal facilities and information resources. • It reflects the policy of the United States to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy.

HSPD-12 is a federal effort to combat terrorism and maintain the domestic security of the U.S.

HSPD-12 is the twelfth Homeland Security Presidential Directive issued by President George W. Bush. It requires all agencies to implement compliant identity systems by October 2006 so that the issuance of interoperable personal identity Credentials can begin. Interoperability allows software and hardware on different machines from different vendors to share data.

The Agency Adjudicator is the individual who is authorized to record or update the status of adjudication result for an Applicant in the EmpowHR system. A positive adjudication result will initiate the PIV credential issuance process.

The Adjudicator is assigned to this role by the Agency's Role Administrator. You must hold a valid PIV Credential and receive training and be certified before you can be assigned the Adjudicator Role.

The Adjudicator has the important role of serving as a gatekeeper to the granting of PIV Credentials. Being in a position of such trust also requires that the person to be fully aware of all federal privacy laws and policies.

Adjudicators are subject to the directive that all departments and agencies shall implement the PIV system in accordance with the spirit and letter of all federal privacy laws and policies.

The Adjudicator Role

New standard for Personal Identification Verification

HSPD-12 sets a new standard for Personal Identity Verification for the Federal Government.

• HSPD-12 directs establishment of common identity and security requirements and definition of

specifications for technical interoperability - leading to a new standardized badging process

• Standardized badging eliminates wide variations in the quality and security of the forms of

identification used to access secure federal facilities and information resources.

• Graduated identity confirmation assurance levels are available, providing flexibility in selecting

appropriate levels of physical and logical access for each person, location, and information

system.

• Permissions and restrictions are all contained in a single Personal Identity Verification (PIV)

Credential that can be used at any federal facility.

FIPS 201 Overview

• NIST initiated a new program to improve identification and authentication for access to federal facilities and information systems.

• The result - Federal Information Processing Standard (FIPS) 201, Personal Identity Verification of Federal Employees and Contractors.

• FIPS 201 details the standards that must be adhered to in order to satisfy HSPD-12.

• FIPS 201 standardizes the approach agencies must use to meet the security objectives of HSPD-12.

HSPD-12 tasked the National Institute of Standards and Technology (NIST) to create the security standards it described.

FIPS 201 identifies the control objectives as well as the security and privacy requirements of HSPD-12. These include identity proofing and registration requirements and the requirement that no individual has the capability to issue a PIV credential without the cooperation of another authorized person. Processes or roles in the implementation of this solution are:

PIV Requirements and Process

Applicant-The individual to whom an identity credential is to be issued. Individual provides supporting enrollment documentation for claimed identity.

Sponsorship- Substantiate the relationship to the Applicant and provide sponsorship of Applicant. Authorize the request for a PIV credential.

Enrollment- Initiates the chain of trust for identity proofing. Enrollment provides trusted services to confirm employer sponsorship, bind the Applicant to his or her biometric, and validate identity claim documentation. Enrollment delivers a secured enrollment package to the IDMS for adjudication.

Background Check- Identity proofing via government-wide standard services such as National Agency Check with Inquiries (NACI) and Federal Bureau of Investigation (FBI) Integrated Automated Fingerprint Identification System (IAFIS) background checks.

FIPS 201 identifies the control objectives as well as the security and privacy requirements of HSPD-12. These include identity proofing and registration requirements and the requirement that no individual has the capability to issue a PIV credential without the cooperation of another authorized person. Processes or roles in the implementation of this solution are:

PIV Requirements and Process

Approval- The Adjudicator initiates the request for the OPM-FBI Background Checks, validates successful completion of the background checks and approves issue of the PIV Credential.

PIV Card- The agency issues the identity credential to the Applicant after all identity proofing, background checks, and related approvals have been completed. Activation includes performing 1:1 biometric check of Applicant against PIV enrollment record, credential personalization, and verification of biometrics against the PIV Credential. This completes the chain of trust and the PIV Credential is released to the individual.

IDMS- The Approval Authority maintains an IDMS that is the system of records for PIV credentials to be issued. The IDMS performs identity proofing, verification, and validation to establish identity claim validity through government-wide standardized services.

Your card (PIV Credential) meets the requirements for a standard federal credential. Visually and electronically it will be the benchmark for identification of a federal employee.

PIV Card required physical information elements are listed below:

•Required Information Elements, Card Front:-Printed Information - photo, full name, employee affiliation, organizational affiliation, expiration date-Machine-Readable - contact chip front

•Required Information Elements, Card Back:-Printed Information - agency card serial number, issuer identification number-Machine-Readable - contact chip back

The type and location of these elements, the card dimensions, and allowable printed information are specified by FIPS 201.

PIV Credential

Mandatory logical data elements of personal information are contained in the PIV card chip.

To prove the identity of the Credential Holder to the card, a Personal Information Number (PIN) is stored.

Card management keys are stored to prove the identity of the card management system to the card.

To prove the identity of the Credential Holder to an external entity, such as a protected computer system, the card stores a Credential Holder Unique ID (CHUID), two biometric fingerprints, symmetric keys, and asymmetric keys.

Personal biographic data is not stored on the card.

PIV Credential (Cont.)

Initiates the process for an Applicant to establish a PIV record and, if applicable, to receive a PIV Credential. If the Applicant does not yet exist in the system, the Sponsor creates a New Applicant record.

Upon meeting with an Applicant, the Registrar begins the Enrollment process. This includes scanning and validating the two identity documents, verifying/updating Applicant biographic data, photographing Applicant, and completing fingerprint capture/verification. All information is entered into the system as part of the application.

Verifies that Agency-specific background check(s) have been completed. If satisfied that Applicant has satisfactorily passed the background checks, the Adjudicator marks the application as Approved, and the system automatically creates the PIV Credential package required to print the PIV Credential.

For an Attended Activation, the printed PIV Credential and Applicant are present at the Activation Station. The Activator verifies the Applicant through photo and fingerprint check, and then has Applicant enter a new PIN for the PIV Credential. Upon successful writing of the PIN to the card and system, the Credential is personalized and ready for use.

For Unattended Activation, the Applicant visits an Activation Station and activates their Credential through the Active Identity Web Portal.

PIV Process and Roles

Role Administrators assign and manage an agency's roles within the USAccess system. They verify that policies regarding appropriate separation of duties are followed.

Security Officers perform duplicate checks, Credential lock/unlock, PIN set/reset, Credential suspension, Credential revocation, and Credential renewal activities. The Security Officer has final authority to adjudicate failed enrollment actions positively and negatively. Only Security Officers have access to system audit logs.

PIV Credential Holders play a part in maintaining the system by safeguarding their PIV Credential and PIN. They should know how to activate the Credential, use it to gain approved access to physical and logical resources, and make requests for required Credential maintenance.

PIV Process and Roles (Cont.)

Separation of Duties

The FIPS 201 control objective that ensures separation of duties in the system plays an important part in the chain of trust and the security of the entire PIV program. The control objective enhances security by limiting powers.

Here are some examples of how this occurs in the USAccess system:

• Role Administrators cannot hold any other role. They cannot access their own record to assign a role. • Only the Sponsor can edit a PIV record.

Authorizing an applicant, registering his or her data, and issuing the Credential must be performed by persons occupying a variety of roles, adding a layer of quality checks during the entire process.

Separation of duties such as these ensure that no single corrupt official in the process may issue a Credential with an incorrect identity or to a person not entitled to the Credential, making fraudulent use of the system much more difficult.

Adjudication Procedures

After an Applicant is Sponsored and has enrolled in-person with a Registrar at an enrollment station, a completed enrollment package is ready to be submitted for background checks.

The required background check for a PIV credential is a National Agency Check with Written Inquiries (NACI) or other Office of Personnel Management (OPM) or National Security community investigation required for Federal employment.

A Federal Bureau of Investigation (FBI) National Criminal History Fingerprint Check is part of the background check. The Adjudicator can request fingerprint recapture through re-enrollment.

When the background investigation is complete and a determination is made, the Adjudicator records the decision in the EmpowHR system.

HSPD-12 fields do not have to be updated as part of a PAR Action. This does not require a separate PAR action but only needs to be saved once complete.

Prerequisites for entering Adjudication Information into EmpowHR:•You have access to and a user ID and password for USDA’s EmpowHR system.•You have background investigation (e.g., NACI) adjudication information for these employees, either from OPM records or USDA HR records.•You have experience using EmpowHR, and have access to EmpowHR user guides and procedure manuals if needed.

Note: Eventually Adjudicators will be logging into EmpowHR with their LincPass. The LincPass should not be removed out of the card reader during the Adjudication process until the employee’s record is saved/completed.

EmpowHR Adjudicator

Adjudicating an Employee

Note: The screenshots used are from the EmpowHR test system. There may be slight variances in the EmpowHR production system you are using.

Step 1. Sign in to the EmpowHR System with your User ID and Password.

1

Adjudicating and Employee

Once logged in you will be directed to the main page of EmpowHR. The left-side menu links you to the required processes.

Step 2. Click on PAR Processing.

2


Step 3. Click the link for Adjudication Information.

3


Step 4. Search for the Employee in the begins with field.

4


Step 5. Investigation Type: Use the droplist to select the appropriate Investigation Type the employee has completed. If the employees completed background investigation is not in the droplist because it is higher than a NACI, select the “NACI” option because that is the highest background investigation level that HSPD-12 is concerned with.

5

Step 6. Status: Use the droplist to select the “Approved” option for confirmed background investigation.

6


Note: An applicant is eligible to enroll for a LincPass after the successfully adjudicated fingerprint (FBI/NCHC) results have been entered into EmpowHR. Enrollment for a LincPass is not contingent upon a background investigation (NACI) being completed.

Step 7. Notes: Reference This field can be used to enter in the true adjudicator name and actual adjudication date.

Note: Adjudication Date and Adjudicator OprID: These two fields are populated by the system.

Step 8. Save the updates by clicking the Save button.

7

8


Adjudicator Procedures Summary

In this section of the course you learned how to use EmpowHR to verify the request for a Background Check, and complete Adjudication records.

Adjudication sessions always begin with logging in to the system and performing an applicant search.

When you set the FBI/NCHC and NACI as approved, a request is automatically sent to the card production facility and the applicant's PIV Credential is ordered. When the Credential is ready the Applicant will receive an e-mail to report to an Activation station to verify their identity and personalize their PIV Credential.

Privacy-Control Objectives

The control objectives given in HSPD-12 and expanded in FIPS 201 are central to meeting the security, efficiency, fraud prevention, and privacy protection goals of HSPD-12. Control objectives are to be maintained throughout the life cycle of PIV deployments. The control objectives can be summarized as follows:

Use of Roles in Registration and Issuance - separation of duties.

Use of Original Identity Source Documents - Proper custody of the documents for identity proofing is needed for accuracy and to maintain the privacy of personal information.

Credentialing officials must have the means to verify that the appropriate amount of investigation has been carried out on the right individual before a Credential is issued.

Use of Credentials Resistant to Tampering and Forgery.

Reliance on Rapid Credential Revocation.

Certification and Accreditation (C&A) - Test and verify processes, IT systems, and personnel reliability.

Privacy- FIPS 201 Guidelines

As the Sponsor, you have particular responsibilities for the protection of Applicant privacy and must comply fully with applicable federal laws and Agency directives.

Highlight of your responsibilities are:• Be familiar with and adhere to the directives of the Department/Agency publication(s) on privacy protection.

• Abide by the spirit and letter of all federal privacy laws and policies.

• All PIV System user records are stored only in the secure central Identity Management System (IDMS).

Privacy - Laws and Your Responsibility As the Adjudicator, you have particular responsibilities for the protection of Applicant privacy and must comply fully with applicable federal laws and Agency directives. Privacy questions or complaints should be directed to the Managed Services Organization (MSO) Security Officer.

Privacy controls specified in the Privacy Act of 1974, E-Government Act of 2002, and OMB M-03-22 are:• Citizens can access and correct personal information the government is maintaining on them in a system of records.• Agencies must publish information on how they handle electronic information collected on individuals, and are accountable for their reasons and uses of private information.

Your obligation under the Privacy Act Program are as follows:• Limit personnel authorized access to Applicant personal information and databases. • Inform the Applicant of his or her rights and responsibilities under the Privacy Act, including the privacy complaint process and the privacy appeals process. • Do not remove any Personally Identifiable Information from the EmpowHR and transport it in any way. There are sanctions for failure to safeguard confidential matters and violations of the Privacy Act.

Privacy - Transfer of Documents

Users of the PIV system may occasionally have to transfer private documents to other users of the system. This requires a safe and confidential method. In any transfer of private documents or files, you must meet all of your Agency's privacy and security policies.

Hand-carrying is to be performed only by individuals in an authorized PIV role. Materials are to be protected from plain sight and the transfers trackedby a logging system.

When mailing, use only registered mail or FedEx (signature receipt required, signatures to be logged). Packages are to be double-wrapped and sealed in such a manner as to make any tampering evident.

Fax only with prior notification to the intended recipient and with the recipient available to immediately remove document(s) from fax machine. Recipient is to provide verification of receipt by phone or email. It is required that faxes include a Privacy Act statement. Documents are not to be faxed to machines located in public areas.

For secure FTP or Web site transfer, files can be uploaded to a pre-established secure site. Any required access directions or passwords are to be communicated separately. Notify intended recipient of the upload of new files.

You as a Adjudicator have a responsibility to contribute to the privacy, security, and protection of the PIV system.

You must handle all personal Personally Identifiable Information (PII) in accordance with the guidelines of FIPS 201.

Every aspect of the PIV credentialing and transaction processes must be audited and will be audited. Any improper or illegal activity will be prosecuted.

Be aware that per Title 18 of the U.S. Code, it is a federal offense to counterfeit, alter, or misuse the PIV Credential or system.

Privacy - Title 18

Only federal employees and contractors who have enrolled in The PIV Sponsor Training course through GSA's government-approved LMS are qualified to take this certification test.

You must pass the certification test to be qualified for the role of Adjudicator.

The test consists of 10 questions that are related to your specific role in the PIV process. Choose the 1 best answer for each question.

Follow the instructions and navigation controls on your screen to proceed through the test. When you have completed the test you will receive a score and directions on how to proceed with your role assignment.

Certification Test for the Adjudicator Role