Main Page
From Jpl Rebadging
|  (→Other optional things to do) |  (Creation of JPL rebadging wiki) | ||
| Line 1: | Line 1: | ||
| - | + | == Overview == | |
| + | The [[Jet Propulsion Laboratory]] has initiated a new '''JPL rebadging''' process<ref name="newID">The New ID Card at JPL, [http://hspd12.jpl.nasa.gov/TheNewIDCard/ http://hspd12.jpl.nasa.gov/TheNewIDCard/]</ref> for its employees, contractors, and | ||
| + | affiliates.  After | ||
| + | negotiating with NASA Headquarters, | ||
| + | JPL Director [[Charles Elachi]] agreed to the new process, which will produce new ID cards in conformance with | ||
| + | FIPS 201 ([[Federal Information Processing Standard]]s Publication | ||
| + | 201), a [[United States]] federal government standard that | ||
| + | specifies Personal Identity Verification ([[PIV]]) requirements for | ||
| + | Federal employees and contractors.  FIPS 201 is a response to Homeland Security Presidential | ||
| + | Directive 12 (HSPD-12)<ref name="hspd12">HSPD-12, | ||
| + | [http://csrc.nist.gov/policies/Presidential-Directive-Hspd-12.html | ||
| + | HSPD-12, Homeland Security Presidential Directive 12]</ref>.   | ||
| - | + | The new JPL badging process is controversial, for a variety of reasons (see Controversy section below).  One of the concerns voiced is the lack of respect for privacy | |
| - | The  | + | of employees, because the badging procedure requires each employee to answer | 
| - | + | a personal questionnaire, sign a waiver permitting a background | |
| - | + | investigation at any level of detail, have fingerprints taken, and carry a new ID card with the fingerprints readable by | |
| - | + | [[RFID]] technology.  This level of personal intrusion has led to questions that the JPL Honor Code of treating | |
| + | employees with dignity and respect is being violated.   | ||
| + | [[JPL]] Badges are identification cards issued to employees, contractors, affiliates, | ||
| + | and retirees of JPL for | ||
| + | the purpose of permitting unescorted access to the JPL facility.  They are also used | ||
| + | for access to controlled areas within the laboratory, and a bar code on it is scanned for | ||
| + | a variety of routine uses | ||
| + | such as receiving packages and recording attendance at training sessions.  | ||
| + | JPL management contends that no privacy related information will be stored on the new ID card.<ref name="hspd12"/> | ||
| + | Some employees wonder how JPL management defines "privacy related information", because there is agreement | ||
| + | that the new ID card will utilize passive [[RFID]] technology to store the following attributes: | ||
| + | * JPL User Name | ||
| + | * Electronic IT Certificate | ||
| + | * Citizenship | ||
| + | * Personal Identification Number (PIN) Unique to Issuer | ||
| + | * Two Biometric Fingerprints | ||
| + | * Facial photo | ||
| + | An electromagnetic shield would need to cover the new ID card in order to prevent a remote RFID reader from accessing the data | ||
| + | stored on the new ID card. | ||
| + | [http://hspd12.jpl.nasa.gov/TheNewIDCard/ Information and a description] of the existing JPL badge and NASA One badge is also available. | ||
| + | == Rebadging process == | ||
| + | JPL management has outlined the following steps in order to obtain a new JPL ID card: | ||
| + | * Employee supplies name, birthday, SSN, and city of birth to JPL, if they have not previously done so | ||
| + | * The Office of Protective Servicees sends out email requesting employee to fill out online form | ||
| + | * Employee fills out form 85 or 85P, as directed, using the online e-QIP system, within 10 days.  This process takes 1-3 hours. | ||
| + | * Employee prints out release forms, brings them to the security office, and signs in presence of officer | ||
| + | * JPL Security scans release form, encrypts it, and sends it to the U.S. government. | ||
| + | * A fresh set of fingerprints are taken (even if they were taken for One NASA badge) | ||
| + | * A picture is taken (possibly two pictures, one with One NASA Camera, one with new ID card camera) | ||
| + | * U.S. [[Office of Personnel Management]] performs background investigation | ||
| + | * If OPM permits it, a badge is issued | ||
| + | * If adverse information is reported, employee is notified directly by OPM, and has 30 days to adjudicate.  After 30 days, the employee will be barred from accessing the laboratory, and employment will be terminated. | ||
| + | The process is repeated every 5 years.  Those who have a security clearance are exempt from the process and can | ||
| + | immediately acquire their badge. | ||
| - | == | + | == Background Investigations == | 
| - | + | ||
| - | + | === Risk Assessment === | |
| - | + | ||
| - | + | Prior to rebadging, each JPL employee will be classified as low, moderate, or high risk.  The low risk personnel will fill out form 85, while moderate and high risk personnel will fill out the more detailed form 85P.  According to Jerry Suitor, tThe classification is based on the job performed, not the individual.  Approximately 97% of the JPL workforce is expected to be classified as low risk, and 3% as high risk.  The classification will be unrelated to the two tiers of sensitivity used in classifying personnel for drug testing. | |
| - | + | ||
| - | + | According to Jerry Suitor, a high risk assessment will be made for personnel with access to ATLO, access to spacecraft software without going through a review, or for any position in which damage can be done to a NASA asset.  Section managers are being told of the classification list and can give feedback. | |
| - | + | ||
| - | + | * 4 individuals known to you in last few years | |
| - | + | ** Questions: adverse health, mental, use of alcohol, drugs, behavior | |
| - | + | ** Classification not related to drug risk classification | |
| - | + | ||
| - | * | + | === Form 85 and 85P === | 
| - | * | + | |
| + | Standard Form 85 or 85P is used as the basis for a background investigation. The official instructions on these do not agree with how JPL management is directing JPL employees and contractors to use them.  The following table is a summary of these differences. | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |- | ||
| + | ! What the Form 85 Instructions say | ||
| + | ! What JPL management says | ||
| + | |- | ||
| + | | The information you give us is for the purpose of determining your suitability for federal employment | ||
| + | | Actually, we're not going to use it for that at all.  The information you give us is for the purpose of determining access to the laboratory. | ||
| + | |- | ||
| + | | The form is to be used "only when a conditional offer of employment has been made" | ||
| + | | Employees and contractors already employed will use this form. | ||
| + | |- | ||
| + | | "[F]inal determination on your eligibility for a position will be made by the Office of Personnel Management or the federal agency that requested | ||
| + | your investigation." | ||
| + | | Determination on job eligibility was made at the time of employment.  For some employees, this decision was made years or decades ago. | ||
| + | |- | ||
| + | | Giving us the information we ask for is voluntary | ||
| + | | Your employment, regardless of its previous duration, will be terminated if you do not provide the information we ask. | ||
| + | |} | ||
| + | |||
| + | Standard Form 85 requests the following information: | ||
| + | Name, | ||
| + | Date of Birth, | ||
| + | Place of Birth, | ||
| + | Social Security Number, | ||
| + | Other Names Used, | ||
| + | Gender, | ||
| + | Citizenship, | ||
| + | Where have you lived (past 5 years), | ||
| + | Degrees you have & Where you went to school, | ||
| + | Employment History (past 5 years), | ||
| + | People who know you well (not relatives), | ||
| + | Military History, | ||
| + | Selective Service Record (if male born after December 31, 1959), | ||
| + | Used, possessed, supplied, or manufactured illegal drugs (1 year). | ||
| + | Authorization for release of information (from schools, residences, employers, and ''other sources'', without limitation to the type of information | ||
| + | gathered) | ||
| + | |||
| + | Standard Form 85P requests the following information: | ||
| + | Police Record (arrests, charges, convictions great than $150), | ||
| + | Illegal Drugs, | ||
| + | Alcohol Use, | ||
| + | Background investigations conducted in the past, | ||
| + | Financial Record (bankruptcy, debt in arrears more than 180 days), | ||
| + | Release for information gathering in support of information provided (academic history, employment, criminal history, financial), | ||
| + | Release for Medical Information | ||
| + | |||
| + | === Followup Investigation === | ||
| + | |||
| + | Describe graduation verification, employment verification. | ||
| + | |||
| + | Describe medical question, "any reason judgement impaired by a medical reason?" | ||
| + | |||
| + | === Correcting Adverse Information === | ||
| + | |||
| + | Describe similarities to "no fly" list, and difficulty of getting corrections.  Describe similarity of | ||
| + | fixing credit information after identity theft.  Describe difficulty of fixing errors within prescribed 30 day window. | ||
| + | |||
| + | == FIPS 201 and HSPD 12 == | ||
| + | Description of new ID card | ||
| + | |||
| + | '''FIPS 201 ([[Federal Information Processing Standard]]s Publication | ||
| + | 201)''' is a [[United States]] federal government standard that | ||
| + | specifies Personal Identity Verification ([[PIV]]) requirements for | ||
| + | Federal employees and contractors. | ||
| + | |||
| + | In response to HSPD-12<ref name="hspd12"/>, the | ||
| + | [[NIST]] Computer Security Division initiated a new program for | ||
| + | improving the identification and authentication of Federal employees and | ||
| + | contractors for access to Federal facilities and information systems. | ||
| + | FIPS 201 was developed to satisfy the technical requirements of HSPD 12, | ||
| + | approved by the [[Secretary of Commerce]], and issued on February 25, | ||
| + | 2005. | ||
| + | |||
| + | FIPS 201 together with [[National Institute of Standards and | ||
| + | Technology|NIST]] SP 800-78 (Cryptographic Algorithms and Key Sizes for | ||
| + | PIV) are required for U.S. Federal Agencies but do not apply to US | ||
| + | national security systems.<ref>NIST SP 800-78 | ||
| + | [http://csrc.nist.gov/publications/nistpubs/800-78/sp800-78-final.pdf | ||
| + | Cryptographic Algorithms and Key Sizes for Personal Identity | ||
| + | Verification]</ref> | ||
| + | |||
| + | The SmartCard Interagency Advisory Board has indicated that to comply | ||
| + | with FIPS 201 PIV II US government agencies should use [[Smart card]] | ||
| + | technology.  <ref>IAB [http://www.smart.gov/iab/ Interagency Advisory | ||
| + | Board]</ref> | ||
| + | |||
| + | == Controversy == | ||
| + | The rebadging process is not popular with employees and contractors.  There are numerous complaints about it, | ||
| + | which are summarized below. | ||
| + | |||
| + | === Violation of JPL Honor Code === | ||
| + | |||
| + | Need description of "dignity and respect" provision here, and relationship to badging process. | ||
| + | |||
| + | === Unlimited Waivers === | ||
| + | |||
| + | Need a description of the waiver and the concerns about it. | ||
| + | |||
| + | Need a discussion of alternate user-defined waivers. | ||
| + | |||
| + | === Fingerprints === | ||
| + | |||
| + | Need a discussion of fingerprinting, storage by FBI, intermingling with criminal database, etc. | ||
| + | |||
| + | === Drug Prosecution === | ||
| + | |||
| + | Need a description of the dangers of answering the drug question.  Investigations to independently confirm information first given here, and then prosecute it. | ||
| + | |||
| + | === Identity Theft === | ||
| + | |||
| + | Need a description of previously mishandled sensitive information | ||
| + | |||
| + | === Abuse of Information === | ||
| + | |||
| + | Need a description of previously abused sensitive information. | ||
| + | |||
| + | === Coercion === | ||
| + | |||
| + | Describe loss of job in relation to "voluntary" procedure. | ||
| + | |||
| + | === Relationship to California Law === | ||
| + | |||
| + | Describe California's prohibition on picture-taking and fingerprinting as a condition of employment, with links. | ||
| + | |||
| + | === Loss of Talent === | ||
| + | |||
| + | Describe potential loss of personnel.  Give examples from the press. | ||
| + | |||
| + | === Required Verbiage === | ||
| + | |||
| + | Insert direction from Homeland Security about the required language to describe the process. | ||
| + | |||
| + | == Political Action == | ||
| + | Insert text of Nelson letter, other letters, Holt's letter to Commerce Secretary. | ||
| + | |||
| + | List relevant congressional representatives and local officials. Provide sample letter and/or link to a stand-alone document. | ||
| + | |||
| + | Link to online petition calling for a moratorium on the rebadging process until it can be investigated and changed to align with the privacy laws, California law, JPL honor code.  (e.g., petitiononline.com) | ||
| + | |||
| + | == JPL Rebadging in the News== | ||
| + | |||
| + | JPL has not officially responded to the complaints on the new process.  It has posted a | ||
| + | [[http://hspd12.jpl.nasa.gov/ public website]] to describe the process and provide employees and the | ||
| + | public with official information on the new ID card.  The controversy is not reported on this site. | ||
| + | |||
| + | Need to reference/link to other stories here.  Pasadena Free Press, Boston Globe, NASAwatch, etc. | ||
| + | |||
| + | ==References== | ||
| + | <references /> | ||
| + | |||
| + | ==See also== | ||
| + | *[[Common Access Card| U.S. Department of Defense Common Access Card | ||
| + | (CAC)]] | ||
| + | ==External links== | ||
| + | This list needs to be updated.  Here are HSPD-12 related links only: | ||
| + | |||
| + | * [http://csrc.nist.gov/piv-program/index.html PIV Information ] | ||
| + | * [http://csrc.nist.gov/npivp/ PIV News] | ||
| + | * [http://govtsecurity.com/mag/plan_ahead_maximize/index.html Plan ahead | ||
| + | * to maximize benefits to HSPD-12 investment] | ||
| + | * [http://www.smartcard.gov/information/FSCPMmarch2005/TonyCieri.pdf PIV | ||
| + | * Supporting Documents ] | ||
| + | * [http://www.smartcard.gov/information/FSCPMmarch2005/JohnMoore.pdf | ||
| + | * Federal Identity Management and Smart Cards ] | ||
| + | * [http://www.cio.gov/ficc/cpl.htm Shared Service Providers ] | ||
| + | * [http://www.fips201.com FIPS201.com, a source of comparative | ||
| + | * information for GSA-approved FIPS 201 products] | ||
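Review bot: The link in the "JPL Rebadging in the News" section is written as [[http://hspd12.jpl.nasa.gov/ public website]], with the double brackets used for internal links, so it will render as bracketed text instead of a working external link; use single brackets. In the External links list, several entries are wrapped onto a second line that begins with "*", which splits one link into two bullets and leaves the opening bracket unclosed; each entry should sit on one line. The Overview sentence on what JPL management contends about privacy related information cites the reference named "hspd12", which this revision defines as the directive itself; the "newID" reference to the JPL site looks like the intended source. Smaller fixes: "Servicees", "tThe classification", and "great than $150".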
Revision as of 16:51, 23 May 2007
Overview
The Jet Propulsion Laboratory has initiated a new JPL rebadging process<ref name="newID">The New ID Card at JPL, http://hspd12.jpl.nasa.gov/TheNewIDCard/</ref> for its employees, contractors, and affiliates. After negotiating with NASA Headquarters, JPL Director Charles Elachi agreed to the new process, which will produce new ID cards in conformance with FIPS 201 (Federal Information Processing Standards Publication 201), a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors. FIPS 201 is a response to Homeland Security Presidential Directive 12 (HSPD-12)<ref name="hspd12">HSPD-12, [http://csrc.nist.gov/policies/Presidential-Directive-Hspd-12.html HSPD-12, Homeland Security Presidential Directive 12]</ref>.
The new JPL badging process is controversial for a variety of reasons (see the Controversy section below). One of the concerns voiced is the lack of respect for the privacy of employees, because the badging procedure requires each employee to answer a personal questionnaire, sign a waiver permitting a background investigation at any level of detail, have fingerprints taken, and carry a new ID card with the fingerprints readable by RFID technology. This level of personal intrusion has raised the question of whether the JPL Honor Code, which calls for treating employees with dignity and respect, is being violated.
JPL Badges are identification cards issued to employees, contractors, affiliates, and retirees of JPL for the purpose of permitting unescorted access to the JPL facility. They are also used for access to controlled areas within the laboratory, and the bar code on each badge is scanned for a variety of routine uses such as receiving packages and recording attendance at training sessions.
JPL management contends that no privacy related information will be stored on the new ID card.<ref name="hspd12"/> Some employees wonder how JPL management defines "privacy related information", because there is agreement that the new ID card will utilize passive RFID technology to store the following attributes:
- JPL User Name
- Electronic IT Certificate
- Citizenship
- Personal Identification Number (PIN) Unique to Issuer
- Two Biometric Fingerprints
- Facial photo
An electromagnetic shield would need to cover the new ID card in order to prevent a remote RFID reader from accessing the data stored on the new ID card.
[http://hspd12.jpl.nasa.gov/TheNewIDCard/ Information and a description] of the existing JPL badge and NASA One badge is also available.
Rebadging process
JPL management has outlined the following steps in order to obtain a new JPL ID card:
- Employee supplies name, birthday, SSN, and city of birth to JPL, if they have not previously done so
- The Office of Protective Services sends out an email requesting the employee to fill out an online form
- Employee fills out form 85 or 85P, as directed, using the online e-QIP system, within 10 days. This process takes 1-3 hours.
- Employee prints out release forms, brings them to the security office, and signs in presence of officer
- JPL Security scans release form, encrypts it, and sends it to the U.S. government.
- A fresh set of fingerprints is taken (even if they were taken for One NASA badge)
- A picture is taken (possibly two pictures, one with One NASA Camera, one with new ID card camera)
- U.S. Office of Personnel Management performs background investigation
- If OPM permits it, a badge is issued
- If adverse information is reported, employee is notified directly by OPM, and has 30 days to adjudicate. After 30 days, the employee will be barred from accessing the laboratory, and employment will be terminated.
The process is repeated every 5 years. Those who have a security clearance are exempt from the process and can immediately acquire their badge.
Background Investigations
Risk Assessment
Prior to rebadging, each JPL employee will be classified as low, moderate, or high risk. Low risk personnel will fill out form 85, while moderate and high risk personnel will fill out the more detailed form 85P. According to Jerry Suitor, the classification is based on the job performed, not the individual. Approximately 97% of the JPL workforce is expected to be classified as low risk, and 3% as high risk. The classification will be unrelated to the two tiers of sensitivity used in classifying personnel for drug testing.
According to Jerry Suitor, a high risk assessment will be made for personnel with access to ATLO, access to spacecraft software without going through a review, or for any position in which damage can be done to a NASA asset. Section managers are being told of the classification list and can give feedback.
- 4 individuals known to you in last few years
  - Questions: adverse health, mental, use of alcohol, drugs, behavior
  - Classification not related to drug risk classification
Form 85 and 85P
Standard Form 85 or 85P is used as the basis for a background investigation. The official instructions on these do not agree with how JPL management is directing JPL employees and contractors to use them. The following table is a summary of these differences.
| What the Form 85 Instructions say | What JPL management says | 
|---|---|
| The information you give us is for the purpose of determining your suitability for federal employment | Actually, we're not going to use it for that at all. The information you give us is for the purpose of determining access to the laboratory. | 
| The form is to be used "only when a conditional offer of employment has been made" | Employees and contractors already employed will use this form. | 
| "[F]inal determination on your eligibility for a position will be made by the Office of Personnel Management or the federal agency that requested your investigation." | Determination on job eligibility was made at the time of employment. For some employees, this decision was made years or decades ago. | 
| Giving us the information we ask for is voluntary | Your employment, regardless of its previous duration, will be terminated if you do not provide the information we ask. | 
Standard Form 85 requests the following information:
- Name
- Date of Birth
- Place of Birth
- Social Security Number
- Other Names Used
- Gender
- Citizenship
- Where have you lived (past 5 years)
- Degrees you have & Where you went to school
- Employment History (past 5 years)
- People who know you well (not relatives)
- Military History
- Selective Service Record (if male born after December 31, 1959)
- Used, possessed, supplied, or manufactured illegal drugs (1 year)
- Authorization for release of information (from schools, residences, employers, and other sources, without limitation to the type of information gathered)
Standard Form 85P requests the following information:
- Police Record (arrests, charges, convictions greater than $150)
- Illegal Drugs
- Alcohol Use
- Background investigations conducted in the past
- Financial Record (bankruptcy, debt in arrears more than 180 days)
- Release for information gathering in support of information provided (academic history, employment, criminal history, financial)
- Release for Medical Information
Followup Investigation
Describe graduation verification, employment verification.
Describe medical question, "any reason judgement impaired by a medical reason?"
Correcting Adverse Information
Describe similarities to "no fly" list, and difficulty of getting corrections. Describe similarity of fixing credit information after identity theft. Describe difficulty of fixing errors within prescribed 30 day window.
FIPS 201 and HSPD 12
Description of new ID card
FIPS 201 (Federal Information Processing Standards Publication 201) is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors.
In response to HSPD-12<ref name="hspd12"/>, the NIST Computer Security Division initiated a new program for improving the identification and authentication of Federal employees and contractors for access to Federal facilities and information systems. FIPS 201 was developed to satisfy the technical requirements of HSPD 12, approved by the Secretary of Commerce, and issued on February 25, 2005.
FIPS 201 together with NIST SP 800-78 (Cryptographic Algorithms and Key Sizes for PIV) are required for U.S. Federal Agencies but do not apply to US national security systems.<ref>NIST SP 800-78 [http://csrc.nist.gov/publications/nistpubs/800-78/sp800-78-final.pdf Cryptographic Algorithms and Key Sizes for Personal Identity Verification]</ref>
The SmartCard Interagency Advisory Board has indicated that to comply with FIPS 201 PIV II US government agencies should use Smart card technology. <ref>IAB [http://www.smart.gov/iab/ Interagency Advisory Board]</ref>
Controversy
The rebadging process is not popular with employees and contractors. There are numerous complaints about it, which are summarized below.
Violation of JPL Honor Code
Need description of "dignity and respect" provision here, and relationship to badging process.
Unlimited Waivers
Need a description of the waiver and the concerns about it.
Need a discussion of alternate user-defined waivers.
Fingerprints
Need a discussion of fingerprinting, storage by FBI, intermingling with criminal database, etc.
Drug Prosecution
Need a description of the dangers of answering the drug question. Investigations to independently confirm information first given here, and then prosecute it.
Identity Theft
Need a description of previously mishandled sensitive information
Abuse of Information
Need a description of previously abused sensitive information.
Coercion
Describe loss of job in relation to "voluntary" procedure.
Relationship to California Law
Describe California's prohibition on picture-taking and fingerprinting as a condition of employment, with links.
Loss of Talent
Describe potential loss of personnel. Give examples from the press.
Required Verbiage
Insert direction from Homeland Security about the required language to describe the process.
Political Action
Insert text of Nelson letter, other letters, Holt's letter to Commerce Secretary.
List relevant congressional representatives and local officials. Provide sample letter and/or link to a stand-alone document.
Link to online petition calling for a moratorium on the rebadging process until it can be investigated and changed to align with the privacy laws, California law, JPL honor code. (e.g., petitiononline.com)
JPL Rebadging in the News
JPL has not officially responded to the complaints about the new process. It has posted a [http://hspd12.jpl.nasa.gov/ public website] to describe the process and provide employees and the public with official information on the new ID card. The controversy is not reported on this site.
Need to reference/link to other stories here. Pasadena Free Press, Boston Globe, NASAwatch, etc.
References
<references />
See also
- U.S. Department of Defense Common Access Card (CAC)
External links
This list needs to be updated. Here are HSPD-12 related links only:
- [http://csrc.nist.gov/piv-program/index.html PIV Information]
- [http://csrc.nist.gov/npivp/ PIV News]
- [http://govtsecurity.com/mag/plan_ahead_maximize/index.html Plan ahead to maximize benefits to HSPD-12 investment]
- [http://www.smartcard.gov/information/FSCPMmarch2005/TonyCieri.pdf PIV Supporting Documents]
- [http://www.smartcard.gov/information/FSCPMmarch2005/JohnMoore.pdf Federal Identity Management and Smart Cards]
- [http://www.cio.gov/ficc/cpl.htm Shared Service Providers]
- [http://www.fips201.com FIPS201.com, a source of comparative information for GSA-approved FIPS 201 products]
