Overview
ATTENTION: This Page Has Been Superseded By HSPD12JPL.org
The Jet Propulsion Laboratory has initiated a new JPL rebadging process for its employees, contractors, and affiliates. After negotiating with NASA Headquarters, JPL Director Charles Elachi agreed to the new process, which will produce new ID cards in conformance with FIPS 201 (Federal Information Processing Standards Publication 201), a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors. FIPS 201 is a response to Homeland Security Presidential Directive 12 (HSPD-12).
The new JPL badging process is controversial for a variety of reasons (see Controversy section below). One of the concerns voiced is the lack of respect for the privacy of employees, because the badging procedure requires each employee to answer a personal questionnaire, sign a waiver permitting a background investigation at any level of detail, have fingerprints taken, and carry a new ID card with the fingerprints readable by RFID technology. This level of personal intrusion has raised the question of whether the JPL Honor Code of treating employees with dignity and respect is being violated.
JPL Badges are identification cards issued to employees, contractors, affiliates, and retirees of JPL for the purpose of permitting unescorted access to the JPL facility. They are also used for access to controlled areas within the laboratory, and the bar code on each badge is scanned for a variety of routine uses such as receiving packages and recording attendance at training sessions.
JPL management contends that no privacy related information will be stored on the new ID card. Some employees wonder how JPL management defines "privacy related information", because there is agreement that the new ID card will utilize passive RFID technology to store the following attributes:
- JPL User Name
- Electronic IT Certificate
- Citizenship
- Personal Identification Number (PIN) Unique to Issuer
- Two Biometric Fingerprints
- Facial photo
An electromagnetic shield would need to cover the new ID card in order to prevent a remote RFID reader from accessing the data stored on the new ID card.
Information and a description of the existing JPL badge and NASA One badge are also available.
Rebadging process
JPL management has outlined the following steps in order to obtain a new JPL ID card:
- Employee supplies name, birthday, SSN, and city of birth to JPL, if they have not previously done so
- The Office of Protective Services sends out email requesting employee to fill out online form
- Employee fills out form 85 or 85P, as directed, using the online e-QIP system, within 10 days. This process takes 1-3 hours.
- Employee prints out release forms, brings them to the security office, and signs in presence of officer
- JPL Security scans release form, encrypts it, and sends it to the U.S. government.
- A fresh set of fingerprints is taken (even if they were taken for One NASA badge)
- A picture is taken (possibly two pictures, one with One NASA Camera, one with new ID card camera)
- U.S. Office of Personnel Management performs background investigation
- (Attendees at the second "process" meeting held to discuss the process were explicitly informed that OPM simply collects the data and provides it to NASA. NASA employees have been trained to do the evaluation of the collected information, and NASA will inform Caltech if the employee has been cleared for access to the facility.)
- If OPM permits it, a badge is issued
- If adverse information is reported, employee is notified directly by OPM [as per above, we were recently told that NASA notifies the employee in the event of adverse information - not OPM], and has 30 days to adjudicate. After 30 days, the employee will be barred from accessing the laboratory, and employment will be terminated.
The process is repeated every 5 years. Those who have a security clearance are exempt from the process and can immediately acquire their badge.
Background Investigations
Risk Assessment
Prior to rebadging, each JPL employee will be classified as low, moderate, or high risk. The low risk personnel will fill out form 85, while moderate and high risk personnel will fill out the more detailed form 85P. According to Jerry Suitor, the classification is based on the job performed, not the individual. Approximately 97% of the JPL workforce is expected to be classified as low risk, and 3% as moderate or high risk. The classification will be unrelated to the two tiers of sensitivity used in classifying personnel for drug testing.
According to Jerry Suitor, a high risk assessment will be made for personnel with access to ATLO (without requiring a "buddy"), access to spacecraft software without going through a review, or for any position in which damage can be done to a NASA asset. Section managers are being told of the classification list and can give feedback.
References
On the SF85 form, applicants are required to provide the names of 3 individuals who have known the applicant over the last 5 years (covering the entire five year period) and additional people (at least one for each address) who knew the applicant at each address where the applicant has lived over the past three years. The form indicates that the applicant should "try" not to list these reference names in multiple places (e.g., a generic reference should not also be used as someone who knew the applicant at an address), but the implications of listing the same person in multiple places are not defined. (What does it mean to "try?")
Applicants are also required to provide the supervisor's name for all employment within the past 5 years (for SF85) and to include all employment activities covering 5 years, including part-time work, self-employment, and all periods of unemployment. [It is believed that the supervisors are sent similar forms to the other references, but this has not been confirmed.]
This means that applicants are required to submit the names of supervisors for whom they worked, even if they requested to be transferred from those positions because of an unworkable relationship with that supervisor. Jerry Suitor indicated at a recent process meeting that his office was drafting an e-mail to be sent to all supervisors and above to inform them that before any supervisor at JPL submits adverse information for any employee for whom they receive a reference request, that supervisor should contact his office. However, many people who have been supervisors in the past 5 years are no longer supervisors and will not receive this e-mail (assuming it even is/was sent to current "supervisors and above"). Also, this could be seen as coercive of the supervisors to not submit information they believe is valid, thereby undermining the entire activity while JPL is legitimately trying to protect employees from potentially inappropriate inputs.
The references are mailed a "fill in the bubble" form with yes or no questions regarding whether the reference has any adverse information about violations of the law, health, financial stability, mental or emotional stability, abuse of alcohol, use or possession of drugs and behavior of the applicant.
Form 85 and 85P
Standard Form 85 or 85P is used as the basis for a background investigation. The official instructions on these do not agree with how JPL management is directing JPL employees and contractors to use them. The following table is a summary of these differences.
What the Form 85 Instructions say | What JPL management says |
---|---|
The information you give us is for the purpose of determining your suitability for federal employment | Actually, we're not going to use it for that at all. The information you give us is for the purpose of determining access to the laboratory. |
The form is to be used "only when a conditional offer of employment has been made" | Employees and contractors already employed will use this form. |
"[F]inal determination on your eligibility for a position will be made by the Office of Personnel Management or the federal agency that requested your investigation." | Determination on job eligibility was made at the time of employment. For some employees, this decision was made years or decades ago. |
Giving us the information we ask for is voluntary | Your employment, regardless of its previous duration, will be terminated if you do not provide the information we ask. |
Standard Form 85 requests the following information: Name, Date of Birth, Place of Birth, Social Security Number, Other Names Used, Gender, Citizenship, Where have you lived (past 5 years), Degrees you have & Where you went to school, Employment History (past 5 years), People who know you well (not relatives), Military History, Selective Service Record (if male born after December 31, 1959), Used, possessed, supplied, or manufactured illegal drugs (1 year), Authorization for release of information (from schools, residences, employers, and other sources, without limitation to the type of information gathered).
Standard Form 85P requests the following information: Police Record (arrests, charges, convictions greater than $150), Illegal Drugs, Alcohol Use, Background investigations conducted in the past, Financial Record (bankruptcy, debt in arrears more than 180 days), Release for information gathering in support of information provided (academic history, employment, criminal history, financial), Release for Medical Information.
Page 8 of form 85P indicates that the employee is authorizing investigations "...for the purpose of making a determination of suitability or eligibility for a security clearance." Note that applying for a security clearance differs from applying for a badge to verify personal identity.
Followup Investigation
Describe graduation verification, employment verification.
Describe medical question, "any reason judgement impaired by a medical reason?"
Correcting Adverse Information
Describe similarities to "no fly" list, and difficulty of getting corrections. Describe similarity of fixing credit information after identity theft. Describe difficulty of fixing errors within prescribed 30 day window.
In the event adverse information is received, NASA will notify the employee and offer the employee 30 days in which to attempt to refute or explain the information that was received. [NASA does not tell Caltech either that adverse information has been received or the nature of the information at this point in the process.] If the issue cannot be resolved to NASA's satisfaction within the 30 days allocated, NASA will notify Caltech that the applicant is not eligible for unescorted access to JPL, which will result in JPL initiating termination proceedings.
When asked whether it was realistic to resolve any generic problem within 30 days that involves dealing with a bureaucracy, Jerry Suitor "assured" attendees at a recent process meeting that JPL is confident that any problems can be resolved within 30 days. He also encouraged anyone who was notified that an adverse finding had been received to contact his office in case there was anything they could do to facilitate the resolution.
FIPS 201 and HSPD 12
Description of new ID card
FIPS 201 (Federal Information Processing Standards Publication 201) is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors.
In response to HSPD-12, the NIST Computer Security Division initiated a new program for improving the identification and authentication of Federal employees and contractors for access to Federal facilities and information systems. FIPS 201 was developed to satisfy the technical requirements of HSPD 12, approved by the Secretary of Commerce, and issued on February 25, 2005.
FIPS 201 together with NIST SP 800-78 (Cryptographic Algorithms and Key Sizes for PIV) are required for U.S. Federal Agencies but do not apply to US national security systems (NIST SP 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, http://csrc.nist.gov/publications/nistpubs/800-78/sp800-78-final.pdf).
The SmartCard Interagency Advisory Board has indicated that, to comply with FIPS 201 PIV II, US government agencies should use smart card technology (Interagency Advisory Board, http://www.smart.gov/iab/).
External links
This list needs to be updated. Here are HSPD-12 related links only:
- PIV Information
- PIV News
- Plan ahead to maximize benefits to HSPD-12 investment http://govtsecurity.com/mag/plan_ahead_maximize/index.html
- PIV Supporting Documents http://www.smartcard.gov/information/FSCPMmarch2005/TonyCieri.pdf
- Federal Identity Management and Smart Cards http://www.smartcard.gov/information/FSCPMmarch2005/JohnMoore.pdf
- Shared Service Providers
- FIPS201.com, a source of comparative information for GSA-approved FIPS 201 products http://www.fips201.com
- The Privacy Act of 1974 http://www.usdoj.gov/oip/privstat.htm
- California Constitution http://www.leginfo.ca.gov/const-toc.html
- Electronic Privacy Information Center ( RFID ) http://www.epic.org/privacy/rfid/