We found that FSA did not effectively implement Department requirements for the contractor personnel security screening process. We specifically noted weaknesses in FSA’s development of internal policies and procedures; designation of contract positions and risk levels; maintenance of contract position, risk, and employee information; notification and maintenance of security screening decisions; and contractor employee departure procedures. We found that FSA staff and officials involved in the process were generally unaware of Department requirements and their related responsibilities for processing contractor employees’ security screenings.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
---|---|---|---|---|
1.1 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA ensure that staff involved in the contractor personnel security screening process are aware of and comply with the Directive requirements, to include any subsequent updates to the requirements, and fulfill their responsibilities for processing security screenings. |
1.2 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA develop written policies and procedures to comply with the Directive, to include explanations of the key duties to be performed by specific FSA staff, requirements of the contract positions and risk designation process including the use of Position Designation Records, and other internal requirements for the FSA contractor personnel security screening process, as well as contractor employee departure procedures. |
1.3 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA have appropriate FSA staff develop and approve complete position category listings and associated risk level designations for all contractor positions on each contract, through FSA justification of position responsibilities and access, and through reconciliation of current contract position risk levels and any available position risk level designation records. |
1.4 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA ensure that screenings are initiated at the appropriate risk level based on the contractor employee’s position risk level that was classified and approved by FSA. |
1.5 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA coordinate with OM to learn the adjudication results of current contractor employees assigned to FSA contracts to ensure that all contractor employees either have a screening initiated or have been appropriately cleared to work on Department contracts. |
1.6 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA monitor the screening status of contractor employees until final OM adjudication decisions are made. |
1.7 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA maintain all information and records required by the Directive, to include up-to-date listings of all contractor employees assigned to FSA contracts and records of OM adjudication decisions for all contractor employees assigned to FSA contracts. |
1.8 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA ensure that all contractor employee departures are reported to OM as required, and inform contractor companies on a regular basis of their responsibility to notify FSA of contractor employee departures. Also ensure that contractors provide PIV cards to the COR upon contractor employee departure, as required. |
2.1 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA identify and begin tracking all active contractor employees assigned to FSA contracts, along with their risk level and any IT access, to ensure that all contractor employees have undergone security screenings at appropriate risk levels as required by Department policy. For those who have not, take immediate action to complete the security screenings and/or deny further access to Department facilities, systems, and information until appropriate security screenings are completed or required screening information is submitted. Alert the Department CISO of the condition. |
2.2 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA determine through system security audit logs and other appropriate validation processes, if there were instances of unauthorized access to Department information and systems and report appropriately, at a minimum to the Department’s CISO. |
2.3 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA ensure that security screenings and reinvestigations are initiated within the timeframes established by the Directive. |
2.4 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA ensure that all contractor employees complete the appropriate screening steps before receiving access to IT systems or Department sensitive or Privacy Act-protected information. |
2.5 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA ensure that contractor employees review and sign applicable Rules of Behavior for IT systems they are accessing. |
2.6 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA ensure that ISSOs maintain and exercise access approval rights over any IT systems that contain or can access sensitive Department data, whether owned by the Department or by the contractor, and modify applicable contracts accordingly to reflect the FSA ISSO approval rights. |
2.7 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA ensure that any contractor employees with discontinued or rejected investigations have all access to sensitive Department information, including any IT access, discontinued until appropriate screening steps have been completed. Alert the Department CISO should this condition exist. |
2.8 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA ensure that all non-U.S. citizens, current and prospective, are permitted to work on Department contracts only after appropriate steps have been taken with regard to waiver documentation, as required by the Directive. |
2.9 | Yes | $0 | $0 | We recommend that the Chief Operating Officer for FSA ensure that FSA staff are aware of and have an understanding of their responsibilities and applicable policies and procedures. |