STIGQter STIGQter: STIG Summary: Traditional Security Checklist Version: 1 Release: 3 Benchmark Date: 15 Jun 2020:

Industrial Security - Contractor Visit Authorization Letters (VALs)

DISA Rule

SV-41040r3_rule

Vulnerability Number

V-30994

Group Title

Industrial Security - Contractor VALs

Rule Version

ID-02.03.01

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

1. Written procedures must be developed that cover the requirements and process for Visit Authorization Letters (VAL) for contractors visiting and/or employed at government sites.

2. All government sites must have a VAL on file for each contractor visiting the site temporarily and also for permanent party contractors routinely working/physically employed at the site.

NOTES:

JPAS should be used for most short term "visitor" VALs; however, in addition to JPAS (or as an alternative to JPAS for contractors who do not have JPAS accounts) VALs may also be passed via hard copy or electronically using email (mail, fax, email) for "assigned" contractor employees. This is because JPAS is by design intended for short term visits; whereas, contractor "employee" VALs require additional information (such as contract number, COR identification, etc.) that cannot be input or passed via JPAS.

A hard copy VAL for assigned contractor employees will help to eliminate substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in applicable Statements of Work (SOW and/or DD 254), etc.

Check Contents

1. Check with the security manager or personnel security specialists to ensure there are written procedures for contractors visiting government sites.

2. Ask to see copies of the site VALs and/or determine site VAL process based on the processing of contractors on your inspection team.

3. Ensure all government facilities have a VAL on file for all contractors visiting the site - to include permanent party contractors.

NOTES:

1. JPAS should and will likely be used for most short term "visitor" VALs; however, in addition to JPAS the VAL may also be passed via hard copy or electronically using email (mail, fax, email) for "assigned" contractor employees. This is because JPAS is by design intended for short term visits; whereas, contractor "employee" VALs should require additional information (such as contract number, COR identification, etc.) that cannot be input or passed via JPAS. Lack of a hard copy VAL alone for assigned contractor employees at a site will not necessarily be cause for a finding if a VAL in JPAS is available. Reviewers must use discretion when evaluating if the lack of hard copy VAL has caused any substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in applicable Statements of Work (SOW and/or DD 254), etc. when deciding if a finding is warranted. For instance an individual employee's JPAS access might indicate they have TS clearance - but the FCL for the company is only at the Secret level and/or the contract only allows for up to Secret access. If the site is allowing access to TS for this individual - then the lack of a hard copy VAL could be cited as a finding, in addition to any other related findings for this discovery.

2. Applies in a tactical environment if contract personnel visit or are assigned.

3. Reviewers should be sure to note in the findings report if the finding concerns JPAS issues for short term contractor visitors or if it concerns "hard copy" VALs for assigned contractor employees.

Vulnerability Number

V-30994

Documentable

False

Rule Version

ID-02.03.01

Severity Override Guidance

1. Check with the security manager or personnel security specialists to ensure there are written procedures for contractors visiting government sites.

2. Ask to see copies of the site VALs and/or determine site VAL process based on the processing of contractors on your inspection team.

3. Ensure all government facilities have a VAL on file for all contractors visiting the site - to include permanent party contractors.

NOTES:

1. JPAS should and will likely be used for most short term "visitor" VALs; however, in addition to JPAS the VAL may also be passed via hard copy or electronically using email (mail, fax, email) for "assigned" contractor employees. This is because JPAS is by design intended for short term visits; whereas, contractor "employee" VALs should require additional information (such as contract number, COR identification, etc.) that cannot be input or passed via JPAS. Lack of a hard copy VAL alone for assigned contractor employees at a site will not necessarily be cause for a finding if a VAL in JPAS is available. Reviewers must use discretion when evaluating if the lack of hard copy VAL has caused any substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in applicable Statements of Work (SOW and/or DD 254), etc. when deciding if a finding is warranted. For instance an individual employee's JPAS access might indicate they have TS clearance - but the FCL for the company is only at the Secret level and/or the contract only allows for up to Secret access. If the site is allowing access to TS for this individual - then the lack of a hard copy VAL could be cited as a finding, in addition to any other related findings for this discovery.

2. Applies in a tactical environment if contract personnel visit or are assigned.

3. Reviewers should be sure to note in the findings report if the finding concerns JPAS issues for short term contractor visitors or if it concerns "hard copy" VALs for assigned contractor employees.

Check Content Reference

I

Target Key

2506

Comments