
Risk Management Handbook Chapter 13: Personnel Security (PS)

RMH Chapter 13 outlines policies to ensure that employees and contractors are safely accessing systems

Last reviewed: 11/12/2019

Contact: ISPG Policy Team | CISO@cms.hhs.gov


Introduction

The Risk Management Handbook Chapter 13: Personnel Security discusses how the organization must: ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions prior to issuing any security credentials or providing authorized access to Federal information systems; ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

Personnel Security controls

In this section, the PS family procedures are outlined. To increase traceability, each procedure maps to the associated NIST controls using the control number from the CMS IS2P2.

Position Risk Designation (PS-2)

The purpose of the Position Risk Designation control is to assign a risk designation to every organizational position, establish screening criteria for the individuals filling those positions, and review and update those designations on a routine basis. The Office of Personnel Management (OPM) oversees the Position Designation Automated Tool (PDT), which helps agencies determine the designation of each position within their organization.

There are three (3) position sensitivity designations (non-sensitive, public trust, and national security), which correlate with six (6) sensitivity levels (1 through 6). CMS has no positions at the national security designation but does employ positions at the non-sensitive and public trust designations. In addition, CMS requires that all individuals with significant security responsibilities possess, at a minimum, a Level 5 Public Trust.

The Division of Personnel Security within the Office of Support Services and Operations (OSSO) at CMS is responsible for initiating and adjudicating background investigations and security clearances commensurate with the position sensitivity risk designation for both employees and contractors. It also coordinates with the different CMS components to determine position sensitivity risk designations for all employee and contractor personnel receiving access to CMS data and/or facilities, and provides consultation and training to managers, executive officers, project officers, contractors, and the Office of Human Capital (OHC) on how to determine position sensitivity. The EUA Front-End Interface (EFI) is the system used to conduct training on the PDT and other tools.

The table below outlines the CMS organizationally defined parameters (ODPs) for PS-2 Position Risk Designation.

Table 1: CMS Defined Parameters – Control PS-2

Control: PS-2

Control Requirement:

The organization:

  1. Assigns a risk designation to all organizational positions;
  2. Establishes screening criteria for individuals filling those positions; and
  3. Reviews and updates position risk designations [Assignment: organization-defined frequency].

CMS Parameter:

The organization:

  1. Assigns a risk designation to all organizational positions;
  2. Establishes screening criteria for individuals filling those positions;
  3. Ensures that all individuals with significant security responsibilities possess, at a minimum, a Level 5 Public Trust;
  4. Ensures that individuals are designated to position-sensitivity levels that are commensurate with the responsibilities and risks associated with the position; and
  5. Reviews and, if necessary, updates position risk designations at least every three (3) years or whenever a position's duties are changed/revised/realigned, and ensures that these risk designations are consistent with OPM policy and guidance.

Personnel Screening (PS-3)

The purpose of the Personnel Screening control is to ensure that the organization screens and conducts background checks on individuals prior to granting access to information systems, CMS data, and/or physical access to CMS facilities and locations.

CMS screens individuals prior to authorizing access to the information system and rescreens them periodically and, for CMS employees, whenever they move to a new position with a higher risk designation. CMS contractors who move to a new contract must receive new PIV credentials and a new CMS User ID through Enterprise User Administration (EUA). CMS refuses employees and contractors access to information systems until they have:

  1. Been granted an interim clearance by CMS, at which point the employee receives a CMS User ID; and
  2. Signed the appropriate access agreements.

HHS and CMS require individuals with significant security responsibilities to be assigned and hold, at a minimum, a Level 5 Public Trust sensitivity level clearance as defined in the HHS Personnel Security/Suitability Handbook, with submission of the HHS-745 and 20037. CMS facilitates the screening and background check: the employee completes the HHS-745 and 20037, which are then submitted to the Division of Personnel Security (DPS) through the EUA Front-End Interface (EFI). The request for screening is initiated by the COR, ISSO, Manager, and/or Business Owner.

The table below outlines the CMS organizationally defined parameters (ODPs) for PS-3 Personnel Screening.

Table 2: CMS Defined Parameters – Control PS-3

Control: PS-3

Control Requirement:

The organization:

  1. Screens individuals prior to authorizing access to the information system; and
  2. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].

CMS Parameter:

The organization:

  1. Screens individuals prior to authorizing access to the information system;
  2. Rescreens individuals periodically and anytime they move to a new position with a higher risk designation;
  3. Conducts background investigations in a manner commensurate with OPM, HHS, and CMS Human Resources (HR) policy and guidance;
  4. Performs reinvestigations in accordance with guidance provided by current personnel security policy; and
  5. Refuses employees and contractors access to information systems until they have:
     • Been granted an interim clearance; and
     • Signed the appropriate access agreements.

Personnel Termination (PS-4)

The purpose of Personnel Termination is to ensure that logical and physical access are removed from both voluntarily and involuntarily separated users, and that all physical items provided by the agency are returned to CMS. This control requires timely communication and coordination among the several stakeholders involved in the process, including the Office of Human Capital (OHC), Human Resources, CORs (for contract personnel), Managers (for Federal employees), ISSOs, Business Owners, and others as necessary. These stakeholders shall be identified within the System Security and Privacy Plan (SSPP) for each information system to ensure that the appropriate personnel are contacted.

When a contractor leaves the contract for any reason, it is essential that the COR coordinate with the contracting company to collect all CMS-issued items (PIV, laptop(s), devices, etc.) from the contractor. When Federal employees are terminated, it is the responsibility of the employee's first-line supervisor to ensure that the items listed above are collected prior to the employee's departure. This is facilitated by an email sent from Human Resources to the Division of Personnel Security (DPS) within the Office of Support Services and Operations (OSSO) that identifies which employees have departed or are no longer employed, the physical equipment that must be collected, and the access that must be revoked. OSSO/DPS then coordinates with the appropriate POCs (Manager, ISSO, BO) to ensure the equipment is collected, the PIV is returned to OSSO/DPS, and the user's access to information and information systems is revoked in a timely manner commensurate with the type of separation or termination. For instance, individuals who are involuntarily separated from their contract or position with CMS are escorted off CMS premises immediately. For these involuntary separations it is vital that logical and physical access be revoked during the separation process (i.e., during the separation interview) to mitigate sabotage, malicious activity, or any other damage to CMS persons or assets.

Coordination with the Division of Physical Security and Strategic Information (DPSSI) must occur prior to the involuntary separation of the employee or contractor in order to properly facilitate their exit from CMS premises.

The Office of Human Capital (OHC) is responsible for conducting exit interviews, especially for employees with a security clearance, which include a discussion of the access agreements the employee signed, such as non-disclosure of information security and privacy information, and any other agreements.

The table below outlines the CMS organizationally defined parameters (ODPs) for PS-4 Personnel Termination.

Table 3: CMS Defined Parameters – Control PS-4

Control: PS-4

Control Requirement:

The organization, upon termination of individual employment:

  1. Disables information system access within [Assignment: organization-defined time period];
  2. Terminates/revokes any authenticators/credentials associated with the individual;
  3. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
  4. Retrieves all security-related organizational information system-related property;
  5. Retains access to organizational information and information systems formerly controlled by terminated individual; and
  6. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

CMS Parameter:

The organization, upon termination of individual employment:

  1. Disables information system access in accordance with Implementation Standard 1;
  2. Terminates/revokes any authenticators/credentials associated with the individual;
  3. Conducts exit interviews that include a discussion of non-disclosure of information security and privacy information;
  4. Retrieves all security-related organizational information system-related property;
  5. Retains access to organizational information and information systems formerly controlled by the terminated individual;
  6. Notifies defined personnel or roles (defined in the applicable security plan) within one (1) calendar day; and
  7. Immediately escorts employees terminated for cause out of the organization.

Automated Notification (PS-4(2))

The purpose of the Automated Notification control is to ensure that CMS employs automated mechanisms to notify designated personnel/roles upon the termination of an individual. These can be established via email notification to the COR, Managers, Personnel Security, and others. In addition, the terminated individual's accounts can be set to close as part of the process to protect against insider threats such as sabotage or malicious activity. One way to accomplish this is to submit the name of the terminated individual via the EUA Front-End Interface (EFI) to notify CMS security management.

Personnel Transfer (PS-5)

The purpose of the Personnel Transfer control is to review the access granted to individuals who are transferred or reassigned to other positions within the organization, either permanently or for an extended length of time. Just as Personnel Termination (PS-4) requires the employee's Manager (or the COR for a contract) to notify OSSO/DPS when an individual is terminated or exits the agency, this control requires those same stakeholders to notify OSSO/DPS when an employee or contractor changes roles via transfer. For a contractor this typically requires all logical and physical access to be revoked and, if and when they join another contract, re-established by starting the process of regaining access to CMS facilities, information, and information systems anew. For employees the process differs, since it is common for CMS personnel to take temporary transfers to other components and roles within the agency. The Manager should work with the information system owner, ISSO, and Business Owner to determine whether the length of the employee's transfer is long enough to require revocation of access rights and/or return of physical equipment.

Upon notification of personnel transfer, OSSO/DPS is responsible for granting physical access and badges while the information system owner is responsible for notifying the appropriate parties (should be identified in the System Security Plan) and notifying the CMS Access Administrator (CAA) for logical access and job code(s) approval.

System owners should revoke employee access rights immediately upon notification of the transfer. Physical access is revoked immediately following the transfer, and procedures are in place to ensure system access is revoked prior to or during the transfer process. The employee's Manager reviews and confirms the ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization, and initiates the following actions during the formal transfer process:

  • Re-issuing or confirming the need to retain appropriate information system-related property (e.g., keys, identification cards, building passes);
  • Notifying security management;
  • Closing obsolete accounts and establishing new accounts;
  • When an employee moves to a new position of trust, re-evaluating logical and physical access controls as soon as possible but not to exceed 30 days;
  • Modifying access authorizations as needed to correspond with any changes in operational need due to the reassignment or transfer; and
  • Notifying defined personnel or roles (defined in the applicable security plan) within one (1) business day.

The table below outlines the CMS organizationally defined parameters (ODPs) for PS-5 Personnel Transfer.

Table 4: CMS Defined Parameters – Control PS-5

Control: PS-5

Control Requirement:

The organization:

  1. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
  2. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
  3. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
  4. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

CMS Parameter:

The organization:

  1. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
  2. Initiates the following transfer or reassignment actions during the formal transfer process:
     • Re-issuing or confirming the need to continue to have/access appropriate information system-related property (e.g., keys, identification cards, building passes);
     • Notifying security management;
     • Closing obsolete accounts and establishing new accounts; and
     • When an employee moves to a new position of trust, re-evaluating logical and physical access controls as soon as possible but not to exceed 30 days;
  3. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
  4. Notifies defined personnel or roles (defined in the applicable security plan) within one (1) business day.

Access Agreements (PS-6)

The purpose of the Access Agreements control is to ensure that users of an information system have read, understood, and agree to abide by the rules and/or constraints associated with their access to the information system and its data. These access agreements can include, but are not limited to, documents such as a non-disclosure agreement (NDA), acceptable use agreements, and Rules of Behavior (RoB). Information system users must complete the required access agreement(s) prior to receiving logical access.

The HHS RoB for Use of HHS Information and IT Resources is the standard HHS access agreement and is in use by CMS. All new users of information resources must read the HHS RoB and sign the accompanying acknowledgement form before accessing Department data or other information, systems, and/or networks. This acknowledgement must be repeated every 365 days thereafter, which may be done as part of the annual Information Systems Security and Privacy Awareness Training (see AT-3) conducted through the Computer-Based Training (CBT) required by CMS. CMS tracks this compliance within EUA and will revoke access for users who fail to recertify within the annual period. Users without EUA access should contact their Contracting Officer (CO) or Contracting Officer Representative (COR) for direction.

The table below outlines the CMS organizationally defined parameters (ODPs) for PS-6 Access Agreements.

Table 5: CMS Defined Parameters – Control PS-6

Control: PS-6

Control Requirement:

The organization:

  1. Develops and documents access agreements for organizational information systems;
  2. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
  3. Ensures that individuals requiring access to organizational information and information systems:
     • Sign appropriate access agreements prior to being granted access; and
     • Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].

CMS Parameter:

The organization:

  1. Develops and documents access agreements for organizational information systems;
  2. Reviews and updates the access agreements as part of the system security authorization or when a contract is renewed or extended, but minimally within every 365 days, whichever occurs first; and
  3. Ensures that individuals requiring access to organizational information and information systems:
     • Acknowledge (paper or electronic) appropriate access agreements prior to being granted access; and
     • Re-acknowledge access agreements to maintain access to organizational information systems when access agreements have been updated or within every 365 days.

Third-Party Personnel and Security (PS-7)

The purpose of Third-Party Personnel and Security is to ensure that all third-party individuals who require logical or physical access to CMS systems, data, and facilities comply with security requirements set forth by the organization. Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management.

Contract requirements for third-party personnel and security can be found on security.cms.gov and are part of the acquisition process identified in RMH Chapter 15: System and Services Acquisition (SA-4). The BO or ISSO will work with their COR to ensure the security and privacy requirements necessary for their contract(s) are identified, inserted into the contract(s), and adhered to by any and all third-party personnel.

The table below outlines the CMS organizationally defined parameters (ODPs) for PS-7 Third-Party Personnel and Security.

Table 6: CMS Defined Parameters – Control PS-7

Control: PS-7

Control Requirement:

The organization:

  1. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
  2. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
  3. Documents personnel security requirements;
  4. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
  5. Monitors provider compliance.

CMS Parameter:

The organization:

  1. Establishes personnel security requirements including security roles and responsibilities for third-party (e.g., external, contractor or cloud service provider [CSP]) providers;
  2. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
  3. Documents personnel security requirements;
  4. Requires third-party providers to notify Contracting Officers or Contracting Officer Representatives (via the roster of contractor personnel) of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges, as soon as possible and within a maximum of 72 hours for systems designated as High impact, seven calendar days for systems designated as Moderate impact, or 30 calendar days for systems designated as Low impact, from the formal termination action; and
  5. Monitors provider compliance.

Personnel Sanctions (PS-8)

The purpose of the Personnel Sanctions control is to ensure that users comply with information security policies and procedures and to identify and enforce a sanctions process for those who fail to comply.

When the Workforce Management Division (WMD) is notified that an employee has violated information security policies and procedures, a member of the WMD Labor and Employee Relations Staff will work with the employee's manager to determine the appropriate action to be taken to address the violation. Disciplinary action against CMS employees is administered in accordance with the provisions of 5 USC Chapter 75 (statutory requirements for taking adverse actions), 5 CFR Part 752 (regulatory requirements for taking adverse actions), HHS Instructions (Reprimands), and the procedures set out in Article 23 of the Master Labor Agreement (MLA) between CMS and the American Federation of Government Employees, Local 1923 (bargaining unit employees only).

CMS does not apply fixed penalties when sanctioning personnel; it follows the principles of progressive discipline when taking disciplinary action (adverse actions), and each violation is considered individually, with the determination made by the supervising manager with assistance from the Labor and Employee Relations Staff. Depending upon the severity of the offense, actions range from a letter of reprimand, to short- and long-term suspensions from pay and duty status, to removal from CMS and the Federal service.

Contractor personnel who have violated information security policies and procedures are handled differently from CMS employees, in accordance with the Statement of Work and the overall personnel security language identified therein (see PS-7). Sanctions on information system users who are contractors are handled between the COR, the Manager, and the organization for which the contractor works. If the information system user has access to a High impact system, notification must be sent within three (3) calendar days; for Moderate impact systems, within seven (7) calendar days; and for Low impact systems, within thirty (30) calendar days.

The table below outlines the CMS organizationally defined parameters (ODPs) for PS-8 Personnel Sanctions.

Table 7: CMS Defined Parameters – Control PS-8

Control: PS-8

Control Requirement:

The organization:

  1. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
  2. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

CMS Parameter:

The organization:

  1. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
  2. Notifies defined personnel or roles (defined in the applicable security plan) within the defined time period (defined in the applicable security plan), not to exceed three calendar days for systems designated as High impact, seven calendar days for systems designated as Moderate impact, and thirty calendar days for systems designated as Low impact, when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.