National Cyber Security by LIGATT - http://www.nationalcybersecurity.com
Personnel Security Activities Management System (PSAMS)/Integrated Security Management System (ISMS)
http://www.nationalcybersecurity.com/articles/152/1/Personnel-Security-Activities-Management-System-PSAMSIntegrated-Security-Management-System-ISMS/Page1.html
By Grey McKenzie
Published on Wednesday 30th 2008
 
The Department of Homeland Security (DHS) Office of Security (OS) uses the Integrated Security Management System (ISMS) to automate the tracking of Personnel Security related activities at DHS headquarters and component sites.

ISMS is an update to the Personnel Security Activities Management System (PSAMS). ISMS will help manage DHS personnel and security case records by adding to the existing functionality of PSAMS.

Personnel Security Activities Management
Introduction

The DHS Office of Security and each Component Security Office are responsible for vetting their employees and contractors to ensure that they meet mandated suitability and security clearance standards. Currently, each DHS Component maintains its own security management system to store records related to this process.

Additionally, each Component maintains a separate interface to various external systems maintained by the Office of Personnel Management (OPM) and the National Finance Center (NFC).

The DHS Office of Security has plans to implement a web-based software solution to manage DHS personnel and administrative security case records across the enterprise.

The ISMS system will add to the existing functionality of the case management system in use by DHS Headquarters (i.e., PSAMS), and will replace five separate systems in use at Customs and Border Protection (CBP), Citizenship and Immigration Services (CIS), Federal Emergency Management Agency (FEMA), Federal Law Enforcement Training Center (FLETC), and Immigration and Customs Enforcement (ICE).

ISMS supports the lifecycle of DHS’s personnel and administrative security cases, including capturing the data related to all aspects of suitability determination, security clearance processing, security violation tracking, secure document tracking, and Contract Security Classification Specification (DD254) production.

Reason for the PIA Update
ISMS will replace the multiple security management systems currently in use across DHS HQ and Component organizations with a single commercial-off-the-shelf (COTS)-based enterprise-wide security management solution.

The Office of Security has conducted market research to ensure that such a solution is commercially available.

The solution provides a common repository for personnel security records across the Components facilitating the aggregate reporting that DHS must provide to the Office of Management and Budget (OMB) and the Office of the Director of National Intelligence (DNI).

Furthermore, a consolidated system reduces the number of discrete interfaces that must be established and maintained with external systems. Finally, a consolidated solution provides the ability to shift personnel security resources from one Component to another for surge support without incurring extensive retraining.

Privacy Impact Analysis
The System and the Information Collected and Stored within the System

ISMS collects the same list of personally identifiable information (PII) as outlined in the PSAMS Privacy Impact Assessment (PIA).

The primary difference in the amount and type of information collected and stored is that potentially disqualifying issues that may be identified during the adjudicative review process are documented and tracked within ISMS.

In addition, the results from NCIC checks, credit checks, FBI name checks, and background investigations may be stored.

This information is stored to centralize case related documents and to shorten review and approval times associated with case processing.

The Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004, codified in Executive Order 13381 (6-27-05), mandates that agencies ensure the appropriate uniformity, centralization, efficiency, effectiveness, timeliness, and reciprocity of determining eligibility for access to classified national security information.

Centralization and automation of related data as described in this update directly support this mandate. Specific security roles have been defined within the application to control access to the data, and the data is stored in encrypted fields or, if included as an attachment, secured with file permissions.

The ISMS system also introduces an information security (INFOSEC) module to support the tracking of classification authorities, guides, containers, documents, courier cards, DD254, and other INFOSEC related activities.

The INFOSEC module integrates with the personnel security module (PERSEC) for identifying owners of INFOSEC elements (e.g., name, clearance level), but does not expose any other PII to that module.

Depending on the type of investigation required, Executive Orders 10450, 10865, 12333, 12356, 12968 and 13311; Title 5 US Code (USC), sections 3301 and 9101; 42 USC sections 2165 and 2201; 50 USC sections 781 to 887; 5 Code of Federal Regulations (CFR) sections 5, 731, 732, and 736 provide the basis for collecting information regarding background investigations for suitability determination and National Security positions.

Protection of information associated with the system is described in DHS Management Directive (MD) 11042.1, Safeguarding Sensitive and Unclassified Information (FOUO), and DHS Policy for FOIA Compliance, MD 0460.1.

The only additional risk associated with this update is that additional information is being collected as outlined above. These risks are mitigated with the following security controls:

• Specific security roles have been defined and implemented within the application to control access to the additional information.

• Any additional information stored in large text fields will be stored in an encrypted form in the database.

• When this additional information is stored as an attachment on the server, file access will be restricted by file permissions to prevent access by those without an appropriate requirement for access.

• Network access to the application is made via a Secure Sockets Layer (SSL) connection to the ISMS environment.

Uses of the System and the Information
The overall use(s) of personally identifiable information has not changed with the introduction of the ISMS update.

However, in addition to the list of uses outlined in the PSAMS PIA, the ISMS system provides support to the following other security clearance related processes:

• Special Access
• Separation
• Periodic Reinvestigations
• Reinstate Security Clearance
• Security Clearance Downgrade
• Suspend/Withdraw
• Deny/Revoke Clearance
• Appeals

The only additional risk associated with this update is that additional information is being collected as described in the sections above.

These risks are mitigated with the following security controls:

• Specific security roles have been defined and implemented within the application to control access to the additional information.

• Any additional information stored in large text fields will be stored in an encrypted form in the database.

• When this additional information is stored as an attachment on the server, file access will be restricted by file permissions to prevent access by those without an appropriate requirement for access.

• Network access to the application is made via a Secure Sockets Layer (SSL) connection to the ISMS environment.

Retention
The implementation of ISMS does not require any change to existing security record or index retention schedules. The Personnel Security Division continues to follow NARA General Schedule 18, item 22a and 22c.

Internal Sharing and Disclosure

In addition to the organizations outlined in the PSAMS PIA, the ISMS system will be deployed and used by Personnel Security Offices at CBP, CIS, FEMA, FLETC, and ICE.

The data stored and managed by ISMS is partitioned by component so that only records belonging to that organization are viewable.

Employees and contractors are required to go through ISMS, as they were with PSAMS, for security clearance and suitability screening processes.

Privacy risks with information sharing have not changed and were mitigated by previously implemented security controls.

External Sharing and Disclosure

External sharing and disclosure has not changed with the ISMS update. The ISMS update does not introduce any additional privacy risks in this area.