EmpowHR Sponsorship

Upload: anabel-gardner

Post on 27-Dec-2015

222 views

Category:

Documents


1 download

TRANSCRIPT

EmpowHR Sponsorship

Introduction

Welcome to USAccess, Personal Identity Verification (PIV) Sponsor training. Identity management has become an important part of our homeland security since September 11th and it directly affects you, the federal employee and federal contractor.

Presidential Homeland Security Directive 12 established the criteria for an interoperable, personal identity verification program within the federal government.

The 9/11 Commission Report recommended screening people with biometric identifiers across agencies and governments as one of its global strategies to protect against terrorist attacks.

Your roles as PIV Credential Holder and Sponsor are vitally important to the security of the nation, its assets, and its people. Each of us has an important personal role to fulfill in the Credentialing process. By establishing an identity verification chain of trust, we will be working together to achieve a safer work environment and homeland.

USAccess Features & Benefits

The USAccess Personal Identity Verification Program is deployed in response to HSPD-12, Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors. The system provides many financial, logistical, and security-related benefits.

Here are several features and benefits of USAccess:

It standardizes security criteria across all federal agencies.

Wide variations in the quality and security of identification used to gain access to secure facilities increase the likelihood of a security breach since the criteria used for one agency may not be as stringent as another for the same level of access. HSPD-12 standardizes security criteria across all federal agencies and ensures that all federal Credentials can be trusted equally because they are based on common criteria.

It provides secure and reliable forms of identification.

Authentication of an individual's identity is an essential component when controlling access to secure facilities and to information systems. FIPS 201 specifies technical and operational requirements for Personal Identity Verification (PIV) systems that:

• Issue PIV Credentials as identification

• Read the Credentials to authenticate an individual's identity

It is resistant to fraud, tampering, counterfeiting, and terrorist exploitation.

The HSPD-12 standard was codified by the National Institute of Standards and Technology (NIST) with the issuance of the Federal Information Processing Standards Publication (FIPS PUB) 201: Personal Identity Verification (PIV) of Federal Employees and Contractors.

FIPS 201 was approved by the Secretary of Commerce and issued on February 25, 2005. This new standard will enable federal agencies to issue more secure and reliable forms of identification to better protect federal assets against threats such as terrorist attacks. It also will help safeguard against other risks such as identity theft.

It rapidly verifies a person's identity electronically.

A key concept of HSPD-12 is that anyone should be able to identify him or herself reliably to any federal agency using a single Credential. Stove-piped Credentialing systems of the past were not standardized and resulted in individuals receiving multiple Credentials at various assurance levels.


It delivers interoperability across federal badge-based facilities and information systems.

HSPD-12 requires standardized badges that can be used at different agencies' secure facilities. The two most prominent reasons for standardized badging are as follows:

• It eliminates wide variations in the quality and security of forms of identification used to access secure federal facilities and information resources.

• It reflects the policy of the United States to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy.

HSPD-12 is a federal effort to combat terrorism and maintain the domestic security of the U.S.

HSPD-12 is the twelfth Homeland Security Presidential Directive issued by President George W. Bush. It requires all agencies to implement compliant identity systems by October 2006 so that the issuance of interoperable personal identity Credentials can begin. Interoperability allows software and hardware on different machines from different vendors to share data.

The Sponsor Role

Given the mandate to fight terrorism by keeping unauthorized persons from entering government buildings or obtaining sensitive government information, the role of a Sponsor is very important in the identity verification process.

The Sponsor is the gatekeeper, standing in as our first line of defense against identity fraud among those seeking to impersonate government employees or contractors.

The Sponsor must be a U.S. Government official and be authorized in writing by the agency to Sponsor Applicants. He or she must be in a position of responsibility at his or her agency.

The Sponsor validates the need for a PIV Credential to be issued to the Applicant, and provides sponsorship to the Applicant. The Sponsor's role consists of initiating Applicant records and managing Applicant accounts.

New standard for Personal Identity Verification

HSPD-12 sets a new standard for Personal Identity Verification for the Federal Government.

• HSPD-12 directs establishment of common identity and security requirements and definition of specifications for technical interoperability, leading to a new standardized badging process.

• Standardized badging eliminates wide variations in the quality and security of the forms of identification used to access secure federal facilities and information resources.

• Graduated identity confirmation assurance levels are available, providing flexibility in selecting appropriate levels of physical and logical access for each person, location, and information system.

• Permissions and restrictions are all contained in a single Personal Identity Verification (PIV) Credential that can be used at any federal facility.

FIPS 201 Overview

• NIST initiated a new program to improve identification and authentication for access to federal facilities and information systems.

• The result - Federal Information Processing Standard (FIPS) 201, Personal Identity Verification of Federal Employees and Contractors.

• FIPS 201 details the standards that must be adhered to in order to satisfy HSPD-12.

• FIPS 201 standardizes the approach agencies must use to meet the security objectives of HSPD-12.

HSPD-12 tasked the National Institute of Standards and Technology (NIST) to create the security standards it described.

PIV Requirements and Process

FIPS 201 identifies the control objectives as well as the security and privacy requirements of HSPD-12. These include identity proofing and registration requirements and the requirement that no individual has the capability to issue a PIV Credential without the cooperation of another authorized person. Processes or roles in the implementation of this solution are:

Applicant - The individual to whom an identity Credential is to be issued. The individual provides supporting enrollment documentation for the claimed identity.

Sponsorship - Substantiate the relationship to the Applicant and provide sponsorship of the Applicant. Authorize the request for a PIV Credential.

Enrollment - Initiates the chain of trust for identity proofing. Enrollment provides trusted services to confirm employer sponsorship, bind the Applicant to his or her biometric, and validate identity claim documentation. Enrollment delivers a secured enrollment package to the IDMS for adjudication.

Background Check - Identity proofing via government-wide standard services such as National Agency Check with Inquiries (NACI) and Federal Bureau of Investigation (FBI) Integrated Automated Fingerprint Identification System (IAFIS) background checks.


Approval - The Adjudicator initiates the request for the OPM-FBI Background Checks, validates successful completion of the background checks, and approves issue of the PIV Credential.

PIV Card - The agency issues the identity Credential to the Applicant after all identity proofing, background checks, and related approvals have been completed. Activation includes performing a 1:1 biometric check of the Applicant against the PIV enrollment record, Credential personalization, and verification of biometrics against the PIV Credential. This completes the chain of trust and the PIV Credential is released to the individual.

IDMS - The Approval Authority maintains an IDMS that is the system of records for PIV Credentials to be issued. The IDMS performs identity proofing, verification, and validation to establish identity claim validity through government-wide standardized services.

PIV Credential

Your card (PIV Credential) meets the requirements for a standard federal Credential. Visually and electronically it will be the benchmark for identification of a federal employee.

PIV Card required physical information elements are listed below:

• Required Information Elements, Card Front:
  - Printed Information: photo, full name, employee affiliation, organizational affiliation, expiration date
  - Machine-Readable: contact chip front

• Required Information Elements, Card Back:
  - Printed Information: agency card serial number, issuer identification number
  - Machine-Readable: contact chip back

The type and location of these elements, the card dimensions, and allowable printed information are specified by FIPS 201.

PIV Credential (Cont.)

Mandatory logical data elements of personal information are contained in the PIV card chip.

To prove the identity of the Credential Holder to the card, a Personal Identification Number (PIN) is stored.

Card management keys are stored to prove the identity of the card management system to the card.

To prove the identity of the Credential Holder to an external entity, such as a protected computer system, the card stores a Credential Holder Unique ID (CHUID), two biometric fingerprints, symmetric keys, and asymmetric keys.

Personal biographic data is not stored on the card.

PIV Process and Roles

The Sponsor initiates the process for an Applicant to establish a PIV record and, if applicable, to receive a PIV Credential. If the Applicant does not yet exist in the system, the Sponsor creates a New Applicant record.

Upon meeting with an Applicant, the Registrar begins the Enrollment process. This includes scanning and validating the two identity documents, verifying/updating Applicant biographic data, photographing the Applicant, and completing fingerprint capture/verification. All information is entered into the system as part of the application.

The Adjudicator verifies that Agency-specific background check(s) have been completed. If satisfied that the Applicant has satisfactorily passed the background checks, the Adjudicator marks the application as Approved, and the system automatically creates the PIV Credential package required to print the PIV Credential.

For an Attended Activation, the printed PIV Credential and Applicant are present at the Activation Station. The Activator verifies the Applicant through photo and fingerprint check, and then has the Applicant enter a new PIN for the PIV Credential. Upon successful writing of the PIN to the card and system, the Credential is personalized and ready for use.

For Unattended Activation, the Applicant visits an Activation Station and activates their Credential through the Active Identity Web Portal.

PIV Process and Roles (Cont.)

Role Administrators assign and manage an agency's roles within the USAccess system. They verify that policies regarding appropriate separation of duties are followed.

Security Officers perform duplicate checks, Credential lock/unlock, PIN set/reset, Credential suspension, Credential revocation, and Credential renewal activities. The Security Officer has final authority to adjudicate failed enrollment actions positively and negatively. Only Security Officers have access to system audit logs.

PIV Credential Holders play a part in maintaining the system by safeguarding their PIV Credential and PIN. They should know how to activate the Credential, use it to gain approved access to physical and logical resources, and make requests for required Credential maintenance.

Separation of Duties

The FIPS 201 control objective that ensures separation of duties in the system plays an important part in the chain of trust and the security of the entire PIV program. The control objective enhances security by limiting powers.

Here are some examples of how this occurs in the USAccess system:

• Role Administrators cannot hold any other role. They cannot access their own record to assign a role.

• Only the Sponsor can edit a PIV record.

Authorizing an Applicant, registering his or her data, and issuing the Credential must be performed by persons occupying a variety of roles, adding a layer of quality checks during the entire process.

Separation of duties such as these ensures that no single corrupt official in the process may issue a Credential with an incorrect identity or to a person not entitled to the Credential, making fraudulent use of the system much more difficult.
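Added example, not code from the USAccess or EmpowHR systems: a small Python model of the separation-of-duties rules described above (Role Administrators hold no other role and cannot act on their own record, only the Sponsor edits a PIV record, only Security Officers read audit logs, and no single person may perform more than one step of an issuance). The role names are the page's; the user ids, record layout and function names are assumptions.

```python
from dataclasses import dataclass, field

# Roles named in the training material.
SPONSOR, REGISTRAR, ADJUDICATOR, ACTIVATOR = "Sponsor", "Registrar", "Adjudicator", "Activator"
ROLE_ADMIN, SECURITY_OFFICER = "Role Administrator", "Security Officer"
# The single role allowed for each action: only the Sponsor edits a PIV record,
# only Security Officers read the audit logs.
ACTION_ROLE = {"edit_piv_record": SPONSOR, "read_audit_log": SECURITY_OFFICER}

@dataclass
class Directory:
    """User id -> set of roles held (record layout is an assumption of this example)."""
    roles: dict = field(default_factory=dict)

    def assign_role(self, admin: str, user: str, role: str) -> None:
        """Assign a role the way a Role Administrator would in USAccess."""
        if ROLE_ADMIN not in self.roles.get(admin, set()):
            raise PermissionError(f"{admin} is not a Role Administrator")
        if admin == user:
            raise PermissionError("a Role Administrator cannot assign roles on their own record")
        held = self.roles.setdefault(user, set())
        # Role Administrators hold no other role, so block the combination both ways.
        if (role == ROLE_ADMIN and held) or ROLE_ADMIN in held:
            raise PermissionError(f"{user} would combine Role Administrator with another role")
        held.add(role)

    def may(self, user: str, action: str) -> bool:
        """True when the user holds the one role permitted for the action."""
        return ACTION_ROLE.get(action) in self.roles.get(user, set())

@dataclass
class IssuanceRecord:
    """Who performed each step of one Applicant's credentialing (constructed layout)."""
    applicant: str
    sponsor: str
    registrar: str
    adjudicator: str
    activator: str

def chain_of_trust_violations(rec: IssuanceRecord, directory: Directory) -> list:
    """List the separation-of-duties violations in one issuance (empty list = OK):
    every actor must hold the role for their step, the Applicant cannot act in
    their own chain, and nobody may perform two steps, so no one issues alone."""
    steps = [(SPONSOR, rec.sponsor), (REGISTRAR, rec.registrar),
             (ADJUDICATOR, rec.adjudicator), (ACTIVATOR, rec.activator)]
    problems = []
    for role, who in steps:
        if who == rec.applicant:
            problems.append(f"{role} step performed by the Applicant {who}")
        if role not in directory.roles.get(who, set()):
            problems.append(f"{who} acted as {role} without holding that role")
    actors = [who for _, who in steps]
    for who in sorted(set(actors)):
        if actors.count(who) > 1:
            problems.append(f"{who} performed more than one step in the chain")
    return problems

def demo() -> dict:
    """Constructed sample: one bootstrapped admin, one proper chain, and one
    chain in which the Sponsor also acted as Adjudicator."""
    d = Directory(roles={"admin01": {ROLE_ADMIN}})  # first admin is bootstrapped
    for user, role in [("spon01", SPONSOR), ("reg01", REGISTRAR), ("adj01", ADJUDICATOR),
                       ("act01", ACTIVATOR), ("sec01", SECURITY_OFFICER)]:
        d.assign_role("admin01", user, role)
    try:
        d.assign_role("admin01", "admin01", SPONSOR)  # self-assignment must be refused
        self_assign_blocked = False
    except PermissionError:
        self_assign_blocked = True
    good = IssuanceRecord("app01", "spon01", "reg01", "adj01", "act01")
    bad = IssuanceRecord("app02", "spon01", "reg01", "spon01", "act01")
    return {"good": chain_of_trust_violations(good, d),
            "bad": chain_of_trust_violations(bad, d),
            "self_assign_blocked": self_assign_blocked,
            "sponsor_edits": d.may("spon01", "edit_piv_record"),
            "registrar_edits": d.may("reg01", "edit_piv_record"),
            "security_officer_reads_audit": d.may("sec01", "read_audit_log")}
```

Running `demo()` shows the proper chain passing with no findings, while the chain in which the Sponsor also adjudicated is flagged twice: once for acting without the Adjudicator role and once for performing two steps.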

Sponsorship Procedures

The Sponsor is the individual who substantiates the need for a PIV Credential to be issued to an Applicant, enters the Applicant's required sponsorship data into the system, and remains aware of the Applicant's status and continuing need to hold a PIV Credential.

The Sponsor performs an Applicant Search, then enters the Applicant's biographical data and the Sponsorship information. PIV records are also updated and managed by the Sponsor. For example, the Sponsor can renew, reissue, reactivate, and revoke a PIV Credential.

The Sponsor is the only person who can make corrections or changes to an Applicant's information in the system.

The next set of slides will provide procedures in verifying and sponsoring an employee record in EmpowHR.

EmpowHR Sponsorship

Although HSPD-12 fields do not have to be updated as part of a PAR Action, it is important that the data is entered from the Employee Security Clearance menu item. This does not require a separate PAR action; the record only needs to be saved once complete.

Prerequisites:

• You have access to and a user ID and password for USDA's EmpowHR system.

• You have background investigation (e.g., NACI) adjudication information for these employees, either from OPM records or USDA HR records.

• You have experience using EmpowHR, and have access to EmpowHR user guides and procedure manuals if needed.

Note: Sponsors initiate the Background Investigation in EQIP as part of their sponsorship role in HSPD-12. Once sponsored, the Applicant can enroll for a LincPass, but if a Background Investigation has not been initiated the Applicant's record will not be able to progress through the Adjudication stage.

Eventually Sponsors will be logging into EmpowHR with their LincPass. The LincPass should not be removed out of the card reader during the Sponsorship process until the employee’s record is saved/completed.

Sponsoring an Existing Employee


Note: The screenshots used are from the EmpowHR test system. There may be slight variances in the EmpowHR production system you are using.

Step 1. Sign in to the EmpowHR System with your User ID and Password.


Sponsoring an Existing Applicant

Once logged in you will be directed to the main page of EmpowHR. The left-side menu links you to the required processes.

Step 2. Click on PAR Processing.

Step 3. Click on HR Processing.


Step 4. The HR Processing USF appears. Enter the employee ID in the EmplID field.


Step 5. Click on the Search button.


Note: The Sponsor must have the EMPLID in order to sponsor the employee.

Step 6. Data Control screen displays. Click on the Personal Data tab to verify HSPD-12 required Data/Fields.


Step 7. Verify the following fields are correct and have data:

• Employee Status
• SSN
• First Name
• Middle Name
• Last Name
• Suffix
• Date of Birth
• Citizenship Status
• Business Email Address
• Business Phone Number

Note: If any of the information is incorrect, missing, or needs updating, follow standard EmpowHR PAR Action Procedures for making the necessary changes and saving the record. For example, Name changes should be done according to the Name Chg from Action and Date of Birth or Citizenship Status changes should be done according to the Data Change Action. Remember to Save your changes.


Step 8. Go back to the PAR Processing screen and click the link for Employee Security Clearance.


Step 9. Use the search field to locate the employee’s record.


Step 10. In the Investigation block, click the LincPass Required checkbox.

Note: A new card activation information field will be added. This field is to indicate the card activation shipping location.


Step 11. You may optionally enter data in the Notes field. NOTE: If the employee has not completed his/her background investigation, the Employee's Submitting Office Number, Security Office Identifier and OPAC/ALC must also be entered. Disregard the Card Activation Information link.

Step 12. Click on the Emergency Response Official check box if applicable.

Step 13. Save the updates by clicking the Save button.

Sponsoring a New Employee


Step 1. Sign in to the EmpowHR System with your User ID and Password.


Sponsoring a New Applicant

Once logged in you will be directed to the main page of EmpowHR. The left-side menu links you to the required processes.

Step 2. Click on PAR Processing.

Step 3. Click on Hire Employee.


Please follow your normal business process in entering a new employee record into EmpowHR.

Step 4. Please enter data in the following fields and ensure its accuracy:

• Employee Status
• SSN
• First Name
• Middle Name
• Last Name
• Suffix
• Date of Birth
• Citizenship Status
• Business Email Address
• Business Phone Number

Step 5. Go back to the PAR Processing screen and click the link for Employee Security Clearance.


Step 6. Use the search field to locate the employee’s record.


Step 7. In the Investigation block, click the LincPass Required checkbox.

Note: A new card activation information field will be added. This field is to indicate the card activation shipping location.


Step 8. You may optionally enter data in the Notes field. NOTE: If the employee has not completed his/her background investigation, the Employee's Submitting Office Number, Security Office Identifier and OPAC/ALC must also be entered. Disregard the Card Activation Information link.

Step 9. Click on the Emergency Response Official check box if applicable.

Step 10. Save the updates by clicking the Save button.

Sponsorship Procedures Summary

In this section of the course you learned how to use the EmpowHR Sponsorship application to create a new Applicant PIV Record, Sponsor Applicants, and to update and manage PIV Records.

Sponsorship sessions always begin with logging on to the system and performing an Applicant search. When you save and digitally sign a new Applicant Record, an e-mail is automatically sent to the Applicant with instructions for scheduling an enrollment appointment with the Registrar.

The e-mail includes a link to the scheduling portal, instructions for scheduling the appointment, and an explanation of the identity documents required for enrollment.

Privacy - Control Objectives

The control objectives given in HSPD-12 and expanded in FIPS 201 are central to meeting the security, efficiency, fraud prevention, and privacy protection goals of HSPD-12. Control objectives are to be maintained throughout the life cycle of PIV deployments. The control objectives can be summarized as follows:

• Use of Roles in Registration and Issuance - separation of duties.

• Use of Original Identity Source Documents - Proper custody of the documents for identity proofing is needed for accuracy and to maintain the privacy of personal information.

• Credentialing officials must have the means to verify that the appropriate amount of investigation has been carried out on the right individual before a Credential is issued.

• Use of Credentials Resistant to Tampering and Forgery.

• Reliance on Rapid Credential Revocation.

• Certification and Accreditation (C&A) - Test and verify processes, IT systems, and personnel reliability.

Privacy - FIPS 201 Guidelines

As the Sponsor, you have particular responsibilities for the protection of Applicant privacy and must comply fully with applicable federal laws and Agency directives.

Highlights of your responsibilities are:

• Be familiar with and adhere to the directives of the Department/Agency publication(s) on privacy protection.

• Abide by the spirit and letter of all federal privacy laws and policies.

• All PIV System user records are stored only in the secure central Identity Management System (IDMS).

Privacy - Laws and Your Responsibility

As the Sponsor, you have particular responsibilities for the protection of Applicant privacy and must comply fully with applicable federal laws and Agency directives. Privacy questions or complaints should be directed to the Managed Services Organization (MSO) Security Officer.

Privacy controls specified in the Privacy Act of 1974, E-Government Act of 2002, and OMB M-03-22 are:

• Citizens can access and correct personal information the government is maintaining on them in a system of records.

• Agencies must publish information on how they handle electronic information collected on individuals, and are accountable for their reasons and uses of private information.

Your obligations under the Privacy Act Program are as follows:

• Limit personnel authorized access to Applicant personal information and databases.

• Inform the Applicant of his or her rights and responsibilities under the Privacy Act, including the privacy complaint process and the privacy appeals process.

• Do not remove any Personally Identifiable Information from the USAccess System and transport it in any way.

There are sanctions for failure to safeguard confidential matters and violations of the Privacy Act.

Privacy - Transfer of Documents

Users of the PIV system may occasionally have to transfer private documents to other users of the system. This requires a safe and confidential method. In any transfer of private documents or files, you must meet all of your Agency's privacy and security policies.

Hand-carrying is to be performed only by individuals in an authorized PIV role. Materials are to be protected from plain sight and the transfers tracked by a logging system.

When mailing, use only registered mail or FedEx (signature receipt required, signatures to be logged). Packages are to be double-wrapped and sealed in such a manner as to make any tampering evident.

Fax only with prior notification to the intended recipient and with the recipient available to immediately remove document(s) from fax machine. Recipient is to provide verification of receipt by phone or email. It is required that faxes include a Privacy Act statement. Documents are not to be faxed to machines located in public areas.

For secure FTP or Web site transfer, files can be uploaded to a pre-established secure site. Any required access directions or passwords are to be communicated separately. Notify intended recipient of the upload of new files.

Privacy - Title 18

You as a Sponsor have a responsibility to contribute to the privacy, security, and protection of the PIV system.

You must handle all Personally Identifiable Information (PII) in accordance with the guidelines of FIPS 201.

Every aspect of the PIV Credentialing and transaction processes must be audited and will be audited. Any improper or illegal activity will be prosecuted.

Be aware that per Title 18 of the U.S. Code, it is a federal offense to counterfeit, alter, or misuse the PIV Credential or system.

Certification Test for the Sponsor Role

Only federal employees and contractors who have enrolled in the PIV Sponsor Training course through GSA's government-approved LMS are qualified to take this certification test.

You must pass the certification test to be qualified for the role of Sponsor.

The test consists of 10 questions that are related to your specific role in the PIV process. Choose the 1 best answer for each question.

Follow the instructions and navigation controls on your screen to proceed through the test. When you have completed the test you will receive a score and directions on how to proceed with your role assignment.