JPAS Basics & Updates July 20, 2016 Steven Burke Industrial Security

JPAS Basics & Updates July 20, 2016 Steven Burke Industrial Security Asc. Mgr. Lisa Hadwin Security Rep. Asc. 1

What You’re Here For? JPAS Basics SWFT Basics Clearance Processing Updates DISS/JVS Update 2

JPAS Basics Joint Access Manage ment System (JAMS) JPAS Today Joint Clearanc e Access Verificatio n System (JCAVS) Joint Personnel Adjudicati on Verificatio n System (JPAS) JPAS Future Case Adjudicat ion Tracking System (CATS) Joint Verificati on System (JVS) JVS is the system that will replace JPAS (Scheduled for 2017) Defense Informatio n System for Security (DISS) 3

Access to JPAS 4

JPAS Access Requirements The minimum requirement for JPAS access is Interim Secret eligibility. An active owning and/or servicing Security Management Office (SMO), with an active facility clearance. Obtain an active PKI Certificate on a smartcard prior to requesting access. – CAC, PIV card, ECA PKI Certificate, or other approved DoD PKI on a smartcard/token. Complete JPAS training. – Must include your course completion certificate. Complete Personnel Security System Access Request (PSSAR) Form. – Submit Letter of Appointment (LOA), if applicable. A LOA is required for ALL Account Managers. 5

JPAS Required Training JPAS/JCAVS Virtual Training for Security Professionals – STEPP course PS123.16 http://www.cdse.edu/catalog/elearning/PS123.html – JCAVS LEVEL 7 and 10 USERS ONLY (in place of JCAVS training above): Introduction to Personnel Security, STEPP course PS113.16 http:// www.cdse.edu/catalog/elearning/PS113.html Cyber Security Awareness/Information Assurance course* options) (2 – http://iase.disa.mil/eta/cyberchallenge/launchPage.htm – Organization (service/company/agency) security training the subject may be required to take, such as annual NISP mandatory security training * If your agency/service/company is already performing this training internally, no additional training is required. JPAS Users are responsible for maintaining annual refresher training dates in case of audit 6

JPAS Required Training cont. Personally Identifiable Information course* (3 options) – http://iatraining.disa.mil/eta/piiv2/launchPage.htm – http://www.cdse.edu/catalog/elearning/DS-IF101.html (must have STEPP acct) – Approved existing corporate PII training course * If your agency/service/company is already performing this training internally, no additional training is required. JPAS Users are responsible for maintaining annual refresher training dates in case of audit 7

Personnel Security System Access Request (PSSAR) (Required for JPAS, eQIP permissions, and SWFT) Note: Completed PSSARs should be submitted to appropriate Account Manager or DMDC Contact Center as outlined in PSSAR Procedures. Page 3 of PSSAR provides detailed instructions for completion. 8

JPAS User Levels LEVEL SCI security security personnel personnel at at unified unified command, command, DoD DoD agency, agency, military military LEVEL 2 2 SCI department or department or major major command/equivalent command/equivalent headquarters. headquarters. PSM PSM Net Net is is determined determined by by the the responsible responsible SOIC SOIC or or designee. designee. (Read (Read and and Write Write Access Access -- SSBI) SSBI) LEVEL LEVEL 3 3 SCI SCI security security personnel personnel at at echelons echelons subordinate subordinate to to Level Level 2 2 at at a a particular particular geographic geographic location location (installation, (installation, base, base, post, post, naval naval vessel). vessel). PSM PSM -- Net Net is is determined determined by by the the responsible responsible SOIC SOIC or or designee. designee. (Read (Read and and Write Write Access-SSBI) Access-SSBI) LEVEL LEVEL 4 4 Non-SCI Non-SCI security security personnel personnel at at unified unified command, command, DoD DoD agency, agency, military military department department or or major major command/equivalent command/equivalent headquarters. headquarters. PSM PSM -- Net Net is is determined determined by by the the responsible Security Officer or designee. (Read and Write Access responsible Security Officer or designee. (Read and Write Access NACLC/T3/T3R/ANACI) NACLC/T3/T3R/ANACI) LEVEL LEVEL 5 5 Non-SCI Non-SCI security security personnel personnel at at echelons echelons subordinate subordinate to to Level Level 4 4 at at a a particular particular geographic geographic location location (installation, (installation, base, base, post, post, naval naval vessel). vessel). PSM PSM -- Net Net is is determined determined by by the the responsible responsible Security Security Officer Officer or or designee. designee. (Read (Read and and Write Write Access Access -NACLC/ANACI/T3/T3R) NACLC/ANACI/T3/T3R) LEVEL 6 Unit security manager (additional duty) responsible for security functions as determined by responsible senior security official. (Read and Write Access - NACLC/T3/T3R/ANACI) LEVEL 7 Non-SCI Entry control personnel. Individuals who grant access to installations, buildings, etc. Varies according to organizations. (Read Access - NACLC/T3/T3R/ANACI) LEVEL 8 CI Entry control personnel. Individuals who grant access to SCIF installations, buildings, etc. Varies according to organizations. (Read Access - SSBI) LEVEL LEVEL 10 10 Visitor Visitor Management. Management. Level Level 10 10 users users will will have have the the same same view view of of the the JCAVS JCAVS Person Person Summary Summary as as a a JCAVS JCAVS Level Level 7 7 User. User. They They will will receive receive Visit Visit Notifications Notifications when when their their SMO SMO is is being being notified notified of of a a visit. visit. A A Level Level 10 10 User User may may not not be be an an Account Account Manager, Manager, create create or or delete delete an an account account at at any any level level 9

Common Misuses of JPAS When you log in to JPAS and click the “I agree” button, you are consenting to the terms and use of the JPAS application. Please make note of some the misuses of JPAS: Sharing of username, password, CAC, or PIV cards and/or associated PIN numbers to access the system. Allowing non-cleared individuals to access the system. Leaving the JPAS application unsecure while logged in. Allowing others to view data on the JPAS screen that do not have the proper authorization. Printing or taking a screenshot of JPAS data. Note: See JPAS Account Management Policy Section 5.8 Misuse of JPAS. 10

Common Misuses of JPAS cont. Querying the JPAS application for ‘celebrity’ records. Querying the JPAS application for your own record. Entering test or “dummy” SSNs into JPAS. Entering false or inaccurate information into the system. Initiating investigations for subjects who you have no owning/servicing relationship. Querying the JPAS application for information you have no need to know to conduct your official duties. Note: See JPAS Account Management Policy Section 5.8 Misuse of JPAS. 11

JPAS Account Activity Why does my account keep getting locked or going away? 5.6 Account Activity An active JPAS account is one that has been logged into within the past 30 days. An inactive JPAS account is an account that has not been logged into in over 30 days. If a JPAS account is inactive—i.e., not successfully accessed—for more than 30 days, the JPAS system shall automatically lock the account. The AM managing the account will be able to unlock the account, unless the account exceeds 45 days of inactivity. JPAS accounts that have not been logged into for longer than 45 days are deleted per DoD Regulations (CYBERCOM TASKORD 13-0641). If an account is needed, a new account will have to be established following the aforementioned guidelines. 12

JPAS Home Page This is the best page to bookmark: www.dmdc.osd.mil/psawebdocs – JPAS Status, Alerts, Notices, FAQs and general information, is posted here If unable to log in via above link, try the following link that takes you to JPAS Disclosure page: https://jpasapp.dmdc.osd.mil/JPA S/JPASDisclosure For Customer support: – DMDC Contact Center: 800-467-5526 – DSS Call Center: 888-282-7682 13

Now That You’re In 14

JPAS Basics Person Categories – Within Industry, we will only create “Industry Tabs” (non-DoD) for our employees. Each employee should have an “Industry Tab” that is associated with the CAGE for which the employee is assigned. A person can have more than one “active” industry tab (i.e., multiple companies). A person can also have “other” tabs, i.e., Active Duty, National Guard, etc. 15

JPAS Basics An Industry Tab is made up of three parts: – Person Category Title (Industry) – Person Type (Contractor, Consultant, or Key Management Personnel) Contractor and Consultant categories are updated by the Facility Security Officer Key Management Personnel (KMP) are updated through the e-FCL. – As of January 19, 2010, all companies in process for a facility clearance or reporting a changed condition will be required to use the DSS Electronic Facility Clearance (e-FCL) online application to submit their documents to DSS. This information includes: the SF 328, list of key management personnel, list of stockholders, articles, bylaws, and other supporting documentation. – Organization (CAGE-I) (I indicates this is an Industry tab) 16

JPAS Basics Owning and Servicing Relationships – Relationships: Within JPAS, you must establish a “relationship” with everyone within your SMO before you can do anything to their record, i.e., indoctrinate, debrief, separate, submit RRU, initiate Investigation, etc. – There are two types of Relationships: Owning: If you are responsible for maintaining a person’s eligibility status and submitting their investigation request, you should own them. The assigned organization is usually the one that owns the records. Servicing: If you need to be notified of a change in a person’s eligibility status or if you need to update their record, you should service them. Note: You can establish a one day relationship by entering same in and out date when you in-process. That relationship will go away at midnight EST. Only modify Person Category Tabs and relationships that are associated with YOUR company. 17

JPAS Basics RRU- Research, Recertify, and Upgrade Requests (July 2016) – Reciprocity: PSMO-I will attempt to verify the eligibility via Scattered Castles / CVS prior to contacting the agency directly. If the eligibility is not verified in the available databases, a hardcopy reciprocity request will be submitted to the appropriate agency. Timeframes will vary depending on the action needed or agency response. – Upgrade: Official government requests for information from DoD CAF, DOHA or DSS – Recertify: The FSO has reason to believe the eligibility line in JPAS is incorrect. All other personnel security related questions should be directed to the DSS Knowledge Center at (888) 282-7682. 18

JPAS Basics RRU- Research, Recertify, and Upgrade Requests (July 2016) cont. – Separation from the company: Upon separation from the organization, the FSO enters a separated date for the employee in the system. If an investigation is open for the employee, a notification will be forwarded to the appropriate CAF to determine whether the investigation needs to be cancelled. Notify PSMO-I via Research request when a separation occurs and either of the following two items exist. Notification will permit PSMO-I to take appropriate actions on the record. An action is pending on a person, e.g. pending incident report, pending adjudication and pending investigation request. There is not an open investigation and an interim eligibility exists. 19

The Person Data Repository (PDR) Why does Personal Information continue to change in JPAS each month: – As of March 2015 many JPAS Industry Persons were added to the DoD Person Data Repository. – As a result Industry FSOs will not be able to manually update data for those subjects directly in JPAS. – Person data from the PDR will overwrite whatever is changed in the JPAS database once per month on the day of the subject’s birth. To make corrections FSOs will now need to follow PDR data update instructions located on the JPAS PSA WebPage. Hint: Look for the Electronic Data Interface Person Identifier (EDIPN). 20

Retaining PCL Documentation NISPOM 2-202a – The FSO shall inform the employee, in writing, that the SF86 is subject to review solely to determine its adequacy and ensure necessary information has not been omitted. The FSO shall not share information from the SF86 for anything other than to determine its adequacy and ensure necessary information has not been omitted NISPOM 2-202b – The FSO shall ensure that the applicants fingerprints are authentic, legible and complete to avoid delays. The FSO shall retain the original signed SF86 and releases until the clearance process is complete. This documentation must be kept confidentially and only until the eligibility is granted. 21

Retaining PCL Documentation cont. The Following Clarification is posted to the DSS Website: – Obtain a Copy of Previously Filled out Standard Form 86 in e-QIP. – With the requirement to maintain a copy of the SF-86 until the investigation is complete, OPM has improved their technology and created the ability to gain access to this document at any time without the need to maintain the hard copy on file. DSS will no longer be reviewing these documents as part of their assessments. FSO’s can initiate the subject in e-QIP and upon logging in, the subject will have the option to view their previous document as shown below. 22

JPAS Notifications Notifications should be checked often – Eligibility Change – Incident Updates – Investigation Request Status – Message from CAF – RRU Response – Action by Servicing SMO – Visits (remain for duration of visit) or until manually removed Notifications are removed: – 30 days from receipt of notification (except for visits) – Manually, if you click on “Remove from Display” checkbox 23

JPAS Reports Act PC-Access/No PSM Net – Lists organizations that have a Person Category for a subject without a PSM Net relationship owned or serviced Inv Rqst by Duty Pos – This report indicates all Investigation Requests currently in your PSM Net by Duty Position. Non-SCI Totals – List of all Non-SCI Access’s, for owned and or serviced Person Categories in your PSM Net or subordinate organization. Periodic Reinvest – List of Personnel within your PSM Net or subordinate organization whose investigation may be out-of-scope and may require a Periodic Reinvestigation 24

JPAS Reports cont. Personnel – Detailed list of Personnel in your PSM Net and or subordinate organization, including access, eligibility and investigation information. PSM Net Personnel – Abbreviated list of all personnel in your PSM Net or subordinate organization. SMO-No PSM Net – Retrieve information regarding SMOs in your hierarchy that have not established a PSM Net. SMO-No Users – Retrieve information regarding SMOs in your hierarchy that have established their SMO but have no Personnel with an Owning or Servicing relationship in their PSM Net. 25

JPAS Reports cont. SMO-PC-No Access – Retrieve information regarding SMOs in your hierarchy that have established their PSM Net but don’t have an access indoctrinated for a Person Category. Suspense – Retrieves information regarding Suspense information the JCAVS user created from a subject’s Person Summery screen / Suspense Data link. Suspensions – Information regarding Suspensions (eligibility and/or Access) for personnel in your PSM Net and or subordinate organization. 26

Break In Employment vs. Break In Access Break in employment is the point when a cleared contractor terminates the employment of an employee with eligibility for access to classified information regardless of the reason for the termination, and regardless of whether the termination was initiated by the company, the employee (e.g., by resignation), or by mutual agreement of the company and the employee. – When a contractor terminates the employment of an employee who is eligible for access to classified information at the time of termination, the contractor must complete the following actions in JPAS: “Debrief” the employee from access (Note: this is the verbiage in JPAS for removing access) Add a separation date to the record Out-process the employee’s eligibility record from the PSM Net 27

Break In Employment vs. Break In Access Cont. Break in Access – When a cleared employee no longer has a requirement to access classified information and there is no reasonable expectation they will require access in the future – Debrief, Separate, Out-process – Contractors should continue to submit adverse information reports as long as the employee has eligibility – Annual security refresher training is NOT required 28

Break In Employment vs. Break In Access Cont. Break in Access – When a cleared employee no longer has a requirement to access classified information but there is a reasonable expectation they will require access in the future – Debrief from access, maintain owning relationship until a separation action is necessary – Contractors should continue to submit adverse information reports as long as the employee has eligibility – Annual security refresher training is required 29

Contact Information DMDC Contact Center: DSS Knowledge Center: 8:00 am – 8:00 pm ET, M-F Contact Information – 1-800-467-5526 – dodhra.knox.dmdc.mbx.conta [email protected] – [email protected] Menu Options: 1 – JPAS 2 – e-QIP (Non-Industry) 3 – SWFT 4 – DCII 5 – Personnel Security Inquiry 6 – General Inquiry / Contact Center Information Contact Information – – 1-888-282-7682 [email protected] Menu Options: 1 - Account Lockouts and Passwords8:00AM to 6:00PM ET 2 - Personnel Security Inquiries to include e-QIP - 8:00AM to 5:00PM ET 3 - Facility Clearance Inquiries 8:00AM to 5:00PM ET 4 - OBMS 5 - STEPP/CDSE - 8:00AM - 4:00PM ET 6 - Industrial Policy International After hours information regarding NISP Policy and International issues: http:// www.dss.mil/isp/policy programs.ht ml DoD CAF Call Center: Contact Information – 301-833-3850 SSOs and FSOs ONLY Menu Options: 5 – Industry PSMO-I Customer Service: Email/Online received via mailbox at: [email protected] 7 - Industrial Policy –After hours information regarding NISP Policy and International issues: http:// www.dss.mil/isp/policy programs.ht ml 30

SWFT Basics 31

SWFT Process Industr y Site Scanne r Type Trans Destinatio n Name SSN DOB SWFT OPM DoD Fingerprint Archive 32

SWFT Account Requirements The minimum background investigation for a SWFT user is a NACLC with interim secret eligibility. Registered through a cleared company identified in ISFD. Must complete and submit a PSSAR. Completed PSSAR forms for primary and backup Account Managers must be submitted to the DMDC Contact Center. Must complete PII and Cyber Security Awareness/Information Assurance. Must have PKI enabled credential to access SWFT. Any scanner or software used for capturing and sending EFTs to SWFT must meet Federal Bureau of Investigation (FBI) certification guidelines and must be registered with SWFT and OPM. 33

SWFT Registration, Application Access, and Testing You must have your FBI approved ten-print live scan systems or card scanners; then you must obtain the DSS Configuration Guide from the SWFT Coordinator. – Registration: All ten-print live scan and card equipment must be certified by the FBI. In addition, ANY equipment capturing and sending electronic fingerprints must be registered with OPM. – Application Access: All SWFT users must complete a System Access Request (SAR) form. – DoD Call Center will maintain SARs for accounts they create – SWFT Account Managers will maintain SARs for accounts they create. 34

SWFT Registration, Application Access, and Testing cont. – Testing: All ten-print live scan and card reader equipment must be tested with OPM’s Store and Forward test server. Users will send test records via SWFT, OPM will validate the data and authorize when e-prints can be submitted to the production system. Average number of days from Initial Contact/Request to Test Authorization: 22 days Average number of days from Initial Contact/Request to Approved Production Use: 48 days 35

e-Fingerprint Options The December 2013 deadline for implementing an eFP solution has passed. Please review the eFP Implementation Guide to figure out which option is best for your company. – Option 1: Company purchases eFP capture equipment and submits FPs through SWFT Costs: one time equipment maintenance – Option 2: Multiple companies share costs to purchase eFP capture equipment and submit FPs through SWFT Costs: one time equipment maintenance – Option 3: Cleared company submits eFPs through SWFT on behalf of other company Click Here Costs: per transaction fee 36

e-Fingerprint Options cont. – Option 4: Third Party Vendor provides eFPs to cleared company to submit through SWFT Costs: per transaction fee – Option 5: Government entity supports cleared company to submit eFPs to SWFT or OPM Costs: none at this time, subject to availability Contacts Email questions: PSMO-I: [email protected] SWFT: [email protected] eFP Setup & Submission FBI Product List FBI Approved Channeler List SWFT Approved List SWFT - Registration, Access and Testin g Procedures DMDC-SWFT Homepage When submitting eFPs use: SOI: DD03 SON: 346W IPAC: DSS-IND Click Here 37

Clearance Processing Updates 38

Clearance Processing Updates DSS Knowledge Center: PSMO-I Inventory – Processing Cases as old as May 5th – Incident Reports are same day processing Click To Sign – 95% Utilization for Industry New RRU Process – Only submit RRUs for the following: Reciprocity Recertify/Upgrade/Reject Requests Responses to Official Government Requests Contact Information – – 1-888-282-7682 [email protected] Menu Options: 1 - Account Lockouts and Passwords8:00AM to 6:00PM ET 2 - Personnel Security Inquiries to include e-QIP - 8:00AM to 5:00PM ET 3 - Facility Clearance Inquiries 8:00AM to 5:00PM ET 4 - OBMS 5 - STEPP/CDSE - 8:00AM - 4:00PM ET 6 - Industrial Policy International After hours information regarding NISP Policy and International issues: http:// www.dss.mil/isp/policy programs.ht ml 7 - Industrial Policy –After hours information regarding NISP Policy and International issues: http:// www.dss.mil/isp/policy programs.ht ml – If you’ve called the Knowledge Center regarding a recently submitted RRU, cancel the RRU 39

Personnel Security Investigation (PSI) Update Posted July 6th to the DSS Website – To stay within its budget authority for PSI-Is, DSS metered the expenditure of PSI-I funds and maintained a daily limit on the number of cases submitted to the Office of Personnel Management (OPM). – This limit caused a delay in processing industry submissions to OPM, increasing the inventory workload. DSS recently received additional funding for the PSI-I program through a reprogramming approved by Congress. With this reprogramming, DSS will continue to process all PSI-I requests and will continue to work down the inventory. As a result, industry should begin to see improved timelines. Industry should continue to submit initial requests as well as requests for periodic reinvestigations. DSS will continue to monitor the PSI-I program and its expenditures. 40

OPM Investigation Timelines OPM Investigation Timelines as of June 2016: Case SSBI SSBI-PR/PPR Avg. Days 293 332/251 T3 118 T3R 112 NACLC 330 Scheduling timeliness delays on reinvestigations (T3R/SSBI/PPR) due to increased volume for month of June. – SBPR/PPR - 11 days – T3R - 8 days – Initials - 1 day 41

DISS UPDATE 42

DISS Update Defense Information System for Security (DISS) will reform DoD Security and Suitability processes to improve timeliness, reciprocity, quality, and cost efficiencies through the design and implementation of a secure, end-to-end IT system that electronically collects, reviews, and shares relevant personnel data government wide, as mandated by the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) and guided by relevant Executive Orders, Congress, and GAO recommendations to deliver and maintain an appropriately vetted workforce. 43

DISS Update Meetings are ongoing for an official release of the DISS Implementation Schedule Some things to look forward to: – The Ability to Upload SF-312s – RRU Process Replaced with Customer Service Requests Requests for Action – Additional Reporting Features – No Lockouts when accidentally hitting the “x” 44

DISS Overview DISS will enable consistent standards throughout the collateral DoD Personnel Security, Suitability and HSPD-12 mission areas. Once fully deployed, DISS will replace JPAS and the legacy Case Adjudication Tracking Systems. 45

DISS Transformation Benefits Continuous and integrated workflow between DoD CAF, DSS PSMO-I and FSOs Ability to provide supporting documents through Secure Portal Provide electronic clearance decisions (e-Adjudication) by applying defined business rules to investigative case files Ability for DoD CAF Adjudicators to view requests about a subject from multiple organizations and perform one review and action Updated Incident Workflow process Updated Visit Workflow process Updated Workflow for SF-312s and eliminates faxing SF-312s etc. and ability to get SF-312 history 46

Channels of Communication DSS Website VOI NCMS DMDC PSA JPAS Website DSS Webinar Briefings to Industry JPAS PMO meetings E-Mail List Serv ISFD CDSE Flash JPAS SMO emails AskPSMO-I Webinar Participants 47