Overview
The Jet
Propulsion Laboratory has initiated a new rebadging process for its employees, contractors, and
affiliates. After negotiating with NASA Headquarters,
JPL Director Charles Elachi
agreed to the new process, which will produce new ID cards in conformance with
FIPS 201 (Federal Information
Processing Standards Publication
201), a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for
Federal employees and contractors. FIPS 201 is a response to Homeland Security Presidential
Directive 12 (HSPD-12).
The new JPL badging process is controversial, for a variety of reasons. One of the concerns voiced is the lack of respect for privacy
of employees, because the badging procedure requires each employee to answer
a personal questionnaire, sign a waiver permitting a background
investigation at any level of detail, have fingerprints taken, and carry a new ID card with the fingerprints readable by
RFID technology. This level of personal intrusion
has led to questions that the JPL Honor Code of treating employees with dignity and respect is being violated.
JPL Badges are identification cards issued to employees, contractors, affiliates,
and retirees of JPL for
the purpose of permitting unescorted access to the JPL facility. They are also used
for access to controlled areas within the laboratory, and a bar code on it is scanned for
a variety of routine uses such as receiving packages and recording attendance at training sessions.
JPL management contends that no privacy related information will be stored on the new ID card.
Some employees wonder how JPL management defines "privacy related information", because there is agreement
that the new ID card will utilize passive RFID technology to store the following attributes:
- JPL User Name
- Electronic IT Certificate
- Citizenship
- Personal Identification Number (PIN) Unique to Issuer
- Two Biometric Fingerprints
- Facial photo
An electromagnetic shield would need to cover the new ID card in order to prevent a remote RFID reader from accessing the data
stored on the new ID card.
Information and a description of the existing JPL badge and NASA One badge is also available.
Rebadging process
JPL management has outlined the following steps in order to obtain a new JPL ID card:
- Employee supplies name, birthday, SSN, and city of birth to JPL, if they have not previously done so.
- The Office of Protective Servicees sends out email requesting employee to fill out online form.
- Employee fills out form 85 or 85P, as directed, using the online e-QIP system, within 10 days. This process takes 1-3 hours.
- Employee prints out release forms, brings them to the security office, and signs in presence of officer.
- JPL Security scans release form, encrypts it, and sends it to the U.S. government.
- A fresh set of fingerprints are taken (even if they were taken for One NASA badge)
- A picture is taken (possibly two pictures, one with One NASA Camera, one with new ID card camera)
- U.S. Office of Personnel Management
performs a background investigation.
- NASA conducts "suitability" determination.
- If NASA permits it, a badge is issued
- If adverse information is reported, employee is notified either directly by OPM or by NASA, and an
opportunity to correct any false information and/to appeal the adverse adjudication decision (but still within OPM and NASA) is provided.
The process is repeated every 5 years. Those who have a security clearance are exempt from the process and can
immediately acquire their badge.
Background Investigations
Risk Assessment
Prior to rebadging, each JPL employee will be classified as low, moderate, or high risk.
The low risk personnel will fill out form 85, while moderate and high risk personnel will fill
out the more detailed form 85P. According to Jerry Suitor, the classification is based on the
job performed, not the individual. Approximately 97% of the JPL workforce is expected to be
classified as low risk, and 3% as moderate or high risk. The classification will be unrelated
to the two tiers of sensitivity used in classifying personnel for drug testing.
According to Jerry Suitor, a high risk assessment will be made for personnel with access to
ATLO (without requiring a "buddy"), access to spacecraft software without going through a review,
or for any position in which damage can be done to a NASA asset. Section managers are being told
of the classification list and can give feedback.
References
On the SF85 form, applicants are required to provide the names of 3 individuals who have known
the employees over the last 5 years (covering the entire five year period) and a additional people
(at least one for each address) who knew you at each address where you have lived over the past
three years. The form indicates that the applicant should "try" not to list these reference
names in multiple places (e.g., a generic reference should not also be used as someone
who knew you at an address), but the implications of listing the same person multiple places are
not defined.
Applicants are also required to provide the supervisor's name for all employment within
the past 5 years (for SF85) and to include all employment activities covering 5 years, including
part-time work, self-employment, and all periods of unemployment. [The
supervisors are sent similar forms to the other references.]
This means that applicants are required to submit the names of supervisors for whom they worked,
even if they requested to be transferred from those organizations because of an unworkable relationship
with that supervisor. Jerry Suitor indicated at a process meeting that his office was drafting
an e-mail to be sent to all supervisors and above to information them that before any supervisor at JPL
submits adverse information for any employee for which they receive a reference request, that supervisor
should contact his office. However, many people who have been supervisors in the past 5 years are no
longer supervisors and will not receive this e-mail (assuming it even is/was sent to current
"supervisors and above"). Also, this could be seen as coersive of the supervisors to not submit
information they believe is valid, thereby undermining the entire activity while JPL is legitimately
trying to protect employees from potentially inappropriate inputs.
The references are mailed a "fill in the bubble" form with yes or no questions regarding
whether the reference has any knowledge of adverse health, mental, use of alcohol,
use or posession of drugs and behavior. A space is provided to write in details for any such information.
Form 85 and 85P
Standard Forms 85 or 85P are used as the basis for a background investigation. The official
instructions on these do not agree with how JPL management is directing JPL employees and contractors
to use them. The following table is a summary of these differences.
| What the Form 85 Instructions say
| What JPL management says
|
| The information you give us is for the purpose of determining your suitability for federal employment
| Actually, we're not going to use it for that at all. The information you give us is for the
purpose of determining access to the laboratory.
|
| The form is to be used "only when a conditional offer of employment has been made"
| Employees and contractors already employed will use this form.
|
| "[F]inal determination on your eligibility for a position will be made by the Office of Personnel Management
or the federal agency that requested
your investigation."
| Determination on job eligibility was made at the time of employment. For some employees, this decision was made years or decades ago.
|
| Giving us the information we ask for is voluntary
| Your employment, regardless of its previous duration, will be terminated if you do not provide the information we ask.
|
Standard Form 85 requests the following information:
Name,
Date of Birth,
Place of Birth,
Social Security Number,
Other Names Used,
Gender,
Citizenship,
Where have you lived (past 5 years),
Degrees you have & Where you went to school,
Employment History (past 5 years),
People who know you well (not relatives),
Military History,
Selective Service Record (if male born after December 31, 1959),
Used, possessed, supplied, or manufactured illegal drugs (1 year).
Authorization for release of information (from schools, residences, employers, and other sources, without limitation to the type of information
gathered)
Standard Form 85P requests the following information:
Police Record (arrests, charges, convictions great than $150),
Illegal Drugs,
Alcohol Use,
Background investigations conducted in the past,
Financial Record (bankruptcy, debt in arrears more than 180 days),
Release for information gathering in support of information provided (academic history, employment, criminal history, financial),
Release for Medical Information.
Page 8 of form 85P indicates that the employee is authorizing investigations
"...for the purpose of making a determination of suitability or eligibility for a security clearance."
Note that applying for a security clearance differs from applying for a badge to verify personal identity.
Followup Investigation
Describe graduation verification, employment verification.
Describe medical question, "any reason judgement impaired by a medical reason?"
Correcting Adverse Information
Describe similarities to "no fly" list, and difficulty of getting corrections. Describe similarity of
fixing credit information after identity theft. Describe difficulty of fixing errors within prescribed 30 day window.
In the event adverse information is received, NASA will notify the employee and offer the employee 30 days in which to attempt to refute or explain the information that was received. [NASA does not tell Caltech either that adverse information has been received or the nature of the information at this point in the process.] If the issue cannot be resolved to NASA's satisfaction with the 30 days allocated, NASA will notify Caltech that the applicant is not eligible for unescorted access to JPL which will result in JPL initiating termination proceedings.
When asked about whether it was realistic to resolve any generic problem within 30 days that involves dealing with a bureaurcracy, Jerry Suitor "assured" attendees at a recent process meeting that JPL is confident that any problems can be resolved within 30 days. He also encouraged anyone who was notified that an adverse infinding had been received to contact his offer in case there was anything they could do to facilitate the resolution.
FIPS 201 and HSPD 12
Description of new ID card
FIPS 201 (Federal Information Processing Standards Publication
201) is a United States federal government standard that
specifies Personal Identity Verification (PIV) requirements for
Federal employees and contractors.
In response to HSPD-12<ref name="hspd12"/>, the
NIST Computer Security Division initiated a new program for
improving the identification and authentication of Federal employees and
contractors for access to Federal facilities and information systems.
FIPS 201 was developed to satisfy the technical requirements of HSPD 12,
approved by the Secretary of Commerce, and issued on February 25,
2005.
FIPS 201 together with [[National Institute of Standards and
Technology|NIST]] SP 800-78 (Cryptographic Algorithms and Key Sizes for
PIV) are required for U.S. Federal Agencies but do not apply to US
national security systems. NIST SP 800-78
[
http://csrc.nist.gov/publications/nistpubs/800-78/sp800-78-final.pdf
Cryptographic Algorithms and Key Sizes for Personal Identity
Verification]
The SmartCard Interagency Advisory Board has indicated that to comply
with FIPS 201 PIV II US government agencies should use
Smart card
technology. <ref>IAB [http://www.smart.gov/iab/ Interagency Advisory
Board]</ref>
