COR Quarterly News - U. S. Army Training Support Center
COR Quarterly News - U. S. Army Training Support Center
COR Quarterly News - U. S. Army Training Support Center
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>COR</strong> <strong>Quarterly</strong> <strong>News</strong><br />
____________________________________________________________________________________________________________________________________________________________<br />
Mission Installation Contracting Command, Mission Contracting Office (MCO) - Fort Eustis<br />
[Joint Base Langley-Eustis]<br />
<strong>COR</strong> <strong>Quarterly</strong> <strong>News</strong>letter For Apr – Jun 2011<br />
MOTTO: Striving for Improvement<br />
DoD Contractors<br />
And The<br />
Contractor Verification System<br />
<br />
<br />
In This Issue!<br />
‣ What is the Contractor<br />
Verification System (CVS)?<br />
‣ Advantages and Benefits of<br />
Using CVS<br />
‣ CAC Eligibility Criteria<br />
‣ The Trusted Agent (TA)<br />
‣ CACs Are Specific To A<br />
Contract<br />
‣ CAC Request Memo For Record<br />
‣ Proposed Rules<br />
‣ CVS/CAC Approval Process<br />
‣ Contractors Must Be On the Up-<br />
N-Up!<br />
‣ The Information Protection<br />
Office<br />
‣ Contractor Responsibilities<br />
‣ Audit Findings<br />
‣ Lessons Learned<br />
‣ Synchronized Pre-Deployment<br />
and Operational Tracker<br />
(SPOT)
MICC MCO – Fort Eustis, VA <strong>COR</strong> <strong>Quarterly</strong> <strong>News</strong> – Apr 2011 - Jun 2011<br />
What is The Contractor<br />
Verification System (CVS)?<br />
‣ CVS is a web-based system that allows DoD<br />
contractors to register for a Common Access<br />
Card (CAC) electronically via the internet. CVS<br />
came into existence for DoD contractors in<br />
October 2000. Eligible contractors are those<br />
requiring physical access to the interior of certain<br />
escorted and/or unescorted facilities and logical<br />
access to DoD network information systems.<br />
‣ CVS is maintained by the Defense Manpower<br />
Data <strong>Center</strong> (DMDC) Card Technology and<br />
Identity Solutions (CTIS) and Personnel Identity<br />
Protection (PIP) office in Monterey, CA. It is<br />
the primary source for identification and<br />
authentication of people in DoD.<br />
‣ MYTH: All contractor employees must have a<br />
CAC to enter into and work at DoD government<br />
installations.<br />
‣ FACT: A CAC is not required for all<br />
contractor employees to enter into and work at<br />
DoD installations. The CAC is used as a form of<br />
identification that allows contractor entrance to<br />
the “INTERIOR ONLY” of DoD facilities and<br />
controlled spaces. The CAC serves as a means<br />
of electronic authentication by consolidating<br />
multiple credentials and data to be used for<br />
network security and secure email<br />
communication.<br />
‣ The CAC will not be issued nor network<br />
accounts created until DoD contactors are inprocessed<br />
through the Information Protection<br />
Office (Security Office).<br />
‣ CVS automated the DD Form 1171-2 process.<br />
‣ CVS serves as the authoritative data-feed for<br />
DoD contractor data into the Defense Enrollment<br />
Eligibility Reporting System (DEERS).<br />
‣ Homeland Security Presidential Directive-12<br />
(HSPD-12) requires that federal departments and<br />
agencies ensure temporary contractors and their<br />
employees have limited/controlled physical<br />
access to facilities and logical access to networks<br />
and information systems.<br />
Advantages and Benefits of Using CVS<br />
‣ Greatly reduces potential security violations.<br />
‣ Greatly reduces fraudulent issuance of the<br />
CAC.<br />
‣ Reduces data entry and security errors made<br />
during the use of the manual paper process.<br />
‣ Makes the process paperless.<br />
‣ Improves management of contractors and<br />
installation access.<br />
‣ Reduces CAC issuance and cancellation time.<br />
‣ Provides convenient application using the<br />
internet.<br />
‣ Reduces time required to initiate CAC.<br />
‣ Reduces the potential for fraud.<br />
‣ Automatically updates the DEERS<br />
database with contractor information.<br />
‣ Preserves integrity and accuracy of the<br />
DEERS database.<br />
‣ Ensures compliance with the Government<br />
Paperwork Elimination Act.<br />
‣ Provides periodic online re-verification of<br />
contractor CAC requirement.<br />
2
MICC MCO – Fort Eustis, VA <strong>COR</strong> <strong>Quarterly</strong> <strong>News</strong> – Apr 2011 - Jun 2011<br />
CAC Eligibility Criteria<br />
‣ Verification of DoD affiliation from DEERS.<br />
‣ Favorable approval of background vetting<br />
requirements:<br />
Federal Bureau of Investigation (FBI)<br />
fingerprint check.<br />
Completion of National Agency Check<br />
with Inquiries (NACI) background<br />
security check.<br />
‣ Must meet access requirements:<br />
Individual(s) require access to DoD<br />
facilities and networks on site or remotely<br />
for six months or more.<br />
Individual(s) require access to both DoD<br />
facilities and or networks on site or<br />
remotely or six months or more.<br />
Individual(s) requires remote access to<br />
both DoD networks that use only the CAC<br />
logon for user authentication.<br />
‣ Contractors who have multiple personnel<br />
categories (e.g., a reservist and contractor or<br />
government retiree and contractor), should be<br />
issued a separate CAC for “EACH” category in<br />
which they are eligible.<br />
‣ The contractor will only receive a CAC when<br />
their application has received favorable approval.<br />
‣ If the contractor was provided an interim<br />
CAC while awaiting approval of his background<br />
vetting requirements, and there is an unfavorable<br />
reply, the contractor’s CAC will be revoked at<br />
once.<br />
‣ Credentials<br />
The Trusted Agent (TA)<br />
Must be a CAC holder capable of<br />
sending and receiving digitally signed<br />
and encrypted e-mails.<br />
Must be a DoD uniformed service<br />
member or DoD civilian government<br />
employee.<br />
Can be a <strong>COR</strong> but not for a contract they<br />
currently administer.<br />
‣ Responsibilities<br />
Approves, rejects, or revokes contractor<br />
applications.<br />
Provides contractor access to CVS.<br />
Establishes the contractor’s need and<br />
DoD affiliation for logical and physical<br />
access to a DoD network or facility<br />
approval.<br />
Re-verifies the contractor’s affiliation<br />
with DoD every six months.<br />
Completes annual CVS certification<br />
training.<br />
Confiscate contractor employees CACs<br />
when any of the following occur:<br />
o Upon completion of the<br />
contractor’s employment.<br />
o Upon completion or termination of<br />
the contract.<br />
o The contractor is no longer eligible<br />
to receive the card.<br />
3
MICC MCO – Fort Eustis, VA <strong>COR</strong> <strong>Quarterly</strong> <strong>News</strong> – Apr 2011 - Jun 2011<br />
CACs Are Specific To A Contract!<br />
‣ Did you know that CACs are issued and must<br />
correspond with the “current” contract number<br />
awarded to a contractor? Did you know that<br />
when a contract expires and the contractor<br />
receives a follow-on contract, the contractor and<br />
its employees must receive a “NEW” CAC<br />
issued for the “NEW” contract number?<br />
‣ For a re-issued CAC, the contractor must restart<br />
the approval process. The process should<br />
start in ample time to ensure that all security<br />
requirements have been met by the starting date<br />
of the new contract.<br />
‣ If the contractor has not received CAC<br />
approval by the starting date of the new contract,<br />
the <strong>COR</strong> “WILL NOT” allow the contractor<br />
to start work without the proper security<br />
clearances. It is a serious security violation<br />
when the contractor is allowed to work without<br />
proper security approval.<br />
‣ At a time when security is of the utmost<br />
importance for federal and government<br />
installations in the United States, would you, as a<br />
<strong>COR</strong> put your job (and maybe retirement) in<br />
jeopardy by allowing the contractor to start work<br />
if he has not been approved for facility or<br />
network access?<br />
‣ CACs are electronically deactivated so they<br />
can no longer be used to allow access to DoD<br />
installations and network systems.<br />
CAC Request Memo for Record<br />
‣ The <strong>COR</strong> may provide an access request<br />
package to the TA for a CAC. It may consist of<br />
the following documents:<br />
<br />
Personnel Security Investigation Portal<br />
(PSIP) Worksheet<br />
<br />
<br />
<br />
Copy of the Performance Work Statement<br />
(PWS)<br />
<strong>COR</strong> Appointment Letter<br />
<strong>COR</strong> <strong>Training</strong> Certificates<br />
‣ The memo request for a CAC issuance or<br />
renewal may read something like this:<br />
Request a CAC Card for Mr. Dust N.<br />
Mop, Contractor JUST BECAUSE IT’S<br />
CLEAN for Custodial Services, W911S0-25-<br />
D-0999, Task Order #0999.<br />
Request approval to issue Mr. Dust N.<br />
Mop a Common Access Card (CAC) for<br />
logical and physical access to DoD facilities<br />
in performance of his contractual duties.<br />
Attached is the Contractor's PSIP, Task<br />
Order Award, PWS, and my <strong>COR</strong><br />
Appointment Letter and training certificates<br />
for your review and approval.<br />
If further information is required, please<br />
contact me as soon as possible to remedy any<br />
delay to this CAC request.<br />
Thanking you in advance for your prompt<br />
attention to this request.<br />
<strong>COR</strong> Am I. Clean<br />
Proposed Rules<br />
‣ GSA, DoD, and NASA have proposed rules<br />
(24 May 2010) that require agencies to ensure<br />
that any form of government-furnished<br />
identification (ID) provided to a contractor be<br />
returned as soon as the card is no longer needed<br />
to perform the contract work, or as soon as the<br />
contract is complete—whichever happens first.<br />
‣ This rule allows agencies/KO to withhold or<br />
delay final payment to contractors who fail to<br />
return “ALL” cards issued.<br />
4
MICC MCO – Fort Eustis, VA <strong>COR</strong> <strong>Quarterly</strong> <strong>News</strong> – Apr 2011 - Jun 2011<br />
CVS/CAC Approval Process<br />
‣ The <strong>COR</strong> receives a CAC request and<br />
completes a PSIP, to provide to the TA or<br />
security office who will determine CAC<br />
eligibility requirements.<br />
‣ The <strong>COR</strong> completes a registration request<br />
form and sends to the TA.<br />
‣ The TA verifies that the registration form is<br />
correct.<br />
‣ The <strong>COR</strong> and TA will verify that the contract<br />
has met security requirements by reviewing the<br />
TO/PWS and then cross-verification with the<br />
security office that the application has been<br />
approved thru DEERS.<br />
‣ The TA creates and submits an application in<br />
the CVS.<br />
‣ The <strong>COR</strong>/TA will receive an automated<br />
email notifying him/her that the application has<br />
been completed and is awaiting approval.<br />
‣ The TA will provide the contractor with a<br />
one-time log-in access password and other info<br />
so that he can submit his application in DEERS.<br />
‣ Upon confirmation from the Security Office,<br />
the TA will approve the CAC. An automated<br />
email will be sent to the contractor notifying<br />
him/her that the application has been approved.<br />
‣ The contractor has seven days to log-in to<br />
CVS or the system will automatically disable the<br />
application.<br />
‣ After the contractor completes an initial login,<br />
the TA has 30 days to review the application<br />
for errors and discrepancies and then approve or<br />
CVS will automatically disable the application.<br />
‣ The TA will return the application to the<br />
contractor with comments explaining errors and<br />
discrepancies if necessary.<br />
‣ Once the application is approved, the<br />
contractor has 90 days to have a card issued or<br />
CVS will automatically disable the application.<br />
‣ The CVS will send an automated e-mail to<br />
the contractor and the TA stating that the<br />
application was approved and tells the contractor<br />
where to go to get his CAC issued.<br />
‣ The contractor must verify that no other info<br />
is needed and he has met all requirements to<br />
receive a CAC before going to the Pass & ID<br />
office.<br />
‣ The contractor must present two forms of<br />
unexpired identification as a “claimed identity”.<br />
A claimed identity is an ID (i.e., driver’s license<br />
or state ID) that you carry on your person to<br />
verify that “you are who you say you are”. Other<br />
acceptable forms of ID include Passport, Birth<br />
Certificate, Social Security card, or Voter's<br />
Registration card.<br />
‣ The contractor receives a CAC.<br />
‣ Once approved, the TA must review or reverify<br />
the application to re-validate the card each<br />
six months.<br />
‣ The <strong>COR</strong>:<br />
Validates facility or network access<br />
requirement via the contract.<br />
Validates access requirements to classified<br />
information and/or buildings via the contract.<br />
Initiates DD Form 254 when required.<br />
Processes contractor personnel through the<br />
Organization’s Security Manager/S-2.<br />
5
MICC MCO – Fort Eustis, VA <strong>COR</strong> <strong>Quarterly</strong> <strong>News</strong> – Apr 2011 - Jun 2011<br />
‣ Information Protection Security Manager:<br />
Checks JPAS for Visit Request (VRs).<br />
Submits the PSIP Form via email after<br />
contract personnel has been in-briefed.<br />
Contractors Must Be on the Up-N-Up!<br />
‣ The “contractor’s business” credentials must<br />
first be cleared by the installation Information<br />
Protection Office (IPO). In other words, the<br />
business must have clean hands before his<br />
employees are approved. Once the business has<br />
been determined to be eligible for a CAC, the<br />
TA will review, approve, and/or reject each<br />
individual contractor employee whose names are<br />
provided to the TA.<br />
‣ The TA is responsible for ensuring that<br />
“background vetting requirements” have been<br />
met before final approval.<br />
‣ The contractor must complete an approved<br />
FBI fingerprint check.<br />
‣ The contractor must complete a criminal<br />
background and Citizenship & Immigration<br />
Status Checks to ensure that they are eligible to<br />
be on the installation.<br />
‣ A favorable National Agency Check with<br />
Inquiries (NACI) background security check or a<br />
DoD determined equivalent investigation is<br />
required. The contractor will receive an interim<br />
security clearance until the final results have<br />
been completed.<br />
The Information Protection Office (IPO)<br />
‣ The IPO is the security office with a new<br />
look.<br />
‣ Once the PSIP has been received, the IPO<br />
will check DEERS for the appropriate<br />
background investigation and/or eligibility.<br />
‣ If FBI fingerprinting is required, an<br />
appointment is scheduled. Once the results of<br />
the FBI investigation are approved, contractor<br />
personnel will be eligible for CAC issuance. A<br />
CAC approval memo will be forwarded to the<br />
organization's security manager.<br />
‣ The security manager will notify the <strong>COR</strong><br />
and/or TA if the contactor has been approved or<br />
rejected.<br />
‣ The CAC must be “re-verified or re-reviewed<br />
every six months by the TA to ensure that the<br />
contractor is still entitled to a CAC.<br />
‣ The ultimate responsibility for the CAC is<br />
the TA as the approving official.<br />
‣ If the contract has ended and the TA has<br />
made an effort to collect the CAC and has been<br />
unsuccessful, final payment to the contractor<br />
may be withheld.<br />
‣ The contract company MAY be potentially<br />
liable for any wrong actions of his employees in<br />
the misuse of the CAC.<br />
‣ Unauthorized use and possession of an<br />
official government identification card, such as<br />
the CAC, can be prosecuted criminally under<br />
section 701 of title 18, United States Code<br />
(U.S.C.) (Reference (t)), which prohibits<br />
photographing or otherwise reproducing or<br />
possessing DoD identification cards in an<br />
unauthorized manner, under penalty of fine,<br />
imprisonment, or both.<br />
6
MICC MCO – Fort Eustis, VA <strong>COR</strong> <strong>Quarterly</strong> <strong>News</strong> – Apr 2011 - Jun 2011<br />
Contractor Responsibilities<br />
‣ The contractor will provide the following<br />
info to the <strong>COR</strong>:<br />
LAST NAME:<br />
FIRST NAME:<br />
MIDDLE NAME:<br />
CADENCY (i.e., Jr, Sr, III):<br />
SSN:<br />
DATE OF BIRTH:<br />
E-MAIL:<br />
CONTRACT/TO NUMBER:<br />
CONTRACT END DATE:<br />
‣ Once the contractor has been approved, the<br />
contractor has seven days to log-in to establish a<br />
DEERS record with a temporary password or the<br />
system will automatically disable the applicant.<br />
‣ Once the application is approved, the<br />
contractor has 90 days to have a card issued or<br />
CVS will automatically disable the applicant.<br />
‣ Additional controls over contractor CACs<br />
were needed and existing controls needed<br />
improvement.<br />
‣ CACs should not remain in the control of<br />
private contractors when they no longer have a<br />
justifiable need for access to government<br />
facilities or networks.<br />
‣ Contractor CACs were not consistently<br />
approved, issued, re-verified, revoked, or<br />
recovered. This weakness poses a potential<br />
national security risk that may result in<br />
unauthorized access to DoD resources,<br />
installations, and sensitive government<br />
information worldwide.<br />
‣ Other issues included:<br />
<br />
<br />
Failing to complete consistent CAC reverification<br />
every six months.<br />
Failing to consistently approve, issue, reverify,<br />
or revoke the CAC.<br />
‣ Contractor personnel must notify their TA if<br />
their CAC becomes lost or stolen. They must<br />
include a memo for record documenting the<br />
circumstances that caused the card to be lost or<br />
stolen.<br />
Audit Findings<br />
‣ The use of CAC cards was examined in<br />
several Audit Reports (Department of Defense<br />
Office of Inspector General Report No. D-2008-<br />
114 July 24, 2008 and 2008 IG Report #D-<br />
2009-005, October 10). The most prevalent issue<br />
of the CAC is that they are not being confiscated<br />
by the approving official at the end of the<br />
contract.<br />
‣ DoD lacked procedures to ensure that CACs<br />
issued to contractors were deactivated and<br />
recovered by the government when contractor<br />
personnel no longer had a legitimate need for<br />
their use.<br />
<br />
<br />
<br />
<br />
<br />
<br />
Government’s failure to understand the<br />
responsibility of retrieving the CAC at<br />
the end of a contract.<br />
Contractor’s failure for not knowing or<br />
not understanding the responsibility of<br />
surrendering the CAC.<br />
Providing CACs without requiring<br />
sufficient background checks or receiving<br />
appropriate government approval.<br />
Inadequate evidence to link contractors to<br />
a contract.<br />
Inadequate evidence to justify CAC<br />
expiration date.<br />
The TA felt that it was not their job to<br />
recover the CAC.<br />
7
MICC MCO – Fort Eustis, VA <strong>COR</strong> <strong>Quarterly</strong> <strong>News</strong> – Apr 2011 - Jun 2011<br />
<br />
<br />
A large percentage of CACs were never<br />
accounted for or recovered<br />
Contractor employees were inadvertently<br />
classified as government employees on<br />
numerous forms.<br />
‣ Local commands, installations, and sponsors<br />
of contract support personnel and other eligible<br />
CAC holders shall establish procedures to ensure<br />
the retrieval of government furnished equipment<br />
(GFE).<br />
Lessons Learned<br />
‣ There is currently no contract clause or local<br />
statement to make contractors aware that “ALL”<br />
CACs must be returned upon contract<br />
completion.<br />
‣ A local statement may be placed in DoD<br />
contracts and in the <strong>COR</strong> appointment letter<br />
to encourage CAC recovery upon termination<br />
or completion of a contract.<br />
‣ CAC issuers changed information approved<br />
by government sponsors<br />
‣ Neither the KO nor the contracting office is<br />
responsible for any CVS related duties.<br />
‣ The KO is responsible for including the<br />
regulatory inclusion of FAR clause 52.204-9,<br />
Personal Identity Verification of Contractor<br />
Personnel, in all solicitations and contracts<br />
awarded after 3 January 2006, that require<br />
contractors to have physical access to a<br />
federally-controlled facility or access to a<br />
federally-controlled information system.<br />
‣ The Installation CVS TA (customer) may be<br />
included as an acquisition team member to<br />
ensure compliance with identity verification<br />
requirements for contract performance, when<br />
practicable.<br />
Synchronized Pre-Deployment and<br />
Operational Tracker (SPOT)<br />
‣ The Synchronized Pre-deployment and<br />
Operational Tracker (SPOT) has been designated<br />
as the Joint Enterprise contractor management<br />
and accountability system to provide a central<br />
source of contingency contractor information.<br />
Contractor companies are required to maintain<br />
by name accountability within SPOT while<br />
government representatives use SPOT for<br />
oversight of the contractors they deploy.<br />
‣ SPOT is used to identify and track all<br />
deploying government contractors in support of<br />
Operations IRAQI Freedom and Enduring<br />
Freedom through a CAC intended specifically<br />
for deploying contractors. Contractors will be<br />
required to be identified “prior” to deployment.<br />
SPOT became an idea when it was determined<br />
that contractors supporting the force needed<br />
accountability. The government would have<br />
visibility of their location, their capabilities, and<br />
their status.<br />
‣ SPOT will enable private industry to provide<br />
government contractors with credentials that are<br />
accepted as access to facilities and computer<br />
networks.<br />
‣ Providing CAC access to deploying<br />
contractors has been cumbersome in the past.<br />
SPOT access will provide information from<br />
corporate finance and personnel databases.<br />
Departure from theater and in-theater CAC<br />
scanners will be at entry points to installations,<br />
and facilities, and other areas. Additional time<br />
will not be spent completing “vetting<br />
requirements’ as it will have already been<br />
completed.<br />
‣ To learn more about SPOT, visit<br />
http://www.bta.mil/products/spot.html.<br />
8
MICC MCO – Fort Eustis, VA <strong>COR</strong> <strong>Quarterly</strong> <strong>News</strong> – Apr 2011 - Jun 2011<br />
SAMPLE<br />
PSIP Required Information Worksheet<br />
(Personnel Security Investigation Portal)<br />
SSN: Birth Date: (MM/DD/YYYY)<br />
Rank/Prefix (Dr., Ms., Mrs., Mr.)<br />
Last Name:<br />
First Name: Middle Name: (Initial Only / No Middle Name)<br />
Postfix/Suffix (i.e.: II, III, Jr.):<br />
Country of Birth State of Birth: City of Birth:<br />
Subject Contact Information:<br />
Email Address (AKO preferred):<br />
Secondary Email Address:<br />
Primary Phone:<br />
Secondary Phone:<br />
(Comm. / DSN / Overseas)<br />
(Comm. / DSN / Overseas)<br />
Organization/Unit Name:<br />
Organization/Unit UIC:<br />
Contracting Officer Representative (<strong>COR</strong>) Contact Information:<br />
Name:<br />
Email Address:<br />
Telephone Number:<br />
Contact Number:<br />
Company’s Name and Address:<br />
Name:<br />
Street:<br />
City:<br />
State:<br />
Zip Code:<br />
Telephone Number: _________________________ (Comm. / DSN/ Overseas)<br />
9
MICC MCO – Fort Eustis, VA <strong>COR</strong> <strong>Quarterly</strong> <strong>News</strong> – Apr 2011 - Jun 2011<br />
SAMPLE<br />
10
MICC MCO – Fort Eustis, VA <strong>COR</strong> <strong>Quarterly</strong> <strong>News</strong> – Apr 2011 - Jun 2011<br />
<br />
<br />
<br />
We Would Love To<br />
H<br />
From You!<br />
You Are Never Too Old To Learn!<br />
‣ For More CVS FAQs – (CLICK ”HELP”),<br />
visit https://www.dmdc.osd.mil/appj/cvs/login<br />
‣ For questions on the Virtual Contracting<br />
Enterprise (VCE) <strong>COR</strong> <strong>Training</strong>, consult<br />
your installation KO, contracting Quality<br />
Assurance Specialist, or <strong>COR</strong> Program<br />
Manager.<br />
‣ ACC <strong>COR</strong> Comprehension <strong>Training</strong> has<br />
already started at some installations. For the<br />
rest of us, it’s on the way!!!<br />
<strong>COR</strong> Self-Development<br />
Plan to attend <strong>COR</strong> <strong>Training</strong><br />
….whether you need to or not!<br />
<br />
Camilla.tramuel@us.army.mil<br />
Camilla @ 757-878-3166 x3384<br />
OR<br />
Shirley.powell@us.army.mil<br />
Shirley @ 757-878-3166 x3386<br />
Visit our website @<br />
http://www.aca-nrcc.eustis.army.mil/<br />
Editor & Publisher,<br />
Camilla H. Tramuel<br />
<strong>COR</strong> Program Manager<br />
MICC Mission Contracting Office (MCO)<br />
Fort Eustis<br />
Acquisition <strong>Support</strong> Division<br />
2746 Harrison Loop<br />
Fort Eustis, VA 23604<br />
<br />
11