ADMINISTRATIVE COMMUNICATIONS SYSTEM

UNITED STATES DEPARTMENT OF EDUCATION

Office of Management, Executive Office
400 Maryland Avenue; Washington, DC 20202

Transmittal Sheet #: 2005-0010 Date: July 7, 2005

Distribution: All ED employees Distribution Approved: /s/

Directives Management Officer: Tammy Taylor

Action: Pen and Ink Changes

Document Changing: OM:5-101, Contractor Employee Personnel Security Screenings, dated 03/30/2005.

Summary: This document establishes the Department policy regarding the personnel security
screening requirements for all contractor employees and their subcontractors directly
contracted by the Department.

Pen and Ink The following pen and ink changes have been made.
Changes:

Page Section Changed To

All Date 03/30/2005 07/07/2005
1 Superseding Information described above Information described above
Information
8 III. B. Contracts and Purchasing Operations Contracts and Acquisitions Management
15 Edited Conducted for Low Risk (1 or 1C) Positions. Conducted for Low Risk (1 or 1C)
NACI row Used at Department of Education as the Positions.
standard Moderate Risk investigation unless
need to upgrade to MBI or LBI
15 Added Added row See page 15
NACI-C
row

Our mission is to ensure equal access to education and to promote educational excellence throughout the nation.
 ADMINISTRATIVE
COMMUNICATIONS SYSTEM
U.S. DEPARTMENT OF EDUCATION

DEPARTMENTAL DIRECTIVE

OM:5-101 Page 1 of 16 (07/07/2005)

Distribution: Approved by: ___________/s/_(03/30/2005)_____

All Department of Education employees William J. Leidinger
Assistant Secretary for Management

Contractor Employee Personnel Security Screenings

Table of Contents

I. Policy...........................................................................................................................................................................2
II. Definitions..................................................................................................................................................................2
III. Procedures and Responsibilities................................................................................................................................4
Appendix I: Position Risk Designation Requirements for all Contractor Positions and Screening Requirements for
all Contractor Employees..............................................................................................................................................12
Appendix II: Position Designation Record for all Contractor Positions......................................................................16

For technical questions regarding this directive, please contact Sandra Warren on 202-205-9780
or via sandra.warren@ed.gov.

Supersedes OM:5-101 “Contractor Employee Personnel Security Screenings” dated 03/30/2005.

OM:5-101 Page 2 of 16 (07/07/2005)

I. Policy

This document establishes the U.S. Department of Education’s (Department) policy

regarding the personnel security screening requirements for all contractor employees and
their subcontractors directly contracted by the Department and may be found on the
Department’s intranet website, ConnectED, at Policies, References and Resources, ACS
Directives, Alphabetical listing by title, Contractor Employee Personnel Security Screenings
at http://connected1.ed.gov/po/om/executive/print/acs_om_5_101.doc.

All solicitations and contracts issued after the date of this directive must include
personnel security screening requirements for Department contractor employees.
Solicitations and contracts that currently do not contain appropriate wording will require
a modification to comply with this directive.

All contractor employees must undergo personnel security screening if they will be
employed for thirty (30) days or more. The type of screening and the timing of the
screening will depend upon the nature of the contractor position, the type of data to be
accessed, or the type of information technology (IT) system access required. Personnel
security screenings will be commensurate with the risk and magnitude of harm the
individual could cause.

Contractor employees who will have physical access to Department controlled facilities,
sensitive information or systems for 30 days or less (e.g., a one or two week project), or
have infrequent access (e.g., three times a month), do not require any investigation if they
are escorted. Escort access requires the contractor employee to be supervised by an
authorized Department employee or authorized cleared contractor employee. A
Department manager must provide WRITTEN authorization before a contractor
employee can access a Department facility, system, or information. Escort access may
not be used for contractor employees after notification of an unfavorable adjudication
determination about the contractor employee from the Department Personnel Security
Officer (DPSO). A Principal Office (PO) also has the option to deny contractor
employees access to their controlled facilities, sensitive but unclassified information, or
systems, until the DPSO has made a personnel security determination.

II. Definitions

A. Computer Refers to an individual formally designated by the head of a PO

Security Officer to be responsible for the implementation and management of
the Information Technology (IT) Security Program within his or
her organization.

B. Contractor For the purpose of this directive refers to all non-Federal

Employee employees working on a Department of Education contract,
including all subcontractors, requiring (1) access to Department
controlled facilities or space, or (2) work, wherever located, on
those contracts which involve the design, operation, repair or
maintenance of information systems and access to sensitive but
OM:5-101 Page 3 of 16 (07/07/2005)

unclassified information.

C. Contracting An individual with the authority to enter into, administer, or

Officer terminate contracts and execute related determinations and
findings within the limits of the authority delegated. Only a
contracting officer has the authority to contractually bind the
government.

D. Department A management official within OM Security Services

Personnel responsible for making personnel security adjudication
Security Officer determinations on the access of contractor employees to
(DPSO) Department facilities, sensitive but unclassified information,
and systems.

E. Escort Access Requires the contractor employee to be supervised by an

authorized Department employee or by a cleared contractor
employee who has been authorized by a Department manager.

F. Information The hardware and software operated by a Federal agency or by

Technology (IT) a contractor of a Federal agency or other organization that
processes information for the use of the Federal government to
accomplish a Federal function, regardless of the technology
involved, whether computers, telecommunications, or others.
IT is used synonymously with Automated Data Processing
(ADP), Federal Information Processing (FIP) resources, and
Automated Information Systems (AIS).

G. Lawful Any person not a citizen of the United States who is residing in
Permanent the United States under legally recognized and lawfully
Resident recorded permanent residence as an immigrant. Also known as
“Permanent Resident Alien”, “Resident Alien Permit Holder”,
and “Green Card Holder”.

H. Personnel A decision made about whether a person is an acceptable

Security security risk after examining a sufficient period of their life
Adjudication following a Personnel Security Screening.
Determination
I. Personnel The process of conducting a background investigation through
Security written, electronic, telephone, or personal contact to determine
Screening the suitability, eligibility, or qualifications of a person for
Federal employment, work on Federal contracts, or for National
Security purposes.

J. Position Risk There are three risk level designations, High Risk, Moderate
Level Risk, and Low Risk. Different types of background
investigations, varying in scope, have been identified and
required for positions based on the associated level of risk.
OM:5-101 Page 4 of 16 (07/07/2005)

K. Preliminary This is a review of completed security forms, a credit check,

Screening fingerprint check, record checks, and file reviews. A
preliminary screening is conducted before a contractor
employee can be assigned to a High Risk level IT position.

L. Unfavorable The final determination that results in adverse action relative to

Adjudication a person’s employment acceptability or suitability, retention in a
Determination sensitive or public trust position, access to National Security
Information, materials, or areas, or incumbency in a sensitive
position.

M. Up-To-Date Forms submitted within 30 days from the time the contractor
Investigative employee signs the personnel security forms and they are
Forms received by the DPSO.

III. Procedures and Responsibilities

A. Principal Office (PO)

The PO is responsible for performing the functions described below to implement this
directive. Each PO Contracting Officer’s Representative (COR) is expected to play a
key role in tracking the clearances of contractor employees as a supplemental
responsibility in monitoring the contract, without altering the primary duties as
specifically noted in this Handbook or in the Department's IT Security Policy.

The Executive Officer of each PO is that Office's liaison and key point of contact with
the DPSO, Security Services, Office of Management, for all personnel security
matters.

1. Each PO must establish and maintain on file with the DPSO its own procedural
document for complying with this directive. The document will identify the
responsible officials, e.g. COR’s, Computer Security Officers, or System Security
Officers with the PO who will be performing key duties as stated in the directive.
All modifications to the PO Procedures Document must be forwarded to the
DPSO for review. Each PO must include in its procedures the requirements for
contractor employee screening in any work statement that will result in contractor
employees having either one or all of the following:

Un-escorted access to Department controlled facilities;

Access to the Department's IT systems and the systems’ data;
Access to sensitive but unclassified or Privacy Act-protected information.

2. The PO must coordinate with the Contracting Officer during the preparation phase
of the contract solicitation and acquisition process to implement these procedures.

3. Each PO must determine the risk levels for each contractor position. This process
requires coordination with the Computer Security Officers of each PO and the
DPSO. Each PO must maintain a current position risk level designation record
OM:5-101 Page 5 of 16 (07/07/2005)

for each contractor position. The three position risk levels and their investigative
requirements are:

HIGH RISK (HR) Positions with the potential for exceptionally serious impact
on the efficiency of the Department. This includes access to
Department IT systems that allows the bypass of security
controls or access that, if taken advantage of, could cause
serious harm to the IT system or data. A Background
Investigation (BI) is the type of investigation required.

MODERATE Positions with the potential for moderate to serious impact

RISK (MR) on the efficiency of the Department, including all positions
that require access to sensitive but unclassified, or Privacy
Act-protected information. A National Agency Check with
Written Inquiries (NACI), and a credit check, is the type of
investigation required. The investigation will be expanded
to a Minimum Background Investigation (MBI) or a Limited
Background Investigation (LBI) if the NACI plus credit
check investigation develops information that the DPSO
considers potentially actionable.

LOW RISK (LR) Positions that involve duties and responsibilities of limited
relation to the Department’s or a program mission, with the
potential for limited impact on the efficiency of the
Department. A National Agency Check with Written
Inquiries (NACI) is the type of investigation required.

4. Each PO must assign a position risk level, before the solicitation is released,
consistent with Appendix I of this document, to each contractor employee
position. These records can be maintained on file with either the COR or CO for
that PO. The PO's Computer Security Officer must concur in writing with the
designated risk level. If the duties of a position involve more than one risk level,
the higher of the two risk levels will be assigned to the position.

NOTE: Contractor employees must not be placed in a higher risk level position
than the one currently approved by the DPSO

5. High Risk Level Positions: Each PO must have the COR submit completed
contractor employee investigative forms, and a “Request for Security Officer
Action” form for each individual, on a pre-appointment basis for High Risk level
positions. The PO must deny the contractor employee High Risk level access to
systems, or Department sensitive or Privacy Act-protected information, until the
DPSO notifies the COR that the preliminary security screening was completed
favorably.

Additional considerations for High Risk Level Positions Regarding:

Citizenship
OM:5-101 Page 6 of 16 (07/07/2005)

Every effort must be made to minimize and where possible eliminate, the number
of non-U.S. Citizens employed in High Risk level positions; this applies to all
contractors and sub-contractors. However, the Department recognizes there is,
from time to time, a compelling reason that may exist to grant a non-U.S. Citizen
High Risk access. In those circumstances where a non-U.S. Citizen possesses a
unique or unusual skill or expertise urgently needed by the Department, but a
suitable U.S. Citizen is not available, a non-U.S. Citizen may be assigned to a
High Risk level position provided: they are Lawful Permanent Residents of the
United States; they have resided continuously in the United States for a minimum
of three (3) years; the head of the PO, or his/her designee that owns the
system/information/network approves the assignment in writing, and the written
approval is filed with the Contracting Officer before requesting a preliminary
screening and/or investigation.

Preliminary Screening

All Contractor employees assigned or transferred into High Risk level IT

positions must undergo a preliminary security screening before:

• They are authorized to bypass significant technical and operational security

controls of general support systems, or major applications; or

• They are authorized to access applications where controls such as separation

of duties, least privilege, and individual accountability cannot adequately
protect the application or the information in it.

The preliminary security screening may include a review of completed security

forms, credit check, record checks, and file reviews. The PO must deny the
contractor employee High Risk level access to systems until the DPSO notifies
the PO that the preliminary security screening was completed favorably. The
inquiries for the preliminary security screening will be initiated within 5 working
days after receipt of the completed security forms. Within 5 working days after
receiving the results of those inquiries, a determination will be made regarding a
contractor employee’s acceptability. As necessary, a Background Investigation
(BI) will be conducted following the completion of the preliminary screening.

Reinvestigations

Contractor employees occupying High Risk level IT positions must undergo

periodic reinvestigation every 5 years for the duration of their contract at the
Department, or if there is a break-in-service to a Department contract of 365 days
or more. Each PO must ensure a complete investigative forms package is
submitted within 14 days of the DPSO’s direct request.

6. All Other Positions: Each PO must have the COR submit completed contractor
employee investigative forms for each individual required to submit forms, and a
"Request for Personnel Security Officer Action" form for each individual, to the
OM:5-101 Page 7 of 16 (07/07/2005)

DPSO within 14 days of the date the contractor employee is placed in a position,
except for contractor employees in High Risk level positions who require pre-
screening. No contractor employee is permitted access to Department
information or systems until the individual has submitted investigative
forms.

7. Each PO COR must ensure that the Contracting Officer, and if necessary the
Computer Security Officer, is kept informed during the contractor employee
screening process, including notification of the screening determination.

8. Each PO COR must provide a copy of the clearance notification to the contractor
and maintain a copy for its records. If any attributes of the position change,
including the need for a higher risk level, the PO will send a new "Request for
Personnel Security Officer Action" form, showing the new position risk level to
the DPSO. The DPSO will promptly notify the PO if the contractor employee has
not met the investigative requirements for the new position risk level.

9. Each PO must maintain an updated list of all contract positions and risk level
designations covered by these policies and procedures. The list must include the
name of the employing firm, the risk level designation of each position, the name
of each contractor employee currently in that position, the date the contractor
employee investigative forms or previous screening information was submitted,
and the date of the final screening determination. The PO CORs must also ensure
that a contractor employee is not placed in a more sensitive position than that for
which he or she was previously approved, without the approval of the DPSO and
the PO’s Computer Security Officer.

10. Performance-Based Contract: Position risk levels must be assigned within 15 days
of the contractor identifying and notifying the Department of what positions will
exist and what duties and access needs those positions will have in executing the
work under the contract.

11. Each PO COR must notify the DPSO within three workdays of the termination of
a contractor employee, either voluntary or involuntary, and furnish the reason(s)
and the date of the termination, unless the termination resulted from action by the
DPSO.

12. Contractor employees occupying High Risk level IT positions must undergo a
periodic reinvestigation every five years, or sooner if necessary. Each PO must
ensure a complete investigative forms package is submitted within 14 days of the
DPSO’s direct written request.

13. Each PO will have the CORs inform the Contracting Officer that a contractor
employee is deemed not acceptable for reasonable cause, upon notification by the
DPSO, and such finding(s) makes the individual ineligible for access to
Department facilities or systems. The Contracting Officer will make the official
notification to the contractor. A final determination cannot be appealed.
OM:5-101 Page 8 of 16 (07/07/2005)

14. Each PO must immediately deny access to all Department IT systems, facilities
and information, by a contractor employee when notified by the DPSO of an
unfavorable personnel security adjudication determination.

15. The PO must contact the DPSO if it chooses to require screening for contractor
employees who will require access for 30 days or less.

Principal Offices are permitted to develop more stringent contractor personnel

security screening policies if they determine that their organization or offices require
it. However, the PO must clear any such policy with the DPSO prior to
implementation.

B. Director, Contracts and Acquisitions Management, Office of

the Chief Financial
Officer

1. The Director must ensure that personnel security screening requirements for
contractor employees are included in all solicitations and contracts issued by the
Department. The Director must ensure that potential offerors and contractors are
aware of all personnel security requirements for contractor employees at the
earliest stages of the acquisition. Except for performance-based contracts, the
Director, in coordination with the PO and others as needed, must ensure that each
contractor employee position is assigned an appropriate risk level during the
acquisition process and that this information is included in the solicitation.

2. Performance-Based Contracts: The Director, in coordination with the Contracting

Officer (CO), the PO and others as needed, must ensure that contractor employee
positions are assigned risk designation levels at the earliest possible time during
the acquisition and that this information is communicated to the contractor for
performance-based contracts.

3. All solicitations and contracts issued after the date of this directive must include
personnel security screening requirements for Department contractor employees.
Solicitations and contracts that currently do not contain appropriate wording will
require a modification to comply with this directive.

4. The Director, with the Contracting Officer, must ensure that all contractor
employees are screened in a timely manner, as required under this Policy. During
contract performance, the Director and the respective CO will ensure that the
Department's personnel security screening directive and procedures are fully
implemented. The Director will ensure that annual reviews of contracts are
conducted to ensure continued compliance with this Handbook, the
Director/Contracting Officer must act upon instances of non-compliance. The
Director may take official action against a contractor for non-compliance,
including but not limited to withholding of payment, or termination of the
contract.
OM:5-101 Page 9 of 16 (07/07/2005)

5. The Director will ensure that the respective Contracting Officer for each contract
must implement a requirement for the timely submission of completed forms by
the contractor to the PO. Existing contracts must be modified to require the
timely and complete submissions of forms to the COR within twenty-four hours
of an assignment to a Department contract. If incomplete forms are returned to
the PO by the DPSO, they must be resubmitted to the DPSO within 10 workdays
or the contractor employee must be removed from the contract.

6. The Director, through the CO, must officially notify a contractor if an individual is
deemed not acceptable for reasonable cause and such finding(s) makes the
individual ineligible to render service(s) or otherwise perform under the contract.
A final determination cannot be appealed.

C. Department Requirements for Contractor/Contractor

Employees

As contained in each solicitation or contract, contractors and/or their employees at the

Department have the following responsibilities:

1. Each contractor must ensure that all non-U.S. citizen contractor employees are
Lawful Permanent Residents of the United States or have the appropriate work
authorization documents as required by the Department of Homeland Security,
Bureau of Immigration and Appeals, to work in the United States.

2. Each contractor must ensure that its contractor employees submit all required
personnel security forms to the COR within twenty-four hours of an assignment to
a Department contract and ensure that the forms are complete.

3. Each contractor must ensure that a contractor employee is not placed in a higher
risk position than that for which he or she was previously approved, without the
approval of the Contracting Officer or his or her representative, the DPSO and the
Computer Security Officer.

4. Each contractor must report to the Contracting Officer's Representative all

instances of individuals seeking to obtain unauthorized access to any departmental
IT system, or sensitive but unclassified and/or Privacy Act-protected information.

5. Each contractor must report to the Contracting Officer's Representative any

information that raises an issue as to whether a contractor employee's eligibility
for continued employment or access to Department IT systems, or sensitive but
unclassified and/or Privacy Act-protected information, promotes the efficiency of
the service or violates the public trust.

6. Each contractor will officially notify its employee if he or she will no longer
work
on a Department contract.
OM:5-101 Page 10 of 16 (07/07/2005)

D. Department Personnel Security Officer (DPSO)

1. The DPSO, an employee of the Office of Management, will provide oversight and
guidance for all matters relative to these policies and procedures.

2. The DPSO will receive, process, and forward contractor employees' forms to the
investigating agency as necessary. The investigating agency may be a Federal
agency or individual contractor.

3. The DPSO will promptly return incomplete forms to the PO COR for proper
completion.

4. The DPSO must notify the PO COR promptly on the results of contractor
employee preliminary security screening. The preliminary security screening may
include a review of completed security forms, credit check, record checks, and
file reviews. The inquiries for the preliminary security screening must be
initiated within 5 working days after receipt of the completed security forms.
Within 5 working days after receiving the results of those inquiries, a
determination must be made regarding a contractor employee’s preliminary
acceptability. As necessary, a Background Investigation (BI) must be conducted
following completion of the preliminary screening.

5. The DPSO will request the expansion of background investigations to obtain

additional information to the extent necessary to make personnel acceptability or
suitability determinations. These determinations will be made using criteria
established by the Office of Personnel Management for the purpose of
determining suitability for employment in the Federal competitive service, as
described in 5 CFR 731.202, and other Office of Personnel Management (OPM)
guidance. The DPSO determines whether a contractor employee is acceptable
for the position from a personnel security standpoint.

6. The DPSO will inform the PO COR when he or she determines that a contractor
employee is not acceptable to render service(s) or otherwise perform under a
contract. If, after final determination by the DPSO, a decision is made that the
contractor employee is not acceptable to render services on a contract and access
is denied, the COR will inform the Contracting Officer. The Contracting Officer
must inform the employing firm that the contractor employee is not acceptable to
render services in this particular position, or to otherwise perform under the
contract. The employing firm will notify the contractor employee. A final
determination cannot be appealed.

7. The DPSO will normally provide the contractor employee an opportunity to

refute, explain, clarify or mitigate information in question.

8. The DPSO will forward verification of clearance or other notification of the

screening determination for contractor employees to the PO COR for distribution
to the Contracting Officer, Computer Security Officer, and/or the System Security
Officer.
OM:5-101 Page 11 of 16 (07/07/2005)

9. The DPSO will coordinate with the Principal Office COR when contractor
employees require periodic screenings at five-year intervals.

E. Chief Information Officer (CIO)

The Department CIO will coordinate and provide additional support, oversight, and
guidance to the DPSO on IT-related personnel security issues and activities within the
Department.
OM:5-101 Page 12 of 16 (07/07/2005)

Appendix I: Position Risk Designation Requirements for

all Contractor Positions and Screening Requirements for
all Contractor Employees
All contractor employees must be screened. Proper position risk designation is the foundation of an effective and
consistent screening program. The position risk level determines what type of screening a contractor employee
requires. As the level of authority and responsibility of a position increases, character and conduct become more
significant in deciding whether employment or continued employment would protect the integrity and promote the
efficiency of the service.

When reviewing Information Technology (IT) positions, you must consider the controls incorporated into an IT
system, such as separation of duties, least privilege (a user will only have as much access as is needed to perform his
or her duties), and individual accountability. In cases where controls cannot adequately protect the IT system or
information in it, or where individuals are authorized to bypass significant technical or operational security controls
of the system, assign risk designations in order to screen individuals commensurate with the risk and magnitude of
the harm they could cause.

To determine a position risk level for a contractor employee position, you must consider several factors, especially
the following:

1. Whether the contractor employee will be required to participate in the design, operation, maintenance or
use of sensitive automated information systems; or

2. Whether the contractor employee will require access to sensitive but unclassified or Privacy Act-protected
information. If duties involve only duties of this type, then the position is automatically designated
Moderate Risk.

Where the duties of the position involve more than one risk level, the higher risk level will be assigned to the
position.

The three position risk levels are described in the following tables. In determining position risk level designation for
IT duties, apply the criteria below. IMPORTANT NOTE: For non-IT contractors, which may include positions
ranging from custodians to couriers, you must consider whether or not it is part of their job duties to have access to
sensitive but unclassified, or Privacy Act-protected data. In such cases where no such access to this type of data is
required, Low Risk (1C) should be the default risk level.

High Risk Potential for exceptionally serious impact involving duties especially critical to the agency mission,
(HR) with broad scope of authority, with major program responsibilities, which affect a major IT system.
Examples include, but not limited to, project manager, deputy project manager, lead system
administrator, security administrators, system development lead, system testing lead production,
data entry team leader, select security officers, firewall administrators, and web server
administrators.

Moderate Risk Potential for moderate to serious impact involving duties of considerable importance to the agency
(MR) mission, with significant program responsibilities that affect large portions of an IT system, or
duties that require individuals to view or use Privacy Act-protected information. Examples are, but
not limited to, lead system administrator backup, select system development team members, select
system testing team members, data entry clerks or supervisors.

Low Risk Potential for impact involving duties of limited relation to the agency mission through the use of IT
(LR) systems. Examples are, but not limited to, select system development team members, data entry
staff.
OM:5-101 Page 13 of 16 (07/07/2005)

Position Risk Designation

for all Contractor Positions, with Emphasis Placed on
Information Technology (IT) Contractor Positions

IT Risk Level & Code Criteria for Determining Risk Level

High Risk (6C) Position involves one or more of the following attributes:

1. Responsibility for the development, direction, implementation, and administration of

Department computer security programs, including direction and control of risk
analysis or threat assessment.

2. Significant involvement in mission-critical systems.

3. Responsibility for preparing or approving data for input into a system which does
not necessarily involve personal access to the system, but which creates a high risk
for effecting grave damage or realizing significant personal gain.

4. Assignments associated with or directly involving the accounting, disbursement, or

authorization for disbursement from systems of amounts of $10 million per year or
greater, or lesser amounts if the activities of the individual are not subject to
technical review by higher authority to insure the integrity of the system.

5. Major responsibility for the direction, planning, design, testing, maintenance,

operation, monitoring, or management of systems hardware and software.

6. Access to a system during the operation or maintenance in a way that bypasses

incorporated controls, to permit high risk for causing grave damage or realizing a
significant personal gain.

7. Any other positions that involve high risk for effecting grave damage or significant
personal gain.

Moderate Risk (5C) A position whose work is technically reviewed by a higher authority at the High Risk
level to ensure the integrity of the system.

Position involves one or more of the following attributes:

1. Access to or processing of proprietary data or information protected under the

Privacy Act of 1974.

2. Accounting, disbursement, or authorization for disbursement from systems with

amounts less than $10 million per year.

3. Other positions that involve a degree of access to a system that creates a significant
potential for damage or personal gain less than that in High Risk positions.

Low Risk (1C) Includes all IT positions not falling into one of the above risk levels.
OM:5-101 Page 14 of 16 (07/07/2005)

Position Risk Level and Required Investigation and Forms

Risk Level & Investigation Requirement Forms Required*

Code
High Risk BI (Background Investigation) SF85P
(6 or 6C) and SF85P-S
PRIR (Periodic Reinvestigation) FD 258
After 5 years, and each succeeding 5 years Fair Credit Reporting Act Release
form
Moderate Risk NACIC (National Agency Checks with Written Inquiries and SF85P
(5 or 5C) Credit) FD 258
Fair Credit Reporting Act Release
Note: If a contractor NACIC investigation develops potentially form
actionable information the background screening will be
expanded to a Limited Background Investigation (LBI) or an
(MBI) at the discretion of the DPSO.

Low Risk NACI (National Agency Check with Inquiries) SF85

(1 or 1C) Limited OF306 items**
FD 258

* Description of the Investigative Forms Required:

1. SF 85, Questionnaire for Non-Sensitive Positions

2. SF 85P, Questionnaire for Public Trust Positions (Revised 9/95)
3. SF 85P-S, Supplemental Questionnaire for Select Positions
4. OF 306, Declaration for Federal Employment
5. FD 258, Fingerprint Chart
6. Fair Credit Reporting Act Release

Note: Forms must be completed to cover a period of not less than 7 years where specified.

** The contractor employee will complete items 1, 2, 8 through 13, 16 and 17a. If the official form is not available,
the specific questions may be duplicated on a separate attachment and completed by the contractor employee.
OM:5-101 Page 15 of 16 (07/07/2005)

Summary of Investigative Types and Coverage

Investigation Item Coverage
Background Conducted for High PRSI (Personal Personal Interview
Investigation (BI) Risk (6 or 6C) positions Interview)
Employment 5 years
Education 5 years and highest degree verified
Residence 3 years
Law Enforcement 5 years
Court Records 5 years
Credit 7 years

Limited Background Agency option for PRSI (Personal Personal Interview

Investigation (LBI) Moderate Risk (5 or Interview)
5C) Positions. Employment 3 years
Education 3 years and highest degree verified
Residence 1 year
References 1 year
Law Enforcement 5 years
Court Records 3 years
Credit 7 years

Minimum Agency option for PRSI (Personal Personal Interview

Background Moderate Risk (5 or Interview)
Investigation (MBI) 5C) Positions. Employment 5 years
(Coverage is by inquiry Education 5 years and highest degree verified
only except for PRSI) Residence 3 years
References As Listed on Case Papers
Law Enforcement 5 years
Credit 7 years

National Agency Conducted for Low Employment 5 years

Check with Written Risk (1 or 1C) Education 5 years and highest degree verified
Inquiries (NACI) Positions. Residence 3 years
References
Law Enforcement 5 years
NACs (National
Agency Checks)
National Agency Conducted for Employment 5 years
Check with Written Moderate Risk (5 or Education 5 years and highest degree verified
Inquiries and Credit 5C) Positions. Used at Residence 3 years
(NACI-C) Department of References
Education as the Law Enforcement 5 years
standard Moderate Risk NACs (National
investigation unless Agency Checks)
need to upgrade to MBI Credit Check
or LBI
Periodic Conducted as a 5-year PRSI (Personal Personal Subject Interview
Reinvestigation – update for High Risk Interview)
Residence (PRIR) Computer/ADP References 5 years
positions Law Enforcement 5 years
Credit 3 years
Residence
NACs (National
Agency Checks)
OM:5-101 Page 16 of 16 (07/07/2005)

Appendix II: Position Designation Record for all Contractor

Positions

PRINCIPAL OFFICE: _________________________ ORG. CODE: ____________

CONTRACTOR (Company Name): ______________________________________________

CONTRACTOR POSITION TITLE:

________________________________________________

I. INFORMATION TECHNOLOGY (IT) RISK LEVEL: _____________________________

JUSTIFICATION: _______________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
Reminder: Be sure you have considered all pertinent access controls of the relevant IT system when
determining the position risk level, such as separation of duties, least privilege and individual accountability.

If the position is Moderate or High Risk from an IT standpoint, you do not need to perform the next
step. If the position is Low Risk from an IT standpoint, the next step may adjust the final position risk
level to a Moderate Risk level position.

II. This is a Moderate Risk level position because the contractor employee will require
access to: (Please check if applicable)

_____ Sensitive but unclassified information

_____ Privacy Act-protected information.

III. FINAL POSITION RISK LEVEL PLACEMENT: _____________________________

(Where the duties of the position involve more than one risk level, the higher of the two
risk levels will be assigned to the position.)

____________________________ ______________________
________________________
(Signature) (Signature) (Signature)
Contracting Officer's Representative Computer Security Officer Executive Officer

____________________________ ______________________
________________________
Printed Name & Date Printed Name & Date Printed Name & Date

____________________________ ______________________
________________________
Telephone Telephone Telephone
OM:5-101 Page 17 of 16 (07/07/2005)