FIPS 201 requires new scrutiny of contractors

FIPS Publication 201: Personal Identity Verification of Federal Employees and Contractors

A surge in background investigations of federal employees and contractors could begin in October as agencies prepare to comply with a new governmentwide standard for personal identity credentials.

The Office of Personnel Management, which will conduct the investigations, has no idea how many will be requested. "It could be a lot," said Kathy Dillaman, deputy associate director of investigations at OPM's Center for Federal Investigative Services.

To gain access to federal buildings and information systems, employees and contractors will have to use identity credentials that meet the specifications of Federal Information Processing Standard (FIPS) 201. That standard requires agencies to conduct background checks on all new federal employees and a potentially large number of federal contractors before issuing identity credentials.

Most current federal employees have already been fingerprinted and had their backgrounds checked. They will not need to go through the process again.

Dillaman expects that background investigations on federal contractors will account for the greatest workload increase. Many agencies rely on contractors who have not undergone previous background checks because their work does not affect national security, Dillaman said. But under the mandatory FIPS 201 standard, those contractors will need background checks for the first time, she said.

The prospect of a background investigation could create anxiety for those who have not gone through the process before, Dillaman said. "When you're told someone's going to do a background investigation on you, of course that can be an unsettling thing," she said.

On the other hand, OPM's procedures ensure a high level of data privacy, security and accuracy, Dillaman said. OPM does not use the databases of companies such as ChoicePoint, LexisNexis and Acxiom when it conducts background checks, she said. Those companies have come under congressional scrutiny for failing to protect the personal data stored in their databases.

A prominent privacy expert who is often critical of the government for mishandling data gives OPM credit for its investigative procedures. "The federal government really knows its stuff on conducting background checks and tends to be very fair," said Pam Dixon, executive director of the World Privacy Forum, a nonprofit group that focuses on technology-related privacy issues.

However, when employees or contractors are denied identity credentials or have their credentials revoked, they should have an opportunity to appeal, Dixon said. OPM should give agencies new guidelines on handling such appeals fairly, she said, noting that today's standard adjudication procedures for background checks "did not anticipate the role that identity theft plays in messing up people's backgrounds."

Dillaman said the basic elements of a background investigation haven't changed as a result of FIPS 201.

At a minimum, the investigation requires OPM officials to complete a process known as a National Agency Check with Inquiries.

For the National Agency Check, OPM will query the Security/Suitability Investigations Index, Defense Clearance and Investigation Index, FBI Name Check, and FBI National Criminal History Fingerprint Check databases. The National Agency Check must be completed before agencies can issue identity credentials.