Homeland Security Presidential Directive-12, Personal Identity Verification and Credentialing, and Background Investigations for Contractors

Purpose

This Order issues the U.S. General Services Administration’s (GSA) Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors (August 27, 2004) (HSPD-12) Personal Identity Verification (PIV) and Credentialing Policy, as well as background investigation requirements for contractor employees.

Background

There are three main guiding authorities for Federal credentialing and background investigations: Office of Management and Budget (OMB) Memorandum M-19-17, “Enabling Mission Delivery through Improved Identity, Credential, and Access Management” (May 21, 2019) (OMB Memorandum M-19-17), HSPD-12, and Federal Information Processing Standard (FIPS) 201-3. In addition, this directive aligns with the Office of Personnel Management’s (OPM) “Credentialing Standards Procedures for Issuing Personal Identity Verification Cards under HSPD-12 and New Requirement for Suspension or Revocation of Eligibility for Personal Identity Verification Credentials” (December 15, 2020).

1. Per OMB Memorandum M-19-17, all executive agencies must issue a policy requiring the use of PIV credentials as the primary means of identification and authentication for access to the agency’s facilities, networks, and information systems that align with Federal Identity, Credential, and Access Management (FICAM). 
2. HSPD-12 requires all executive departments and agencies to conduct background investigations, adjudicate the results, and issue identity credentials to all Federal employees and contractor employees who require routine physical access to federally-controlled facilities and information technology (IT) systems.  HSPD-12 also requires the use of identification by Federal employees and contractor employees to gain physical access to federally controlled facilities and logical access to federally controlled information systems. GSA Access Cards (also known within GSA as PIV cards/credentials) must be:
   1. Issued based on sound criteria for verifying an individual’s identity.
   2. Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation.
   3. Rapidly authenticated electronically.
   4. Issued only by providers whose reliability has been established by an official accreditation process.
3. The National Institute of Standards and Technology (NIST) issued FIPS 201-3, which specifies the architecture and technical requirements for common identification standards for Federal employees and contractor employees, with the goal of achieving appropriate security assurance for multiple purposes by efficiently verifying the identity of individuals.

Scope and Applicability

1. This policy provides details for HSPD-12 PIV credentialing for GSA employees and contractor employees, as well as requirements regarding background investigations for contractor employees.
2. The policy must be implemented in conjunction with GSA Order ADM 9732.1E, “Personnel Security and Suitability Program Handbook,” GSA Order ADM 5400.2A, “General Services Administration Heads of Services and Staff Offices’ and Requesting Officials’ Roles and Responsibilities to Implement Homeland Security Presidential Directive-12,” and Federal Acquisition Regulation (FAR) 52.204-9, Personal Identity Verification of Contractor Personnel.

Cancellation

This Order cancels and supersedes GSA Order ADM 2181.1, “Homeland Security Presidential Directive-12 Personal Identity Verification and Credentialing Policy, and Background Investigations for Contractor Employees,” dated March 18, 2020.

Summary of Changes

1. Updated references to the current FIPS 201-3 publication, which superseded FIPS 201-2, as well as to reflect new  GSA policies. 
2. Updated Requesting Official (RO) responsibilities, requiring them to complete the necessary documentation for lost/stolen/uncollectible GSA Access Cards.
3. Added responsibilities for a GSA Employee Supervisor.
4. Updated text pertaining to investigation types. Text is now general in nature to meet Defense Counterintelligence and Security Agency (DCSA) requirements.
5. Updated GSA requirements for background investigation relating to DCSA requirements such as RapBack, Trusted Workforce, Continuous Vetting, and other DCSA requirements that may come in the future.