‘NACI’ key to identity vetting for mandatory government PIV cards
23 May, 2005
category: Biometrics, Government, Library
By Andy Williams, Contributing Editor
Need a federal ID card but you haven’t been through ‘NACI’ yet? That seems to be one of the more frequently used buzzwords floating around Washington, D.C., even though the NACI requirement has been part of the federal lexicon since the early 1950s.
That’s right, NACI, or National Agency Check and Inquiries, was part of Presidential Order 10/04/50 signed by President Dwight Eisenhower in 1953. Today it is at the center of efforts to ensure that employees receiving the new Personal Identity Verification (PIV) Cards are who they claim to be.
Speaking to the HSPD-12 FIPS-201 Federal ID Smart Card Implementation Workshop in early May, NIST’s Curt Barker said the order “required completion of the National Agency Check with written Inquiries for all government employees. It also had a number of requirements with respect to personnel characteristics. The material that is in the FIPS with respect to what goes into a NACI came from the Office of Personnel Management and we examined a number of alternatives to doing the NACI.”
What is NACI?
The National Agency Check (NAC) is an integral part of all the background investigations. It consists of searches of the Office of Personnel Management (OPM) Security/Suitability Investigations Index (SII), the Defense Clearance and Investigations Index (DCII), the FBI Identification Division’s name and fingerprint files, and possibly other files or indices when necessary.
Its sister, the National Agency Check and Inquiries (NACI), is considered the basic and minimum investigation required on all new Federal employees. It consists of a NAC with the added security of written inquiries and searches of records covering specific areas of an individual’s background during the past five years. Inquiries are sent to current and past employers, schools attended, references, and local law enforcement.
As federal agencies rush to provide secure IDs for their employees and to verify their existing employees, NACI has gained new significance. According to Mr. Barker, “we settled on NACI (because) we found that it was already required.” The Office of Personnel Management (OPM) is the organization tasked within the government to run with NACI, he said.
With everyone seemingly in need of a NACI, this relatively simple requirement is likely to create a serious logjam as more and more agencies launch their efforts to meet the FIPS 201 requirements. But where is the logjam occurring?
“Depending on who you talk to,” said Mr. Barker, “it can take anywhere from one day … to several months (to complete a NACI). I…have been told that when we provide fingerprints as part of the check, if the fingerprints are provided in electronic form, it goes very quickly. If they are provided on paper, there is a requirement to scan them in. So that will take quite a lot longer.”
Mark Pattro, program analyst, Center for Federal Investigative Services, identified another potential logjam in the FBI name check process. “It’s a check of all other investigative files, counter intelligence, criminal, background investigations, files, things of that sort. Many, many individual names pop up in these files for reasons that have nothing to do with potentially derogatory or prejudicial information,” he said.
The problem arises when checking common names (e.g. John Smith). “We’re going to get hit and once a hit is done then the bureau has to, in some cases manually, research these files…we don’t know if it is the right John Smith. And even if it is the correct John Smith…the FBI name check is problematic in that it takes a long time to do. This is a resource problem for the bureau and we have been working with them…trying to resolve (it).”
Less common names may see a quick turnaround, but Mr. Pattro said it could take “several months (or) many months in some cases” if there is no record of the individual.
He said NACI builds on NAC, providing everything in the NAC plus mailed letters and courier, “vouchers as we call them, to people listed by the subject: employers, references, neighbors, schools, local law enforcement agencies, covering basically the last five years of the person’s life.” OPM relies on “the good faith of the individuals who receive them, to return them. They are under no obligation…(but) we do have a fairly high response rate.”
Implications for FIPS 201 and PIV
Mention was made at the GSA conference of the possibility of a “two-tier” badging system, with different background screening requirements for low-security employees and those in need of security clearance. But the implications of issuing PIV credentials based on a lower level of proofing or other criteria could undercut the PIV trust model.
“In order to establish a chain of trust,” said Mr. Pattro, “what we have done is require a minimum set of credentials and require NACI and all these other things in the identity proofing process. To establish the trust, the card that you are using in your system has gone through this rigorous process of issuing a card to the correct individual. We start with that and now we go to the part where you want to use this card. It is up to the application provider or the resource provider to decide what level of rigor do they want to go through before they allow this person or authorize this individual to access the resources.”
“To reduce the opportunities for fraudulent issuance,” added Mr. Barker, “it is required that the person appear for the credential.” But, he added, the two forms of identification required (a driver’s license and birth certificate) “are unsatisfactory and there is absolutely nothing that we were able to do about that. Some of the hijackers on 9/11 had obtained valid driver’s licenses fraudulently and used them to get on the aircraft.”
Another problem, he said, is birth certificates that “come in a bewildering array of formats…and there is simply no way to expect someone to be able to verify the authenticity of birth certificates, at least given the resources that the HR and local…police have at their disposal.”
To help verify applicants, they have to complete a form asking for addresses and background history such as employment and education. “All that really does is give us a chance to check on (the individual’s) assertions. I had been careless once or twice in the private industry and hired people who turned out to have last been employed by a vacant lot,” said Mr. Barker. “Hopefully, we can reduce the occurrence of issuance of valid credentials to people who should not have them.”
That is certainly the goal of the NACI as it relates to PIV. As the vetting and issuance process rolls out across agencies, more will be understood of the investigation tool’s strengths and weaknesses in situations of mass utilization.