
POLICY ON THE PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION (PII)
OPM-FIS FIELDWORK SERVICES PROGRAM MANAGEMENT OFFICE (PMO)

February 2017

The information contained in this guide is confidential and proprietary to CSRA-NBIB employees only. No part
of this guide may be distributed or disclosed in any form to any third party without written permission from
CSRA.

Table of Contents

1.0 INTRODUCTION AND DEFINITIONS
2.0 RESPONSIBILITIES
3.0 PII STORAGE REQUIREMENTS
3.1 Program Management Office (PMO) Storage Requirements
3.2 Domicile Storage Requirements
3.3 Vehicle Storage Requirements
3.4 Hotel Room Storage Requirements
3.5 Commercial Travel Storage Requirements
4.0 PII TRANSMISSION
4.1 Text Messaging Transmission of PII
4.2 Email Transmission of PII
4.3 Portable Media Storage Transmission of PII
4.4 Fax Machine Transmission of PII
4.5 Website Transmission of PII
4.6 Completed Cases
4.7 Releases
5.0 MANIFESTING REQUIREMENTS
5.1 Daily Manifest Requirements
5.2 Package Manifest Requirements
6.0 REPORTING A POSSIBLE PII BREACH
7.0 INITIAL NOTIFICATION
8.0 OFFICIAL LOSS NOTIFICATION
9.0 COMPLIANCE
PII ACKNOWLEDGEMENT & DOMICILE STORAGE REQUIREMENTS

CSC Government Solutions LLC, A CSRA Company
3170 Fairview Park Drive • Falls Church, Virginia 22042
Phone: (703) 876-1180 | Fax: (703) 641-9814 | Website: www.csra.com
1.0 INTRODUCTION AND DEFINITIONS

1.1 As personnel working on behalf of the United States Office of Personnel Management
(OPM), Federal Investigative Services (FIS), it is your responsibility to protect all
information entrusted to you at all times. The Privacy Act of 1974 assigns the same
personal responsibility to all Federal and contract employees of all Federal Government
Agencies. An essential component of meeting this responsibility is to ensure that you
properly use, protect, and dispose of Personally Identifiable Information (PII).

1.2 This policy applies to all CSRA personnel, subcontractors, and individual contractors, to
include all personnel, subcontractors, and individual contractors working under
Information Systems & Network (ISN) (hereinafter referred to only as “personnel” or
“employees”).

1.2.1 The term “employee” or “personnel” indicates individuals who have been cleared
by OPM to perform work for CSRA under the awarded contract, regardless of
that individual’s employment or contract status with CSRA or sub-contractor
ISN.

1.3 This policy has been created to implement a formal process for the proper use,
protection, and disposal of all PII in accordance with the OPM Contract, OPM’s PII
Policy, FIS Security Manual, OPM Investigator Handbook, and the Office of
Management and Budget (OMB) Memorandum M-07-16.

1.4 OPM has officially adopted the verbatim definition of PII established by the Office of
Management and Budget (OMB) in 2007 and updated in 2010, which states: The term
“PII,” as defined in OMB Memorandum M-07-16 refers to information that can be used
to distinguish or trace an individual’s identity, either alone or when combined with
other personal or identifying information that is linked or linkable to a specific
individual. The definition of PII is not anchored to any single category of information
or technology. Rather, it requires a case-by-case assessment of the specific risk that an
individual can be identified. In performing this assessment, it is important for an agency
to recognize that non-PII can become PII whenever additional information is made
publicly available – in any medium and from any source – that, when combined with
other available information, could be used to identify an individual.

1.5 All personnel are responsible for:

1.5.1 Capturing relevant information about a suspected or confirmed breach.

1.5.2 Reporting any privacy incident or suspected privacy incident to their supervisor
immediately when becoming aware of the risk – regardless of the time or day of
the week – following the established reporting procedure. If the supervisor is not
available, employees are responsible for reporting to CSRA’s Program
Management Office (PMO) security administrations team via (703) 876-1180 or
email at CSRA_OPM_Security@CSRA.com.

1.6 All personnel should limit the printing and transporting of PII whenever possible to
minimize potential loss. The less hardcopy PII outside of the program’s control, the less
vulnerable the program is to a PII breach.

1.7 Chain of custody is defined as control of material pertaining to a Subject of an
investigation upon receipt until PII is properly relinquished to an approved authority or
properly destroyed.

1.8 Transfer of PII responsibility and/or accountability occurs only if the information has
been positively confirmed to have been received by the authorized parties.

1.9 A barrier is defined as an obstacle that prevents unauthorized access. When not in use,
all PII entrusted to personnel will remain within two (2) barriers at all times.

2.0 RESPONSIBILITIES

The execution of CSRA’s PII Policy is the responsibility of Ronald A. Nesbitt, Program
Manager. The day-to-day management and oversight of these policies has been further delegated
to Anthony Durante, Deputy Program Manager, Operations and Michael Mines, Deputy Program
Manager, Support. Policy implementation and maintenance is the responsibility of Vanessa
Hazzard, Retention & PII Manager. Reporting breaches and any potential loss of PII is the
responsibility of the security administrations team, managed by Alvina Hollis. Should any
questions arise regarding CSRA’s PII Policy, personnel shall contact their supervisor for
clarification.

While certain minimum standards of control are defined throughout this document, the constantly
changing nature and varying circumstances associated with conducting background investigations
mean that personnel must rely primarily on common sense and good judgment in the handling of PII.
The protection of PII is an integral responsibility of all personnel.

2.1 All personnel are trusted with highly sensitive PII, the protection of which is an inherent
responsibility of all. The CSRA PII standards for the protection of PII are based on the
mandatory compliance requirements of Federal statutes, OMB guidance, and OPM-FIS
policies.

2.2 All personnel are responsible for ensuring full compliance with all aspects of the PII
policy. Personnel must immediately report any possible compromise of PII following
the established reporting procedures. Failure to adhere to the PII Policy, to include
reporting procedures, may be grounds for disciplinary or adverse action, up to and
including removal from the OPM Contract.

3.0 PII STORAGE REQUIREMENTS

When transporting PII between locations, it shall be contained within a closed container (e.g.,
closed briefcase, zippered portfolio). To reduce the potential for inadvertent loss, PII shall
not be transported in an open container.

3.1 Program Management Office (PMO) Storage Requirements

3.1.1 All PII and case related materials must be returned to the CSRA PMO for
retention, and subsequent destruction (upon OPM’s consent), within thirty-seven
(37) calendar days from the date of transmission for all staff not residing
within the PMO.

3.1.2 A two (2) barrier rule applies to the protection of all PII within the PMO space.

3.1.3 The primary barrier of the PMO space shall be a locked exterior office door, to
prevent the entry of unauthorized individuals. All cipher and PIV controlled
exterior locks must be changed within twenty-four (24) hours following the
separation of an individual. For offices where a key locked entry is required, the
key must be retrieved from the separating individual. If the key was lost or
otherwise not returned, then the lock must be changed within twenty-four (24)
hours.

3.1.4 During regular office hours, personnel may serve as the second barrier for the
protection against unauthorized access to PII within CSRA’s control.

3.1.5 When the office is not staffed (outside of working hours or when authorized
staff are out of the office), PII shall be secured within a locking file cabinet or
within a designated storage area behind a separately locked internal door. In this
instance, a locked file cabinet or separately secured internal door will serve as
the second barrier. An activated alarm system may also serve as the second
barrier.

3.1.6 Individuals who are not properly cleared for authorized access to OPM office
space(s) must sign a visitor’s log and be escorted at all times. These individuals
will not have access to any PII or case related materials.

3.2 Domicile Storage Requirements

3.2.1 Case related materials may not be stored at any domicile, satellite office or any
other non-PMO locations beyond thirty-seven (37) calendar days from the date
of transmission. Under no circumstances will personnel maintain PII or case
related material beyond this timeframe. This timeframe does not apply to
materials held within the PMO.

3.2.2 Information will be secured from access by others, including family members
and guests, who may reside and/or enter the domicile.

3.2.3 When the domicile location is unattended and contains PII, the residence will be
locked and adhere to the two barrier rule at all times.

3.2.4 All personnel will provide the security administrations team with documentation
explaining how PII is stored and protected within their residence.
Documentation will be provided within thirty (30) days of receipt of the PII
Policy. In no event will OPM work be assigned prior to submission. In addition,
the documentation must be updated within thirty (30) days of any change in
domicile procedures or locations. The security administrations team will
maintain current copies of each employee’s submission and must obtain yearly
updates from all staff members. Yearly updates, within thirty (30) days of the
date signed the previous year, must be obtained for all personnel (e.g., if the
employee completed their domicile procedures on 10/1/2014, the yearly update
for 2015 must be completed no later than 11/1/2015). It is the responsibility of
the security administrations team to determine whether or not the submitted plan
is acceptable.

3.3 Vehicle Storage Requirements

3.3.1 Vehicles will be used for the transport of PII, when such transport is required for
conducting official OPM business. PII will never be left in a vehicle overnight
or for any extended period of time. While it is recognized that the storage of PII
in vehicles, under certain circumstances, will be unavoidable, whenever possible
personnel shall take PII with them and not leave it in a vehicle. While it is
emphasized that only the minimum PII necessary to work productively should
be carried into the field, it is recognized that some investigative activities, such
as those conducted in residential areas, require that the investigator travel
lightly.

3.3.2 Under these limited circumstances, PII may be secured in a locked trunk, as
long as the information is secured in a manner that complies with sections 3.3.3
through 3.3.6.

3.3.3 Case material will never be left unattended while in plain view or in any area
other than the trunk of a vehicle.

3.3.4 The only authorized storage location for PII, within a parked vehicle, is within a
locked trunk. When storing PII within a locked trunk, personnel shall take
measures to place the PII in the trunk prior to arriving at their destination, so as
to avoid drawing attention to the storage of materials within the trunk.

a. If the vehicle does not have a separate locking trunk area, as is the case with
certain sport utility vehicles, personnel will place the PII in the equivalent area
of the vehicle and ensure it is covered from plain view and does not attract
unusual attention.

3.3.5 Personnel will ensure the vehicle is locked and that all windows are fully closed,
prior to leaving the vehicle.

3.3.6 Personnel will ensure items of value or other material that may attract undue
attention to a vehicle are secured out of plain view (e.g. tablets, computers, GPS
units, cell telephones, purses, packages, etc.).

3.4 Hotel Room Storage Requirements

3.4.1 Never leave material containing PII, to include laptops, in plain view.

3.4.2 If available, PII should be stored in a locked safe inside the room. If no locking
safe is available, PII should be stored out of plain view.

3.4.3 If unable to adequately secure PII within a hotel room, personnel should
evaluate if taking the material with them for temporary storage, to include
within their vehicle, is more appropriate during times when not in the hotel
room.

3.5 Commercial Travel Storage Requirements

3.5.1 When traveling via airline or by other commercial means (bus, train, etc.), PII
material, to include laptops and any other information technology equipment
containing PII, will never be stored within checked baggage and will remain
within the control of the personnel at all times.

4.0 PII TRANSMISSION

4.1 Text Messaging Transmission of PII

4.1.1 Text messages will never be used for transmission of PII or any case related
information.

4.2 Email Transmission of PII

4.2.1 When it is not possible to reach a Subject or source by phone or in person, and
where emails are known, personnel are permitted to use email.

4.2.2 Emails will never contain PII. For email purposes, the use of a Subject’s last
name and the case number are not considered PII.

4.2.3 Personnel will never request PII via email from a source or Subject. This
includes, but is not limited to, case related information. See Investigators Handbook
3.2.6 for further guidance.

4.2.4 In the event a Subject or Source communicates via email, print the email and
retain it in the case notes. No further contact via email should transpire.

4.3 Portable Media Storage Transmission of PII

4.3.1 Portable media may be used to store PII data provided the device and/or
portable media is issued by OPM. PII placed on the device and/or portable
media must be encrypted and handled in accordance with established PII Policy.
The use of portable media devices must comply with all current OPM policies.

4.3.2 Personnel will never attempt to copy information from an OPM issued device
nor relinquish the device to any non-OPM cleared personnel.

4.3.3 The “windows to go stick” (USB thumb drive) will never be used in any
electronics other than the CSRA issued laptops.

4.3.4 As a reminder, no software is to be introduced to any CSRA/OPM issued
devices that has not been previously approved.

4.4 Fax Machine Transmission of PII

4.4.1 When faxing PII, the primary method for transmission of PII should be a CSRA
issued fax machine or government owned or controlled facsimile.

4.4.2 Personnel will use only the CSRA issued fax cover page when sending faxes
and will not attempt to alter the form in any way.

4.4.3 When faxing material, personnel shall maintain visual control of the
document(s) at all times. Personnel will confirm validity of fax numbers prior
to sending.

4.4.4 Frequently utilized numbers shall be pre-programmed into the fax machine and
checked periodically to avoid accidental compromise of PII.

4.4.5 The use of non-government or other commercial services (such as Kinkos or
Staples) for sending facsimiles is permitted when the sender is on TDY or does
not have access to a CSRA issued fax machine or a Government owned or
controlled facsimile machine. In such instances, the sender will never relinquish
visual control of the document and will ensure accountability of the document at
all times.

4.4.6 If receiving PII at a non-government or other commercial service facsimile, the
recipient must be present at the time of transmission to receive the document.
Personnel will never request a document containing PII be sent to a commercial
service or other non-government location or have individuals who are not authorized
to view or handle FIS documents (hotel staff, store employees, etc.) receive it for
them.

4.4.7 Personnel will verify the receipt of all faxes. In cases where a machine
generated delivery confirmation is available, this document shall be retained by
personnel and will suffice as a delivery receipt. Personnel will store the
information receipt within the case notes. Retention will be in accordance with
current case retention policies.

4.4.8 Employees will never use any online services for sending or receiving faxes.
Services that digitize and email faxes to a sender are strictly prohibited (Ring
Central, My-Fax, E-Fax, etc.).

4.5 Website Transmission of PII

4.5.1 Entering PII (Subject identifiers such as a name and SSN) on public internet
sites to obtain investigative results is strictly prohibited unless specific
authorization is received through appropriate procedures and the website(s) have
been authorized for such use by OPM-FIS.

4.5.2 Authorization regarding utilization of particular sites will be disseminated to
personnel by CSRA when/if the use of such sites has been approved by OPM-FIS.

4.5.3 Use of the internet is permissible for lead purposes. “Lead purposes” are those
activities that may assist personnel in conducting investigations more efficiently
and do not require the inputting of PII for search results. Examples include
locating addresses of facilities or phone number(s) of individuals.

4.6 Completed Cases

4.6.1 CSRA PMO ONLY- All case materials will be maintained by CSRA until 30
calendar days after OPM case closing. Within five days thereafter, all such
material must be destroyed via an approved method as per prime contract
requirements.

4.6.2 At no time will personnel outside of the CSRA PMO destroy any PII or case
related materials.

4.6.3 CSRA PMO ONLY- CSRA will ensure materials are properly destroyed per the
requirement(s) noted in 4.6.1. Personnel will maintain destruction logs of all
case materials destroyed. Destruction logs will be maintained for a period of two
(2) years. The destruction of materials will comply with the requirements of
OPM-FIS Safety and Security Manual.

4.6.4 Investigative personnel will delete cases from their computer(s) within five
business days of being directed to do so.

4.7 Releases

4.7.1 When providing a release to a source, personnel will redact the Date of Birth
and SSN from the release. The referenced information does not need to be
redacted for record providers.

4.7.2 All releases obtained during the course of an investigation shall be faxed to
CSRA’s OPM retention department, utilizing one of the following numbers.
This will replace the requirement of faxing obtained releases directly to OPM.

a. (703) 641-9812
b. (703) 641-9813
c. (703) 641-9814

5.0 MANIFESTING REQUIREMENTS

5.1 Daily Manifest Requirements

5.1.1 The submission of a daily manifest within CSRA’s Case Management System
(CMS) is required, as it provides accountability of case material in possession of
personnel while moving between their duty stations and/or authorized locations.

5.1.2 Field personnel and/or teleworking individuals will create and submit a manifest
at the start of each working day, prior to transporting any PII. A manifest is not
required if an individual is not conducting field work, not currently scheduled
any items or cases, or otherwise not transporting PII between locations. The
creation of a multiday manifest is prohibited. Creation of manifests or
submission of a manifest more than 24 hours in advance is prohibited.

5.1.3 Supervisors will ensure full accountability for daily manifests, as outlined
above.

5.1.4 Personnel with the need to transport material containing PII will be responsible
for completing a detailed manifest. At a minimum, the manifest will contain the
following information:

a. Date of manifest
b. Staff name & Staff ID (SID)
c. Case name(s) (last), case number(s)
d. Identification of the document(s) (e.g., case papers, type of release(s), Case
Assignment Transmittals (CAT), etc.)

5.1.5 Reconciliation of the manifest must be completed upon return to/arrival at the
final duty location. Any discrepancies within the daily reconciliation of PII must
be immediately reported as outlined in this policy.

5.1.6 Manifests will be maintained for a period of two (2) years from date of final
receipt in CSRA’s CMS.

5.2 Package Manifest Requirements

5.2.1 Upon receipt of case assignments, personnel may print necessary case material
if equipped to do so and there is a specific need to print the material. This
replaces the shipment of case material whenever possible.

5.2.2 All case related materials must be returned to CSRA PMO for retention within
thirty-seven (37) calendar days from the date of transmission. In this instance,
and whenever necessary, Federal Express (FedEx) will be used to ship case
related materials and all PII to ensure each package can be tracked throughout
the entire shipping process by use of the tracking number provided. FedEx
shipping labels shall be provided via email from CSRA to facilitate shipping.

a. The use of any commercial carrier other than FedEx, for retention and
Government Furnished Equipment (GFE) (i.e. items shipping to and from
CSRA), is strictly prohibited (e.g. USPS, UPS, etc.). Personnel will not
initiate FedEx shipping labels; labels should be requested from the CSRA
PMO office at CSRA_OPM_Material@csra.com.

5.2.3 All case related material sent via FedEx will be fully manifested prior to
sending. The manifest will contain the case names and associated numbers for
all material contained within the shipment, along with all other relevant
documents (e.g., case papers, type of release(s), CAT, etc.) containing PII
within the shipment. The sender of the shipment will include one copy of the
manifest in the shipment and will retain a second copy for use in the event of a
lost or damaged shipment. All material will be double wrapped and sealed
utilizing the internal envelope (provided by CSRA) which will be preprinted
with the return address in the event the exterior package is damaged. At a
minimum, the manifest will contain the following information:

a. Date of manifest
b. Staff name & SID
c. Case name(s) (last), case number(s)
d. Identification of the document(s) (e.g., case papers, type of release(s), CAT,
etc.)

5.2.4 Upon receipt of the shipment, the recipient will promptly reconcile the package
contents with the enclosed manifest. Any discrepancies will be immediately
reported to the sender and proper reporting requirements will be followed.

5.2.5 The original manifest(s) will be maintained for a period of two (2) years in
CSRA’s CMS. The recipient will destroy, per program requirements, the hard
copy of the manifest upon the reconciliation of the case materials.

6.0 REPORTING A POSSIBLE PII BREACH

6.1 The determination about whether PII has been breached will be done carefully but
promptly to ensure that the likelihood of a breach of PII is established by the
preponderance of the data available. Mere suspicion of a breach should not be reported
without further follow-up to determine the exact circumstances.

6.2 In evaluating whether or not to report a breach, personnel shall consider all relevant
factors. Instances of theft or any other immediately known loss should be reported as
such. Cases of missing packages within FedEx or other commercial carrier services
should be investigated further to determine the likelihood of a lost package, as opposed
to one that is simply delayed. In all instances, once a loss or other breach is suspected or
known, it must be immediately reported.

6.2.1 Shipments that cannot be accounted for after 48 hours shall be reported as a PII
loss.

6.2.2 Misdirected faxes and other dissemination of documents to unauthorized
individuals shall be reported as a PII loss.

6.2.3 In cases where it is undetermined whether or not an incident should be reported,
personnel shall immediately contact their supervisor for further guidance and
instructions.

6.2.4 The responsibility for proper follow-up and additional measures regarding the
investigation and/or recovery of lost materials will be that of the supervisor and
CSRA security administrations team.

7.0 INITIAL NOTIFICATION

7.1 Immediately upon becoming aware of a possible PII incident, the supervisor of the
individual responsible for the loss, unless the supervisor cannot be reached, will notify
the CSRA security administrations team at (703) 876-1180 or via email at
CSRA_OPM_Security@CSRA.com.

7.1.1 The security administrations team or the Supervisor of the individual
responsible for the loss will notify OPM’s Office of the Chief Information
Officer either telephonically by calling (844) 377-6109 or via email to
CyberSolutions@OPM.gov.

7.2 The reporting individual will need to provide all known details of the incident to include
name, location, number of cases, and as many details of the incident as possible.
Specific PII of individuals should not be included (e.g., SSN). When reporting a PII
breach it must be noted if National Agency Check (NAC) items are lost for proper
reporting to the originating agency.

7.3 The security administrations team will follow up with the reporting individual
immediately. A voicemail with the information requested in section 7.2 should be left in
the event the phone is not answered immediately and followed up with an email via the
information in section 7.1.

7.4 The security administrations team will correspond with the responsible individual’s
supervisor on steps to initiate recovery of the material and/or to follow up with
additional parties relevant to the loss and/or recovery of PII material.

7.5 Within four (4) hours from the point that the incident is reported to the Office of the
Chief Information Officer, the security administrations team and the supervisor of the
individual responsible for the PII loss will coordinate the submission of the FIS PII Loss
Reporting Form to the FIS Incident Response Team, via email at
FISIncidentResponseTeam@OPM.gov.

7.6 Supervisors are responsible for ensuring that the security administrations team is
immediately updated on changes to initially reported information (e.g. PII is found, lost
shipment recovered, etc.) so they can inform the FIS Incident Response Team.

7.7 If, within 60 days after the PII loss was initially reported, the status of the PII loss has
not changed, or it has not been previously updated as per 7.6, the security
administrations team will provide a status update to FIS Integrity Assurance.

8.0 OFFICIAL LOSS NOTIFICATION

8.1 FIS Integrity Assurance will review each reported PII loss and make a recommendation
regarding notification to the FIS Freedom of Information and Privacy Act Office
(FOIPA). When required, FIS FOIPA will notify OPM OGC regarding appropriate
notifications. FIS FOIPA will ensure all required notifications to the affected
individual(s) are made within three business days of determination, unless specific
circumstances of an individual loss dictate faster notification. All notifications will
conform to the required internal procedures for such.

8.2 All notifications to Subjects affected by lost PII will be made as approved by the
required procedures for such. Personnel not associated with the official notification
procedures should not notify or otherwise inform affected Subject(s) of lost PII. Any
exceptions must be coordinated through OPM-FIS Integrity Assurance and/or FIS’
Freedom of Information and Privacy Act Office.

9.0 COMPLIANCE

9.1 A signed acknowledgement of CSRA’s PII policy is required from each individual prior
to being assigned work containing PII. The signed form is to be retained by the security
administrations team and will be updated on an annual basis per 3.2.4.

9.2 FIS Integrity Assurance is responsible for the oversight to enable full compliance with
the established FIS PII Policy. For this compliance, FIS Integrity Assurance will
conduct random audits of FIS offices. All personnel must fully comply with PII Audits.

9.3 Exceptions to the standards set forth in this policy will be submitted to FIS Integrity
Assurance for review and determination. No exceptions are authorized without the prior
approval of FIS Integrity Assurance.

9.4 Failure to comply with the FIS/CSRA PII Policy may result in disciplinary action, up to
and including removal.

PII ACKNOWLEDGEMENT & DOMICILE STORAGE REQUIREMENTS
February 2017

The U.S. Office of Personnel Management (OPM) requires all personnel to provide documentation
explaining how PII is stored and protected within their residence. This policy applies to all personnel who
have been cleared by OPM to perform work for CSRA, regardless of that individual’s employment or
contract status with CSRA or sub-contractor ISN.

A brief synopsis of the Domicile Storage Requirements (section 3.2 of the PII Policy) is stated below:

• Case related materials may not be stored at any domicile, satellite office or any other non-PMO locations
  beyond thirty-seven (37) calendar days from the date of transmission.
• Information will be secured from access by others, including family members and guests, who may reside
  and/or enter the domicile.
• When the domicile location is unattended and contains PII the residence will be locked and adhere to the two
  (2) barrier rule at all times.
• Domicile Storage documentation & PII Acknowledgement will be provided within thirty (30) days of receipt of
  the PII policy and any amendments to the policy to include annual updates.
• Documentation will be submitted within thirty (30) days of any change in domicile storage procedures to
  include address changes.

CHECK ALL THAT APPLY TO YOUR HOME AND HOW YOU SECURE PII IN YOUR POSSESSION
[ ] My residence is always locked when I am not home
[ ] PII is always secured from access by others
[ ] I have an active alarm system
[ ] PII is stored in a locked file cabinet/desk drawer
[ ] PII is stored in a locked bag/briefcase
[ ] PII is stored in a locked room
[ ] PII is stored in a locked closet
[ ] Other (specify):

MY HOME INFORMATION:
Street Address:
City, State, Zip:
Personal Phone Number:

STATEMENT OF UNDERSTANDING:
I have read, understand, and agree to abide by the protocols set forth in this policy and will discuss any questions or
concerns with my supervisor. I further certify I safeguard PII by practicing consistent judgment and care while PII is
in my possession, and the method in which I administer PII practices and policies is true and accurate.

Sign: SID:

Print: Date:

THIS FORM IS TO BE RETAINED IN THE PERSONNEL FILE
