Update: Department of Defense Privacy and Information Handling/Department of Defense Proposed Rule

By: Christine V. Williams on 08/11/2015

There is a lot going on with the government right now regarding information and privacy.  As the saying goes, it is not a matter of if the system is hacked or taken advantage of butwhen.  This update will quickly cover two new developments in the world of the Department of Defense (DoD).  First, DoD has issued an instruction on the handling of electronic data, information, and IT Services for the DoD.  Second,  DoD is seeking comments on its collection of information to support its Joint Personnel Adjudication System (JPAS) collection which requires personnel data to allow for the investigation and adjudication of information to issue security clearances/employment suitability for military, civilian employees and contractors seeking those credentials.

August 3, 2015, Department of Defense (DoD) Instruction (No. 8320.07) Regarding the Sharing of Data, Information, and Information Technology (IT) Services in the DOD

This Instruction deals specifically with DoD information/data/IT and protocol for DoD and its partners regarding the sharing of that all that data.  It sets forth the procedures and the waivers needed if the procedure is not followed.  This may be a simple brush up for some, a refresher for others, or a new subject.  For those that work with DoD, some find it very helpful to trace the origin and logic of the system to the natural outcropping to contractors.

  • DoD Instruction is issued in accordance with DoD authority that supersedes some previous instructions and works with other instructions in place regarding this subject.
  • This Instruction:
    • Establishes policy, assigns responsibilities, and prescribes procedures to implement and enable a secure sharing environment in the DoD that supports the warfighting, business, DoD intelligence, and enterprise information environment mission areas.
    • Describes or references key enablers necessary for sharing data, information, and IT services and ensuring data, information, and IT services are visible, accessible, understandable, trustworthy, and interoperable.  Key enablers include, but are not limited to, concepts, processes, governance forums, standards, models, and shared vocabularies.  For the purposes of the instruction, data sharing and information sharing are equivalent terms.  Service and IT service, are used interchangeably throughout this instruction.  IT services include DoD Enterprise Services; however, not all IT services are DoD Enterprise Services.
    • Guides the use of resources for implementing the sharing of data, information, and IT services within the DoD Information Enterprise (IE) and with mission partners.
    • Incorporates and cancels DoD 8320.02-G (Reference (c)).

JPAS, Proposed Rule Issued August 3, 2015, Filed on August 6, 2015, and Published on August 7, 2015.  Comments Due September 8, 2015.  (Citation: 80 FR 47480)

Most federal contractors have encountered JPAS and the maze that may accompany the forms and paperwork to get an employee a security clearance.  The DoD is seeking comment on this system, and the reduction in paperwork related to the JPAS data collection.  This regulation is a bit more confusing than some, as it does not seem as straight forward as most as to its goal other than “paperwork reduction” and the last line of needs and uses.  If you have been frustrated with the JPAS system in the past, now may be the chance to constructively tell an agency what translates from regulation to practice and how it may be improved.  (Even if it is not directly on point, try to work in some constructive comments when working with clients to get an agency better aligned with industry practices and practicality.)

Language from the Website

Needs and Uses: JPAS requires personal data collection to facilitate the initiation, investigation and adjudication of information relevant to DoD security clearances and employment suitability determinations for military, civilian employees and contractors seeking such credentials. Security Managers working in private companies that contract with DoD and require access to JPAS to update security-related information about their company’s employees must complete DD Form 2962 to access JPAS. Completion of the form assures users have met the requirements for access to the system of record.

Affected Public: Business or other for-profit.