5 FAM 100
INFORMATION TECHNOLOGY (IT) MANAGEMENT
5 FAM 110
IT MANAGEMENT
(CT:IM-329; 11-22-2024)
(Office of Origin: DT/BMP/SPB/PM)
5 FAM 111 Summary
(CT:IM-329; 11-22-2024)
This subchapter details Department officials and organizations that manage, support, and advise on IT activities and their primary roles and responsibilities, including those related to budget and resource requests for IT investments.
5 FAM 112 SCOPE
(CT:IM-329; 11-22-2024)
All Department organizations must follow the guidance in this subchapter when establishing the Bureau Resource Request (BRR) and the mission Resource Request (MRR) for information technology investments.
5 FAM 113 GENERAL POLICY
(CT:IM-329; 11-22-2024)
a. Department officials identified in 5 FAM 115 have primary responsibilities for the development, oversight, and implementation of the Department’s IT program and activities.
b. System managers must follow 5 FAM 800 for their specific responsibilities. IT project managers must follow requirements in 5 FAM 600 and website managers must follow requirements in 5 FAM 700.
5 FAM 114 PRIMARY RESPONSIBILITY FOR IT MANAGEMENT
(CT:IM-329; 11-22-2024)
The principal management officials and organizations that manage, advise, and support IT activities are:
(1) Under Secretary for Management (M);
(2) Chief Information Officer (CIO):
(a) Deputy CIO for Business, Management, and Planning/Chief Knowledge Officer (DCIO/BMP);
(b) Deputy CIO for Enterprise Infrastructure (DCIO/EI);
(c) Deputy CIO for Enterprise Services DCIO/ES); and
(e) Deputy CIO for Cyber Operations (DCIO/CO);
(3) E-Gov Program Board (E-GovPB):
(a) E-Gov Advisory Group; and
(b) E-Gov Program Management Office (E-Gov PMO);
(4) Assistant Secretary, Diplomatic Security (DS);
(5) Chief Financial Officer (CFO);
(6) Technology Review Board (TRB);
(7) Department program managers; and
(8) Other Department organizations (see 5 FAM 115.8 for details).
5 FAM 114.1 Under Secretary for Management (M)
(CT:IM-329; 11-22-2024)
The Under Secretary for Management (M) directs and administers the Department’s worldwide IT resources and chairs the E-GovPB. M has responsibility and authority over the IT budget.
5 FAM 114.2 Chief Information Officer (CIO)
(CT:IM-329; 11-22-2024)
The Chief Information Officer (CIO; equivalent to an Assistant Secretary) heads the Bureau of Diplomatic Technology (DT) and serves as the principal information technology adviser to the Secretary of State and M. The CIO ensures development; implementation; and as necessary, revision of IT policies, plans, and programs. (See 1 FAM 271 for additional CIO duties and responsibilities.)
5 FAM 114.2-1 Deputy CIO for Business, Management and Planning/Chief Knowledge Officer (DCIO/BMP)
(CT:IM-329; 11-22-2024)
The Deputy CIO for Business, Management and Planning/Chief Knowledge Officer (DCIO/BMP) provides assistance and advice in the execution of the CIO’s responsibilities. Additional duties include ensuring that the Department’s information resource management decisions reflect the needs of the Department’s business sponsors by anticipating changes in both technology and the business practices of the Department. Performing these duties validate that the Department’s information resource programs fully meet information, E-Government and knowledge management objectives. (See 1 FAM 275 for more information on this office.)
5 FAM 114.2-2 Deputy CIO for Enterprise Infrastructure/Chief Technology Officer (DCIO/EI)
(CT:IM-329; 11-22-2024)
The Deputy CIO for Enterprise Infrastructure (DCIO/EI) provides the day-to-day operations for the Department's worldwide technology infrastructure and assists and advises the CIO concerning technical operations. Additional duties include providing direction and policy guidance on operational activities in DT to ensure that the Department and other foreign affairs agencies receive rapid, reliable, responsive, and secure, classified and unclassified voice and data information management operating systems, networks, and programs. (See 1 FAM 276.)
5 FAM 114.2-3 Deputy CIO for Enterprise Services (DCIO/ES)
(CT:IM-329; 11-22-2024)
The Deputy CIO (DCIO) for Enterprise Service (ES) Officer assists and advises the CIO in the execution of the CIO’s responsibilities related to enterprise services that include hardware, software, and digital and collaborative resources to the benefit of the Department's mission. The DCIO sets the strategic vision and directs the budgetary resources for the ES directorate per the CIO direction.
5 FAM 114.2-4 Deputy CIO for Cyber Operations (DCIO/CO)
(CT:IM-329; 11-22-2024)
The Deputy CIO for Cyber Operations (DCIO/CO)/ carries out the information security responsibilities of the CIO under the supervision of the CIO (see 44 U.S.C. 3544). The DCIO/CO heads DT’s Cyber Operations (DT/CO) ensuring agency compliance with the Federal Information Security Modernization Act of 2014 (FISMA) (Public Law 113-283), and other applicable laws. (See 1 FAM 273.)
5 FAM 114.3 Electronic Government Program Board (E-GovPB)
(CT:IM-329; 11-22-2024)
The Electronic Government Program Board (E-GovPB) is the principal IT advisory entity to the Under Secretary for Management (M), and functions as the Department’s IT capital planning Executive Review Board. It ensures systematic selection, control, and evaluation of the Department’s E-Gov/IT plans, programs and investments; approves the Department’s IT Strategic Plan; and reviews and recommends IT funding priorities and budget requests. (See eGOV Charter.)
5 FAM 114.3-1 E-Gov Advisory Group
(CT:IM-329; 11-22-2024)
The E-Gov Advisory Group provides a business, technical, and investment evaluation of IT initiatives before submission to the E-GovPB. The group also considers potential risk, cost, benefit, alignment with the Department’s enterprise architecture, and priority of IT investments. This group also identifies and provides information on IT initiatives to the E-GovPB.
5 FAM 114.4 Assistant Secretary, Bureau of Diplomatic Security (DS)
(CT:IM-329; 11-22-2024)
a. All IT activities and programs must have a secured environment for conducting U.S. diplomacy and promoting U.S. interests worldwide. To support this objective, the Bureau of Diplomatic Security (DS) helps ensure that a secure, comprehensive, technically current and cost effective IT security program is maintained according to FISMA, and other applicable laws and National Security Directives. (See Omnibus Diplomatic Security and Anti-Terrorism Act of 1986, as amended (22 U.S.C. 4802(a)) and Delegation of Authority 214 of September 20, 1994, Section 8).
b. DS provides:
· Network Monitoring
· Cyber Incident Handling
· Cyber Threat Analysis
· Compliance Verification and Vulnerability Analysis
· Cyber Security Policy and Configuration Development
· Cyber Security Awareness and Training
· Regional Computer Security Officer (RCSO) program
c. DS is also responsible for the physical, technical, information, and personnel security programs that enable a secure IT environment, and administers the Cyber Security Incident Program. These actions help maintain a secured environment for conducting U.S. diplomacy and promoting U.S. interests worldwide.
5 FAM 114.5 Chief Financial Officer (CFO)
(CT:IM-329; 11-22-2024)
a. The Chief Financial Officer (CFO), along with the CIO, provides complete and accurate accounting of IT expenditures, related expenses, and results in accordance with the Paperwork Reduction Act of 1995 (see 44 U.S.C. 3506(b)(3)(B)). The CFO implements systems and financial policies that control the Department’s costs. The CFO, along with the CIO, is deputy co-chair of the E-GovPB. (See Sections 802 and 803 of the Federal Financial Management Improvement Act of 1996 (FFMIA) (31 U.S.C. 3512 note).)
b. The CFO publishes Department policy for identifying specific financial thresholds and other criteria to determine when software must be capitalized.
c. The CFO also provides advice on current and prospective intelligence resources and critical infrastructure protection matters, including developing strategies and initiatives for the Department.
5 FAM 114.6 Technology Review Board
(CT:IM-329; 11-22-2024)
5 FAM 114.6-1 Department’s Technology Review Board (TRB)
(CT:IM-329; 11-22-2024)
The Department’s Technology Review Board (TRB) manages the process for insertion of information technology products into the Department’s global IT environment that consists of classified, unclassified and non-enterprise networks (NENs). It sets the standard for the Department’s classified, unclassified and NENs product baselines.
5 FAM 114.6-2 Local Configuration Management
(CT:IM-329; 11-22-2024)
a. Bureaus and posts must establish and maintain a local configuration management protocol. The system level change management team at the local post or bureau reviews changes affecting systems or applications for which the bureaus or posts are responsible. The system level change management team can be in the form of a committee or it can consist solely of DT representative(s) at post. The system level change management team or POC determines whether a change request can be approved locally or if a new product is needed, which may then a require a technology insertion request submission to the TRB.
b. The post security officer must supplement the system level change management team with only a sole DT representative to avoid conflicts of interest problems.
c. Local or system level change management team must report local/post activity and system changes through the appropriate change management process.
5 FAM 114.7 Department Program Managers
(CT:IM-329; 11-22-2024)
Department program managers, in consultation with the CIO and CFO, as well as the CISO, SPO, and DS, determine IT program information resource needs and develop strategies, systems, and capabilities to meet and comply with those needs. (See the Paperwork Reduction Act of 1995 (44 U.S.C. 3506(a)(4)).) These program managers must comply with all applicable Federal laws, regulations, and mandates on managing IT activities.
5 FAM 114.8 Department Organizations that Support IT Management
(CT:IM-329; 11-22-2024)
Department organizations that are also involved in the management and oversight of IT activities and provide major additional advice and support include the Firewall Advisory Board (FAB), the Personal Identity Verification (PIV) Implementation Board, and the Smart Card Public Key Infrastructure (PKI) Biometric Governance Board (SCPBGB).
5 FAM 114.8-1 Firewall Advisory Board (FAB)
(CT:IM-329; 11-22-2024)
a. The Firewall Advisory Board (FAB) reviews, approves, and tracks configuration changes to the Department-level firewalls. The Network Technology Office (DT/EI/NT) chairs the FAB. Other members include the Virus Incident Response Team (VIRT), CO, DS, and other NT personnel.
b. The offices responsible for the FAB are DT DCIO for EI and NT. The responsibilities of the board include the following:
(1) Establishing baseline configurations for all Department-level firewall installations;
(2) Establishing criteria to control connectivity of non-Department of State organizations to Department networks;
(3) Receiving all requests for changes to the Firewall Rule Set, performing a risk assessment of each request, and authorizing appropriate changes to the rule set;
(4) Recommending changes to the firewalls and network architecture to improve network security;
(5) Providing assistance in developing firewall-related solutions to meet the operational requirements of new network applications; and
(6) Reviewing the Firewall Rule Set annually.
5 FAM 114.8-2 Personal Identity Verification (PIV) Implementation Board
(CT:IM-329; 11-22-2024)
a. The Personal Identity Verification (PIV) Implementation Board was established to implement the requirements of Homeland Security Presidential Directive (HSPD-12). The Board is co-chaired by the Deputy Assistant Secretary and Director of Countermeasures (DS/C) and the Deputy CIO for Enterprise Services (DT/ES). Other Department officials are board members.
b. The Joint Advisory Council (JAC) was also established and governed by the board. The chartered role of the JAC is to plan, coordinate, and ensure implementation of the Department’s PIV Program in compliance with HSPD-12 and National Institute of Standards and Technology, Federal Information Processing Standards (FIPS) 201. The group also provides responses on behalf of the Department of State to reporting agencies.
c. HSPD-12 was issued to help standardize the form and level of security by which Federal employees and contractors are identified for access to Federal facilities and information systems. HSPD-12 establishes U.S. Government policy to:
(1) Enhance security against potential terrorist threats;
(2) Reduce identity fraud;
(3) Increase government efficiency through standardization; and
(4) Protect the personal privacy of individuals.
d. HSPD-12 mandates that the Department establish a program to ensure that identification issued to State employees and contractors meets FIPS 201.
e. The Department must also require the use of identification by State employees and contractors that meets FIPS 201 to gain physical and logical access to federally controlled facilities and information systems, respectively.
f. Federal Information Processing Standards (FIPS) 201 implements HSPD-12 by specifying the architecture and technical requirements for a common identification standard for Federal employees and contractors.
g. The PIV program is composed of systems and processes that support a common smart card-based identity authentication platform for accessing multiple types of physical and logical access environments. Smart cards are the vehicle that carries the physical and digital components that form the user’s PIV credentials. (See 5 FAM 115.8-3.)
5 FAM 114.8-3 Smart Card Public Key Infrastructure (PKI) Biometric Governance Board (SCPBGB)
(CT:IM-329; 11-22-2024)
a. The Smart Card Public Key Infrastructure (PKI) Biometric Governance Board (SCPBGB), along with the PIV Implementation Board, coordinates a centralized approach for PIV implementation through the smart card technology for physical access, logical access, PKI, and other Department applications.
b. The PIV Working Group and DS Security Technology, Facility Security Engineering Division, Domestic Management and Engineering (DS/ST/FSE/DME) have primary roles to manage the physical access to Department domestic facilities, including the use of appropriate technologies to accomplish that mission.
c. The Under Secretary for Management designated the PKI Program Team, created under DT/ES/IS/ICAM, as the sole entity within the Department to implement public key infrastructure utilizing smart card technology.
d. The board operates in compliance with Department policies and procedures and under the auspices of the PIV Implementation Board by
(1) Identifying smart card requirements, recommending policy and procedures, and developing standards that support the use of smart cards at the Department;
(2) Providing clear, strong leadership during the development and implementation phases of the Smart Card Program;
(3) Providing guidance and assistance in implementing smart card related applications; and
(4) Providing oversight of the Department’s smart card activities, and establishing interoperability, technical, and security requirements for products related to the Department’s Smart Card Program.
e. The PIV Implementation Board and other authorities and regulations may result in additional specific responsibilities.
5 FAM 115 ROLE OF Governance and Policy (GP) in IT MANAGEMENT
(CT:IM-329; 11-22-2024)
a. DT/BMP/GRP/GP oversees the process for collecting, analyzing, and corroborating IT policy and related inquiries from respondents, and other internal and external contacts as deemed appropriate. The results of these activities are documented and compiled for dissemination.
b. The office location to submit IT policy questions or to request IT-related information on these activities is the GP’s website or email inquiries are generated automatically through the GAL via AskIRMITPolicy@state.gov. Department organizations, both domestic and abroad, must use this website for IT policy or email for all related IT issues.
5 FAM 116 policy for Accessible ict
(CT:IM-329; 11-22-2024)
a. State ensures that all employees and members of the public with disabilities have access to and use of information and communication technology (ICT) consistent with mandatory federal requirements. Such access and use must be the same or comparable to that available to people without disabilities.
b. The audience for this policy is all applicants and State federal employees, interns, volunteers, and contractors working for or on behalf of State who consume DT-provided ICT services and support.
c. State's Section 508 Program Manager withing the Bureau of Global Talent Management, Office of Accessibility and Accommodations (GTM/OAA) oversees accessibility standards and manages Section 508 for the Department following GSA's Section 508 Program Manager Responsibilities framework.
d. DT oversees the policy within the environment it manages, in consultation with GTM/OAA, for IT accessibility and accommodations.
e. Information and communication technology refers to IT and other equipment, systems, technologies, or processes for which the principal function is to create, manipulate, store, display, receive, or transmit electronic data and information and associated content. Examples of ICT include, but are not limited to: computers and peripheral equipment; information kiosks and transaction machines; telecommunications equipment; customer premises equipment; multifunction office machines; software; applications; Web sites; videos; and, electronic documents.
f. All ICT must be tested and measured against specific performance and success criteria, as indicated in 36 CFR 1194.
g. Authority for the Department’s IT Accessibility Policy and mandatory federal requirements are found within the following:
• ICT Final Standards and Guidelines: 36 CFR Part 1194 (2017; amended 2018)
• Section 508 of the Rehabilitation Act of 1973, amended 1998 (29 U.S.C § 794d)
• Communications Act of 1934 Section 255, amended in 1996 (47 U.S.C. § 255)
• FAR Section 508-based Standards in ICT (48 CFR Parts 2, 7, 10, 11, 12, and 39)
• Clinger-Cohen Act of 1996 (Information Technology Management Reform Act): 40 U.S.C. 1401(3)
• Americans with Disabilities Act of 1990
• Rehabilitation Act and Workforce Investment Act: Section 508
• Telecommunications Act of 1996 (revised provisions of Section 255 of the Communications Act of 1934)
• 21st Century Integrated Digital Experience Act (IDEA) (P.L. No: 115-336)
• OMB Circular A-130 Management of Federal Information Resources (amended July 2016)
• M-24-08 Strengthening Digital Accessibility and the Management of Section 508 of the Rehabilitation Act
M-23-22 Delivering a Digital-First Public Experience
• M-17-06 Policies for Federal Agency Public Websites and Digital Services
• Executive Order 14035: Diversity, Equity, Inclusion, and Accessibility in the Federal Workforce
• 5 FAH-8 H-500 Accessibility and Usability, and any additional DOS FAM/FAH policies regarding ICT, accessibility, and web design.
5 FAM 117 Information Technology (IT) Skills Incentive Program (Sip)
(CT:IM-329; 11-22-2024)
The Information Technology (IT) Skills Incentive Program (SIP) was established to foster the development of advanced industry standard skills, certifications, and credentials by IT professionals who must maintain certain skills and requirements to continue in the SIP. (NOTE: IT professionals must be Department employees working in certain IT-related job series to be eligible for SIP.) The Department provides monetary incentives to those IT professionals who achieve designated skill sets. The Foreign Service Institute’s School of Applied Information Technology (FSI/SAIT) administers the SIP, including the IT Skills Incentive Panel (see 5 FAM 118.1) and the Senior Advisory Panel (see 5 FAM 118.2). These organizations review SIP regularly, along with sustainment training, to meet the Department’s needs (see the SIP website for more information on SIP including eligibility and approved job series.)
5 FAM 117.1 IT Skills Incentive Program Panel
(CT:IM-329; 11-22-2024)
The Director, Foreign Service Institute (FSI), selects an FSI senior manager to chair the IT Skills Incentive Program Panel. The bureaus of Bureau of Global Talent Management (GTM), DT, an internal functional and regional bureau, and the U.S. Agency for International Development (USAID) are panel member representatives. The respective heads of the above bureaus appoint their representatives, except that each functional and regional bureau must appoint one representative on an annual rotational basis when that bureau is scheduled to have a representative on the panel. The IT Skills Incentive Program Panel makes policy recommendations to the Senior Advisory Panel. The recommendations are not limited to policies, but include other changes such as adding or deleting certifications and/or credentials, and limiting or extending the timeframes of these certifications/credentials.
5 FAM 117.2 IT Skills Incentive Program Senior Advisory Panel
(CT:IM-329; 11-22-2024)
The IT Skills Incentive Program Senior Advisory Panel adjudicates policy recommendations made by the IT Skills Incentive Panel. The Chief Information Officer (CIO), the Deputy Assistant Secretary (DAS) for GTM, and the Dean of FSI/SAIT comprise the membership of this advisory panel.
5 FAM 118 Information Security STeering Committee (ISSC)
(CT:IM-329; 11-22-2024)
a. The Information Security Steering Committee (ISSC) was established by the Under Secretary for Management (M) in 2005. The ISSC is a Department-wide deputy assistant secretary-level group consisting of owners of information systems. The ISSC is co-chaired by the Chief Information Security Officer and the Senior Coordinator for Security Infrastructure.
b. ISSC members advise and instruct in a consultative and collaborative manner that stresses transparency, responsiveness, and cooperation. This enables an information security program that is service-oriented, cost-effective and meets statutory, regulatory, and business needs in a timely manner. The ISSC:
(1) Develops priorities and advocates for the availability of resources for the security of Department information systems;
(2) Recommends to the E-Gov Program Board revisions or development of specific operating policies, objectives and priorities as required by Federal information security standards and guidance;
(3) Provides clearance on high-impact documents (e.g., Information Security Program Plan and Security Architecture);
(4) Coordinates strategic direction of the Department’s information security efforts;
(5) Offers recommendations to the Department concerning identified duplication and omissions relating to information security;
(6) Supports Department funding/budget mechanisms as they relate to information security;
(7) Establishes common or type metrics for information security-related activities;
(8) Ensures that processes and procedures are in effect to address Department information security requirements throughout the lifecycle; and
(9) Empowers integrated information security teams (IISTs) to pursue efficient implementation of and or address challenges in meeting the Department’s information security objectives.
c. The ISSC establishes IISTs that consist of cross-bureau working-level subject-matter experts from varied information security areas. Teams may be established or dissolved with the approval of the ISSC.
5 FAM 119 references
(CT:IM-329; 11-22-2024)
5 FAM 119.1 acronyms
(CT:IM-329; 11-22-2024)
BRR (Bureau Resource Request)
CFO (Chief Financial Officer)
CIO (Chief Information Officer)
CISO (Chief Information Security Office)
EA (Enterprise architecture)
E-GovPB (E-Gov Program Board)
FAB (Firewall Advisory Board)
FIPS (Federal Information Processing Standards)
FSI (Foreign Service Institute)
ICT (Information and Communication Technology)
IIST (Integrated information security teams)
ISSC (Information Security Steering Committee)
M (Under Secretary for Management)
MRR (Mission Resource Request)
PKI (Public Key Infrastructure)
RCSO (Regional Computer Security Officer)
SIP (Skills Incentive Program)
5 FAM 119.2 DEFINITIONS
(CT:IM-329; 11-22-2024)
Bureau Resource Request (BRR): Formerly the Bureau Performance Plans (BPPs). A process where regional and functional bureaus assess their multi-year budgeting needs.
Enterprise architecture (EA): Defined in 5 FAM 674.
Firewall rule set: A set of rules or operating conditions encoded into the firewall device to allow and/or disallow TCP/IP traffic to and from the public network. Rule sets are based upon either senior management or IT management defined policy.
Information and Communication Technology (ICT): Defined in 5 FAM 116
Information life cycle: Defined in 5 FAM 913.
Information resources: Defined in 5 FAM 913.
Information system: Defined in 5 FAM 913.
Information technology (IT): Defined in 5 FAM 913.
Mission Resource Request (MRR): Formerly the Mission Strategic and Resource Plan (MSRP). This document is the first and critical step in the annual planning process that informs the Senior Review process and culminates in the submission of the President’s Budget to Congress.
Personal identity verification (PIV) card: A secure, electronic, rapid, and verifiable means of individual identification that is resistant to fraud, tampering, counterfeiting, and terrorist exploitation.
Public Key Infrastructure (PKI): Defined in 5 FAM 140.
5 FAM 119.3 AUTHORITIES
(CT:IM-329; 11-22-2024)
The authorities for this policy include:
(1) Government Performance and Results Modernization Act of 2010, Public Law 111-352;
(2) Paperwork Reduction Act of 1995, Public Law 104-13 (44 U.S.C. 3501, et seq.);
(3) Clinger-Cohen Act of 1996, Public Law 104-106 (formerly known as the Information Technology Reform Act of 1996, renamed by section 808, Public Law 104-208) (40 U.S.C. 1401, et seq.);
(4) Federal Financial Management Improvement Act of 1996, Public Law 104-208, sections 802 and 803 (31 U.S.C. 3512 note);
(5) Electronic Freedom of Information Act (FOIA) Amendments of 1996, Public Law 104-231;
(6) Federal Information Security Modernization Act of 2014 (FISMA), Public Law 113-283, (44 U.S.C. 3551);
(7) Omnibus Diplomatic Security and Anti-Terrorism Act of 1986, Public Law 99-399, as amended (22 U.S.C. 4802(a));
(8) E.O. 13403 (Federal Information Technology);
(9) OMB Memoranda (M-04-04), E-Authentication Guidelines for Federal Agencies;
(10) OMB Circular A-11, Preparation, Submission and Execution of the Budget (issued annually by OMB), including Part 7, Planning, Budgeting, Acquisition, and Management of Capital Assets and Capital Programming Guide, Version 1.0 Supplement to Part 7;
(11) OMB Circular A-123, Management’s Responsibility for Internal Control;
(12) OMB Circular A-123 Appendix D;
(13) OMB Circular A-130, Managing Information as a Strategic Resource;
(14) Federal Information Technology Acquisition Reform (FITARA) is Title VIII Subtitle D Sections 831-837 of Public Law 113-291 - Carl Levin and Howard P. "Buck" McKeon National Defense Authorization Act for Fiscal Year 2015;
(15) OMB Memorandum (M-15-14); Management and Oversight of Federal Information Technology;
(16) Rehabilitation Act of 1973, Public Law 93-113, as amended, Section 508 (29 U.S.C. 794d);
(17) ICT Final Standards and Guidelines: 36 CFR Part 1194 (2017; amended 2018);
(18) Homeland Security Presidential Directive (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection, December 17, 2003;
(19) Homeland Security Presidential Directive (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004;
(20) National Institute of Standards and Technology (NIST) Special Publication (SP) 800-59, Guidelines for Identifying an Information System as a National Security System, August 2003;
(21) Federal Information Processing Standards (FIPS) Publication 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, February 25, 2005; and