TRICARE Systems Manual 7950.4-M, April 2021
General Automated Data Processing (ADP) Requirements
Chapter 1
Section 1.1
General Automated Data Processing (ADP) Requirements
1.0  General
1.1  The TRICARE Systems Manual (TSM) describes how TRICARE business functions are implemented technically via system-to-system interactions and Government provided applications. The TSM also describes the technical concept of operations, including the responsibilities associated with various Information Systems (IS) including Defense Enrollment Eligibility Reporting System (DEERS), the contractor systems, and selected Direct Care (DC) IS.
1.2  The contractor shall comply with the Department of Defense (DoD) guidance regarding directed Ports, Protocols, and Services (PPS).
1.3  The contractor accessing DoD systems will be provided direction from DoD on connectivity requirements that comply with PPS in accordance with DoD Instructions (DoDIs).
1.4  The contractor shall ensure that laptops, flash drives, and other portable electronic devices do not contain Personally Identifiable Information (PII)/Protected Health Information (PHI) unless the device is fully encrypted and accredited per National Institute of Standards and Technology (NIST) standards.
1.5  Portable electronic devices are often used to transmit reference materials and data of a general nature at meetings and conferences. The contractor shall ensure that their computer systems can accept and load all such information, regardless of the media used to transmit it. All materials provided to contractors at meetings, workgroups, and/or training sessions sponsored by or reimbursed by the Government shall be maintained in accordance with the Records Management requirements in the TRICARE Operations Manual (TOM), Chapter 9.
1.6  This chapter addresses major administrative, functional, and technical requirements related to the flow of health care related Automated Data Processing/Information Technology (ADP/IT) information between the contractor and the DoD/Defense Health Agency (DHA). TRICARE Encounter Data (TED) records as well as provider information shall be submitted to DHA in electronic media. This information is essential to both the accounting and statistical needs of DHA in the management of the TRICARE program and in required reports to DoD, Congress, other governmental entities, and to the public. Technical requirements for the transmission of data between the contractor and DHA are presented in this section. The requirements for submission of TED records and resubmission of TED records are outlined in Chapter 2, Section 1.1, and the Government requirements related to submission and updating of provider information are outlined in Chapter 2, Section 1.2.
1.7  DoD/DHA data includes all information (e.g., test or production data) provided to the contractor for the purposes of determining eligibility, enrollment, disenrollment, capitation, fees, claims, Catastrophic Cap And Deductible (CC&D), patient health information, protected as defined by DoD 6025.18-R, or any other information for which the source is the Government. Any information received by a contractor or other functionary or system(s), whether Government owned or contractor owned, in the course of performing Government business is also DoD/DHA data. DoD/DHA data means any information, regardless of form or the media on which it may be recorded.
1.8  The ADP requirements shall incorporate standards mandated by the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Rules, 45 Code of Federal Regulations (CFR) Parts 160 and 164 (collectively, “HIPAA Rules”), and the DoD HIPAA Issuances identified below. Contractor compliance with the HIPAA Rules and DoD HIPAA Issuances and related privacy requirements is addressed in the TOM, Chapter 1, Section 5 and Chapter 19, Section 3 and paragraph 1.12.
1.9  Management and quality controls specific to the accuracy and timeliness of transactions associated with ADP and financial functions are addressed in the TOM, Chapter 1. In addition to these requirements, DHA also conducts reviews of ADP and financial functions for data integrity purposes and may identify issues specific to data quality (e.g., catastrophic cap issue).
1.10  The contractor shall participate in development of a resolution for the issue(s) identified as appropriate upon notification of data quality issues by DHA. If DHA determines corrective actions are required as a result of Government reviews and determinations, the Contracting Officer (CO) will notify the contractor of the actions to be taken by the contractor to resolve the data issues. Corrective actions shall be taken by the contractor to correct data integrity issues resulting from contractor actions, and are the responsibility of the contractor.
1.11  The references below relate to the subject matter covered in this section.
1.12  The contractor, subcontractors and other individuals who have access to IS containing PII protected by the Privacy Act of 1974 and PHI under HIPAA shall meet all requirements below.
•  Privacy Act of 1974
•  DoD HIPAA Issuances:
  •  DoD 6025.18-R, “DoD Health Information Privacy Regulation,” current revision
  •  DoD 8580.02-R, “DoD Health Information Security Regulation,” current revision
•  DoD 5200.2-R, “DoD Personnel Security Program,” January 1987
•  CFR, Title 32, Part 2002, “Controlled Unclassified Information,” current edition
•  48 CFR Parts 204, 212, and 252 as amended by 76 Federal Register (FR) 69273-69282 / Vol. 78, No. 222 / Monday, November 18, 2013
•  Defense Federal Acquisition Regulation Supplement (DFARS), Subparts 252.204-7008, 7012, 7019, 7020, and 7021, current edition
•  Federal Acquisition Regulation (FAR) Clause, Subpart 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” current edition
•  DFARS, Subpart 252.239-7018, “Supply Chain Risk,” current edition
•  DoD 5200.2-R, “DoD Personnel Security Program,” current revision
•  DoD 5400.11-R, “Department of Defense Privacy Program,” current revision
•  DoD Directive (DoDD) 5015.2, “DoD Records Management Program,” current revision
•  DoD Instruction (DoDI) 8500.01, “Cybersecurity,” current revision
•  DoD 5015.02-STD, “Electronic Records Management Software Applications Design Criteria Standard,” current revision
•  Homeland Security Presidential Directive 12 (HSPD-12), “Policy for a Common Identification Standard for Federal Employees and Contractors,” current revision
•  Federal Information Processing Standards Publication 201 (FIPS 201-1), “Personal Identity Verification (PIV) of Federal Employees and Contractors,” current revision
•  Directive Type Memorandum (DTM) 08-006, “DoD Implementation of Homeland Security Presidential Directive-12 (HSPD-12),” current revision
•  DoDI 8582.01, “Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information,” current revision
•  NIST Special Publication (SP) 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” current revision
•  NIST SP 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems and Organizations,” current revision
•  NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” current revision
•  NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information,” current revision
•  NIST SP 800-88, “Guidelines for Media Sanitization,” current revision
•  DoDD 5239.09, “Clearance of DoD Information for Public Release,” current revision
•  DoDI 5200.48, “Controlled Unclassified Information (CUI),” current revision
•  “Health Insurance Portability and Accountability Act (HIPAA), Security Standards, Final Rule,” current revision
1.13  CUI and DoD Information Contractor IS
CUI is defined in 32 CFR Section 2002.4. DoD information, nonpublic DoD information, and DoD CUI are defined in DoDI 8582.01. See also DoDD 5230.09, “Clearance of DoD Information for Public Release,” current revision. PII/PHI that is DoD information constitutes DoD CUI because PII/PHI requires safeguarding and dissemination controls unless it has been cleared for public release. Nonpublic DoD information includes Federal Contract Information (FCI) that relates to a DoD contract.
2.0  CYBERSECURITY COMPLIANCE PROGRAMS
The NIST-based cybersecurity program, commonly referred to as the “NIST Program”, authorized under DoDI 8582.01, is designed to ensure that the minimum security requirements to protect the confidentiality of unclassified nonpublic DoD information, including covered defense information (i.e., DoD CUI), on a contractor’s covered information system(s) are implemented. Contractors operating their covered information systems to store, process, or transmit unclassified nonpublic DoD information or DoD CUI shall implement NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” as prescribed in DFARS Clause 252.204-7012. To effectively track the flow of covered defense information and assess compliance of the contractor’s known Tier 1 Level suppliers, it is imperative for the contractor to identify and track the flow of unclassified nonpublic DoD information or DoD CUI.
2.1  Compliance with Federal Programs
2.1.1  The NIST Program leverages a contractor’s compliance with existing Federal Information Security-related measures (i.e., HIPAA, Federal Information Security Management Act (FISMA), etc.) to attest to its readiness to process, store, or transmit unclassified nonpublic DoD CUI. The NIST Program requires participating contractors to document compliance with the security requirements described in the NIST SP 800-171.
2.1.2  The contractor shall, with respect to HIPAA Security Rule compliance, follow the TOM, Chapter 19, Section 3, including the requirement for contractors to designate a Security Official with specified responsibilities. Those responsibilities involve compliance with HIPAA Security Rule and DHA’s NIST Program requirements under this section.
2.2  Risk Management
2.2.1  Contractors attesting compliance with the NIST Program accept sole responsibility for the risks associated with developing and maintaining cybersecurity readiness posture.
2.2.2  NIST Compliance Requirement
2.2.2.1  The contractor shall provide and maintain its NIST compliance as required by the contract in order to store, process, or transmit unclassified nonpublic DoD information, including covered defense information (i.e., DoD CUI), and to obtain approvals to connect to a DoD IS.
2.2.2.2  The contractor shall employ Audit Review, Analysis, and Reporting through proper Integration/Scanning and Continuous Monitoring Capabilities (i.e., continuous monitoring for vulnerabilities) that identify the breadth, depth, and rigor of coverage during the security review process for submission of their security documentation.
2.2.2.3  The contractor shall ensure that the security requirements required by the contract are implemented correctly, operating as intended, and support the security policies of the DHA.
2.3  NIST SP 800-171 DoD Assessment Methodology
2.3.1  Requirement
2.3.1.1  The NIST SP 800-171 DoD Assessment Methodology, as required by DFARS Clause 252.204-7019, builds on DFARS Clauses 252.204-7008 and 252.204-7012 for contractors to represent they will implement NIST SP 800-171 security requirements in order to be considered for contract award. A “Basic” assessment, as defined in DFARS clause 252.204-7020, is a contractor’s self-assessment of their implementation of the NIST SP 800-171. The Basic assessment is based on a review of the System Security Plan(s) (SSP(s)) associated with the covered contractor IS, and conducted in accordance with procedures outlined in DFARS Clause 252.204-7020.
2.3.1.2  The contractor shall include the substance of DFARS Clause 252.204-7020, including paragraph (g) therein, in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items (excluding commercially available off-the-shelf (COTS) items). The “NIST SP 800-171 DoD Assessment Methodology Scoring Template” is publicly available on the Office of the Undersecretary of Defense for Acquisitions & Sustainment (OUSD A&S) website or may be acquired from the CO or Contracting Officer Representative (COR).
2.3.2  Process
2.3.2.1  The contractor shall attest all covered IS that store, process, or transmit unclassified nonpublic DoD information or DoD CUI have the adequate safeguard controls in place as prescribed in the DFARS Clause 252.204-7012 (i.e., NIST SP 800-171) by submitting and maintaining a current (i.e., no less than one year) Basic assessment for each covered contractor IS that is relevant to the contract in the Supplier Performance Risk System (SPRS), or an authorized government defined application, as described in DFARS clause 252.204-7020. Details for reporting are identified in DD Form 1423, Contract Data Requirements List (CDRL), located in Section J of the applicable contract.
2.3.2.2  The contractor shall submit, via a government defined application, an SSP, or an extract thereof, and any associated Plans Of Action (POAs) developed to satisfy the adequate security requirements prescribed in the NIST SP 800-171. It should be noted the SSP and POAs are NIST SP 800-171 security requirements (i.e., #3.12.4 and #3.12.2). Details for reporting are identified in DD Form 1423, CDRL, located in Section J of the applicable contract.
2.3.2.3  The contractor shall provide access to its facilities, systems, and personnel to support government strategic level (i.e., Medium or High) assessments or reassessments in accordance with DFARS Clause 252.204-7020. It should be noted that High level assessments depend on the government’s resource availability. The government will offer an opportunity for rebuttal and adjudication prior to posting the strategic summary level score(s) to the SPRS. The contractor has 14 business days to provide the government additional information to demonstrate that it meets any security requirements not observed by the government, or to rebut the findings that may be in question.
2.3.3  Cybersecurity Maturity Model Certification (CMMC) Requirement
2.3.3.1  The CMMC is a framework that measures a contractor’s cybersecurity maturity to include the implementation of cybersecurity practices and institutionalization of processes.
2.3.3.2  When required by contract, the contractor shall maintain a current (i.e., not older than three years) CMMC certificate at the CMMC level required by contract and maintain the CMMC certificate at the required level for the duration of the contract.
2.3.3.3  The contractor shall insert the substance of DFARS Clause 252.204-7021, including paragraph (c) therein, in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items, excluding COTS items.
2.3.3.4  The contractor shall verify the current CMMC certificate is made available in the SPRS or an authorized government defined application.
2.4  Operation and Connectivity Decisions
2.4.1  The contractor shall complete, sign, and submit their SSP and any applicable POAs, via the government defined application. For plan submission requirements, see DD Form 1423, CDRL, located in Section J of the applicable contract.
2.4.2  The contractor shall maintain a current Basic assessment and verify a summary level score is posted in SPRS or an authorized government defined application. For assessment submission requirements, see DD Form 1423, CDRL, located in Section J of the applicable contract.
2.4.3  The contractor shall maintain a current CMMC certificate at the CMMC level required by contract, posted in the SPRS or an authorized government defined application, when required by the contract.
2.5  Cloud Computing
The contractor shall follow the cloud computing requirements as prescribed in DFARS Clause 252.204-7012. For DoD CUI constituting PHI, the contractor shall ensure the external Cloud Service Provider (CSP) is Federal Risk and Authorization Management Program (FedRAMP) authorized at the appropriate baseline/impact level and maintains compliance throughout the duration of the applicable contract.
2.6  Documentation
For a server-to-server connection requirement to a DoD IS, the contractor will be provided with the most current version of the DHA Business-to-Business (B2B) Questionnaire within 10 calendar days of contract award.
2.7  Cyber Incident Reporting and Handling of DoD CUI
The contractor shall follow the cyber incident reporting and handling requirements as prescribed in DFARS Clause 252.204-7012, paragraph (c), and the TRICARE Operations Manual (TOM), Chapter 1, Section 5, and shall immediately (within 24 hours) notify their CO or COR upon discovery of a cyber incident.
2.8  Dissemination and Disposing of DoD CUI
2.8.1  The contractor shall follow the DoD standards, guidance, and procedures to properly mark, monitor, disseminate, de-identify, and dispose of DoD CUI shared from DoD or generated, managed, or transmitted by the contractor via their contractor ISs, as appropriate, in accordance with DoDI 5200.48 and NIST SP 800-88.
2.8.2  The contractor shall flow down this requirement to their applicable Tier-1 level subcontractors.
2.9  Supply Chain Risk
The contractor shall identify and assess compliance of their Tier-1 level subcontractors that process, store, or transmit unclassified nonpublic DoD information, to include DoD CUI, in order to mitigate supply chain risk.
3.0  E-COMMERCE EXTRANET REQUIREMENTS
3.1  The contractor shall access the application via the Internet through a workstation browser. The application is a “thin client”, meaning that no software needs to be installed on the client workstation and no software is downloaded into the browser. Javascript and cookies must be enabled in the browser to utilize the application.
3.2  The application is best viewed at a resolution of 1024 x 768 pixels in a Microsoft Internet Explorer (MSIE) browser (Version 8 and higher). The Extranet application also supports the use of Google Chrome.
3.3  The contractor shall access the application using the Secure Socket Layer (SSL) protocol (https://) and a Common Access Card (CAC) with the PIV Authentication certificate. The Extranet application is Internet Protocol (IP) address restricted, i.e., it only allows communications from user organizations using defined and known IP addresses.
3.4  The contractor shall request access to the Extranet using the E-Commerce User Access Request-External which will be provided by the Government. The User Access Request must list the organization IP address from which data is transferred to/from the Extranet application. Access to deliverables is granted to users at the contract level and deliverables submitted by one contractor will not be accessible to any other contractor.
3.5  Contractors shall follow the DoD standards, guidance, and procedures to properly mark, monitor, disseminate, and dispose of DoD CUI shared from DoD or generated, managed, or transmitted by the contractor via their information systems, as appropriate, in accordance with DoDI 5200.48 and NIST SP 800-88. Contractors shall flow down these requirements to their applicable subcontractors.
4.0  PERSONNEL SECURITY ADP/IT REQUIREMENTS
4.1  Formal Designations Required
The contractor shall ensure that its personnel requiring access to the following must be in positions designated as ADP/IT-I (critical sensitive) or ADP/IT-II (non-critical sensitive):
•  Access to a secure DoD facility.
•  Access to a DoD IS or a DoD CAC-enabled network.
•  Access to DEERS or the B2B Gateway.
4.2  ADP/IT Position Sensitivity Designations
4.2.1  An ADP/IT position category includes access to DoD IS. It is a designator that indicates the level of IT access required to fulfill the responsibilities of the position, including the potential risk for an individual assigned to the position to adversely impact DoD missions or functions.
4.2.2  The contractor’s Facility Security Officer (FSO) shall use the guidance below to determine a contractor employee’s specific ADP/IT level.
4.2.3  Contractor personnel designated for assignment to an ADP/IT position shall undergo a successful background security screening before being granted access to DoD IT systems and/or any DoD/DHA data directly extracted from those contained on any system (e.g., test and/or production) that contains sensitive data.
4.3  ADP/IT-I: Critical Sensitive Position
A position where the individual is responsible for the development and administration of Military Health System (MHS) IS/network security programs and has the direction and control of risk analysis and/or threat assessment. The required investigation is a Single Scope Background Investigation (SSBI) or equivalent. Responsibilities include:
4.3.1  Significant involvement in life-critical or mission-critical systems.
4.3.2  Responsibility for the preparation or approval of data for input into a system, which does not necessarily involve personal access to the system, but with relatively high risk for effecting severe damage to persons, properties or systems, or realizing significant personal gain.
4.3.3  Relatively high risk assignments associated with or directly involving the accounting, disbursement, authorization for disbursement from systems of:
•  Dollar amounts of 10 million dollars per year, or greater; or
•  Lesser amounts if the activities of the individuals are not subject to technical review by higher authority in the ADP/IT-I category to ensure the integrity of the system.
4.3.4  Positions involving major responsibility for the direction, planning, design, testing, maintenance, operation, monitoring, and/or management of systems hardware and software.
4.3.5  Other positions as designated by the Designated Approving Authority (DAA) that involve a relatively high risk for causing severe damage to persons, property or systems, or potential for realizing a significant personal gain.
4.4  ADP/IT II: Non-Critical-Sensitive Position
A position where an individual is responsible for systems design, operation, testing, maintenance, and/or monitoring that is carried out under technical review of higher authority in the ADP/IT-I category. The required investigation is a National Agency Check with Law Enforcement and Credit (NACLC) or equivalent. Responsibilities include, but are not limited to:
4.4.1  Access to and/or processing of proprietary data, information requiring protection, or government-developed privileged information involving the award of contracts.
4.4.2  Accounting, disbursement, or authorization for disbursement from systems of dollar amounts less than 10 million dollars per year.
4.4.3  Other positions as designated by the DAA that involve a degree of access to a system that creates a significant potential for damage or personal gain less than that in ADP/IT-I positions.
4.5  Employee Prescreening
4.5.1  The contractor shall conduct thorough reviews of information submitted on an individual’s application for employment in a position that requires either an ADP/IT background investigation or involves access via a contractor system to data protected by either the Privacy Act of 1974, as amended, or the HHS HIPAA Privacy and Security Final Rule.
4.5.2  The contractor shall include reviews for contractors working in the United States (US) and the District of Columbia, that include:
•  Verify US citizenship.
•  Verify education (degrees and certifications) required for the position in question.
•  Screen for negative criminal history at all levels (federal, state, and local).
•  Screen for egregious financial history; for example, where adverse actions by creditors over time indicate a pattern of financial irresponsibility or where the applicant has taken on excessive debt or is involved in multiple disputes with creditors.
4.5.3  The contractor shall include prescreening reviews for contractors working outside the US and District of Columbia that:
•  Verify US citizenship.
•  Verify education (degrees and certifications) required for the position in question.
•  Screen for negative criminal history, to the maximum extent possible as permitted by local laws of the host Government.
•  Screen for egregious financial history, to the maximum extent possible as permitted by local laws of the host Government.
4.5.4  The prescreening shall be conducted as part of the pre-employment screening, and shall be completed before the assignment of any personnel to a position requiring the aforementioned ADP/IT accesses. The pre-screening can be performed by the contractor’s personnel security specialists, human resource manager, hiring manager, or similar individual.
4.6  Processing Personnel Security Requirements and Granting Interim Access to DoD IS
4.6.1  Contractor requests for a NACLC/SSBI type of security investigation are submitted to the federal investigating agency, Office of Personnel Management (OPM), via the electronic Questionnaires for Investigations Processing (e-QIP) system. Contractor personnel who do not have an investigation or appropriate level of investigation to obtain access to DoD/DHA IT data, systems or networks shall complete the SF 86 in e-QIP.
4.6.2  The DHA Personnel Security Branch (PSB) may grant DHA contractor personnel who are US citizens interim ADP-IT/CAC access upon confirmation of favorable results from the advance National Agency Check (NAC), Federal Bureau of Investigation (FBI) fingerprint check and a scheduled/open investigation at OPM.
4.7  e-QIP Training and Access
4.7.1  The contractor FSO shall complete e-QIP training to access and use e-QIP.
4.7.2  The contractor FSO shall complete the e-QIP Access User Form for e-QIP user accounts to be created.
4.7.3  FSO Roles and Responsibilities
The contractor FSO shall:
•  Be a US citizen.
•  Possess a favorably adjudicated NACLC or equivalent investigation.
•  Provide list of applicants to PSB for verification of security eligibility.
•  Initiate applicant’s security questionnaire in e-QIP.
•  Select the appropriate Agency Use Block (AUB) template in e-QIP.
•  Notify the COR by email that an e-QIP request has been initiated and requires their approval.
•  Inform applicant to complete security questionnaire in e-QIP within 10 calendar days.
•  Perform initial review of applications for required information.
•  Capture and transmit e-fingerprints to OPM via Secured Web Fingerprint Transmission (SWFT) or mail two FD258 fingerprint cards to PSB.
•  Verify applicant’s citizenship and upload proof of citizenship document to investigation request before releasing case to PSB.
•  Serve as the main Point Of Contact (POC) for the applicant.
•  Monitor the e-QIP request, which includes ensuring the applicant completes the e-QIP form in designated time period.
•  Cancel or delete an e-QIP request on an applicant.
•  Act as POC if DoD Central Adjudication Facility (CAF) requires additional information on contractor employees.
4.8  Additional Requirements/Information
4.8.1  Background Investigation Request for ADP/IT-I
The contractor shall have their FSOs coordinate and submit a written request on company letterhead to the DHA COR for endorsement for their personnel requiring an ADP/IT-I investigation. The request letter shall be signed by, at a minimum, the FSO or other appropriate executive. It shall include a detailed job description which justifies the requirement for the ADP/IT-I. The justification letter shall be emailed to a company assigned POC in PSB.
4.8.2  Reinvestigation Requirements
4.8.2.1  The contractor shall have reinvestigation requirements if personnel are in positions designated as ADP/IT-I and ADP/IT-II.
4.8.2.2  ADP/IT-I positions are critical sensitive and shall be re-investigated every five years. ADP/IT-II positions are non-critical sensitive and shall be re-investigated every 10 years. The reinvestigation shall be initiated within 60 calendar days of the closed date of the last investigation.
4.8.2.3  The FSO shall track the reinvestigation requirement for contractor employees and initiate new investigations, as required above. Fingerprints are not required for re-investigations unless specifically requested.
4.8.3  Reciprocal Acceptance of Prior Investigation
An investigation is reciprocated when a new contractor employee has an existing favorably adjudicated investigation that meets the appropriate level of investigation required; and the break in service has been two years or less. The FSO shall verify prior investigation and if valid, provide PSB new employee’s name, Social Security Number (SSN), and Date of Birth (DOB).
4.8.4  Requests for Additional Information
PSB may require additional information while the contractor employee’s investigation is in progress. The FSO will be notified to provide the information by a specified date or the investigation may be rejected or returned unacceptable. The FSOs shall review applications for required information prior to release, to reduce case rejections and requests for additional information.
4.8.5  Notification of Employee Termination and Unfavorable Personnel Security Determination
4.8.5.1  The contractor FSO shall notify PSB immediately when a contractor employee is terminated from a DHA contract. Email notification shall include the employee’s name and termination date.
4.8.5.2  The contractor shall notify PSB if the contractor moves a contractor employee to another one of its DHA contracts.
4.8.5.3  The contractor shall notify PSB immediately, especially when a contractor employee is being moved from an unclassified contract to a classified contract.
4.8.5.4  PSB will notify FSOs when a contractor employee has received an unfavorable personnel security determination. Upon receipt of a denial letter from PSB, the FSO shall immediately terminate the employee’s access to DoD IT systems. The return receipt letter included with the denial letter from PSB shall be returned to PSB one week after receipt of the letter to show compliance with terminating employee’s access.
4.8.6  Transfers Between Contractors
4.8.6.1  When contractor employees transfer employment from one DHA contractor to another DHA contractor while their investigation for ADP/IT trustworthiness determination is in process, the scheduled investigation may be applied to the new employing contractor.
4.8.6.2  It shall be the responsibility of the new employer to provide notification to PSB when this type of transfer occurs. The notification shall contain employee’s name and effective date of transfer.
4.8.7  Electronic Fingerprint Capture and Submission
4.8.7.1  The contractor shall capture e-fingerprints and transmit via SWFT as it improves processing time and securely transmits fingerprints.
4.8.7.2  The contractor and subcontractor shall meet these requirements for those who have access to DoD IS containing information protected by the Privacy Act of 1974 and PHI under HIPAA.
4.8.8  Foreign Nationals
The requirements above must be met by US citizens who have access to DoD IS containing information protected by the Privacy Act of 1974 and PHI under HIPAA. The required investigation must be completed and favorably adjudicated prior to authorizing ADP/IT access to DoD system/networks.
4.8.9  Notification and Mailing
4.8.9.1  The contractor shall use the following information to contact the PSB.
4.8.9.2  The contractor shall handle sensitive information according to applicable laws and DoD policies related to privacy and confidentiality.
4.8.9.3  The contractor shall transmit PII or PHI via encrypted email or the OPM secure portal.
Mailing Address:
Defense Health Agency
ATTN: Personnel Security Branch
7700 Arlington Blvd, Suite 5101
Falls Church, VA 22042-5101
e-QIP Help Desk: (703) 681-6508
Email address: dhapsb@mail.mil
4.9  References
•  DoDD 5136.01, “Assistant Secretary of Defense for Health Affairs (ASD(HA)),” September 30, 2013.
•  DoDD 5136.13, “Defense Health Agency (DHA).”
•  DoDI 5025, “DoD Issuances Program,” June 6, 2014, as amended.
•  DoDD 52002.2-R, “Personnel Security Program,” January 1987, as amended, http://www.dtic.mil/whs/directives/corres/pdf/520002r.pdf.
•  FIPS Publication 140-2, “Security Requirements for Cryptographic Modules,” http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.
•  CFR, Title 5, Part 731, “Suitability Regulations,” January 9, 2009, as amended.
•  DoD Administrative Instruction 15, “Office of the Secretary of Defense Records and Information Management Program,” May 3, 2013.
•  Executive Order 12968, “Access to Classified Information,” August 4, 1995.
•  DoDD 5102.21, “Sensitive Compartmented Information Administrative Security Manual,” October 2012.
•  Intelligence Community Directive (ICD) 704, “Personnel Security Standards and Procedures Governing Eligibility for Access to Sensitive Compartmented Information and Other Controlled Access Program Information,” October 1, 2008.
•  United States Code (USC), Title 5, “The Privacy Act of 1974,” December 31, 1974.
5.0  PUBLIC KEY INFRASTRUCTURE (PKI) REQUIREMENTS
DoD has initiated a PKI policy to support enhanced risk mitigation strategies in support of the protection of DoD’s system infrastructure and data. DoD’s implementation of PKI requirements is specific to the identification and authentication of users and systems within DoD (DoDI 8520.02). The following paragraphs provide current DoD PKI requirements.
5.1  User Authentication
5.1.1  The contractor shall ensure all personnel accessing DoD applications and networks have obtained PKI enabled and PIV-compliant Government accepted credentials. Contractor personnel with access limited to internal contractor systems and applications are not required to obtain PKI enabled and PIV-compliant credentials. Such credentials shall follow the PIV trust model (FIPS 201-2) and be acceptable to the Government.
5.1.2  The contractor shall obtain Government-issued CACs to meet this requirement. PIV-compliant credentials are required for access to DoD systems, networks and data. Alternate sign on access will not be granted. Encryption and digital signatures shall be used for information transmitted electronically that includes DoD/DHA data covered by the Privacy Act, HIPAA, and IS and network requirements.
5.2  CAC Issuance
5.2.1  The CAC is the standard identification for Service members, DoD civilian employees, and eligible DoD contractor personnel. It is the principal card used to enable both physical access to a DoD facility and access, via logon, to DoD networks on-site or remotely. Access to the DoD network requires the use of a computer with Government-controlled configuration or use of a DoD-approved remote access procedure in accordance with the DISA Security Technical Implementation Guide.
5.2.2  The Trusted Associate Sponsorship System (TASS) is a web-based system that allows eligible DoD contractors to apply for a CAC through the Internet. Government sponsors (also known as Trusted Agents (TAs)) approve the application to receive government credentials.
5.2.3  CACs Issued On or After January 6, 2017
5.2.3.1  The contractor shall obtain CACs from Real-Time Automated Personnel Identification Systems (RAPIDS) sites.
5.2.3.2  The contractor shall build in the distance and appointment capacity for obtaining CACs in accordance with TOM, Chapter 2 transition requirements.
5.2.3.3  The contractor shall use the RAPIDS locator website (https://idco.dmdc.osd.mil/idco/) for scheduling personnel who require CACs.
5.2.3.4  CACs issued, reissued, or replaced on or after January 6, 2017, will be issued with a blank email certificate unless the CAC holder already has a DoD approved email address. Instructions for requesting an approved email address are available in paragraph 5.2.3.3. Without an approved Government email address (and the accompanying DoD email certificate), the CAC holder will be unable to use the capabilities afforded by such a certificate, including digital signature, digital encryption, and/or access to government systems that require authentication with a DoD approved email certificate.
5.2.3.5  CAC capabilities that do not require a DoD approved email certificate for authentication will still function. If a CAC owner requires a DoD approved email certificate to perform their duties, the DHA’s DoD approved email is Defense Enterprise Email (DEE). Not all contractors require DoD approved email certificates on their CAC to perform their duties.
5.2.3.6  The contractor shall reference the specific requirements outlined in paragraph 5.2.3.2.
5.2.3.7  The contractor shall reference the specific requirements outlined in the contract for clarification.
5.2.4  Email Address Certificates on CACs
5.2.4.1  CAC owners will require a DoD approved email address certificate on their CAC in order to perform certain functions, such as the ability to digitally sign, digitally encrypt, and/or access government systems that require a DoD approved email address certificate. Some current CAC users may already have another type of email certificate that complies with DoD requirements.
5.2.4.2  The contractor shall obtain a DEE account, as described below, if a contractor requires the capabilities afforded by a DoD approved email certificate on their CAC. The DEE account provides the CAC holder with the required DoD approved email certificates needed for the CAC. It also creates an email in-box that allows the user to send/receive encrypted emails and send/receive government correspondence, among other capabilities. Once a CAC holder obtains their DEE account, the account may be accessed using Outlook Web Access (OWA) at https://web.mail.mil.
5.2.4.3  The COR/Program Manager (PM) will email the contractor’s FSO requesting that a list of users’ first and last names, personnel type codes (Civilian, Military, Contractor), and DoD Identification (ID) Numbers (located on the back of the user’s CAC) be provided to the COR.
5.2.4.4  Upon receipt, the COR/PM will forward the information to Global Service Center (GSC) DHA.ITCallCenter@mail.mil requesting DEE accounts be provided for each user listed. A DHA Add User Form is not required to only obtain DEE accounts for CAC owners.
5.2.4.5  GSC will create a DEE account for each contractor request submitted, and provide the COR/PM acknowledgment of the account creation. The COR/PM will forward the account information to the FSO, who shall provide the CAC owners the new account information with instructions on how to create or update their DEERS/RAPIDS Online profiles as described below.
5.2.4.6  When the CAC holder receives their DEE account information, they shall:
•  Update the email certificate associated with their CAC:
   •  Sign in to the following link (do not select the DoD EMAIL certificate option): https://www.dmdc.osd.mil/self_service/rapids/unauthenticated?execution=e1s1
   •  Within CAC Maintenance, select Change CAC Email.
   •  Update the DoD approved email address on the CAC to reflect the DEE (@mail.mil) account. This will create the DoD Certs needed for the digital signature and encryption. (This may take up to 72 hours for the settings to update and be reflected in the system.)
•  Update their Global Address List (GAL) properties:
   •  Sign in to the following link: https://www.dmdc.osd.mil/milconnect/
   •  Select Update Work Contact Info (GAL).
   •  Update contact information accordingly.
•  Access their DEE account using OWA at https://web.mail.mil.
Note:  The amount of time required to obtain a DEE account is contingent upon the independent steps performed by the parties outlined above. Activities are typically completed in hours.
5.2.5  FSO Roles and Responsibilities
5.2.5.1  Obtaining a CAC
The contractor FSO shall:
•  Identify contractor support personnel who require a CAC for accessing DoD networks and facilities.
•  Verify the applicant’s background investigation by submitting a request to PSB.
•  Complete Sections I and III of DHA Form 33 for the initial and/or renewal CAC.
•  Submit DHA Form 33 to the COR for approval.
•  Fax the completed form to (703) 681-5207, ATTN: PSB/TASS/Common Access Card Branch (CACB), or email it to: dha.ncr.security.mbx.personnel-security-tass@mail.mil.
5.2.5.2  Obtaining Email Address Certificate
The contractor FSO shall:
•  Assist the CAC owner with obtaining a DoD approved email address (and the accompanying email certificate) for their CAC, if one is required to perform their job duties.
•  Submit to the COR a list of user’s first and last names, persona type codes (Civilian, Military, Contractor) and DoD ID Number, for those requiring an email certificate.
5.2.5.3  Out-Processing Procedures
The FSO shall:
•  Establish out-processing procedures to collect the CAC when an employee quits, is terminated from the company or when the CAC is no longer required.
•  Notify the TA to revoke the applicant’s CAC.
•  Return CACs in accordance with paragraph 5.2.6.8.
5.2.6  CAC Guidelines and Restrictions
5.2.6.1  Any person willfully altering, damaging, lending, counterfeiting, or using these cards in any unauthorized manner is subject to fine or imprisonment or both, as prescribed in Sections 499, 506, 509, 701, and 1001 of Title 18, USC. Section 701 prohibits photographing or otherwise reproducing or possessing DoD ID cards in an unauthorized manner, under penalty of fine or imprisonment or both. Unauthorized or fraudulent use of ID cards would exist if bearers used the card to obtain benefits and privileges to which they are not entitled. Examples of authorized photocopying include photocopying of DoD ID cards to facilitate medical care processing, check cashing, voting, tax matters, compliance with Appendix 501 of Title 50, USC (also known as “The Service member’s Civil Relief Act”), or administering other military-related benefits to eligible beneficiaries. When possible, the ID card will be electronically authenticated in lieu of photographing the card.
5.2.6.2  ID cards shall not be amended, modified, or overprinted by any means. No stickers or other adhesive materials are to be placed on either side of an ID card. Holes shall not be punched into ID cards, except when a CAC has been requested by the next of kin for an individual who has perished in the line of duty. A CAC provided to next of kin shall have the status of the card revoked in DEERS, have the certificates revoked, and have a hole punched through the integrated circuit chip before it is released to the next of kin.
5.2.6.3  Access
The granting of access is determined by the contractor or system owner as prescribed by the DoD.
5.2.6.4  Accountability
CAC holders shall maintain accountability of their CAC at all times while affiliated with the DoD.
5.2.6.5  Multiple Cards
In instances where an individual has been issued more than one ID card (e.g., an individual that is eligible for an ID card as both a Reservist and as a contractor employee), only the ID card that most accurately depicts the capacity in which the individual is affiliated with the DoD should be utilized at any given time.
5.2.6.6  Renewal and Reissuance
The applicant for CAC renewal or reissuance shall be required to surrender the current CAC that is up for renewal. The CAC shall be renewed 90 calendar days prior to the CAC expiring.
5.2.6.7  Replacement
The applicant shall provide a letter from the local security office confirming the CAC has been reported lost, stolen, confiscated, or destroyed, and a valid (unexpired) State or Federal Government-issued picture ID.
5.2.6.8  Retrieval
The CAC is property of the US Government and shall be retrieved and returned to TASS-CACB when the card has expired, is damaged or compromised, or when the applicant is no longer affiliated with the DoD contractor or no longer meets the eligibility requirements for the card.
Defense Health Agency
Mission Assurance Division
Personnel Security Branch
ATTN: TASS/CACB
7700 Arlington Blvd, Suite 5101
Falls Church, VA 22042-5101
5.2.7  Personal Identification Number (PIN) Resets
5.2.7.1  Should an individual’s CAC become locked after three unsuccessful attempts to access it, the PIN shall be reset at a RAPIDS facility or by designated individuals authorized to use CAC PIN Reset (CPR) applications. These individuals may be contractor personnel, if approved by the Government representative. PIN resets cannot be done remotely.
5.2.7.2  The contractor shall provide all hardware for the workstation (personal computer (PC), card readers, fingerprint capture device); the Government will provide CPR software licenses.
5.2.7.3  The CPR workstation shall not be used for other applications, as the Government has not tested the CPR software for compatibility.
5.2.7.4  The CPR software shall run on the desktop and cannot be run from the Local Area Network (LAN).
5.2.7.5  The contractor shall install the CPR hardware and software, and provide the personnel needed to run the workstation.
5.2.8  Systems Requirements for CAC Authentication
5.2.8.1  The contractor shall procure, install, and maintain desktop level CAC readers and middleware. The middleware software must run on the desktop and cannot be run from the LAN. Technical Specifications for CACs and CAC readers may be obtained at https://www.dmdc.osd.mil/appj/dwp/contractor_civ_roles.jsp.
5.2.9  The contractor shall ensure that CACs are only used by the individual to whom the CAC was issued. Individuals must protect their PIN, must not allow it to be discovered, and must not allow anyone else to use their CAC.
5.2.10  The contractor shall ensure access to DoD systems applications and data is only provided to individuals who have been issued a CAC and whose CAC has been validated by the desktop middleware, including use of a card reader. Sharing of CACs, PINs, and other access codes is expressly prohibited.
5.2.11  The contractor shall provide locations and approximate number of contractor personnel at each site who will require the issuance of a CAC upon contract award.
5.2.12  The contractor shall identify to DHA and DMDC the personnel that require access to the DMDC Contractor Test environment in support of systems testing activities.
5.3  System Authentication
5.3.1  The contractor shall obtain DoD-acceptable PKI server certificates for identity and authentication of the servers upon direction of the CO. These interfaces include, but are not limited to, the following:
5.3.2  Contractor systems for inquiries and responses with DEERS.
5.3.3  Contractor systems and the TED Processing Center.
6.0  SYSTEMS COMMUNICATION
6.1  MHS Demilitarized Zone (DMZ) Medical Community of Interest (MedCOI) B2B Gateway
6.1.1  The contractor shall, in accordance with contract requirements, connect to the B2B Gateway via a contractor procured Internet Service Provider (ISP) connection.
6.1.2  The contractor shall assume all responsibilities for establishing and maintaining its connectivity to the B2B Gateway. This shall include acquiring and maintaining the circuit used to connect to the B2B Gateway and the acquisition of a Virtual Private Network (VPN) device and a maintenance agreement and license compatible with the VPN device. The list of compatible devices is detailed in the DHA B2B/MedCOI Gateway questionnaire.
6.1.3  The contractor shall submit a completed current version of the DHA B2B/MedCOI Gateway questionnaire to their Government sponsor or Government Program Office within 10 calendar days after new requirements have been provided to the contractor.
6.2  Contractor Provided IT Infrastructure
6.2.1  Platforms shall support Hypertext Transfer (Transport) Protocol Secure (HTTPS), web-derived Java Applets, Secure File Transfer Protocols (SFTPs) (e.g., SFTP, Secure Sockets Layer (SSL)/Transport Layer Security (TLS)), and all software that the contractor proposes to use to interconnect with DoD facilities.
6.2.2  The contractor shall configure their networks to support access to Government systems (e.g., configure ports and protocols for access).
6.2.3  The contractor shall provide full time connections to a Tier 1 or Tier 2 ISP. Dial-up ISP connections are not acceptable. All IP addresses need to be publicly routable. Private address space using Network Address Translation (NAT) will not be permitted.
6.2.4  The contractor shall maintain a valid maintenance contract and pertinent licenses for all devices connecting to the MHS B2B Gateway.
6.3  System Authorization Access Request (SAAR) Defense Department (DD) Form 2875
6.3.1  The contractor shall submit the most current version of DD Form 2875 in accordance with CO guidance for all contractors that use the DoD Gateways to access Government IT systems and/or DoD applications. A DD Form 2875 shall be completed for each contractor employee who will access any system and/or application on a DoD network. The DD Form 2875 shall clearly specify the system and/or application name and justification for access to that system and/or application.
6.3.2  The contractor shall submit the completed DD Form 2875 to the DHA DPCLO for verification of ADP Designation. The DHA DPCLO will verify that the contractor employee has the appropriate background investigation completed or a request for background investigation has been submitted to the OPM. Acknowledgment from OPM that the request for a background investigation has been received and that an investigation has been scheduled will be verified by the DHA DPCLO prior to access being approved.
6.3.3  DHA will notify the user via secure/encrypted e-mail upon the establishment of a user account. User accounts will be established for individual use and may not be shared by multiple users or for system generated access to any DoD application. Misuse of user accounts by individuals or contractor entities will result in termination of system access for the individual user account.
6.3.4  The contractor shall conduct a monthly review of all contractor employees who have been granted access to DoD IS’/networks to verify that continued access is required.
6.3.5  The contractor shall provide the DHA DPCLO with a report of the findings of their review by the 10th day of each month following the review. Reports identifying changes to contractor employee access requirements shall include the name, DoD ID number from CAC, Company, IS/network for which access is no longer required and the date access will be terminated. For reporting requirements, see DD Form 1423, CDRL, located in Section J of the applicable contract.
6.4  MHS Systems Communications
6.4.1  The primary communication links shall be via encrypted tunnels (i.e., Internet Protocol Security (IPsec), GetVPN, or SSL) between the contractor’s primary site and the MHS B2B Gateway.
6.4.2  The contractor shall procure a primary and auxiliary VPN device for backup purposes to minimize any downtime associated with problems of the primary VPN.
6.4.3  The contractor shall send devices to the MHS VPN management authority (e.g., DHA) postage paid and include prepaid return shipping arrangements for the device(s).
6.4.4  The MHS VPN management authority (e.g., DHA) will remotely configure and manage the VPN appliance once installed by the contractor.
6.4.5  The contractor shall place the VPN appliance device outside the contractor’s firewalls and shall allow full management access to this device (e.g., in router access control lists) to allow Central VPN Management services provided by DHA or other source of service as designated by the MHS to remotely manage, configure, and support this VPN device as part of the MHS VPN domain.
6.4.6  The contractor shall be responsible for the maintenance and repair of contractor procured VPN equipment.
6.4.7  The Government will be responsible for the troubleshooting of VPN equipment.
6.5  Establishment of System Communications
6.5.1  The contractor shall establish system communications with the MHS through coordination with DHA.
6.5.2  The DHA/MedCOI B2B Gateway Questionnaire identifies the required System Communication infrastructure between the contractor and the MHS systems. This includes all Wide Area Network (WAN), LAN, VPN, Web DMZ, and B2B Gateway access requirements.
6.5.3  The contractor shall complete their applicable portion of the questionnaire and shall return it to the DHA designated POC for review and approval.
6.5.4  The contractor shall, upon Government request, provide technical experts to provide any clarification of information provided in the questionnaire. DHA will review and process the questionnaire when it is received.
6.5.5  DHA will coordinate any requirements for additional information with the POC and schedule any meetings required to review the Questionnaire. Upon approval of the Questionnaire, DHA will coordinate a testing meeting with appropriate stakeholders.
6.5.6  DHA will notify the contractor POC of the meeting schedule. The purpose of the testing meeting is to complete a final review of the Systems Communication requirements and establish testing dates.
6.6  Contractors Located On Military Installations
6.6.1  Contractors located on a military installation who require direct access to Government systems shall coordinate and obtain the connections with the local Markets/Military Medical Treatment Facilities (MTFs) and Base/Post/Camp communications personnel.
6.6.2  The Government shall furnish these connections.
6.6.3  Contractors located on military installations that require direct connections to those installations’ networks shall provide an isolated IT infrastructure.
6.6.4  The contractor shall coordinate with the Base/Post/Camp communications personnel and the Market/MTF in order to get approval for a contractor procured circuit prior to installation to ensure the contractor is within compliance with the respective organizational security policies, guidance and protocols.
Note:  In some cases, the contractor may not be allowed to establish these connections due to local administrative/security requirements.
6.6.5  The contractor shall be responsible for all security certification documentation as required to support DoD IA requirements for network interconnections.
6.6.6  The contractor shall provide, upon request, detailed network configuration diagrams to support IA accreditation requirements.
6.6.7  The contractor shall comply with IA accreditation requirements. All network traffic shall be via Transmission Control Protocol/Internet Protocol (TCP/IP) using ports and protocols in accordance with current Service security policy. All traffic that traverses MHS, DMDC, and/or military Service Base/Post/Camp security infrastructure is subject to monitoring by security staff using Intrusion Detection Systems.
6.7  DHA/TED
6.7.1  Primary Site
The TED primary processing site is currently located in San Antonio, TX, and is operated by the DISA Defense Enterprise Computing Center (DECC), Detachment San Antonio, TX.
Note:  The location of the primary site may be changed. The contractor will be advised should this occur.
6.7.2  General
6.7.2.1  The common means of administrative communication between Government representatives and the contractor is via telephone and email. An alternate method may be approved by DHA.
6.7.2.2  The contractor shall provide the DHA the name, address, and telephone number of the person who will serve as a technical POC (update when changes occur) at the start-up planning meeting.
6.7.2.3  The contractor shall provide a separate computer center (Help Desk) number to DHA which the DHA computer operator may use for resolution of problems related to data transmissions.
6.7.3  TED-Specific Data Communications Technical Requirements
The contractor shall communicate with the Government’s TED Data Center through the MHS B2B Gateway.
6.7.3.1  Communication Protocol Requirements
6.7.3.1.1  File transfer software shall be used to support communications with the TED Data Processing Center. CONNECT:Direct is the current communications software standard for TED transmissions.
6.7.3.1.2  The contractor shall upgrade/comply with any changes to this software.
6.7.3.1.3  The contractor shall provide this product and a platform capable of supporting this product with the TCP/IP option included. Details on this product may be obtained from:
Sterling Commerce
4600 Lakehurst Court
P.O. Box 8000
Dublin OH 43016-2000 USA
Phone: (614) 793-7000
Fax: (614) 793-4040
6.7.3.1.4  The contractor shall provide TCP/IP communications software incorporating the TN3270 emulation for Ports and Protocol support.
6.7.3.1.5  Transmission size is limited to any combination of 400,000 records at one time.
6.7.3.1.6  “As Required” Transfers
Ad hoc movement of data files shall be coordinated through and executed by the network administrator or designated representative at the source file site. Generally speaking, the requestor needs only to provide the POC at the remote site, and the source file name. Destination file names shall be obtained from the network administrator at the site receiving the data. Compliance with naming conventions used for recurring automated transfers is not required. Other site specific requirements, such as security constraints and pool names are generally known to the network administrators.
6.7.3.1.7  File Naming Convention
6.7.3.1.7.1  All files received by and sent from the DHA data processing site shall comply with the following standards when using CONNECT:Direct:
POSITION(S)   CONTENT
1 - 2         TD
3 - 8         YYMMDD Date of transmission
9 - 10        Contractor number
11 - 12       Sequence number of the file sent on a particular day. Ranges from 01 to 99. Reset with the first file transmission the next day.
6.7.3.1.7.2  All files sent from the DHA data processing site shall be named after coordination with receiving entities in order to accommodate specific communication requirements for the receivers.
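The naming convention in paragraph 6.7.3.1.7.1 and the 400,000-record transmission limit in paragraph 6.7.3.1.5, implemented as an added example that is not part of the TSM or of CONNECT:Direct: a validator that splits a 12-character name into its fields and rejects malformed names with a field-specific reason, plus a name generator that resets the daily sequence. The contractor number "47" and the record counts are constructed sample values.

```python
"""Validator and generator for the TED CONNECT:Direct file naming convention.

Added example (not from the TSM): positions 1-2 "TD", 3-8 YYMMDD transmission
date, 9-10 contractor number, 11-12 daily sequence number 01..99 (paragraph
6.7.3.1.7.1), and the 400,000-record limit per transmission (paragraph
6.7.3.1.5). Contractor number "47" below is a constructed sample value.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

MAX_RECORDS_PER_TRANSMISSION = 400_000  # paragraph 6.7.3.1.5
PREFIX = "TD"                            # positions 1-2


@dataclass(frozen=True)
class TedFileName:
    transmission_date: date
    contractor: str   # two-digit contractor number, zero-padded
    sequence: int     # 1..99, resets with the first file of the next day

    def __str__(self) -> str:
        return (f"{PREFIX}{self.transmission_date:%y%m%d}"
                f"{self.contractor}{self.sequence:02d}")


def parse_ted_file_name(name: str) -> TedFileName:
    """Validate a name against the convention and split it into its fields.

    Raises ValueError naming the offending position range, so a receiving
    site can reject a malformed name before it is accepted for processing.
    """
    if len(name) != 12:
        raise ValueError(f"expected 12 characters, got {len(name)}: {name!r}")
    if name[0:2] != PREFIX:
        raise ValueError(f"positions 1-2 must be {PREFIX!r}: {name!r}")
    try:
        tx_date = datetime.strptime(name[2:8], "%y%m%d").date()
    except ValueError as exc:
        raise ValueError(f"positions 3-8 must be a YYMMDD date: {name!r}") from exc
    contractor = name[8:10]
    if not contractor.isdigit():
        raise ValueError(f"positions 9-10 must be a numeric contractor number: {name!r}")
    seq_text = name[10:12]
    if not seq_text.isdigit() or not 1 <= int(seq_text) <= 99:
        raise ValueError(f"positions 11-12 must be a sequence number 01-99: {name!r}")
    return TedFileName(tx_date, contractor, int(seq_text))


class TedFileNamer:
    """Hands out the next outbound file name for one contractor.

    The sequence restarts at 01 on the first transmission of a new day and
    refuses to exceed 99 or to name a transmission over the record limit.
    """

    def __init__(self, contractor: str) -> None:
        if not (len(contractor) == 2 and contractor.isdigit()):
            raise ValueError("contractor number must be exactly two digits")
        self.contractor = contractor
        self._last_date: Optional[date] = None
        self._next_seq = 1

    def next_name(self, on: date, record_count: int) -> TedFileName:
        if record_count > MAX_RECORDS_PER_TRANSMISSION:
            raise ValueError(
                f"{record_count} records exceeds the limit of "
                f"{MAX_RECORDS_PER_TRANSMISSION} per transmission")
        if on != self._last_date:           # first file of a new day resets to 01
            self._last_date, self._next_seq = on, 1
        if self._next_seq > 99:
            raise ValueError(f"sequence numbers 01-99 exhausted for {on:%y%m%d}")
        name = TedFileName(on, self.contractor, self._next_seq)
        self._next_seq += 1
        return name


if __name__ == "__main__":
    namer = TedFileNamer("47")          # constructed contractor number
    first = namer.next_name(date(2021, 4, 1), 250_000)
    print(first, parse_ted_file_name(str(first)))
```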
6.7.3.1.8  Timing
6.7.3.1.8.1  Under most circumstances, the source file site shall initiate automated processes to cause transmission to occur. With considerations for timing and frequency, activation of transfers for each application shall be addressed on a case-by-case basis.
6.7.3.1.8.2  Alternate Transmission
The contractor shall notify the DHA to discuss alternative delivery methods should the contractor not be able to transmit their files through the normal operating means.
6.8  DHA/TRICARE Duplicate Claims System (DCS)
6.8.1  The DCS is a web application accessible via MSIE, version 6.0, 7.0 or as directed by the Government.
6.8.2  The contractor shall provide internal connectivity to the public Internet and is responsible for all systems and operating system software needed internally to support the DCS. (See Chapter 4 for DCS Specifications.)
7.0  HIPAA REQUIREMENTS
7.1  The contractor shall be in compliance with the HIPAA Rules, the DoD HIPAA Issuances, the TOM, Chapter 19, Section 3, and any provisions of this manual and DoD cybersecurity guidance addressing security incident response.
7.2  The contractor shall be in compliance with HIPAA breach response requirements, which are addressed in conjunction with DoD breach response requirements in the TOM, Chapter 1, Section 5.
7.3  Data Sharing Agreements (DSAs)
7.3.1  Contractors requiring access to PII, which includes PHI, or access to de-identified data, are subject to the DHA Defense Privacy and Civil Liberties Office (DPCLO) (Privacy Office) Data Sharing Program. This program requires DHA to enter into DSAs with parties outside the MHS who use or create MHS data. (DHA contracts may use the term Data Use Agreement (DUA) rather than DSA.) DSAs assure that outside parties protect MHS data in accordance with the Privacy Act and the HIPAA Rules. To apply for a DSA, the Prime contractor submits a Data Sharing Agreement Application (DSAA) to the DHA DPCLO. The contractor submits the DSAA even if a subcontractor will be the party accessing MHS data. After review and approval of the DSAA, the Privacy Office provides a DSA to the contractor for execution. The DSAA template and other DSA guidance and forms are available at the following page on the Privacy Office website: http://health.mil/Military-Health-Topics/Privacy-and-Civil-Liberties.
7.3.2  The contractor shall complete an Account Authorization Request Form (AARF) and have an ADP/IT-II designation for primary contractors and subcontractors requiring access to or use of MHS data. Refer to ADP/IT Category Guidance below.
7.4  Disclosure Tracking and Accounting and Other System Capabilities for Privacy Act and HIPAA Privacy Compliance
The contractor shall maintain systems (or utilize MHS systems) with the capabilities to track and report on disclosure requests, disclosure restrictions, accounting for disclosure requests, authorizations, PII/PHI amendments, Notice of Privacy Practices (NoPP) distribution management, confidential communications requests, and complaint management. Situation reports may be required to address complaints, inquiries, or unique events related to the foregoing responsibilities.
8.0  CONTINUITY OF OPERATIONS PLAN (COOP) REQUIREMENTS
The contractor shall obtain and maintain adequate hardware, software, personnel, procedures, controls, contingency plans, and documentation to satisfy DHA data processing and reporting requirements. Items requiring special attention are listed below.
8.1  COOP
The contractor shall develop a single plan, deliverable to the DHA CO on an annual basis that ensures the continuous operation of their IT systems and data support of TRICARE. The plan shall provide information specific to all actions that will be taken by the Prime and subcontractors in order to continue operations should an actual disaster be declared for their geographic area of responsibility. For plan submission requirements, see DD Form 1423, CDRL, located in Section J of the applicable contract.
8.1.1  The COOP shall ensure the availability of the system and associated data in the event of hardware, software and/or communications failures.
8.1.2  The COOP shall include the Prime and subcontractor’s plans for relocation/recovery of operations, timeline for recovery, and relocation site information in order to ensure compliance with the TOM, Chapters 1 and 6. Information specific to connection to the B2B Gateway to and from the relocation/recovery site for operations shall also be included in the COOP.
8.1.3  The contractor shall ensure all security requirements are met and appropriate processes are followed for the B2B Gateway connectivity for relocation/recovery sites. The contractor’s COOP will enable compliance with all processing standards as defined in the TOM, Chapter 1, and compliance with enrollment processing and Primary Care Manager (PCM) assignment as defined in TOM, Chapter 6.
8.1.4  The contractor’s COOP shall include restoration of critical functions such as claims and enrollment within five calendar days of the disaster. The Government reserves the right to re-prioritize the functions and system interactions proposed in the COOP during the review and approval process for the COOP.
8.2  Security Requirements
The contractor shall ensure security and access requirements are met in accordance with existing contract requirements for all COOP and disaster recovery activities. Waivers of security and access requirements will not be granted for COOP or disaster recovery activities.
8.3  Annual Disaster Recovery Tests
8.3.1  The Prime contractor shall coordinate annual disaster recovery testing of the COOP with its subcontractor(s) and the Government. Coordination with the Government will begin no later than 90 calendar days prior to the requested start date of the disaster recovery test.
8.3.2  Each Prime contractor shall ensure all aspects of the COOP are tested and coordinated with all contractors responsible for the transmission of TRICARE data.
8.3.3  Each Prime contractor shall ensure major TRICARE functions are tested.
8.3.4  The Prime contractor shall also ensure testing support activities (e.g., DEERS, TED, etc.) are coordinated with the responsible Government POC no later than 90 calendar days prior to the requested start date of the annual disaster recovery test.
8.3.5  The Prime contractor shall ensure the annual disaster recovery tests evaluate and validate that the COOP sufficiently ensures continuation of operations and the processing of TRICARE data in accordance with the TOM, Chapters 1 and 6. For reporting requirements, see DD Form 1423, CDRL, located in Section J of the applicable contract. The annual disaster recovery testing will include, but is not limited to, the processing of:
•  TRICARE Prime enrollments in the DEERS contractor test geographic area of responsibility to demonstrate the ability to update records of enrollees and disenrollees using the Government furnished web-based enrollment system/application.
•  Referrals.
•  Preauthorizations/authorizations.
•  Claims.
•  Claims and catastrophic cap inquiries will be made against production DEERS and the Catastrophic Cap and Deductible Database (CCDD) from the relocation/recovery site.
•  The contractor shall test their ability to successfully submit claims inquiries and receive DEERS claim responses and catastrophic cap inquiries and responses.
•  The contractor shall not perform catastrophic cap updates in the CCDD and DEERS production for test claims.
•  The contractor shall process a number of claims using the DEERS contractor test geographic area of responsibility to successfully demonstrate the ability to perform catastrophic cap updates and the creation of newborn placeholder records on DEERS.
•  The contractor shall demonstrate the ability to process provider, institutional and non-institutional claims. TED records will be created for every test claim processed during the claims processing portion of the disaster recovery test. These test claims will be submitted to the DHA TED landing area.
8.3.6  The contractor shall maintain static B2B Gateway connections or other Government approved connections at relocation/recovery sites that may be activated in the event a disaster is declared for their geographic area of responsibility.
8.3.7  The contractor shall submit its results of the review and/or test results to the DHA Contract Operations Division-Aurora (COD-A) within 10 business days of the conclusion of the test.
8.3.8  The contractor shall include if any additional testing is required or if corrective actions are required as a result of the disaster recovery test within the report. The notice of additional testing requirements or corrective actions to be taken shall be submitted along with the proposed date for retesting and the completion date for any corrective actions required.
8.3.9  Upon completion of the retest, a report of the results of the actions taken shall be provided to the COD-A within 10 business days of completion. See Section J of the contract for information specific to deliverables, milestones, and due dates.
9.0  SYSTEMS INTEGRATION AND TESTING MEETING REQUIREMENTS
9.1  The DHA hosts regularly scheduled meetings, via teleconference, with contractor and Government representatives. Government attendees may include, but are not limited to, DMDC and DHA program and policy offices. These meetings will:
•  Review the status of system connectivity and communications.
•  Identify new DEERS applications or modifications to existing applications, e.g., Government furnished web-based enrollment systems/applications.
•  Issue software enhancements.
•  Implement system changes required for the implementation of new programs and/or benefits.
•  Review data correction issues and corrective actions to be taken (e.g., catastrophic cap effort-review, research and adjustments).
•  Monitor results of contractor testing efforts.
•  Other activities as appropriate.
9.2  The contractor shall ensure representatives participating in the calls are subject matter experts for the identified agenda items and are able to provide the current status of activities for their organization. DHA provides a standing agenda for the teleconference with the meeting announcement. Additional subjects for the meetings are identified as appropriate.
9.3  The contractor shall ensure testing activities are completed within the scheduled time frames and any problems experienced during testing are reported via the Government defined application for review and corrective action by DHA or their designee.
9.4  The contractor shall retest the scenario upon the provision of a corrective action strategy or implementation of a modification to a software application by DHA (to correct the problem reported by the contractor), to determine if the resolution is successful. Retesting shall be accomplished within the agreed upon timeframe.
9.5  The contractor shall update the Government defined application upon completion of retesting activities.
9.6  The contractor shall retest the scenario upon the provision of a corrective action strategy or implementation of a modification to a software application by the contractor (to correct the problem reported by DHA), to determine if the resolution is successful. DHA will also document system issues and deficiencies related to testing and production analysis of the contractor’s systems and processes in the Government defined application. Retesting shall be accomplished within the agreed upon time frames.
9.7  The contractor shall correct internal system problems that negatively impact their interface with the B2B Gateway, MHS, DMDC, etc. and/or the transmission of data, at their own expense.
9.8  Each organization identified shall provide two POCs to DHA to include telephone numbers and emails to be used for call back purposes, notification of planned and unplanned outages and software releases. POCs will be notified via email in the event of an unplanned outage using the POC notification list, so it is incumbent upon each organization to notify DHA of changes to the POC list.
10.0  UNIFORMED SERVICES PAY CENTER REQUIREMENTS
10.1  Enrollment fees/premium payments for specified TRICARE Programs may be paid by electronic monthly allotments from military payroll. The availability of this payment option is determined by the Program requirements and the Service member’s duty status and may not be available for all TRICARE Programs. Payroll allotment data is exchanged between military payroll centers and the DHA purchased care contractors.
10.2  The contractor shall process allotment information exchanged with military payroll centers in accordance with the TOM, Chapter 6, Section 1. The following allotment processing guidance is provided in accordance with the Memorandum of Understanding (MOU) established between the DHA and Defense Finance and Accounting Service (DFAS), the US Air Force (USAF), and Public Health Service (PHS) for allotments from retired pay.
10.3  Exchange of Payroll Allotment Data
The contractor shall exchange payroll allotment data with the DFAS, US Coast Guard (USCG) and PHS, USAF and the US Navy (USN) using a specified transmission protocol.
10.3.1  DFAS
10.3.1.1  Payroll allotment data for the US Army, Air Force, Navy, and Marines shall be transmitted to DFAS via the B2B Gateway using SFTP or a secure Internet file transfer, e.g., Multi-Host Internet Access Portal (MIAP). The use of the B2B Gateway or a Government identified secure file transfer requires compliance with all security requirements in this Chapter.
10.3.1.2  The contractor shall separately provide DFAS with an SAAR DD Form 2875 requesting access to DFAS systems. This is in addition to what may have already been submitted for access to the B2B Gateway.
10.3.2  USCG and PHS
10.3.2.1  Payroll allotment data for the USCG and PHS shall be transmitted via the SilkWeb (SFTP) and Titan web application (see instructions in Addendum A). All security and data handling requirements in this Chapter remain in effect.
10.3.2.2  The contractor shall obtain User IDs and passwords from the designated POC at the PHS.
10.3.3  USAF
10.3.3.1  Payroll allotment data for the USAF shall be transmitted via a Government identified secure file transfer. The use of a Government identified secure file transfer requires compliance with all security requirements in this Chapter.
10.3.3.2  The contractor shall separately provide USAF with an SAAR DD Form 2875 requesting access to the Air Force Integrated Personnel and Pay System (AFIPPS) (see instructions in Addendum B).
10.4  Data Transmission Requirements
10.4.1  The contractor shall provide DFAS/USAF/USN/USCG/PHS with a monthly file of retirees who have selected TRICARE Prime for their health benefit and elected monthly allotments as the methodology for paying enrollment fees.
10.4.2  DFAS will return feedback files to the contractor providing determinations of the actions, acceptance or rejection and whether the item is paid or unpaid.
10.4.3  The contractor shall provide DFAS/USAF/USN/USCG/PHS with POCs for testing, system and ongoing business requirements. POC information shall be maintained and include: name, title, contractor name, address, electronic mail address and telephone number. Updated information shall be provided to DFAS when the POC or contact information changes.
10.4.4  DFAS/USAF/USN/USCG/PHS will provide the contractor with start/stop and change allotment requests received directly from TRICARE beneficiaries.
10.4.5  The contractor shall process these requests and submit an initial file containing information for all allotments selected in time for the first submission. Subsequent files shall contain only new allotments and stops and/or changes.
10.4.6  The contractor shall send the file (initial and subsequent) using the appropriate transmission protocol determined by the receiving payroll center, e.g., DFAS, USAF, USN, USCG, or PHS.
10.4.7  The contractor shall submit an electronic mail notification to DFAS/USAF/USN/USCG/PHS notifying them of the file transmission.
10.5  File Layout
10.5.1  The contractor shall exchange the following files with DFAS:
•  Input data
•  Reject Report
•  Deduction Report
10.5.2  The contractor shall exchange the following files with USAF:
•  Premium Deduction File
•  No Match File
•  Deduct/No Deduct File
10.5.3  The contractor shall exchange the following files with USN:
•  Premium Deduction File
•  No Match File
•  Deduct/No Deduct File
10.5.4  The DFAS file layout is provided at Addendum A. The contractor will be notified of any changes to the file layout by the CO.
10.5.5  The USAF file layout is provided at Addendum B. The contractor will be notified of any changes to the file layout by the CO.
10.5.6  The contractor shall submit files using the naming convention designated by DFAS.
10.5.7  Data Transmission Schedule
10.5.7.1  The contractor or their designated subcontractor shall transmit data on the business day immediately prior to the eighth day of each month (or on the previous Thursday, should the eighth fall on a Saturday or Sunday), for allotments due on the first day of the upcoming month.
Note:  The only exception to this schedule is for the month of December when all data shall be transmitted so it is received on the first business day of December.
10.5.7.2  The contractor shall, during months when no monthly beneficiary data exists, continue to submit a file without data in accordance with the eighth day of the month rule. The file shall consist of a header and trailer record with no data in between. The electronic mail notification shall indicate the file contains no member data.
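The schedule in paragraphs 10.5.7.1 and 10.5.7.2 is easy to get wrong by hand because the weekend rule (previous Thursday, not the previous business day) differs from the weekday rule, and December has its own rule. The following is an added example, not code from the TRICARE Systems Manual or from any pay center, that computes the transmission date and the allotment due date it covers. It assumes a business day is Monday through Friday and does not model Federal holidays, so a returned date still needs a holiday check; the function names are the example’s own.

```python
# Added example (not the manual's or a pay center's code): compute the monthly
# allotment file transmission date from the 10.5.7 schedule.
# Assumptions not stated by the manual: a "business day" is Monday through Friday,
# and Federal holidays are not modelled.
from datetime import date, timedelta

THURSDAY, SATURDAY, SUNDAY = 3, 5, 6  # date.weekday() values


def is_business_day(d: date) -> bool:
    return d.weekday() < SATURDAY


def transmission_date(year: int, month: int) -> date:
    """Date the file must be sent for allotments due on the first of the following month."""
    if month == 12:
        # Note under 10.5.7.1: December data is received on the first business day of December.
        d = date(year, 12, 1)
        while not is_business_day(d):
            d += timedelta(days=1)
        return d
    eighth = date(year, month, 8)
    if eighth.weekday() in (SATURDAY, SUNDAY):
        # Eighth on a weekend: the previous Thursday, not merely the previous business day.
        return eighth - timedelta(days=eighth.weekday() - THURSDAY)
    # Otherwise the business day immediately before the eighth (Friday when the eighth is Monday).
    d = eighth - timedelta(days=1)
    while not is_business_day(d):
        d -= timedelta(days=1)
    return d


def allotment_due_date(year: int, month: int) -> date:
    """First day of the upcoming month, the due date the file covers (10.5.7.1)."""
    if month == 12:
        return date(year + 1, 1, 1)
    return date(year, month + 1, 1)


def yearly_schedule(year: int) -> list:
    """(transmission date, allotment due date) pairs for every month, as ISO strings."""
    return [
        (transmission_date(year, m).isoformat(), allotment_due_date(year, m).isoformat())
        for m in range(1, 13)
    ]


if __name__ == "__main__":
    # Sample year chosen for the example: 2021 has the eighth on a Saturday (May),
    # a Sunday (August) and a Monday (March), exercising every branch.
    for sent, due in yearly_schedule(2021):
        print(f"send {sent}  for allotments due {due}")
```

The December branch returns the first business day of December itself; per the Note, the file must be transmitted early enough to be received on that day. Months with no beneficiary data (10.5.7.2) keep the same date and are sent as a header-and-trailer-only file.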
10.5.7.3  Within 24 hours of file processing by DFAS/USAF/USN/USCG/PHS, the contractor will receive a file from the pay center identifying all “rejected” submissions and the reasons for the rejection.
10.5.7.4  The contractor shall research the rejected submissions and resubmit resolved transactions on the following month’s file.
10.5.7.5  The contractor shall also notify the beneficiary in accordance with TOM, Chapter 6, Section 1.
10.5.7.6  The contractor will receive a “deduct/no deduct” file that contains the “no deduct” reasons following processing of the “compute pay cycle” by the pay center.
10.5.7.7  The contractor shall research these items and resubmit resolved items, as appropriate, on the following month’s file. The “deduct/no deduct” file is informational and shall document all payments not collected as well as unfulfilled allotment requests (e.g., insufficient pay to cover deduction).
10.5.7.8  The contractor’s banking institution will receive a Corporate Trade Exchange (CTX) “payment” file from DFAS on the first business day of the month following the submission of the files.
11.0  SPECIFIED AUTHORIZATION STAFF (SAS) REQUIREMENTS
11.1  ADP Protocols
11.1.1  The contractor shall provide the capability to edit the status and entry of a 13 digit disposition code indicating if the referral was approved for Market/MTF or civilian network treatment (see paragraph 11.2). This disposition code may be used during the claims adjudication process.
11.1.2  The contractor shall provide the logic to automatically approve the referral if the SAS determination is not received within two business days of referral entry.
11.1.3  The contractor shall provide the telecommunications, hardware, and software necessary for data entry and report printing from the SAS location.
11.1.4  The contractor shall provide initial and ongoing application training and support on an “as needed” basis.
11.1.5  The contractor shall provide a data dictionary of available data elements to be sent to the SAS automated IS.
11.1.6  The contractor shall send all care referral records to the SAS in a tab delimited data flat file. The method of transfer can be SFTP or an email attachment.
11.1.7  The contractor shall provide the SAS with read-only access to their subcontractor’s claims history database.
11.1.8  The contractor shall provide the needed training to the SAS staff in order to access the claims history database.
11.2  SAS Referral Data
11.2.1  The format of the referral number will be DMISYYJJJNNNS where:
•  DMIS = the DMIS ID Code of the issuing facility (5203 = SAS);
•  YY = the year in which the referral number was issued;
•  JJJ = the Julian date on which the referral number was issued;
•  NNN = the Facility Sequence Number;
•  S = Status (the type of provider):
    •  C = Civilian Care (refer to TOM, Chapter 16, Section 2, paragraph 5.3.2 for referral requirements)
    •  M = Military Care (Market/MTF or clinic)
    •  V = Department of Veterans Affairs (DVA)/Veterans Health Administration (VHA) Care (DVA/VHA hospital or medical facility)
    •  P = Care rendered under the Department of Defense/Department of Veterans Affairs (DoD/VA) Memorandum of Agreement (MOA) for “Referral of Active Duty Military Personnel Who Sustain Spinal Cord Injury, Traumatic Brain Injury, or Blindness to Veterans Affairs Medical Facilities for Health Care and Rehabilitative Services” (refer to TOM, Chapter 17, Section 2, paragraph 3.2 for referral requirements).
11.2.2  The format of the effective date is YYYYMMDD where:
•  YYYY = the year in which the SAS referral is effective;
•  MM = the month in which the SAS referral is effective; and
•  DD = the day on which the SAS referral is effective. A retroactive authorization is indicated by an effective date prior to the issue date.
11.2.3  The format of the expiration date is YYYYMMDD where:
•  YYYY = the year in which the SAS referral expires;
•  MM = the month in which the SAS referral expires; and
•  DD = the day on which the SAS referral expires.
11.3  Data Elements
11.3.1  The following data elements include, but are not limited to, the elements required by SAS for determining fitness-for-duty and for determining if care not covered under TRICARE Prime will be covered under TPR. The SAS will return the data elements furnished by the contractor when responding to a request for a fitness-for-duty or coverage/benefit determination.
11.3.2  The contractor shall include the applicable elements marked with asterisks (*) below if the contractor is asking for a coverage/benefit determination. If, for example, the contractor cannot authorize the care because it is not a covered benefit under TRICARE, the contractor will include *Not a benefit. If the contractor cannot authorize the care because the care is not medically necessary, the contractor will include **Not medically necessary.
11.3.3  The contractor shall include ***Provider not authorized if the contractor cannot authorize the care because the provider is not an authorized provider.
Data Element | Contractor To SAS | SAS To Contractor
Patient Name | X | X
Patient’s DOB | X | X
Patient’s Sex | X | X
Contact Date (for retroactive authorizations) | X | X
Service Member SSN | X | X
Service Member Branch of Service | X | X
Duty Status | X | X
PCM Location Code | X | X
DMIS-ID | X | X
Contractor’s Authorization Number | X | X
Effective Date of Authorization | X | X
*Not a Benefit | *If applicable |
**Not Medically Necessary | **If applicable |
***Provider Not Authorized | ***If applicable |
SAS Fitness-for-Duty Referral Number or Benefit Determination Number | | X
Effective Date of SAS Referral | | X
Expiration Date of SAS Referral | |
Status of Authorization (may be embedded number) | | X
Number/Frequency of Services Requested for SAS Referral | X | X
Diagnosis | X | X
Procedure Code Range | X | X
Type of Service | X | X
Place of Service | X | X
Free Text (for available clinical information) | X |
12.0  SAS REQUIREMENTS FOR DHA-GREAT LAKES (DHA-GL)
12.1  ADP Protocols
12.1.1  The contractor shall provide access for entry and edit of referrals into the contractor’s systems for those Government staff who will remotely access the contractor’s system from the DHA-GL location.
12.1.2  The contractor shall include a status code indicating that SAS review is required.
12.1.3  The contractor shall submit a standard management report which provides the number of deferred claims that SAS staff reviewed and processed during each month. For reporting requirements, see DD Form 1423, CDRL, located in Section J of the applicable contract.
12.1.4  The contractor shall provide the capability to edit the status and entry of a 16 digit disposition code indicating if the referral was approved for civilian network treatment (see paragraph 12.2). This disposition code may be used during the claims adjudication process.
12.1.5  The contractor shall provide the logic to automatically approve the referral if the SAS determination is not received within two business days of referral entry.
12.1.6  The contractor shall provide the telecommunications, hardware, and software required for data entry and report printing from the SAS location.
12.1.7  The contractor shall provide application training and support to the SAS staff who utilize the contractor’s referral system.
12.1.8  The contractor shall provide a data dictionary of available data elements to be sent to the SAS automated IS.
12.1.9  The contractor shall send all care referral records to the SAS in a tab delimited data flat file. The method of transfer shall be SFTP or a secure, password-protected email attachment.
12.1.10  The contractor shall provide the SAS with read-only access to their subcontractor’s claims history database.
12.1.11  The contractor shall provide the required training to the SAS staff in order to access the claims history database.
12.2  SAS Referral Data
12.2.1  The format of the referral number shall be DMISYYJJJNNNS where:
12.2.1.1  DMIS = the DMIS ID Code of the issuing facility (5203 = SAS);
12.2.1.2  YY = the last two digits of the year in which the referral number was issued;
12.2.1.3  JJJ = the Julian date on which the referral number was issued;
12.2.1.4  NNN = the Facility Sequence Number;
12.2.1.5  S = Status (the type of provider):
    •  C = Civilian Care (refer to TOM, Chapter 16, Section 2, paragraph 5.3.2 for referral requirements)
    •  M = Military Care (Market/MTF or clinic)
    •  V = DVA/VHA Care (DVA/VHA hospital or medical facility)
    •  P = Care rendered under the DoD/VA MOA for “Referral of Active Duty Military Personnel Who Sustain Spinal Cord Injury, Traumatic Brain Injury, or Blindness to Veterans Affairs Medical Facilities for Health Care and Rehabilitative Services” (refer to TOM, Chapter 17, Section 2, paragraph 3.2 for referral requirements).
12.2.2  The format of the effective date is YYYYMMDD where:
•  YYYY = the year in which the SAS referral is effective;
•  MM = the month in which the SAS referral is effective; and
•  DD = the day on which the SAS referral is effective. A retroactive authorization is indicated by an effective date prior to the issue date.
12.2.3  The format of the expiration date is YYYYMMDD where:
•  YYYY = the year in which the SAS referral expires;
•  MM = the month in which the SAS referral expires; and
•  DD = the day on which the SAS referral expires.
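Paragraphs 11.2 and 12.2 define the same referral number and date formats, so one decoder serves both. The following is an added example, not code from the TRICARE Systems Manual or from any contractor system, showing how a receiving system can validate a DMISYYJJJNNNS referral number and the YYYYMMDD effective and expiration dates, derive the issue date from YY and the Julian day, and flag a retroactive authorization (effective date before the issue date). Two assumptions are the example’s own and not stated by the manual: the two-digit year YY is read as 20YY, and an expiration date earlier than the effective date is rejected. The sample referral values are constructed.

```python
# Added example (not code from the TRICARE Systems Manual): decode and validate the
# SAS referral number DMISYYJJJNNNS and the YYYYMMDD dates described in 11.2 and 12.2.
# Assumptions not stated by the manual: YY means 20YY, JJJ is the day of year (001-366),
# and an expiration date before the effective date is an error.
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Status letters listed in the manual (the type of provider).
STATUS_CODES = {
    "C": "Civilian Care",
    "M": "Military Care",
    "V": "DVA/VHA Care",
    "P": "DoD/VA MOA Care",
}

# 4 + 2 + 3 + 3 + 1 = 13 characters, matching the 13-digit disposition code in 11.1.1.
REFERRAL_RE = re.compile(
    r"(?P<dmis>\d{4})(?P<yy>\d{2})(?P<jjj>\d{3})(?P<nnn>\d{3})(?P<s>[A-Z])"
)


@dataclass(frozen=True)
class Referral:
    dmis: str          # DMIS ID of the issuing facility (5203 = SAS)
    issue_date: date   # derived from YY and the Julian day JJJ
    sequence: int      # facility sequence number NNN
    status: str        # C, M, V or P


def parse_referral_number(ref: str) -> Referral:
    """Return the decoded fields, or raise ValueError on any malformed part."""
    m = REFERRAL_RE.fullmatch(ref)
    if m is None:
        raise ValueError(f"{ref!r} does not match DMISYYJJJNNNS")
    if m["s"] not in STATUS_CODES:
        raise ValueError(f"unknown status letter {m['s']!r}")
    year = 2000 + int(m["yy"])  # assumption: YY means 20YY
    jjj = int(m["jjj"])
    days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days  # 365 or 366
    if not 1 <= jjj <= days_in_year:
        raise ValueError(f"Julian day {jjj} is out of range for {year}")
    issue = date(year, 1, 1) + timedelta(days=jjj - 1)
    return Referral(m["dmis"], issue, int(m["nnn"]), m["s"])


def is_valid_referral_number(ref: str) -> bool:
    try:
        parse_referral_number(ref)
    except ValueError:
        return False
    return True


def parse_yyyymmdd(text: str) -> date:
    """Strict YYYYMMDD parse; date() itself rejects impossible values such as 20210231."""
    if not re.fullmatch(r"\d{8}", text):
        raise ValueError(f"{text!r} is not YYYYMMDD")
    return date(int(text[:4]), int(text[4:6]), int(text[6:]))


def validate_referral(ref_number: str, effective: str, expiration: str) -> dict:
    """Decode a referral and report whether it is retroactive (effective before issue date)."""
    ref = parse_referral_number(ref_number)
    eff = parse_yyyymmdd(effective)
    exp = parse_yyyymmdd(expiration)
    if exp < eff:
        raise ValueError("expiration date precedes effective date")
    return {
        "dmis": ref.dmis,
        "issued_by_sas": ref.dmis == "5203",
        "issue_date": ref.issue_date.isoformat(),
        "sequence": ref.sequence,
        "status": STATUS_CODES[ref.status],
        "effective": eff.isoformat(),
        "expiration": exp.isoformat(),
        "retroactive": eff < ref.issue_date,
    }


if __name__ == "__main__":
    # Constructed sample: SAS referral issued on day 060 of 2021 (1 March), sequence 042,
    # civilian care, effective 15 February 2021, so it is retroactive.
    print(validate_referral("520321060042C", "20210215", "20210531"))
```

The Julian-day bound is computed per year rather than fixed at 365 so that day 366 is accepted in a leap year and rejected otherwise; the same check catches the common transposition of a calendar day into the JJJ field.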
12.3  Data Elements
The following data elements include, but are not limited to, the elements required by SAS for determining whether to authorize civilian care. The SAS will return the data elements furnished by the contractor when responding to a request for authorization determination.
Data Element | Contractor To SAS | SAS To Contractor
Patient Name | X | X
Patient’s DOB | X | X
Patient’s Sex | X | X
Contact Date (for retroactive authorizations) | X | X
Service Member SSN | X | X
Service Member Branch of Service | X | X
Duty Status | X | X
PCM Location Code | X | X
DMIS-ID | X | X
Contractor’s Authorization Number | X | X
Effective Date of Authorization | X | X
*Not a Benefit | *If applicable |
**Not Medically Necessary | **If applicable |
***Provider Not Authorized | ***If applicable |
SAS Fitness-for-Duty Referral Number or Benefit Determination Number | | X
Effective Date of SAS Referral | | X
Expiration Date of SAS Referral | |
Status of Authorization (may be embedded number) | | X
Number/Frequency of Services Requested for SAS Referral | X | X
Diagnosis | X | X
Procedure Code Range | X | X
Type of Service | X | X
Place of Service | X | X
Free Text (for available clinical information) | X |
- END -