Standard Operating Procedure: DHA Contractor Onboarding

This Standard Operating Procedure (SOP) outlines the mandatory requirements and administrative workflow for onboarding contractor personnel within the Defense Health Agency (DHA). The objective is to ensure that all non-government personnel are properly vetted, provisioned with necessary access, and fully briefed on security protocols before commencing official duties. Adherence to these steps is critical for maintaining compliance with Department of Defense (DoD) cybersecurity standards and facility safety regulations.

Phase 1: Pre-Arrival and Vetting

Before an employee arrives on-site or begins remote work, the Contracting Officer’s Representative (COR) must ensure all prerequisites are met.

• Contract Verification: Confirm the individual is listed under a valid, active task order or contract.
• Background Investigation: Ensure the contractor has a favorable adjudication for the level of sensitivity required (e.g., Tier 1, Tier 3, or Tier 5).
• CAC Eligibility: Verify the contractor is registered in the Trusted Associate Sponsorship System (TASS) to facilitate Common Access Card (CAC) issuance.
• Required Documentation: Collect signed Non-Disclosure Agreements (NDAs) and verify proof of citizenship or work authorization.

Phase 2: Information Security and Access Provisioning

DHA systems require strict adherence to Identity, Credential, and Access Management (ICAM) policies.

• Cyber Awareness Training: Ensure completion of the annual DoD Cyber Awareness Challenge.
• System Access Requests: Submit DD Form 2875 (System Authorization Access Request) for every network, application, or database required for the role.
• Public Key Infrastructure (PKI): Assist the contractor in registering their CAC at the local ID office or RAPIDS station.
• Network Provisioning: Coordinate with the local IT service desk to establish the user account, email distribution list membership, and folder permissions.

Phase 3: Facility Orientation and Physical Security

Once digital access is secured, the contractor must be integrated into the physical work environment.

• Security Briefing: Conduct a site-specific safety and security briefing, including Emergency Action Plan (EAP) procedures and fire exit locations.
• Badge Issuance: If applicable, obtain a facility-specific badge for building ingress/egress.
• Equipment Issuance: Document the serial numbers of all government-furnished equipment (GFE) provided to the contractor via an Equipment Custody Receipt.
• Policy Acknowledgement: Provide and collect signatures for the local Rules of Behavior (RoB) and acceptable use policies.

Phase 4: Final Certification and Hand-off

• Manager Introduction: Introduce the contractor to their designated points of contact and team leads.
• Performance Metrics Review: Clearly communicate expectations regarding work hours, reporting cadences, and contract deliverables.
• Completion Log: Mark the "Onboarding Complete" status in the department’s master tracker for audit readiness.

Pro Tips & Pitfalls

• Pro Tip: Begin the TASS sponsorship process at least 30 days prior to the start date. CAC issuance is often the single biggest bottleneck in contractor onboarding.
• Pro Tip: Always verify that "Privileged User" status (if required) is explicitly justified in the contract. Granting unnecessary elevated access triggers audit findings.
• Pitfall: Do not allow a contractor to begin work prior to the completion of the background investigation. Working "under-vetting" is a severe compliance violation.
• Pitfall: Failure to track GFE serial numbers frequently leads to property accountability issues during fiscal year-end audits.

Frequently Asked Questions (FAQ)

1. Can a contractor start work with only a CAC "interim" pass? No. Contractors may only commence work once their background investigation is successfully initiated and preliminary security requirements are met, and they have been fully briefed on the DHA Rules of Behavior.

2. Who is responsible for renewing a contractor's CAC? The COR or the designated TASS sponsor is responsible for ensuring the contractor’s sponsorship is updated in the system prior to the CAC expiration date to prevent account lockout.

3. What should I do if a contractor leaves the project unexpectedly? Notify the IT Security office and the local Security Manager immediately to revoke network and physical access. Submit a departure report to the Contracting Officer (KO) within 24 hours to ensure contract compliance.