Streamline Identity Management Playbook

Edit this page

Step 6 - Streamline Contractor Processing


Although contractors may require similar access to federal employees, the methods and locations for collecting and maintaining their identity data are often very different. Digital identities for the contractor population can be challenging to manage due to a number of factors, including:

  • Managing identity data for contractors has not been required to support contracting business functions, unless required based on the nature of the contract.
  • Contractor information is often obtained through a variety of different processes and managed separately for individual resources when it’s collected to support access.
  • Many agencies don’t have existing authoritative sources for contractor identity data.
  • The contractor population is fluid, as individuals often change the projects, bureau/component, or agencies they are affiliated with.

To overcome these challenges, your agency should establish a process for managing contractor identity data for contractors who require identity credentials and access to agency resources.

Checklist

 Enhance on-boarding process. Your agency should replace manual, paper-based forms and processes with digital methods (e.g., digital signatures, online portals) wherever possible during the contractor on-boarding process. This process should be communicated and followed by all relevant parties so there’s no ambiguity in the way contractors are introduced into the agency.

 Minimize collection points. Within the streamlined on-boarding process, your agency should minimize the points at which contractor data is collected. If possible, there should be one step in the on-boarding process where contractors provide their identity data, such as the background investigation process. A single collection point will help eliminate redundancy, increase efficiency, and ease management of contractor information.

 Identity gaps in contractor data. After deciding where contractor information will be collected, your agency should compare the data elements to the Core Person Model and identify discrepancies. It’s beneficial for your agency to have consistent attributes across all groups within their population, so your agency should ensure they collect similar information from contractors when creating their digital identity.

 Create a single authoritative source. Usually, agencies don’t have a single authoritative source for contractors, which can make management of their data challenging. Your agency should establish an authoritative source for contractors by either creating a separate repository or tying it into an existing system that holds employee data (e.g., IDMS).

 Analyze options for data retention. Since contractors normally begin and end many different contracts while working with an agency, agencies should analyze their options for retaining contractor data after the contract ends. Your agency should determine a length of time for maintaining contractor data in their systems that is cost-effective and compliant with the Fair Information Privacy Principle of data minimization.

 Improve account and status change processes. Your agency should establish a process for making changes to contractor information that uses current workflows and business processes. Agencies could also consider implementing a self-service portal that allows authorized individuals to make changes to their identity information and status. This option could improve data integrity and reduce the burden on the agency‘s support staff.

 Enhance off-boarding process. Your agency should establish a streamlined process for managing contractor identity records as they end their work with the agency. This process should be communicated to and followed by all relevant parties so there’s no ambiguity in the way contractors are released from the agency. The responsibility for completing the off-boarding process should be assigned to a specific person (e.g., sponsor) or office (e.g., personnel security).

 Ensure PIV card collection. Contractors’ PIV cards must be collected during the off-boarding process. Not collecting a PIV card can have a number of negative impacts on the agency including security risks, inaccurate information on the status of their contractor population, and unnecessary costs for the management of their PIV card ($3 per month per card for the GSA Managed Service Office).

 Include Contract requirement. A requirement should be incorporated into contracts requiring that all government property, including PIV cards, be returned when the contract is completed.

 Develop policies. Your agency should establish a policy that details the approach for collecting and managing contractor identity data and communicate this policy across the agency and include it in all contracts