Code of Federal Regulations (Last Updated: October 10, 2024) |
Title 32 - National Defense |
Subtitle A - Department of Defense |
Chapter I - Office of the Secretary of Defense |
SubChapter F - Security |
Part 154 - Department of Defense Personnel Security Program Regulation |
Appendix J to Part 154 - ADP Position Categories and Criteria for Designating Positions
OMB Circular A-71 (and Transmittal Memo #B1), July 1978, OMB Circular A-130, December 12, 1985, and FPM Letter 732, November 14, 1978 contain the criteria for designating positions under the existing categories used in the personnel security program for Federal civilian employees as well as the criteria for designating ADP and ADP related positions. This policy is outlined below:
ADP Position Categories
1. Critical-Sensitive Positions
ADP-I positions. Those positions in which the incumbent is responsible for the planning, direction, and implementation of a computer security program; major responsibility for the direction, planning and design of a computer system, including the hardware and software; or, can access a system during the operation or maintenance in such a way, and with a relatively high risk for causing grave damage, or realize a significant personal gain.
2. Noncritical-Sensitive Positions
ADP-II positions. Those positions in which the incumbent is responsible for the direction, planning, design, operation, or maintenance of a computer system, and whose work is technically reviewed by a higher authority of the ADP-I category to insure the integrity of the system.
3. Nonsensitive Positions
ADP-III positions. All other positions involved in computer activities.
In establishing the categories of positions, other factors may enter into the determination, permitting placement in higher or lower categories based on the agency's judgement as to the unique characteristics of the system or the safeguards protecting the system.
Criteria for Designating Positions
Three categories have been established for designating computer and computer-related positions - ADP-I, ADP-II, and ADP-III. Specific criteria for assigning positions to one of these categories are as follows:
Category: ADP-I
Criteria:
Responsibility for the development and administration of agency computer security programs, and also including direction and control of risk analysis and/or threat assessment.
Significant involvement in life-critical or mission-critical systems.
Responsibility for the preparation or approval of data for input into a system which does not necessarily involve personal access to the system, but with relatively high risk for effecting grave damage or realizing significant personal gain.
Relatively high risk assignments associated with or directly involving the accounting, disbursement, or authorization for disbursement from systems of (1) dollar amounts of $10 million per year or greater, or (2) lesser amounts if the activities of the individual are not subject to technical review by higher authority in the ADP-I category to ensure the integrity of the system.
Positions involving major responsibility for the direction, planning, design, testing, maintenance, operation, monitoring, and/or management of systems hardware and software.
Other positions as designated by the agency head that involve relatively high risk for effecting grave damage or realizing significant personal gain.
Category: ADP-II
Criteria:
Responsibility for systems design, operation, testing, maintenance, and/or monitoring that is carried out under technical review of higher authority in the ADP-I category, includes, but is not limited to: (1) access to and/or processing of proprietary data, information requiring protection under the Privacy Act of 1974, and Government-developed privileged information involving the award of contracts; (2) accounting, disbursement, or authorization for disbursement from systems of dollar amounts less than $10 million per year.
Other positions are designated by the agency head that involve a degree of access to a system that creates a significant potential for damage or personal gain less than that in ADP-I positions.
Category: ADP-III
Criteria:
All other positions involved in Federal computer activities.