Standard Operating Procedure: DHA Contractor Onboarding

This Standard Operating Procedure (SOP) outlines the mandatory administrative, security, and technical requirements for onboarding contractor personnel to the Defense Health Agency (DHA). Ensuring strict adherence to these protocols is critical for maintaining compliance with Department of Defense (DoD) directives, protecting sensitive health information, and ensuring that contractors possess the necessary credentials to operate within the Military Health System (MHS). All project leads and Government Task Managers (GTMs) are responsible for the execution of these steps prior to the contractor’s first day of performance.

Phase 1: Pre-Arrival and Administrative Approval

• Verify Contractual Authority: Confirm the specific position is authorized under the active contract Statement of Work (SOW) and that funding is fully allocated.
• Submit Personnel Security Questionnaire: Initiate the background investigation request via the Defense Information System for Security (DISS) based on the required Public Trust or Secret clearance level.
• Obtain NIPRNet Access Sponsorship: Submit a completed DD Form 2875 (System Authorization Access Request - SAAR) to the Information System Security Manager (ISSM).
• Draft and Issue Common Access Card (CAC) Request: Prepare the contractor’s Letter of Authorization (LOA) through the Synchronized Pre-deployment and Operational Tracker (SPOT) system.
• Provision Equipment: Coordinate with the local IT Helpdesk to secure necessary hardware (laptop, monitor, peripherals) pre-imaged with the DHA standard build.

Phase 2: Security, Compliance, and Training

• Complete Mandatory Cyber Awareness Training: Require the contractor to complete the annual DoD Cyber Awareness Challenge.
• HIPAA and Privacy Act Training: Ensure completion of the specific DHA HIPAA/Privacy Act training modules required for all personnel handling protected health information (PHI).
• Non-Disclosure Agreement (NDA): Execute and file the DD Form 2981 (Basic Cryptologic/Personnel Security NDA) or local DHA equivalent.
• Establish Network Identity: Finalize the creation of the contractor’s DoD Enterprise Email account (mail.mil) once the identity is validated in the DMDC database.

Phase 3: Physical Access and Integration

• CAC Issuance: Direct the contractor to the nearest Real-Time Automated Personnel Identification System (RAPIDS) site for photo capture and CAC issuance.
• Facility Access: Coordinate with Physical Security to provision building badges or proximity card access.
• Workstation Setup: Verify connectivity to the DHA domain, printer access, and necessary software application permissions.
• In-Processing Briefing: Conduct an orientation covering local emergency procedures, MHS culture, communication protocols, and direct reporting structure.

Pro Tips & Pitfalls

• Pro Tip: Start the DISS investigation process at least 45–60 days before the projected start date. Delays in NACLC or Tier-1 background checks are the primary cause of onboarding bottlenecks.
• Pro Tip: Maintain a digital "Onboarding Binder" for each contractor containing copies of their LOA, SAAR, and training certificates. This is essential for external audits.
• Pitfall: Overlooking "Privileged User" requirements. If the contractor needs administrative rights, a separate, more rigorous training and approval cycle is required by the ISSM. Do not assume general access covers administrative permissions.
• Pitfall: Failure to deactivate accounts. Establish a clear "offboarding" trigger with HR to ensure that once a contract expires, all network and physical access is terminated within 24 hours.

Frequently Asked Questions

Q: Can a contractor start work while waiting for their CAC to be issued? A: Generally, no. Without a CAC, a contractor cannot authenticate into the DHA network. Exceptions are rare and require an "Emergency Interim Access" waiver from the local Security Office, which is highly restricted.

Q: Does the contractor need to re-take DHA training if they just came from another DoD agency? A: Yes. While some training may be transferable, DHA often requires agency-specific HIPAA and Rules of Behavior modules that must be completed under the DHA domain.

Q: Who is responsible for verifying the contractor's credentials (licenses, certifications)? A: The prime contractor is responsible for the initial verification, but the Government Task Manager (GTM) must perform a final audit of these documents during the onboarding phase to ensure compliance with SOW requirements.