Section 27 (Use of Information Technology Systems) on the Questionnaire For National Security Positions (SF-85/86), specifically under the first question “Unauthorized Access”, asks “…have you illegally or without proper authorization accessed or attempted to access any information technology system?”
What is meant by “…without proper authorization…”? I think I understand the difference between “unauthorized” access versus “authorized” access; but, what is “proper” authorization? The Computer Fraud and Abuse Act (CFAA) of 1986 (18 U.S.C. § 1030) through Federal Circuit court cases have opined and defined “Unauthorized Access” essentially as “outside hacking” and “Exceeds Authorized Access” as “inside hacking” where one may have some credentials to initially get into a system, but then circumvented a technological barrier and had to internally hack their way in further, or use someone else’s credentials to gain further access. Most Federal agencies require the use of a Common Access Card (CAC) or Personal Identity Verification (PIV) credential to first be used to initially enter a government computer, and then many agency IT systems (i.e. websites) limit access only to government-issued computers with a registered agency network IP address. So, if employee uses their CAC/PIV to get into the government computer and then uses their authorized username/password to access an agency website (IT system), isn’t that all with “proper” authorization, or at least until the agency revokes the employee’s authorized credentials (username/password) and/or CAC/PIV?
If you use your CAC/PIV to access a system you are authorized to use, this is authorized access.
If you use someone else’s CAC/PIV to access the same systems, this is unauthorized access.