DPSAC News Header

November 2, 2011 issue of the DPSAC NEWS

In This Issue
HHS ID Badge Rollout Scorecard
Helping New Hires Sail Through Their First Day at NIH with Early and Accurate NED Entry
Exercise Care When Selecting or Changing a Position Title in NED
Using an HHS ID Badge as Collateral Constitutes Inappropriate Use - With One Exception
New PIV Card Certificates? Now What?
NED Training Schedule for December, 2011
Helpful Tips
Safety Corner
News Briefs



Contact Us


Division of Personnel Security and Access Control


Personnel Security 

Helpdesk: 301-402-9755

e-QIP: 301-402-9735

Appointment Line: 301-496-0051

E-mail: orspersonnesecurity@ 



Access Control

Helpdesk: 301-451-4766

E-mail: facilityaccesscontrol@ 


 DHHS Logo gif   NIH Logo gif   ORS Logo gif - no text    

HHS ID Badge Rollout Scorecard


Here are the most recent NIH badging statistics provided by HHS as of October 28, 2011.  


Sponsored: 39,275    Enrolled: 38,363   Issued: 37,943 *


*This figure represents 96.6% of individuals who have been sponsored.


         ID Badge Rollout Pie Chart 10-28-11
              ID Badge Rollout Table 10-28-11

Helping New Hires Sail Through Their First Day at NIH with Early and Accurate NED Entry

Entering new employees into NED before they arrive for their first day of work brings a number of time saving benefits, not only to the new hires, but also to their ICs, DPSAC and the NIH.


Benefits for the new employees

Early and accurate NED entry can leave a positive impression on new NIH employees. The sooner an AO can enter a new hire's information into NED, the sooner that person can be fingerprinted and issued an ID badge.  


Usually, if the new employee gets fingerprinted before she shows up for her first day of work, DPSAC can expect to receive the fingerprint results before EOD and can issue the HHS ID Badge on EOD day. DPSAC recommends that AOs enter individuals into NED at least two weeks ahead of their EOD whenever possible.


Also, once the individual is entered into NED, there are a number of other NIH services in addition to the PIV process that the individual will have access to, including obtaining an Active Directory account and mailbox. Other NIH services requiring a NED presence include parking hangers, Transhare, NIH Library privileges and VPN remote access.  


In short, once individuals are entered into NED, they can avail themselves of these and other services in a matter of hours instead of the days or weeks it might take if they have to wait to be entered into NED and/or wait to be issued their HHS ID Badge.


Benefits for DPSAC and NIH

If the new employee fills out and submits the e-QIP questionnaires and any other background investigation forms before their EOD, DPSAC will be able to initiate a background investigation even before the person arrives for their first day of work.


ICs should note that NIH is assessed the charges for a background investigation when OPM schedules the investigation.  OPM will not schedule the investigation until ALL forms are completed.


Exercise Care When Selecting or Changing a Position Title in NED


DPSAC wants to remind AOs that selecting the correct position title and the corresponding sensitivity level in NED must be done carefully since these selections drive the type of background investigation that will be conducted for that individual.  


AOs not sure what position the person will be occupying or what position is most appropriate should check with the person's project officer or supervisor before entering the position title into NED.   


Selecting the correct position title and corresponding sensitivity level ensures that the IC will be charged the correct investigation price and that the individual will complete the appropriate paperwork. 


DPSAC wants to caution AOs to avoid arbitrarily changing an individual's position title. Since a new position title may have a different sensitivity level associated with it, the change may trigger a new investigation, requiring new forms as well as additional charges to the IC.  


Note: if you change the position title in NED but the corresponding sensitivity level remains the same, there won't be a new background investigation. A new background investigation will be triggered only when that sensitivity level is changed to a different level.


Costs for the five most commonly ordered investigations at NIH are listed in the table below. As you can see, selecting the wrong position title (and corresponding sensitivity) level can trigger a background investigation requiring unnecessary additional paperwork and costing hundreds and even thousands of dollars more than was required.  


Remember, if you're not sure which position title is most appropriate, double check with the person's project officer or supervisor first. If you're still unsure, you should check with DPSAC's Personnel Security Help Desk for assistance. Not every position title is listed in NED.   


Bkgrd Investigation Table 5 by Cost  

Using an HHS ID Badge as Collateral Constitutes Inappropriate Use - With One Exception


The October 5, 2011 issue of DPSAC News reprinted an e-mail from NIH Chief Security Officer Dr. Alfred Johnson to ORS and ORF staff about "Misuse of the HHS ID Badge" and the serious consequences that come with lending out one's ID Badge.  


As a result of that article DPSAC News received an interesting inquiry from a reader asking whether the practice of requiring users to leave their HHS ID Badge as collateral in exchange for a key to a conference room violates some policy.


The answer is yes, it does violate policy. DPSAC Director, CAPT Theresa Minter responds: "When each employee or contractor is issued a badge they agree to have the card in only their possession and not to share cards or access.  Additionally, they receive a copy of what they agreed to when they leave the badge issuance office.   


We can never emphasize enough the need to take the PIV badge serious and protect it as you would your computer password or government laptop," CAPT Minter concludes.  


NIH Manual Chapter 2811 - NIH Policy on Smart Card Authentication spells out this policy (see: http://oma.od.nih.gov/manualchapters/management/2811/ : Section G (Responsibilities), Paragraph 3):


"NIH Staff are responsible for maintaining possession of their smart cards and protecting the confidentiality of the private PKI keys contained on the smart cards."


An exception to the rule

NIH employees with Building 33 access privileges on their NIH ID badge will utilize this ID to gain access to the building.


NIH employees who do not have access privileges on their ID Badge for Building 33 will be treated as visitors.  


If the employee does not have a picture ID he/she will not be granted access into the building.


Law enforcement/Security personnel at Building 33 are authorized to take temporary custody of an HSPD-12 Badge (the HHS ID Badge) in exchange for a Temporary Building 33 Badge.


New PIV Card Certificates? Now What?  


DPSAC News has been beating the drum recently to make sure everyone understands that their expiring or expired PIV Card certificates need to be updated or reissued. All of this energy to make sure that everyone's certificates are up to date does indeed have a purpose.  


For now, up-to-date PIV Card certificates are required not only for those who must use their HHS ID Badge to login to their government computers [e.g., AO Sponsors, all users of the NIH remote access Virtual Private Network (VPN)], but also for individuals who want to receive encrypted e-mail and/or to digitally sign their e-mails.


Eventually, up-to-date certificates will take on a much larger role as the Federal government moves toward two factor authentication for logical access for all Federal agencies, including NIH.*


In the August 10, 2011 issue of DPSAC News, an article on 'Key Recovery' explained how cardholders with valid PIV Cards and certificates could log into the HHSIdentity PIV Portal via an HHSNet connection and recover current or expired certificates.  


Once your certificates have been updated and/or your old certificates have been retrieved, there are still a few steps you'll need to complete before you can begin receiving encrypted e-mails or digitally signing your e-mails.


Receiving Encrypted E-mail

To continue to receive encrypted e-mail with your new certificates, you must: 

  • Make sure the SENDER has updated their local contacts list with your new certificates. This can be accomplished by having the sender update your contact information from the GAL or by sending them a digitally signed e-mail which they would then use to update your contact information.


Reading Old E-mails

You can continue to read old encrypted e-mail even if the certificates that were used to originally encrypt that e-mail have long since expired or been revoked. All that's needed to read the old e-mail is a copy of your previous digital certificate and associated private key. Click here for instructions on how to obtain prior copies of your smart card certificates.


For more information about working with certificate updates, visit the OCIO website at: http://www.smartcard.nih.gov/PIV_update.htm#CONFIGURE  


* With dual- or two-factor authentication, two independent items of authentication are used to prove that the individual is an authorized user of the system. The two items used are: (1) something the user has [e.g., the PIV Card/HHS ID Badge or SecureID token]; and (2) something the user knows [e.g., the PIN associated with the PIV Card/HHS ID Badge.]    


NED Training Schedule for December, 2011


The HSPD-12 Program Office is offering four classes in December for NED beginners and experienced NED users. Take advantage of this opportunity to quickly master NED in a hands-on computer lab environment.


NED for Beginners
    Date: Thursday, December 1, 2011

    Time:  9 a.m. - 12:00 p.m.

    Location: Building 12A, Room 49/51


    Date:  Monday, December 19, 2011

    Time:  9 a.m. - 12:00 p.m.

    Location:  6120 Executive Blvd., Room 2 (EPS)    



NED for Advanced Users
   Date: Thursday, December 1, 2011

   Time:  1:00 p.m. - 4:00 p.m.

   Location: Building 12A, Room 49/51


   Date:  Monday, December 19, 2011

   Time:  1:00 p.m. - 4:00 p.m.

   Location:  6120 Executive Blvd., Room 2 (EPS)


Contact Lanny Newman at newmanl@mail.nih.gov to reserve a space. In your e-mail, provide Lanny with your name and IC and which course you would like to attend. Sign up soon to ensure your place in the class. Seating is limited.

Helpful Tips 


No Need to Miss a Single Issue of DPSAC News-- if you know someone who would benefit from receiving DPSAC News, just have that person send a request to be added to the DPSAC News listserv along with his/her e-mail address to: newmanl@mail.nih.gov.


Also, all past issues are posted on the ID Badge website (now found at: http://www.ors.od.nih.gov/ser/dpsac/resources/newsletter/Pages/newsletter.aspx). 



Remembering your PIN -- When you are issued your HHS ID Badge, or when you go for a PIN reset, you are advised to select a PIN that will be easy to remember. Unfortunately, if you don't have occasion to use your PIN on a regular basis, the more likely it is you will forget it.  


One way to ensure that you are using your PIN regularly is to make it your code for retrieving voicemails or accessing your ATM.  


The more opportunities you have to use your PIN, the easier it will be to remember.


Also, if your card reader and software are currently installed on your desktop, consider using dual factor authentication now. You'll be computing in a more secure IT environment and, of course, you'll be using your PIN on a regular basis.*

 With dual- or two-factor authentication, two independent items of authentication are used to prove that the individual is an authorized user of the system. The two items used are: (1) something the user has [e.g., the PIV Card/HHS ID Badge or SecureID token]; and (2) something the user knows [e.g., the PIN associated with the PIV Card/HHS ID Badge.]  

Safety Corner

The following fire safety awareness article was prepared by the ORS Division of the Fire Marshal.


Play it Safe When Using Space Heaters in NIH Buildings


Space HeaterEach year at this time, questions arise concerning the use of space heaters at NIH owned facilities. The guidelines that follow below do not pertain to NIH leased facilities. Please be aware that if you work in a leased facility, there may be more stringent requirements from the building owner and/or local fire-safety "Authority Having Jurisdiction."  


Please check with your Office of Research Facilities (ORF) Facility Manager (http://orf2.od.nih.gov/AboutORF/BuildingsandFacilityManagers.asp) before purchasing or using a space heater in any NIH leased facility.


Before a space heater can be considered for an NIH-owned facility, any difficulties in regulating or maintaining a comfortable temperature must first be directed to ORF to have a building engineer attempt to make mechanical adjustments to the heating system.  


If it is determined by ORF that an area cannot be adequately heated, written approval will be provided by the ORF Facility Manager assigned to the building to support the purchase and use of a space heater in designated areas only.


Space heaters are not permitted, under any circumstances, in laboratories, patient care units, or clinics.


Prior to installing any space heater, ORF must also verify that the electrical service to the area is adequate to safely accommodate the heater. Space heaters can easily overload electrical circuits in a building, therefore, additional circuits may need to be installed.  


If electrical work is required, the occupant's IC should initiate a work request. If ORF has available funds and it is clear the building is not capable of providing reasonable levels of heat (70 degrees) in that particular room, ORF will fund the electrical work.


The Division of the Fire Marshal, Office of Research Services, does not endorse any particular brand or manufacturer of space heaters; however, a convection-type heater is preferable.


Convection models slowly warm the air around them and pose less of a burn hazard since their surface temperatures are generally lower. Prior to purchasing the heater, be sure that the unit has been tested by an approved testing laboratory such as Underwriters Laboratory (UL) and is equipped with ALL of the following features to minimize fire hazards typically associated with these devices:


* A multi-directional tip-over switch - space heaters can easily tip over. This switch automatically turns off the unit regardless of which way it may fall.


* An overheat sensor - this sensor limits the heat output of the space heater and automatically turns off the unit if it becomes too hot.


* A visible on/off indicating switch and light.


Proper placement of the space heater is important for safety as well as for comfort. Make sure the unit is placed on a hard, non-combustible surface instead of carpet. All combustible materials (e.g., paper, plastics, wood, etc.) must be stored at least three feet away from the heater. The power cord must not be covered by carpeting or other materials and extension cords should not be used.  


Electrical current used for space heaters can cause extension cords to overheat and potentially cause a fire. Plug the space heater directly into a properly grounded outlet.


Never leave the heater in operation when an area is unattended/unoccupied.


If you have questions concerning the selection and use of space heaters, please contact the Division of the Fire Marshal, Office of Research Services at 301-496-0487.


News Briefs   

HSPD-12 Department Database (SCMS) Modified to Accept Expanded Social Security Number Area Designations


Prior to June 25, 2011, a valid Social Security Number (SSN) could not have an area number between 734 and 749, or above 772, the highest area number which the Social Security Administration (SSA) allocated.  


Effective June 25, 2011 the SSA began assigning SSNs randomly and now allow for the assignment of area numbers between 734 and 749 and above 772 through the 800s.  


The Indian Health Service reported that this change created a problem in Albuquerque, NM. Corrections are being made to the SCMS that will enable the system to accept these expanded SSN designations.




 Card ReaderQ.  How do I go about obtaining a card reader for my computer?


A. The Information System Security Office (ISSO) for  

each IC is responsible for assuring that all Employees, Contractors and Affiliates are supplied with a card reader at their desktop and/or laptop.


ICs are responsible for purchasing whatever card readers are needed.  


The designated Information Systems Security Officer (ISSO) for your IC is posted on the OCIO website at:    



A biweekly e-newsletter from the Office of Research Resources, Division of Personnel Security and Access Control (ORS/DPSAC) to keep you informed as NIH rolls out "Homeland Security Presidential Directive 12" (HSPD-12) establishing a common identification standard to better safeguard NIH and its workforce.