DPSAC News - Year in Review
Some of the headlines from past issues of DPSAC News in 2011. Clicking on the date will take you to that issue of the newsletter.
January 12, 2011
Tracking Smart Card Certificate Renewal Deadlines
Smart card subscribers receive an e-mail notification from HHS 60 days before their digital certificates expire informing them that they need to update their HHS ID Badge (Smart Card).*
ICs can now track the certificate status for individuals in their organization. This information can be helpful when planning appointments with local Lifecycle Work Station (LWS) operators who will be renewing the certificates on site.
The HHS notification mentioned above does not apply to the renewal of software certificates (i.e., certificates NOT stored on the Smart Card). Individuals who need to update their software certificates should follow the instructions posted at: http://pki.nih.gov/PKI_request.htm.
NIH Director Francis S. Collins, M.D., Ph.D., recently sent the following notice to all NIH Employees announcing availability of a new "Guide for Identifying and Handling Sensitive Information at the NIH."
The Department of Health and Human Services (HHS), Office of Management and Budget (OMB), and Federal Information Security Management Act (FISMA) require implementation of stringent controls to protect the confidentiality, integrity, and availability of sensitive information.
In an effort to assist the NIH community in using good judgment to protect information considered to be "sensitive," we have produced the Guide for Identifying and Handling Sensitive Information at the NIH, which can be found at the following link: http://ocio.nih.gov/security/NIH_Sensitive_Info_Guide.pdf
First NED Classes of 2011 -- Date: January 28, 2011
January 26, 2011
Shortened Operating Schedule for Clinical Center Enrollment Station
The Enrollment Station located in the Clinical Center South Lobby (Room 1C52) will no longer offer enrollment appointments on Tuesdays and Thursdays; enrollment appointments will continue to be available Monday, Wednesday and Friday.
It is still possible to make HHS ID Badge Issuance appointments Monday through Friday at the Clinical Center Badging Center (South Lobby, Room 1C52).
Do You Know Your PIN? Countdown Begins for Logical Access
DPSAC is preparing for a possible rush of PIN resets at its Badge Issuance stations as IC's prepare to ready their computers and laptops for the eventual migration to 'logical access.'
February 9, 2011
Revoking Legacy Badges of Individuals Who Have Not Received an HHS ID Badge
The HSPD-12 Program Office reports that hundreds of NIH staff who require an HHS ID Badge have not completed enrollment and/or badge issuance. The Program Office will soon begin notifying these individuals by e-mail that they will have 30 days to complete the enrollment and badging process or their NIH legacy badge will be revoked. Once this action is taken, the badges can no longer be used to gain access to NIH facilities. Individuals who are not required to receive HHS ID Badges (e.g., Extended Visitors, Service Providers) will not be affected.
Department Revises HHS 207 Form (Request for Security Clearance)
The Office of the Secretary/Office of Security and Strategic Information (OSSI) recently announced that the HHS 207 Form, "Request for Security Clearance," has been revised. The Department is in the process of updating the OSSI intranet site to add this revised form.
February 23, 2011
Follow these three important steps when processing individuals who are leaving NIH service -- (1) Deactivate the person's NED Record; (2) Collect the person's HHS ID Badge (or NIH Badge); (3) Send the Badge to DPSAC.
If the individual leaving NIH still has outstanding travel reimbursements through GovTrip, please be sure to leave their NED record active until all reimbursements have been completed. Deactivating the NED record prior to completing travel reimbursements will halt the GovTrip process prematurely.
March 9, 2011
Two New Classifications in NED: Collaborator (Clinical) and Collaborator (Non-Clinical)
NED will soon add Clinical and Non-Clinical Research Collaborators to its selection of classifications to reflect the NIH Architecture Review Board's recent approval of these new categories. The new classifications will appear following the release of NED v2.9, tentatively scheduled for release on April 18, 2011.
March 23, 2011
OPM Provides Guidance on Investigation Policy for Minors
Is it ok to conduct background investigations on students under the age of 18 (minors). Until now, the rules were unclear. Some sources have indicated that it is OK to conduct background investigations on minors as long as parental consent is given. Others have said that you cannot conduct an investigation on a person under age 18.
The OPM's Agency Systems and Liaison Branch Investigative Services recently provided the following guidelines: "OPM will accept investigative requests for individuals age 16 and up. (OPM) does not define any 'parental signature' requirement."
"...[T]he scope of our investigations will only go back to subject's 16th birthday so if a subject is 17 years old and the investigation is a 5-year coverage period, you would not get the full 5 years of coverage as we can only go back to the 16th birthday."
ID Badge Re-Issuance Procedures Guide Distributed to AO Sponsors
The HSPD-12 Program Office recently sent out an easy-to-use reference guide, "ID Badge Re-Issuance Procedures," to all IC Executive Officers for distribution to their AO Sponsors. This handy quick-reference Guide explains how to go about replacing an HHS ID Badge (Smart Card) under various circumstances: Lost or Stolen Badge; Classification Changes; Badge Renewals; Broken or Damaged Badge; and, Name Changes.
April 6, 2011
Revised Standard Form 86 Implementation
In March 2010, the Office of Management and Budget approved the revised version of the Standard Form (SF) 86, Questionnaire for National Security Positions. The revised (form) was loaded into the Electronic Questionnaires for Investigations Processing (e-QIP) system on December 17, 2010, and is now available to other investigation service providers (ISP). The 2010 revised SF 86 will be available in e-QIP to OPM customer agencies in the spring of 2011, following training and advance coordination.
The SF 86 revisions include expanded or branching questions that allow applicants to provide more complete and accurate information about their backgrounds.
Request Goes Out to Temporarily Remove Security Freezes on Credit Information
The Office of Personnel Management (OPM), Federal Investigative Services Division (FISD), has experienced an increase in the number of national credit bureau checks that are unobtainable due to individuals of investigation placing a security freeze on their credit file. When OPM-FISD is unable to obtain a tri-bureau credit report due to one, two, or all three bureaus having a security freeze, the overall effect is an incomplete investigation.
In order to ensure the quality of OPM's investigative products, effective immediately, if you have a security freeze in place, it must be temporarily lifted prior to submission of the e-QIP to the DPSAC office.
Only individuals in positions of public trust or higher are being asked to temporarily lift the security freeze on their credit file to national credit bureau checks to enable the extra coverage that is required for these positions."
April 20, 2011
DPSAC to Accelerate the Initiation of Background Investigations for NIH Staff
Now that DPSAC has issued HHS ID Badges (smart cards) to all NIH staff, it is moving on to the next phase of HSPD-12 implementation. One of the important pieces is the completion of background investigations on all NIH staff that do not have a current investigation on file at the appropriate level [per Executive Order 10450 and Homeland Security Presidential Directive 12 (HSPD-12)].
NED Version 2.9 Goes Live
An updated version of NED, NED v. 2.9, went live on Monday, April 18. The NED Project team reports that the new release introduces new features requested by NED users, the Division of Personnel Security and Access Control (DPSAC), the Office of Intramural Research (OIR), and the Division of Amenities and Transportation Services (DATS) along with fixes for defects identified in the current version of NED.
May 4, 2011
Badging Authority by Classification Table and NIH 2866 Instructions Updated
The new NED v2.9 brings many new enhancements and fixes, including the addition of the new "Collaborator" classification for which there are two variations: "Clinical" and "Non-Clinical."
The expanded "NIH Badging Authority by Classification Table" is now posted online at: http://www.idbadge.nih.gov/policies/docs/PositionCategory041511.pdf. Also, the instructions for the NIH 2866 have been updated to reflect these changes and are posted in NED.
ORS Is New Host to ID Badge Website
Starting at the close of business on Thursday May 5, 2011, the "IDBadge.nih.gov" domain name will be moving to ORS where it will become part of ORS' newly revamped public-facing website. The re-designed ORS website makes navigation simple and intuitive, allowing users to find ORS services easily, including information about DPSAC and the ID Badge.
Users of the ID Badge website may continue to access the site via the existing http://idbadge.nih.gov domain name.
May 18, 2011
DPSAC Asks ICs to Boost LWS Use to Avert Renewal Backlog
DPSAC is concerned that significant backups and delays are coming unless ICs begin stepping up use of the Lifecycle Work Stations they purchased. Only about one third of the 70 LWSs purchased and deployed by ICs were used in April for renewing expiring certificates. As the number of expired certificates grow, so will the lines at DPSAC's badge issuance stations.
June 1, 2011
Help DPSAC Reduce Paper Consumption - Avoid Faxing Unnecessary e-QIP Documents
DPSAC is approaching full automation of the investigations process that will eliminate the need for most paper. Currently, however, customers who are faxing in their e-QIP forms to DPSAC are including many unnecessary pages that eventually wind up in the shredder. Customers can help DPSAC eliminate this unnecessary blizzard of paper by faxing only the necessary attachments and NOT faxing the investigation questionnaire itself.
NIH HSPD-12 Helpdesk Transitions to HHS-Wide HSPD-12 Helpdesk
Beginning Wednesday June 1, 2011, the NIH HSPD-12 helpdesk will transition to an HHS-wide HSPD-12 helpdesk. Any and all requests regarding IDMS portal functions, Card Issuance Station (CIS) operations, Lifecycle Workstation (LWS) operations, and Enrollment Workstation (EWS) Operations should be directed to: HHSIdentityAdmins@deloitte.com or 571-249- 2273.
The NIH administrative community should understand that general badge inquiries should still be directed to the DPSAC helpdesk at 301-402-9755. If needed, DPSAC will escalate your issue to the HHS Identity helpdesk or appropriate personnel.
HHS Revises Notification to Renew HHS ID Badge (PIV Card) Certificates
The Department of Health and Human Services (HHS) recently updated the NIH certificate renewal notification that it sends to NIH holders of the HHS ID Badge (PIV card) whose certificates are about to expire.
In accordance with FIPS 201 guidance, HHS PIV cards (HHS ID Badges) may be valid for up to five years after issuance. However, HHS policy allows certificates on the PIV cards to be valid for no longer than three (3) years.
This difference in validity durations between the PIV card and the certificates on the card necessitates the need for a Cardholder to bring their valid PIV card (HHS ID Badge) to an Issuance Station to have their certificates renewed (replaced) before the certificates expire.
The proposed solution to this situation is to begin sending "certificate expiration notifications" to the PIV Cardholders (HHS ID Badge holders) starting six (6) weeks prior to the certificate expiration date. These... e-mails...will alert the Cardholder of the impending expiration and provide OPDIV-specific directions on how to get their certificates renewed.
June 15, 2011
PIV Card/HHS ID Badge To Be Required For All VPN Remote Access User Logins
Beginning July 11, 2011, all users of the NIH remote access Virtual Private Network (VPN) will be required to use their PIV Card (HHS ID Badge) to login to the VPN.
June 29, 2011
Are You Ready for 2-Factor Authentication?
By now, all NIH Employees, Contractors and Affiliates should have completed their 2011 NIH Information Security Awareness Annual Refresher training that included information about 2-Factor Authentication. Below are excerpts from this training module to help ensure that everyone with access to the NIH network is optimally protected from cyber attacks.
Various Federal requirements and directives are driving a transition toward the use of 2-factor authentication - a more secure user authentication than passwords alone. This means that you will need two things to access a system: 1. Something you know, like a PIN; 2. Something you have, like a PIV Card (HHS ID Badge)
ICs have already transitioned their staffs to require this type of authentication for remote access VPN. (described in this issue of DPSAC News). You can expect an increasing number of systems will soon require two-factor authentication.
July 13, 2011
PIV Card/HHS ID Badge Now Required For All VPN Remote Access User Logins
As of July 11, 2011, all users of the NIH remote access Virtual Private Network (VPN) are required to use their PIV Card (HHS ID Badge) to login to the VPN.
ID Badge Reissuance Procedures "Quick Reference Guide" Posted Online
The ID Badge Reissuance Procedures "Quick Reference Guide" is now viewable online under the "What's New" section of the ID Badge main page: http://www.ors.od.nih.gov/ser/dpsac/Pages/Home.aspx.
August 10, 2011
The 'Key' to Accessing Encrypted E-Mails With Your New Badge or Certificate
'Key' - A cryptographic key allows a cardholder to encrypt and/or digitally sign e-mails, thereby enhancing security and confidentiality. Keys, associated with certificates, are stored on the integrated circuit chip of the HHS ID Badge (Smart Card).
If you've been issued or re-issued a new HHS ID Badge (Smart Card) or you've renewed your Smart Card certificate, there are still some steps you'll need to take so that you can read old e-mails that were encrypted with an earlier certificate or read encrypted e-mails on external devices such as a Blackberry.
Those steps, known collectively as 'Key Recovery,' allow cardholders with valid PIV Cards (HHS ID Badges) and certificates, a card reader and applicable software, to log into the HHSIdentity PIV Portal via an HHSNet connection and recover current or expired certificates.
HHS To Disable Inactive AMS Accounts
Due to a recent upgrade in the HHS Access Management System (AMS), HHS has begun sending out e-mail messages to any user who has not logged into their AMS account in the past 60 days. If more than 60 days have passed since the user last logged in, their AMS account will be "disabled," preventing the person from using AMS Service.
August 24, 2011
DPSAC News Getting a 'Facelift'
Starting September 7, 2011, DPSAC News will begin publishing on a more robust platform to offer our subscribers an enhanced reading experience. Readers will notice the addition of graphics and other visual elements along with dynamic links to help us tell the story better.
September 7, 2011
OPM Publishes 2012 Investigations ... Policy Changes
Notice No. 11-07: "Discontinuing the 2008 Standard Form (SF) 86; Implementing the Fully Electronic 2010 SF86"
Effective October 1, 2011, OPM will be removing the ability to initiate new Electronic Questionnaires for Investigations Processing (e-QIP) requests on the 2008 SF 86, and paper or hardcopy submissions of the 2008 version will no longer be accepted (unless previously submitted and returned as unacceptable).
The 2010 SF 86 includes branching questions that expand based on the applicant's responses, asking for more detailed information.
September 21, 2011
HHS Sending Out "Action Required" E-mails to Renew Digital Certificates
The Department of Health and Human Services (HHS) recently began sending "certificate renewal notifications" to HHS ID Badge holders (PIV card holders) starting six (6) weeks prior to the certificate expiration date. These notifications alert the cardholder of the impending expiration and provide directions on how to renew certificates.
October 5, 2011
Pharmacy Is First Clinical System in the Clinical Center to Use HHS ID Badge for Logical Access
The Clinical Center Pharmacy Department has begun requiring staff to use their HHS ID Badges (Smart Cards/PIV Cards) to access government computers.
Lending Your HHS ID Badge Comes With Serious Consequences
The following message from Dr. Alfred C. Johnson, Director of ORS and Chief Security Officer for NIH, which went out to all ORS and ORF staff on September 15, 2011, underscores the serious consequences that come with allowing others to use your ID Badge. Dr. Johnson's e-mail is excerpted below:
Several recent incidents have occurred where individuals have allowed unauthorized personnel to fraudulently use their personal identification badge to access the NIH campus and buildings.
The practice of sharing your badge to either expedite someone's campus access or to intentionally bypass the required security checks is a felony offense of 18 U.S.C., part 499 punishable by up to 5 years imprisonment and a substantial fine. Four individuals have been arrested and are currently facing felony prosecution.
October 19, 2011
Online Appointment System Goes Live for HHS ID Badge Certificate Renewals
Making an appointment to renew your HHS ID Badge (PIV card) certificates just got a little easier with the recent modification to the Background Information Tracking System (BITS). This modification allows users to create appointments from their desktop or laptop.
An AO receiving an applicant's request for a certificate may refer the applicant to the NIH online scheduling system link:
GAO Study Reveals Government Information Security Incidents Up by 650% in Past 5 Years
November 2, 2011
Helping New Hires Sail Through Their First Day at NIH with Early and Accurate NED Entry
Entering new employees into NED before they arrive for their first day of work brings a number of time saving benefits, not only to the new hires, but also to their ICs, DPSAC and the NIH.
Exercise Care When Selecting or Changing a Position Title in NED
DPSAC wants to remind AOs that selecting the correct position title and the corresponding sensitivity level in NED must be done carefully since these selections drive the type of background investigation that will be conducted for that individual. AOs not sure what position the person will be occupying or what position is most appropriate should check with the person's project officer or supervisor before entering the position title into NED.
November 16, 2011
Updated e-QIP Will Streamline PIV Process, Reduce Applicant Confusion (Hopefully)
OPM will soon release a new version of eQIP (v. 3.0) that will offer expanded functionality and performance and should take some of the confusion out of the personal identity verification (PIV) process for applicants.
One of the more significant changes will enable users to digitally sign e-QIP documents. This welcome feature will eliminate the laborious and time consuming process that required the applicant to print various documents, sign them, and then, upload them or mail/fax them to DPSAC....
Prevent Inadvertent NED Record Auto-Deregistration
(from NED News 'Tip of the Month,' October/November 2011 Vol. II)
The NED support team receives many questions regarding how to prevent a NED record from being auto-deregistered. A NED record can be auto-deregistered by the not to exceed (NTE) date or a change in an external "authoritative source."
November 30, 2011
OPM Sets Reinvestigations at Every 5 Years for 'Public Trust' Feds
Starting Dec. 9, agencies will have to reinvestigate employees in "public trust" positions every five years.
The rule identifies public trust positions as those that are "designated at a moderate or high risk level, based on the position's potential for adverse impact on the efficiency or integrity of the service."
December 14, 2011
PSC Regional Offices Now Offer Enrollment, Badge Issuance and Certificate Renewal Services to NIH Personnel
The NIH has contracted with the Program Support Center (PSC) to offer badging services at its Regional Offices to NIH personnel located around the country. This arrangement provides a solution for the many individuals who require enrollment or badge issuance services as well as certificate re-certifications, but travel to DPSAC's facilities in Bethesda or other satellite locations would be impractical.
e-QIP 3.0 Scheduled to Deploy in January, 2012
OPM recently announced that it will move the delivery date for e-QIP 3.0 from December 4, 2011 to January 22, 2012. According to OPM, the additional time "will ensure appropriate connectivity and technical testing is completed." E-QIP version 3.0 is a full system upgrade that involves changes to OPM hardware, servers, databases, and all of its connection points.
Throughout 2011 DPSAC News ran timely safety stories prepared by Security and Emergency Response Divisions for the protection of the NIH community and their families. Below is a sampling of headlines to these stories.
- Spot Common Fire Safety Hazards in the Workplace
- Get the Cold Facts about Winter Safety
- NIH's Police Canine Unit - Protecting the NIH Workforce Ice Safety
- Strange Odor in the Workplace? Know Who to Call for Help!
- Fire Safety Tips for Using Microwave Ovens
- Staying Safe When Using Your Propane-Fueled Barbecue Grills
- Enjoy Fireworks the Safe Way - at a Public Display
- Fire Prevention Week (October 9 - 15, 2011) ... Protect Your Family from Fire
- Play it Safe When Using Space Heaters in NIH Buildings (ors division of fire marshal)