Division of Personnel Security and Access Control (DPSAC),
Office of Research Services
Appointment Line: 301-496-0051
Here are the most recent NIH badging statistics from HHS as of
October 27, 2013:
Sponsored: 38,416 Enrolled: 38,014 Issued: 37,606*
*This figure represents 97.9% of individuals who have been sponsored.
Note: the Department's official tally of individuals who have been sponsored, enrolled and issued new HHS ID Badges at NIH, regularly reported in each bi-weekly issue of DPSAC News, will now appear only in the first issue for that month, starting November 13, 2013.
NIST Updates its Federal Information Processing Standard, Spells Out PIV Card Termination Requirements
The National Institute of Standards and Technology (NIST) recently published an update to its Federal Information Processing Standard (FIPS 201) that defines a reliable, government-wide identity credential for use in applications such as access to federally controlled facilities and information systems.*
PIV Card Termination Requirements -- Clearing Personnel for Separation or Transfer
The updated Standard, signed on September 5, 2013, known as FIPS 201-2, Personal Identity Verification of Federal Employees and Contractors, contains a section that will be of particular interest to those in the NIH administrative community with responsibilities for clearing personnel for separation or transfer.
Section 2.9.4 of the revised Standard, titled 'PIV Card Termination Requirements' states:
"A PIV card is terminated when the department or agency that issued the card determines that the cardholder is no longer eligible to have a PIV card. The PIV Card shall be terminated under the following circumstances:
- a federal employee separates (voluntarily or involuntarily) from federal service;**
- a contractor (or affiliate) changes positions and no longer needs access to federal buildings or systems;
- a cardholder passes away;
- a determination is made after completion of a cardholder's background investigation that the cardholder should not have a PIV Card; or
- a cardholder is determined to hold a fraudulent identity
Similar to the situation in which the card or a credential is compromised, normal termination procedures must be in place as to ensure the following:
- The PIV Card itself is revoked:
- The PIV Card shall be collected and destroyed, if possible.
- Any databases maintained by the PIV Card issuer that indicate current valid (or invalid) Federal Agency Smart Credential Number (FASC-N) or Universally Unique Identifier (UUID) values must be updated to reflect the change in status.
- If the PIV Card cannot be collected and destroyed, the Certificate Authority (CA) shall be informed and the certificates corresponding to the PIV Authentication key and the asymmetric Card Authentication key on the PIV Card shall be revoked. The certificates corresponding to the digital signature and key management keys shall also be revoked, if present.
- The Personally Identifiable Information (PII) collected from the cardholder is disposed of in accordance with the stated privacy and data retention policies of the department or agency.
If the card cannot be collected, normal termination procedures shall be completed within 18 hours of notification. In certain cases, 18 hours is an unacceptable delay and in those cases emergency procedures must be executed to disseminate the information as rapidly as possible. Departments and agencies are required to have procedures in place to issue emergency notifications in such cases."
NIH employees, contractors and affiliates must use NIH Form 2737 (Rev. 11/12)- Clearance of Personnel for Separation or Transfer in order to obtain proper clearance for their position. Under 'Item 7, Items to be Cleared,' the Clearance Official coordinates with the AO to note which clearance points are applicable by checking them under "Check if Applicable."
Three items on the list require special attention for purposes of security:
- Update the NIH Enterprise Director (NED) system
- NIH Identification Card (PIV Card)
- Office/Building Keys/Cardkeys
* Since its inception in 2005, FIPS 201 has provided federal agencies with guidance as to how to comply with Homeland Security Presidential Directive 12, or HSPD-12. FIPS 201-2 defines the standards by which federal employees and contractors must be identified and authenticated to gain access to Federal facilities and information systems.
This Standard specifies a Personal Identity Verification (PIV) system within which a common identity credential can be created and later used to verify a claimed identity. For the Department and its OPDIVs, that credential is the HHS ID Badge (a.k.a., PIV Card or smart card).
The Standard also identifies federal government-wide requirements for security levels that are dependent on risks to the facility or information being processed.
** Also applies to contractors and affiliates
NED Training Schedule for October, 2013 through March, 2014
The HSPD-12 Program Office is pleased to announce its NED training schedule for October, 2013 through March, 2014. The Program Office is offering four "NED for Beginners" and four "NED for Advanced Users" classes which have been designed to help you quickly master NED in a hands-on computer lab environment. All classes are FREE!
How to Enroll
The NED courses are posted on the CIT Training site where visitors can view availability for any class and receive a confirmation immediately after registering. The catalog of NED classes is posted at http://training.cit.nih.gov/coursecatalog.aspx under "General Seminars."
When you see a course you want to take, just click on the course name (listed in the right column of the table). You'll be taken to the HHS Learning Management System (LMS) where you can register for the course online.
To log onto the HHS Learning Management System you can use either your PIV card and PIN or your NIH credentials. If you experience any difficulties accessing the LMS, please contact the CIT Training Program at 301-594-6248 or send an e-mail to: firstname.lastname@example.org.
Also, the HSPD-12 Program Office will continue to post the NED training schedule in DPSAC News and on the DPSAC website at: http://www.ors.od.nih.gov/ser/dpsac/Training/Pages/nedweb.aspx.
Entering "Badge Lost" Task in NED Will REQUIRE Applicant to Complete a New Enrollment & Issuance Process
Task enabling AO to "Restore" a Badge will be discontinued
In the past, when an individual reported a lost or stolen badge to his or her AO, the AO would enter this information into NED (Screen shot 'A' below) and the individual would have a seven-day grace period during which the AO could "restore" the functionality of the ID Badge.
Likewise, if an AO initiated a re-issuance or renewal process in NED, s/he could reverse the process any time within the seven days after initiating the process.
Beginning October 21, 2013, once an applicant reports his or her badge lost or stolen and the AO records the badge as lost in NED, the AO will no longer have the ability to "restore" the badge. The applicant will need to go through the full Enrollment/Issuance process (Screen shot 'B' below).
Likewise, if the AO initiates the badging process in NED -- even if the AO started the process by mistake -- the applicant will need to go through the Enrollment/Issuance process and complete the transaction.
Important! Software Upgrade Required for ALL NIH Lifecycle Work Stations (LWS)
The HSPD-12 Program Office requests that all Institutes, Centers and Offices review their Lifecycle Work Stations (LWS) to ensure they are all running the most recent software version (version 2.5.1). If your LWS software is not the most current version, you must update it as soon as possible.
Determining the software version installed on an LWS device
Once you launch the LWS software, you will find the version number in either the top right or top left corner of the screen, depending on which version is being used. To view a sample screen shot, open the LWS training guide posted on the DPSAC web page at:
For assistance with updating your LWS software, contact the HHS Identity Help Desk at: HHSIdentityAdmins@deloitte.com.
Note: LWS operators will not be able to renew certificates for anyone with a newer type of PIV Card (128k cards) if their LWS is using an outdated version of the software.
New Access Card Utility (ACU) Software
The Access Card Utility (ACU) software provides an easy alternative for individuals to renew their certificates from a local Windows computer.
The newest version of the ACU - version 1.4.2 - is now available on the ISDP website at: http://isdp.nih.gov/isdp/version.action?prodid=198.
Note: installation of v.1.4.2 requires system administrator privileges.
Those Institutes, Centers and Offices that have deployed the ACU (or plan to do so) are encouraged to upgrade their ACU software to this latest version, along with ActivClient (v188.8.131.52) and the latest hotfix, also available on the ISDP website at http://isdp.nih.gov/isdp/version.action?prodid=127, to support the coming round of certificate renewals.
OCIO Web Page Explains Where to Locate, How to Use ACUs
Contract stipulations for access to sensitive information will generally require background investigations
-- even if physical and/or network access, or issuance of an HHS ID Badge (PIV Card) is not required.
Updating Your Computer to Use Your New Certificates --
once you renew your digital certificates (see DPSAC News, September 4, 2013
), or replace your HHS ID Badge (PIV Card), you will need to update your computer to use the new certificates. Instructions for this process can be found on the OCIO website at: https://ocio.nih.gov/Smartcard/Pages/NewCertificates.aspx
Do not lend your HHS ID Badge (a.k.a. Smart Card, PIV Card) to anyone! -- lending out your PIV Card (HHS ID Badge) is prohibited. The issuance of the new HHS ID Badge is based on strict identity proofing and the determination of one's suitability for a specific position classification.
ICs that want to add LWS operators to the approved roster -- send a written request to Richie Taffet at: email@example.com. Your request should include the new operator's name, their IC, their NED number, as well as the operator's e-mail address, building/room and phone number.
Once Mr. Taffet has approved the request, he will forward the name(s) to HHSIdentityAdmins@deloitte.com to complete the approval process, add the name to the LWS operator roster and inform the IC that the individual is now approved to operate the LWS.
Need to make changes to the LWS operator directories? -- drop an e-mail to Lanny Newman, firstname.lastname@example.org, and let him know what needs changing (e.g., adding new operators or LWS locations, removing operators, etc.). Remember, before a new operator can be added to the LWS directory, s/he must first be approved by Richie Taffet (see preceding Helpful Tip).
If an LWS is not available in your IC or your immediate area, and you work in the greater Bethesda or Rockville area -- please call 301-451-4766 or 301-402-9755 to schedule an appointment with the Division of Personnel Security and Access Control located in Building 31, Room B1A26 or in Building 10, South Lobby, Room 1C52.
If you work outside the Bethesda/Rockville area, contact your local badge issuance office.
OPM No Longer Accepting 'Hard Copy' Requests for Investigations as of October 1, 2013
Effective October 1, 2013, the Office of Personnel Management (OPM) is no longer accepting Standard Form (SF) hard copy investigative submissions.
All Standard Form (SF) investigative requests to OPM must be submitted through e-QIP. Any hard copies that are received will be returned to the submitting office.
Shutdown Cancels Oct. 2 and October 16 DPSAC News
Due to the shutdown of the federal government October 1-16, the October 2 and October 16 issues of DPSAC News were canceled.
Q. I renewed my HHS ID Badge yesterday and it didn't work when I tried to enter the NIH campus this morning. I had to go to the NIH Gateway Center and get a temporary pass to enter the campus. What should I do to get the card to work?
A. We're sorry for the inconvenience. You should take your HHS ID Badge back to the issuance station to check the badge's functionality. If the issuer determines that the badge is broken, s/he will issue you a new badge at that time.
Play it Safe When Using Space Heaters in NIH Buildings
The following fire safety awareness article was prepared by the Division of the Fire Marshal, ORS.
Each year at this time, questions arise concerning the use of space heaters at NIH owned facilities. The guidelines that follow below do not pertain to NIH leased facilities. Please be aware that if you work in a leased facility, there may be more stringent requirements from the building owner and/or local fire-safety "Authority Having Jurisdiction."
Please check with your Office of Research Facilities (ORF) Facility Manager (http://orf2.od.nih.gov/AboutORF/Buildingsand Facility Managers.asp) before purchasing or using a space heater in any NIH leased facility.
Before a space heater can be considered for an NIH owned facility, any difficulties in regulating or maintaining a comfortable temperature must first be directed to ORF to have a building engineer attempt to make mechanical adjustments to the heating system.
If it is determined by ORF that an area cannot be adequately heated, written approval will be provided by the ORF Facility Manager assigned to the building to support the purchase and use of a space heater in designated areas only.
Space heaters are not permitted, under any circumstances, in laboratories, patient care units, or clinics.
Prior to installing any space heater, ORF must also verify that the electrical service to the area is adequate to safely accommodate the heater.
Space heaters can easily overload electrical circuits in a building, therefore, additional circuits may need to be installed.
If electrical work is required, the occupant's IC should initiate a work request. If ORF has available funds and it is clear the building is not capable of providing reasonable levels of heat (70 degrees) in that particular room, ORF will fund the electrical work.
The Division of the Fire Marshal, Office of Research Services, does not endorse any particular brand or manufacturer of space heaters; however, a convection-type heater is preferable.
Convection models slowly warm the air around them and pose less of a burn hazard since their surface temperatures are generally lower.
Prior to purchasing the heater, be sure that the unit has been tested by an approved testing laboratory such as Underwriters Laboratory (UL) and is equipped with ALL of the following features to minimize fire hazards typically associated with these devices:
- A multi-directional tip-over switch - space heaters can easily tip over. This switch automatically turns off the unit regardless of which way it may fall.
- An overheat sensor - this sensor limits the heat output of the space heater and automatically turns off the unit if it becomes too hot.
- A visible on/off indicating switch and light.
Proper placement of the space heater is important for safety as well as for comfort. Make sure the unit is placed on a hard, non-combustible surface instead of carpet.
All combustible materials (e.g., paper, plastics, wood, etc.) must be stored at least three feet away from the heater. The power cord must not be covered by carpeting or other materials and extension cords should not be used.
Electrical current used for space heaters can cause extension cords to overheat and potentially cause a fire. Plug the space heater directly into a properly grounded outlet.
Never leave the heater in operation when an area is unattended or unoccupied.
If you have questions concerning the selection and use of space heaters, please contact the Division of the Fire Marshal, Office of Research Services at 301-496-0487.
A biweekly e-newsletter from the Office of Research Services, Division of Personnel Security and Access Control (ORS/DPSAC) to keep you informed as NIH rolls out "Homeland Security Presidential Directive 12" (HSPD-12) establishing a common identification standard to better safeguard NIH and its workforce.