July 8, 2015 issue of the DPSAC NEWS

Contact Us

Division of Personnel Security and Access Control (DPSAC), Office of Research Services

Personnel Security
Helpdesk: 301-402-9755
e-QIP: 301-402-9735
Appointment Line: 301-496-0051
E-mail: orspersonnelsecurity@mail.nih.gov

Access Control
Helpdesk: 301-451-4766
E-mail: facilityaccesscontrol@mail.nih.gov

OPM Temporarily Shuts Down e-QIP to Address Security Issues, Vulnerabilities

Interim guidelines direct agencies to use paper copies of employees' background investigation forms

 

Per HHS policy, part of the requirement to receive an ID badge is to complete required background investigation forms. The Office of Personnel Management (OPM) requires that these forms be completed using its online system called the Electronic Questionnaires for Investigations Processing (e-QIP). Recently, this system has been taken offline to address security issues and vulnerabilities.

OPM and HHS have provided guidance regarding an interim process that must be followed to complete these forms. While e-QIP remains offline (current estimated downtime is 4-6 weeks), individuals will be required to complete their background investigation forms via fillable PDF and paper forms.

Individuals who need to complete these forms will receive an e-mail with instructions from ORSPersonnelSecurity@mail.nih.gov. The text of that e-mail is reproduced in the next article.

These forms must be submitted to the Division of Personnel Security & Access Control (DPSAC) via one of the following approved methods*: 

  • Hand-delivery: Main Campus, Bethesda, MD, Bldg 31, Rm 1B03
  • Fax: (301) 480-0108
  • Mail: via a traceable delivery method (e.g., USPS Priority Mail, FedEx) to:
       National Institutes of Health/ORS
       Division of Personnel Security and Access Control
       31 Center Drive, MSC 2143
       Building 31, Room 1B03
       Bethesda, MD 20892-2143


Individuals must still be fingerprinted in order to receive an ID badge. They will be notified via e-mail to schedule a fingerprinting appointment.

Once the fingerprint check and required forms are completed, individuals will be notified via e-mail to schedule an appointment to obtain a temporary ID badge that is valid for up to six (6) months.

Please note that once OPM's e-QIP system is back on line, individuals receiving a temporary badge will be required to complete the investigation forms in e-QIP to obtain a permanent ID badge.

DPSAC would like to apologize to all NIH staff who are inconvenienced by this system outage. We appreciate your patience and understanding.

If you have any questions or concerns, please contact our office at ORSPersonnelSecurity@mail.nih.gov or (301) 402-9755. 


* Individuals at remote facilities such as Research Triangle Park, NC (NIEHS) and Rocky Mountain Laboratories, Hamilton, MT (NIAID) should contact their local security office for submission instructions.

 

NIH Personnel Security Office to Notify New HHS ID Badge Applicants to Use Paper Background Investigation Forms While e-QIP is Off Line

Effective immediately, the NIH Personnel Security Office, DPSAC, is sending the following e-mail to new employees, contractors and affiliates who must complete a background investigation as part of their requirements for federal employment:

                                            ***
Dear colleague:

 

As a member of the NIH community, you are required to have a background investigation.  The statutes directing this requirement are embodied in Executive Order 10450 and Homeland Security Presidential Directive 12. If you are receiving this message, you must complete a background investigation.

Due to the temporary suspension of the Office of Personnel Management's (OPM) Electronic Questionnaires for Investigations Processing (e-QIP) system, the NIH, in accordance with HHS guidance, is requesting the steps outlined below be completed.

These forms must be completed before you can receive a temporary ID badge that is valid for six months. Please note that once OPM's e-QIP system is back on line, you will be required to complete the investigation forms in e-QIP to obtain a permanent HHS ID badge.

Step 1: Download & Save

  • Download the attached form-fillable security questionnaire and any additional forms attached to this e-mail.
  • You can save the blank form to your computer.

Step 2: Enter Information

  • Enter all of the information for each form.
  • Information entered on each form can be saved as a separate PDF document on your computer. Exiting a form before saving it to your computer will clear all the information entered.

Step 3: Print & Sign

  • Print copies of your completed security questionnaire and any additional forms attached to this email.
  • Sign any signature blocks using a pen & ink signature and be sure to include the signature date.

Step 4: Submit

  • Submit your printed security questionnaire along with all additional forms attached to this e-mail to the NIH Personnel Security Office.

        Options for Submitting Signed Completed Forms (presented in order of preference):

  • Hand-delivery: Main Campus, Bethesda, MD, Bldg 31, Rm 1B03
  • Fax: 301-480-0108
  • Mail: via a traceable delivery method (e.g., USPS Priority Mail, FedEx) to:
       National Institutes of Health/ORS
       Division of Personnel Security and Access Control
       31 Center Drive, MSC 2143
       Building 31, Room 1B03
       Bethesda, MD 20892-2143

If you have any questions, please contact us at (301) 402-9755 or ORSPersonnelSecurity@mail.nih.gov.

 

Sincerely,

 

NIH Personnel Security Office


 

How are we doing? DPSAC wants to hear from our customers.

Share your experience in a short Customer Service Survey:http://go.usa.gov/pv6j


This document may contain information that is privileged and confidential. If you are not the intended recipient, you are on notice that any unauthorized disclosure, copying, distribution, or taking of any action in reliance on the contents of the electronically transmitted materials is prohibited. All personal messages express views solely of the sender, which are not to be attributed to the National Institutes of Health, and may not be copied or distributed without this disclaimer. If you received this message in error, please notify the Personnel Security Office immediately at (301) 402-9755.

  

                                              ***  

 

Update to All HHS Staff on OPM Cybersecurity Incidents    

This update was distributed to all HHS staff on July 6, 2015

 

Dear Colleagues,

 

I am writing to provide an update on the recent cyber incidents at the U.S. Office of Personnel Management (OPM). OPM is working hard to improve customer service, complete its forensics effort, and conduct a comprehensive IT systems review. Many of your questions and concerns about these incidents are addressed here.

 

Personnel Records Incident

First, OPM is working to complete the process of notifying individuals whose personally identifiable information (PII) may have been compromised by the incident involving personnel records announced on June 4th. 

All notices will be sent by letter or e-mail. Notification letters are being sent by first class mail to those individuals from whom an e-mail bounce back message was received.

 

OPM is offering credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution. All affected employees are automatically enrolled for a comprehensive, 18-month membership, whether or not they have yet received a notice from OPM.

For more information on the CSID services and for contact information, please visit this HHS Intranet webpage:
http://intranet.hhs.gov/security/ossi-cyber-incident.html

 

We have heard your concerns regarding these notifications and CSID's customer service - and HHS has been working with OPM to improve the quality of your experience. We understand that many of you are concerned about providing PII to CSID to register for this service. OPM has confirmed that it is not possible for CSID to provide credit monitoring services without your Social Security Number, but that you will still receive identity theft protection even if you do not register. 

 

Background Investigation Incident

Second, regarding the separate but related cyber incident affecting background investigations announced on June 15, we understand that many of you are concerned and are seeking more information. This incident remains under investigation by OPM, the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI). 

The investigators are working to determine the complete list of affected individuals. Once this information is available, OPM will coordinate with agencies to send notifications to those affected individuals as soon as possible, but this will take some time. We expect to provide information regarding affected individuals and our notification process during the week of July 6.

 

e-QIP Suspension

OPM recently announced the temporary suspension of the e-QIP system, a web-based platform used to complete and submit background investigation forms. The suspension is to enable OPM to implement vulnerability mitigation. 

The actions OPM has taken are not the direct result of malicious activity on its network, and there is no evidence that the vulnerability in question has been exploited. Rather, OPM is taking this step proactively, as a result of its comprehensive security assessment, to ensure the ongoing security of its network. 

OPM expects e-QIP could be offline for four to six weeks while these security enhancements are implemented.  It is unlikely that this situation will affect many current employees. In the unlikely event it does, affected individuals will be contacted directly by their HHS division representative.

 

Resources for You

OPM also continues to update its Frequently Asked Questions, which you can find here: http://www.opm.gov/cybersecurity

We encourage you to review OPM Director Katherine Archuleta's recent blog which also addresses many of these concerns: 

http://www.opm.gov/blogs/Director.

OPM is the definitive source for information on the recent cyber incidents and we will continue to update you as we learn more information.

Personal Safety and Cybersecurity Reminders

The following are also some key reminders of the seriousness of cyber threats and of the importance of vigilance in protecting our systems and data.

 

Safety of Personal Information Resources from National Counterintelligence and Security Center:

  • Employees can find information about the measures they can take to ensure the safety of their personal information at the National Counterintelligence and Security Center (NCSC) at: http://www.ncsc.gov

Steps for Monitoring Your Identity and Financial Information

  • Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
  • Request a free credit report at http://www.annualcreditreport.com/ or by calling 1-877-322-8228.  Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus - Equifax®, Experian®, and TransUnion® - for a total of three reports every year.  Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, http://www.ftc.gov/.
  • Review resources provided on the FTC identity theft website, http://www.identitytheft.gov/.  The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
  • You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name.  Simply call TransUnion® at 1-800-680-7289 to place this alert.  TransUnion® will then notify the other two credit bureaus on your behalf.

Precautions to Help You Avoid Becoming a Victim

  • Be suspicious of unsolicited phone calls, visits, or e-mail messages from individuals asking about you, your employees, your colleagues or any other internal information.  If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
  • Do not reveal personal or financial information in e-mail, and do not respond to e-mail solicitations for this information. This includes following links sent in e-mail.
  • Do not send sensitive information over the Internet before checking a website's security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013).
  • Pay attention to the URL of a website.  Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • If you are unsure whether an e-mail request is legitimate, try to verify it by contacting the company directly.  Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.  Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
  • Install and maintain anti-virus software, firewalls, and e-mail filters to reduce some of this traffic (for more information, see Understanding Firewalls, http://www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, http://www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007).
  • Take advantage of any anti-phishing features offered by your e-mail client and web browser.
  • Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI's Internet Crime Complaint Center at http://www.ic3.gov/.
  • Additional information about preventive steps is available on the Federal Trade Commission's website, http://www.consumer.gov/idtheft. The FTC also encourages those who discover that their information has been misused to file a complaint with the commission using the contact information below.

Identity Theft Clearinghouse

Federal Trade Commission

600 Pennsylvania Avenue, NW

Washington, DC 20580

https://www.identitytheft.gov/

1-877-IDTHEFT (438-4338)

TDD: 1-202-326-2502

 

If you have questions or comments regarding the content above, please contact the sponsoring organization listed. If you have accessibility issues with any of the linked content in this e-blast, please notify ASPA/DCD (http://wcdapps.hhs.gov/AccessibilityAssistance/).

 

*Please note you are receiving this e-mail because you are using an e-mail account supported by the Department of Health and Human Services. HHS News cannot remove you from this e-mail list. 

Please do not respond to this e-mail. If you have questions or comments regarding the content above, please contact the sponsoring organization listed. If you would like to submit a message for HHS News dispersal, please email HHS.News@hhs.gov. Thank you.
 

 

NED Training Schedule: July - September, 2015

   
Whether you are new to NED or an advanced NED user who needs to hone your NED skills, the HSPD-12 Program Office has a training program for you. These classes are designed to help beginners and advanced users quickly master NED in a hands-on computer lab environment. All classes are FREE!    

   

       

How to Enroll

The NED courses are posted on the CIT Training site where visitors can view availability for any class and receive a confirmation immediately after registering. The catalog of NED classes is posted at: http://training.cit.nih.gov/coursecatalog.aspx under "General Seminars." 

 

When you see a course you want to take, just click on the course name (listed in the right column of the table). You will be taken to the HHS Learning Management System (LMS) where you can register for the course online.

 

To log on to the HHS Learning Management System, you can use either your PIV card and PIN or your NIH credentials. If you experience any difficulties accessing the LMS, please contact the CIT Training Program at 301-594-6248 or send an e-mail to: cittraining@mail.nih.gov.   

         

Helpful Tips

AOs who wish to obtain sponsor authority -- must complete the sponsor training (available at: http://www.ors.od.nih.gov/ser/dpsac/Training/Pages/administrators.aspx) and e-mail a copy of their signed certificate to the NIH HSPD-12 Program Office at hspd12@od.nih.gov. Upon receipt of the certificate, the Program Office will authorize the AO as a sponsor.

ICs that want to add Lifecycle Work Station (LWS) operators to the approved roster -- send a written request to Richie Taffet at: taffetr@mail.nih.gov. Your request should include:  
  • the new operator's name
  • his/her IC
  • his/her NED number
  • the operator's e-mail address, building/room and phone number
Once Mr. Taffet has approved the request, he will forward the name(s) to HHSIdentityAdmins@deloitte.com to complete the approval process, add the name(s) to the LWS operator roster, and inform the IC that the individual is now approved to operate the LWS.

Need to make changes to the LWS operator directories?
-- drop an e-mail to Lanny Newman,
newmanl@mail.nih.gov, and let him know what needs changing (e.g., adding new operators or LWS locations, removing operators, etc.). Remember, before a new operator can be added to the LWS directory, s/he must first be approved by Richie Taffet (see preceding Helpful Tip).
 
If an LWS is not available in your IC or your immediate area, and you work in the greater Bethesda or Rockville area -- please call 301-451-4766 or 301-402-9755 to schedule an appointment with the Division of Personnel Security and Access Control located in Building 31, Room B1A26 or in Building 10, South Lobby, Room 1C52.
 

Privacy Awareness - Everyone's Responsibility   

 

NIH takes protecting the privacy of its workforce seriously. As part of its ongoing effort to safeguard the privacy of its workforce, NIH each year requires all of its employees, contractors and affiliates to take the NIH Privacy Awareness course.


In light of the recent revelations about the hacking of government personnel records maintained by OPM, DPSAC and the HSPD-12 Program Office would like to offer this brief review of a critical component of the privacy course, namely, protecting an individual's Personally Identifiable Information, commonly referred to as PII.

 

Knowing what constitutes PII is the first step in safeguarding that information from compromise.


Below is a definition of PII as well as a few examples of PII, some of which may surprise you. If you would like to review the NIH Privacy Awareness course, you can log on to the NIH Security Training site at:

http://irtsectraining.nih.gov/ 

 

Personally Identifiable Information (PII)

PII is "any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history which can be used to distinguish or trace an individual's identity, such as their name, SSN (full number and last 4 digits), date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual." Other examples of PII:

  • Name for purposes other than contacting federal employees
  • Photographic identifier
  • Fingerprint/voiceprint
  • Driver's license
  • Vehicle identifier
  • Personal mailing/phone/e-mail address
  • Medical record number
  • Medical notes
  • Certificates, legal documents
  • Device identifier, web URL
  • IP address (when collected with regard to a particular transaction)
  • Military status
  • Foreign activities
  • Identifier that identifies, locates or contacts an individual
  • Identifier that reveals activities, characteristics or details about a person

FAQs  

 

Avoiding Badging Delays with Timely Registration of New Employees into NED  

 

The following FAQs, which first appeared in the June 24, 2015 DPSAC News, have been modified slightly for clarification purposes in response to inquiries from DPSAC News readers.  


Q. Can I put someone into NED even though that person's Entry On Duty (EOD) date is a few weeks off?

A. Yes you can!  It is actually encouraged to enter new staff into NED a few weeks before EOD. 


Q. If a contractor is converting to an FTE, can I, as an AO, reclassify the contractor to FTE via a NED update prior to their first day as an FTE without causing the person's badge to be revoked?

A. Yes you can! A contractor badge (with the green stripe) will continue to work until the badge holder receives the HHS ID Badge (PIV Card) with a white 'stripe' that is issued to FTEs.


Foreign national contractors require special attention when they are converting to an FTE or are renewing their PIV card.

Due to limitations in the HHS smart card management system, AOs need to be aware that renewing the badge of a foreign national currently in possession of a PIV card or reclassifying a foreign national with a PIV card from contractor to FTE results in the immediate revocation of the PIV card.
    

To mitigate this problem, foreign nationals with PIV cards should make their badge enrollment and issuance appointments on the same day as the sponsorship action, so that the deactivated badge does not interrupt their physical or logical access.

If the affected foreign national is not immediately notified via e-mail to schedule his/her enrollment and badge issuance appointments once NED is updated, the individual should visit DPSAC (or his/her local security office) to request an appointment.

AOs should reach out to their foreign national customers before starting the badge renewal or sponsorship task and explain the importance of picking up their new RLA (Restricted Local Access) badge on the same day that their PIV card is revoked.

By coordinating the timing of these activities, the AO can help foreign nationals obtain their new RLA badges quickly and avoid any interruption to their access privileges at NIH.


Q. After a contractor has been reclassified to FTE in NED, can he or she make appointments for Enrollment and Badge Issuance before their FTE EOD date?

A. Yes s/he can! It is important that the person be reclassified to FTE, and that other NED information be updated as necessary; otherwise the individual will not be able to get an appointment. Once the AO updates NED and DPSAC updates its database, the person can get an appointment.

Please note: a person can be enrolled and adjudicated prior to his or her EOD date, but NED will not authorize issuance of the badge until the person's EOD date.

 
News Briefs

NIST's NextGen PIV Card Strengthens Security and Authentication

From NIST Tech Beat: June 16, 2015

The National Institute of Standards and Technology (NIST) has updated its technical specifications and guidance for the next generation of "smart" identity cards used by the federal government's workforce. The new specifications add enhanced security features to verify employees' and contractors' identities, as well as new capabilities that work with mobile devices and media such as smart phones.

Federal employees and contractors use Personal Identification Verification (PIV) Cards for secure access to government facilities and computers. The PIV Card features a microchip with the employee's photo, PIN, fingerprint information and other details.

The next generation PIV Card can be used with mobile devices, enabling federal employees to connect securely to government computer networks from such devices. This feature is in addition to the Derived PIV Credential as specified in Guidelines for Derived Personal Identity Verification (PIV) Credentials, issued in December 2014. The card provides stronger identity assurance for federal workers to enter many government facilities and use computers at those locations.

The revised Federal Information Processing Standard 201-2 of 2013 sets the stage for the new generation of PIV Cards by specifying new technologies for the strong authentication credential and provides enhanced support for mobile devices based on lessons learned from federal agencies.

NIST has issued updates to two key documents that lay out the technical details identified in FIPS 201-2 for government PIV Cards:

  • Interfaces for Personal Identity Verification (Special Publication 800-73-4) governs the PIV Card's credentials: how the credentials are stored on the PIV Card and how to retrieve and check them. The update provides additional ways to authenticate, or prove, the cardholder's identity. One method, called on-card biometric comparison, helps preserve a cardholder's privacy because the individual's fingerprint data never leave the card. A new specification protects wireless communications between the PIV Card and mobile device when the cardholder uses authentication, signature or encryption services with a mobile device. Another new security feature prevents a cardholder from changing the PIN to one that is too short.

  • The revised publication, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (Special Publication 800-78-4), provides the technical cryptographic details needed to maintain the security of the next-generation PIV Card.

These publications are designed for U.S. government agencies to upgrade their PIV Cards, for vendors that make the cards, and for vendors that develop hardware and software to work with the cards.
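The PIN-length feature mentioned above is easy to see concretely. The following is an added example written for this issue, not code from NIST or from the NIH HSPD-12 Program Office. It encodes a PIV CHANGE REFERENCE DATA command the way SP 800-73-4 Part 2 lays it out as the editor reads that document (INS 0x24, key reference 0x80 for the PIV Card Application PIN, a PIN of 6 to 8 ASCII digits padded with 0xFF to an 8-byte field, and status word 0x6A80 for reference data that does not meet the format), and it simulates the card-side check that rejects a new PIN shorter than six digits. The PIN values are constructed. It goes one step beyond the article by also rejecting non-ASCII digits, which a naive digit check would let through.

```python
"""PIV PIN policy and CHANGE REFERENCE DATA encoding (added example, not NIST code).

Constants follow NIST SP 800-73-4 Part 2 as read by the editor; PIN values are
constructed for illustration.
"""

# SP 800-73-4 Part 2: the PIV Card Application PIN is 6-8 ASCII digits,
# stored in a fixed 8-byte field padded with 0xFF.
PIN_MIN_LEN = 6
PIN_MAX_LEN = 8
PIN_FIELD_LEN = 8
PIN_PAD = 0xFF

# CHANGE REFERENCE DATA command header (ISO 7816-4 case 3 APDU).
CLA = 0x00
INS_CHANGE_REFERENCE_DATA = 0x24
P1 = 0x00
P2_PIV_APPLICATION_PIN = 0x80   # key reference of the PIV Card Application PIN

# Status words the simulated card returns (ISO 7816-4 encoding).
SW_SUCCESS = 0x9000
SW_WRONG_DATA = 0x6A80          # reference data does not satisfy the PIN format

_DIGITS = frozenset(b"0123456789")


class PinPolicyError(ValueError):
    """Raised host-side when a PIN violates the 6-8 ASCII digit rule."""


def validate_pin(pin: str) -> None:
    """Host-side mirror of the card's rule: only ASCII digits, 6-8 of them.

    str.isdigit() alone accepts Unicode digits (e.g. Arabic-Indic), which
    would not encode to a single ASCII byte each, so the check is byte-based.
    """
    raw = pin.encode("utf-8")
    if not raw or any(b not in _DIGITS for b in raw):
        raise PinPolicyError("PIN must contain only ASCII digits 0-9")
    if not PIN_MIN_LEN <= len(raw) <= PIN_MAX_LEN:
        raise PinPolicyError(
            f"PIN must be {PIN_MIN_LEN}-{PIN_MAX_LEN} digits, got {len(raw)}")


def encode_pin_field(pin: str) -> bytes:
    """Return the PIN as an 8-byte field, right-padded with 0xFF."""
    validate_pin(pin)
    raw = pin.encode("ascii")
    return raw + bytes([PIN_PAD]) * (PIN_FIELD_LEN - len(raw))


def build_change_pin_apdu(current_pin: str, new_pin: str) -> bytes:
    """Build CLA INS P1 P2 Lc || current PIN field || new PIN field (Lc = 0x10)."""
    data = encode_pin_field(current_pin) + encode_pin_field(new_pin)
    return bytes([CLA, INS_CHANGE_REFERENCE_DATA, P1,
                  P2_PIV_APPLICATION_PIN, len(data)]) + data


def card_check_new_pin_field(field: bytes) -> int:
    """Simulate the card's acceptance test for the new reference data.

    Strips the 0xFF padding, then requires 6-8 ASCII digits with no stray
    bytes. This is the check that stops a cardholder setting a too-short PIN;
    a host that skips validate_pin() still gets 0x6A80 back from the card.
    """
    if len(field) != PIN_FIELD_LEN:
        return SW_WRONG_DATA
    digits = field.rstrip(bytes([PIN_PAD]))
    if any(b not in _DIGITS for b in digits):
        return SW_WRONG_DATA            # interior padding or non-digit byte
    if not PIN_MIN_LEN <= len(digits) <= PIN_MAX_LEN:
        return SW_WRONG_DATA            # too short (or impossibly long)
    return SW_SUCCESS


if __name__ == "__main__":
    apdu = build_change_pin_apdu("123456", "87654321")   # constructed PINs
    print("APDU:", apdu.hex())
    print("card says: %04X" % card_check_new_pin_field(apdu[13:]))
    try:
        build_change_pin_apdu("123456", "1234")
    except PinPolicyError as exc:
        print("host rejected:", exc)
```

The host-side and card-side checks are deliberately separate: the host check gives the user a clear error before any command is sent, while the card check is what actually enforces the policy regardless of which middleware built the APDU.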



 



NIH badging statistics from HHS as of July 3, 2015

Sponsored: 37,234   Enrolled: 36,468   Issued: 35,448 *

*This figure represents approximately 95.2% of individuals who have been sponsored (35,448 of 37,234).

 

Note: the Department reports weekly on the number of individuals who have been sponsored, enrolled and issued new HHS ID Badges for each OPDIV.

DPSAC News reports the latest Departmental figures for NIH in the first issue published for that month.   


Safety Corner

Red Cross: How to Stay Safe in Hot Weather

[Photo: Avoid strenuous exercise during the hottest part of the day.]

 

The long, hot days of summer can bring dangerously high temperatures. The American Red Cross has steps people can follow to stay safe when it's hot outside.

HOT CARS CAN BE DEADLY

Never leave children or pets in your vehicle. The inside temperature of the car can quickly reach 120 degrees. Other heat safety steps include:

  • Stay hydrated by drinking plenty of fluids. Avoid drinks with caffeine or alcohol.
  • Avoid extreme temperature changes.
  • Wear loose-fitting, lightweight, light-colored clothing. Avoid dark colors because they absorb the sun's rays.
  • Slow down, stay indoors and avoid strenuous exercise during the hottest part of the day.
  • Postpone outdoor games and activities.
  • Use a buddy system when working in excessive heat. Take frequent breaks if working outdoors.
  • Check on family, friends and neighbors who do not have air conditioning, who spend much of their time alone or who are more likely to be affected by the heat.
  • Check on animals frequently to ensure that they are not suffering from the heat. Make sure they have plenty of cool water.
  • If someone doesn't have air conditioning, they should choose places to go to for relief from the heat during the warmest part of the day (schools, libraries, theaters, malls).

HEAT EXHAUSTION
If someone is exhibiting signs of heat exhaustion (cool, moist, pale or flushed skin; heavy sweating; headache; nausea; dizziness; weakness; exhaustion), move them to a cooler place, remove or loosen tight clothing and spray the person with water or apply cool, wet cloths or towels to the skin. Fan the person. If they are conscious, give small amounts of cool water to drink.

Make sure the person drinks slowly. Watch for changes in condition. If the person refuses water, vomits or begins to lose consciousness, call 9-1-1 or the local emergency number.

HEAT STROKE LIFE-THREATENING

Signs include hot, red skin which may be dry or moist; changes in consciousness; vomiting and high body temperature. Call 9-1-1 or the local emergency number immediately if someone shows signs of heat stroke. Move the person to a cooler place. Quickly cool the person's body by immersing them up to their neck in cold water if possible. Otherwise, douse or spray the person with cold water, or cover the person with cold, wet towels or bags of ice.


For more information on what to do when temperatures rise, download the
Red Cross Heat Wave Safety Checklist, or the free Red Cross Emergency App. The app also gives users the option to receive alerts for excessive heat watches, warnings and heat advisories. People can learn how to treat heat-related and other emergencies by taking First Aid and CPR/AED training online or in person. Go to redcross.org/takeaclass for more information.

 

A biweekly e-newsletter from the Office of Research Services, Division of Personnel Security and Access Control (ORS/DPSAC) to keep you informed as NIH rolls out "Homeland Security Presidential Directive 12" (HSPD-12) establishing a common identification standard to better safeguard NIH and its workforce.