July 22, 2015 issue of the DPSAC NEWS

Contact Us

 

Division of Personnel Security and Access Control (DPSAC),  

Office of Research Services  

 

Personnel Security 

Helpdesk: 301-402-9755

e-QIP: 301-402-9735

Appointment Line: 301-496-0051

E-mail: orspersonnelsecurity@mail.nih.gov

 

Access Control

Helpdesk: 301-451-4766

E-mail: facilityaccesscontrol@mail.nih.gov

 

       


OPM Temporarily Shuts Down e-QIP to Address Security Issues, Vulnerabilities
The following article, which first appeared in the July 8, 2015 DPSAC News, has been modified to reflect new hiring procedures for FTEs and revised procedures for registering contractors and affiliates converting to FTEs while the e-QIP system is down.     

Interim guidelines direct agencies to use paper copies of employees' background investigation forms 

 

Per HHS policy, part of the requirement to receive an ID badge is to complete required background investigation forms. The Office of Personnel Management (OPM) requires that these forms be completed using its online system called the Electronic Questionnaires for Investigations Processing (e-QIP). Recently, this system has been taken offline to address security issues and vulnerabilities.

DPSAC requires three specific actions to occur in order to successfully screen a candidate:

 

1. NED Entry 
This is the first step that triggers DPSAC to send an individual the required security forms and to set up a fingerprint appointment.

2. Security Forms 

OPM and HHS have provided guidance regarding an interim process that must be followed to complete the required investigation forms. While e-QIP remains offline (current estimated downtime is 4-6 weeks), individuals will be required to complete their background investigation forms via fillable PDF and paper forms.  


3. Fingerprinting
Individuals who need to complete these forms will receive an e-mail with instructions from ORSPersonnelSecurity@mail.nih.gov. A sample e-mail is attached to this message.

These forms must be submitted to the Division of Personnel Security & Access Control (DPSAC) via one of the following approved methods*: 

  • Hand-delivery: Main Campus, Bethesda, MD, Bldg 31, Rm 1B03
  • Fax: (301) 480-0108
  • Mail: via traceable delivery method (i.e. USPS Priority Mail, FedEx)
National Institutes of Health/ORS
Division of Personnel Security and Access Control
31 Center Drive, MSC 2143
Building 31, Room 1B03
Bethesda, MD 20892-2143


Individuals must still be fingerprinted in order to receive an ID badge. People will be notified via e-mail to schedule a fingerprinting appointment.    


Once the fingerprint check and required forms are completed, individuals will be notified via e-mail to schedule an appointment to obtain a temporary ID badge that is valid for up to six (6) months.

Once OPM's e-QIP system is back online, individuals receiving a temporary badge will be required to complete the investigation forms in e-QIP to obtain a permanent ID badge.

 

Please note that incomplete NED entries, missing information on security forms and use of paper fingerprint cards will cause delays in DPSAC's ability to screen individuals. As a rule of thumb, sixty-six percent of the online e-QIP forms have missing information.

DPSAC is urging AOs, ATs and other IC staff who counsel candidates during the on-boarding process to stress the importance of being as thorough as they can be when filling out these forms to expedite the process!     


Hiring of new federal employees

The guidance provided by OPM and HHS will fundamentally change how the Office of Human Resources (OHR) makes a final offer of employment to new federal hires. Before a final offer letter can be provided to a new hire, the prospective employee will be required to fill out and submit to DPSAC the appropriate security forms and have fingerprints taken.


In order for DPSAC to provide the necessary forms and fingerprinting instructions, an Administrative Officer (AO) must first register the prospective employee in the NIH Enterprise Directory (NED).

DPSAC and OHR are advising AOs to register new employees in NED as soon as a tentative offer is made. If the employee's exact EOD date is unknown at the time of NED registration, it is best to err on the side of entering an earlier date, which an AO can later correct. Individuals who are not active in NED will not be scheduled for orientation.
 

   

Contractors and Affiliates Converting to an NIH FTE 

While the e-QIP system is down, DPSAC will be simplifying the process for individuals currently supporting the NIH in another capacity (e.g., contractors or affiliates) who are already active in NED and will be converting to an NIH FTE. AOs should not register these individuals in NED.

Instead, they should update the existing record to reclassify the person to an NIH FTE and update other pertinent information such as position title, work location information, etc. AOs should do this no later than the effective date of the individual's orientation with OHR (a few days in advance is okay). DPSAC is working with OHR to ensure these people can be scheduled for new employee orientation in a timely manner.

 

The HSPD-12 Program Office will soon send an e-mail to the AO/AT community summarizing the changes to background investigations and badging policies resulting from the temporary suspension of the e-QIP system. 

 

DPSAC recognizes that this system outage will inconvenience many current and future NIH staff. We appreciate your patience and understanding.   

   

If you have any questions or concerns, please contact our office at: ORSPersonnelSecurity@mail.nih.gov


* Individuals at remote facilities like Research Triangle Park, NC (NIEHS) and Rocky Mountain Laboratories, Hamilton, MT (NIAID) should contact their local security office for submission instructions.  

 

 

NIH Personnel Security Office to Notify New HHS ID Badge Applicants to Use Paper Background Investigation Forms While e-QIP is Offline
The following article first appeared in the July 8, 2015 DPSAC News


Beginning immediately, the NIH Personnel Security Office, DPSAC, will begin sending out the following e-mail to new employees, contractors and affiliates who must complete a background investigation as part of their requirements for federal employment or to work as a contractor for a federal agency:

                                      
Dear colleague:

 

As a member of the NIH community, you are required to have a background investigation.  The statutes directing this requirement are embodied in Executive Order 10450 and Homeland Security Presidential Directive 12. If you are receiving this message, you must complete a background investigation.

Due to the temporary suspension of the Office of Personnel Management's (OPM) Electronic Questionnaires for Investigations Processing (e-QIP) system, the NIH, in accordance with HHS guidance, is requesting the steps outlined below be completed.

These forms must be completed before you can receive a temporary ID badge that is valid for six (6) months. Please note that once OPM's e-QIP system is back online, you will be required to complete the investigation forms in e-QIP to obtain a permanent HHS ID badge.

Step 1: Download & Save

  • Download the attached form-fillable security questionnaire and any additional forms attached to this e-mail.
  • You can save the blank form to your computer.

Step 2: Enter Information

  • Enter all of the information for each form.
  • Information entered on each form can be saved as separate pdf documents to your computer. You will be able to refer to these saved documents if you are not able to complete the form in one sitting. Note that exiting a form prior to saving to your computer will clear all the information entered.

Step 3: Print & Sign

  • Print copies of your completed security questionnaire and any additional forms attached to this email.
  • Sign any signature blocks using a pen & ink signature and be sure to include the signature date.

Step 4: Submit

  • Submit your printed security questionnaire along with all additional forms attached to this e-mail to the NIH Personnel Security Office.
     
Options for Submitting Signed Completed Forms: 
(presented in order of preferred methods for submission)  

 

  • Hand-delivery: Main Campus, Bethesda, MD, Bldg 31, Rm 1B03
  • Fax: 301-480-0108
  • Mail: via traceable delivery method (i.e. USPS Priority Mail, FedEx):
     
       National Institutes of Health/ORS
       Division of Personnel Security and Access Control
       31 Center Drive, MSC 2143
       Building 31, Room 1B03
       Bethesda, MD 20892-2143


If you have any questions, please contact us at (301) 402-9755 or
ORSPersonnelSecurity@mail.nih.gov.

 

Sincerely,

 

NIH Personnel Security Office                                         

Office of Personnel Management (OPM) Cybersecurity Incident Updates

The following information was prepared by the Office of Human Resources, NIH, OD, and published in the July 17, 2015 "HR News."  



Virtually all HHS employees are impacted by the incident involving personnel records. Because of this, OPM is offering credit restoration and monitoring services and other protections through CSID, a company that specializes in identity theft protection and fraud resolution.

In the coming weeks, OPM will begin notifying people whose Social Security Number appeared in files impacted by the background investigation records incident. OPM and the Department of Defense (DOD) will work with a private-sector firm specializing in credit and identity theft monitoring to provide services. Notifications to those affected by this [second] incident have not yet begun.

 

In addition to providing identity protection services, OPM launched a new, online incident resource center, located at https://www.opm.gov/cybersecurity.

The resource center offers up-to-date information regarding the OPM cybersecurity incidents as well as materials, training and useful information on best practices to secure data, protect against identity theft, and stay safe online. If you have questions after reviewing the website or have suggestions for additional content, please email: cybersecurity@opm.gov.

 

The interim acting director of OPM, Beth Cobert, has a strong HR background and comes from a career in consultancy at McKinsey and Company. 

Her plan is to use a data-driven approach for a turnaround, as well as hypotheses formation from listening to stakeholders and viewing the problem from different perspectives. Additionally, it is expected that the Cybersecurity Information Sharing Act of 2015 will be taken up by the Senate before August.

This Act includes provisions for businesses to share information about cyberattacks with the government in exchange for assurances they'll be protected from lawsuits and antitrust actions. For more information on OPM cybersecurity updates, see OPM's online incident resource center.

 

Beware of Phone and E-mail Scams Targeting NIH Staff

NIH Police Alert Workforce of Phone Scams


The NIH Police want the NIH community to be aware of recent phone scams directed at staff. Typically the caller will claim to be a government employee (usually from the IRS or the Department of Homeland Security) threatening the NIH staffer with arrest and imprisonment if he or she doesn't immediately send the caller a sizeable sum of money.

According to the NIH Division of Police, ORS, these phone scams usually take one of three forms:

1.  The caller says he or she is from the IRS, that taxes are owed and must be paid immediately or the person will be arrested.  

2.  The caller states s/he is from the Department of Homeland Security and that there is an issue with the person's visa. Money must be sent immediately or the person will be deported.  

3.  The caller states that he or she is from a police department, and that the person has an outstanding warrant.  If the person sends money, the warrant will be cancelled.
 
The method of payment demanded is usually a "greendot" prepaid card. The caller will instruct the person to buy the prepaid card (sometimes the caller will stay on the line while the card is purchased) and give them an address to send the card, which can be a valid government address. They will also ask for the serial number from the card. 

Once the perpetrators have the serial number, they can electronically transfer the funds from the card and the card becomes worthless.    

The number the perpetrator calls from usually originates from a "MagicJack" or similar Voice over Internet Protocol (VoIP) service. According to the NIH Police, a VoIP service can have a local area code but be located anywhere in the world.

A tip that the call is bogus: no government agency demands payment using prepaid cards, Western Union, etc.

The NIH Police want to remind everyone that the best way to avoid these scams is to be aware they exist. If you do receive one of these calls, you can report it to Sgt. Mike McGraw at 301-496-9862.

    

                                                 ***         

HHS Warns Op-Divs of 'Phishing' Campaign Targeting HHS Users

The Department sent the following e-mail to all HHS staff on July 15, 2015    

 

HHS has identified a phishing campaign targeting HHS users. The phishing e-mail appears to come from an HHS e-mail address and warns the user about a suspicious login attempt on the user's e-mail account.

 

The e-mail states that the user's e-mail address will be blocked unless users validate their e-mail credentials by following a link. Clicking the link takes the user to a website designed to look like an HHS Outlook Web Access (webmail) login page.

Note: If you enter your credentials, they will be harvested by the malicious sender before you are sent to the actual HHS Outlook Web Access page.
        

 

This is not a legitimate e-mail from anyone at HHS or HHS Operating Divisions.

If you receive a copy of this phishing e-mail please take the following steps to report the e-mail to the HHS Spam mailbox (spam@hhs.gov) and to the NIH mailbox: irt@nih.gov.

  1. Do not click on any links contained in the e-mail. Do not reply to the e-mail. 
  2. Forward the e-mail to the NIH reporting mailbox (irt@nih.gov) and to the HHS Spam mailbox (spam@hhs.gov).
  3. Delete the message from your inbox.

If you think that you may have clicked on a phishing link or been the target of a phishing attack, please use the contact information above to report the incident to your OpDiv. 

 

Frank Baitman, HHS Chief Information Officer & Sara Hall, HHS Chief Information Security Officer.  

NED Training Schedule: August - September, 2015

   
Whether you are new to NED or an advanced NED user who needs to hone your NED skills, the HSPD-12 Program Office has a training program for you. These classes are designed to help beginners and advanced users quickly master NED in a hands-on computer lab environment. All classes are FREE!    

   

       

How to Enroll

The NED courses are posted on the CIT Training site where visitors can view availability for any class and receive a confirmation immediately after registering. The catalog of NED classes is posted at: http://training.cit.nih.gov/coursecatalog.aspx under "General Seminars." 

 

When you see a course you want to take, just click on the course name (listed in the right column of the table). You will be taken to the HHS Learning Management System (LMS) where you can register for the course online.

 

To log on to the HHS Learning Management System, you can use either your PIV card and PIN or your NIH credentials. If you experience any difficulties accessing the LMS, please contact the CIT Training Program at 301-594-6248 or send an e-mail to: cittraining@mail.nih.gov.   

         

Helpful Tips

AOs who wish to obtain sponsor authority -- must complete the sponsor training (available at: http://www.ors.od.nih.gov/ser/dpsac/Training/Pages/administrators.aspx) and e-mail a copy of your signed certificate to the NIH HSPD-12 Program Office at hspd12@od.nih.gov. Upon receipt of the certificate, the Program Office will authorize the AO as a sponsor.

ICs that want to add Lifecycle Work Station (LWS) operators to the approved roster -- send a written request to Richie Taffet at: taffetr@mail.nih.gov. Your request should include:  
  • the new operator's name
  • his/her IC
  • his/her NED number
  • the operator's e-mail address, building/room and phone number
Once Mr. Taffet has approved the request, he will forward the name(s) to HHSIdentityAdmins@deloitte.com to complete the approval process, add the name(s) to the LWS operator roster, and inform the IC that the individual is now approved to operate the LWS.

Need to make changes to the LWS operator directories? -- drop an e-mail to Lanny Newman, newmanl@mail.nih.gov, and let him know what needs changing (e.g., adding new operators or LWS locations, removing operators, etc.). Remember, before a new operator can be added to the LWS directory, s/he must first be approved by Richie Taffet (see preceding Helpful Tip).
 
If an LWS is not available in your IC or your immediate area, and you work in the greater Bethesda or Rockville area -- please call 301-451-4766 or 301-402-9755 to schedule an appointment with the Division of Personnel Security and Access Control located in Building 31, Room B1A26 or in Building 10, South Lobby, Room 1C52.
 
News Briefs

OPM to Charge Agencies for Services Offered to Hack Victims 
Excerpted from an article published July 21, 2015 in GovExec.com by Eric Katz
 
The Office of Personnel Management is asking agencies to pitch in to help pay for the credit monitoring services being offered to the 21.5 million individuals affected by the hack of background investigation data it maintains.
 

OPM and the Interior Department paid for the costs of the services offered to victims of the initial hack of 4.2 million former and current federal employees' personnel files stored on a server housed at Interior.

In a recent e-mail to all agencies, however, acting OPM Director Beth Cobert said this time around all agencies will have to contribute a yet-to-be determined amount from their fiscal 2015 appropriations.
       

Federal agencies will have to make the payments for the first year of the credit monitoring services and other benefits out of their fiscal 2015 appropriations.

With the fiscal year set to end Sept. 30, the last-minute expense could prove disruptive to planned agency spending. Agencies will also be on the hook for credit monitoring costs for fiscal 2016 and fiscal 2017, as OPM has promised the "suite of services" to hack victims for three years. 
     

Cobert said in an e-mail to other agencies the cost for each federal entity is not yet known.
        

An OPM spokesman said the costs will be proportional to the total number of individuals affected by the breaches at each agency, a strategy that was developed "in concert with" OMB.

 
"OPM is committed to providing those affected by the recent cyber incident involving federal background investigations data with information and appropriate resources in a timely and effective manner," said Sam Schumach, the agency's press secretary.

The contract related to the first hack cost OPM and Interior $21 million. That affected far fewer individuals and OPM promised just 18 months of credit monitoring services that were not as extensive as those for the second wave of victims.

 
Cobert said in the e-mail to other agencies, however, those costs "will be recovered via FY 2016 price adjustments."

 
The former OMB official who took over as OPM chief when Katherine Archuleta resigned in the wake of the hacks said OPM will also have to raise the prices it charges agencies for conducting background investigations.

Cobert said its costs have gone up and the agency can no longer "sustain operations and financial stability" until it stabilizes its revenue. The price hike will be retroactive to the beginning of fiscal 2015.

Cobert acknowledged the increased investigations fees, coupled with the credit monitoring costs, will cause some problems at the affected agencies.

"We understand and appreciate the complexities of this late in FY15 request for funds," Cobert wrote.

To read the full article, click on the following link: Credit Monitoring


FAQs  

 

Q. If a contractor is converting to an FTE, can I, as an AO, reclassify the contractor to FTE via a NED update prior to their first day as an FTE without causing the person's badge to be revoked?

A. Yes you can! A contractor badge (with the green stripe) will continue to work until the badge holder receives the HHS ID Badge (PIV Card) with a white 'stripe' that is issued to FTEs.


Foreign national contractors require special attention when they are converting to an FTE or are renewing their PIV card.

Due to limitations in the HHS smart card management system, AOs need to be aware that renewing the badge of a foreign national currently in possession of a PIV card or reclassifying a foreign national with a PIV card from contractor to FTE results in the immediate revocation of the PIV card.
          

To help mitigate this problem, foreign nationals with PIV cards should make their badge enrollment and issuance appointments on the same day as the sponsorship action to help avoid any interruption to physical or logical access due to a deactivated badge.

If the affected foreign national is not immediately notified via e-mail to schedule his or her enrollment and badge issuance appointments once NED is updated, the individual should visit DPSAC (or his/her local security office) to request an appointment.

AOs should reach out to their foreign national customers before starting the badge renewal or sponsorship task and explain the importance of picking up their new RLA badge on the same day that their PIV card is revoked.

By coordinating the timing of these activities, the AO can help foreign nationals obtain their new RLA badges quickly and avoid any interruption to their access privileges at NIH.


Q. After a contractor has been reclassified to FTE in NED, can he or she make appointments for Enrollment and Badge Issuance before their FTE EOD date?

A. Yes he or she can! It's important that the person be reclassified to FTE, and other NED information be updated as necessary; otherwise, the individual won't be able to get an appointment! Once the AO updates NED and DPSAC updates their database, the person can get an appointment.

Please note: a person can be enrolled and adjudicated prior to his or her EOD date, but NED will not authorize issuance of the badge until the person's EOD date.

 
Safety Corner

Summer Storm Season
Reprinted from the June 26, 2015 issue of 'HR News'

Summer officially started on Sunday, June 21 and has already brought several instances of severe weather to the Washington, DC metropolitan area. In the past, strong summer storms have occasionally resulted in a change in the federal government's operating status.

Even if a storm isn't severe enough to result in a change in operating status, you may be faced with emergency circumstances individually. We want to remind all NIH employees of the importance of being prepared for when such situations arise.

Be telework ready:
  • Ensure your employees know their tier designation;
  • Check to see if any new employees are not yet on a telework agreement;
  • Update staff contact information; and
  • Communicate with all of your employees your expectations if an emergency should arise.

Important resources to review include:
 
A biweekly e-newsletter from the Office of Research Services, Division of Personnel Security and Access Control (ORS/DPSAC) to keep you informed as NIH rolls out "Homeland Security Presidential Directive 12" (HSPD-12) establishing a common identification standard to better safeguard NIH and its workforce.