DPSAC News Header

August 19, 2015 issue of the DPSAC NEWS

In This Issue

Contact Us

 

Division of Personnel Security and Access Control (DPSAC),  

Office of Research Services  

 

Personnel Security 

Helpdesk: 301-402-9755

e-QIP: 301-402-9735

Appointment Line: 301-496-0051

E-mail: orspersonnelsecurity@ 

mail.nih.gov

 

Access Control

Helpdesk: 301-451-4766

E-mail: facilityaccesscontrol@ 

mail.nih.gov

 

       

        HHS logo small Logo Mark NIH Logo Mark    

HHS Issues Guidelines to OPDIVs to Begin Implementing Revised e-QIP 

Full Resumption of e-QIP at NIH Will Occur in Stages 
DPSAC's Personnel Security Office has indicated that there are still important procedural issues that need to be resolved before e-QIP can resume at NIH.

DPSAC anticipates that it will be able to resume e-QIP by network access in early to mid September, 2015.


OPM will now require all applicants to use a 14-character (alpha/numeric) temporary PIN to register in the e-QIP system. Upon entering the system, the individual will be prompted to create his or her own 14-character password. Below are posted a number of frequently asked questions regarding the continued use of the temporary background investigation process and what to expect when e-QIP resumes.


FAQ FAQs Address NIH's Temporary Background Investigation Process

On June 29, 2015 OPM suspended electronic background investigations (e-QIP) government-wide following the discovery of security issues and vulnerabilities to the system. Toward the end of July,OPM announced that fixes to e-QIP had been implemented and that agencies would soon be able to start using the online system. NIH is in the process of modifying its own procedures to incorporate OPM's changes and expects to be back online by early to mid September 2015. In the meantime, DPSAC will continue to use the interim procedures established by OPM.

Below are questions and answers relating to the implementation of revised onboarding standards for FTEs and non-FTEs.
  
Q. Once e-QIP is back online, will the applicant still need to complete the three steps before being issued a badge, i.e., submitting e-QIP, getting fingerprinted and having DPSAC review e-QIP for completeness and submitting it to OPM?

A. The three-step process will stay in place once e-QIP goes back online. DPSAC is now required to receive and review the background investigation forms and release them to OPM prior to any Badge (HHS ID or RLA) being issued. This new HHS requirement affects all HHS OpDivs.

Also new to the process, DPSAC will have to communicate with the applicant and supply him/her with a personalized and unique 14 character (alpha and numeric) temporary PIN. The new 14-character temporary PIN will be required to initially log into e-QIP and must be used every time the applicant returns to e-QIP to update his/her responses. DPSAC can phone the applicant with the new PIN or securely e-mail it to him/her.

If the applicant's e-mail is not ".gov" or ".mil," DPSAC will have to use NIH's Secure E-mail File Transfer service (SEFT) (https://secureemail.nih.gov/ bds/Main.do) to send the newly required PIN. Therefore, it now becomes imperative that an IC AO collect and enter into NED a current personal e-mail address and current personal phone number.


Q. How is the administrative officer going to be told that non-FTEs have been cleared and can proceed to EOD? 

A. AOs can use the "Track Badge Status" feature in NED to view the badge status of their non-FTEs. After the AO sees in NED the status as "DPSAC authorized ID badge Issuance," the IC will be responsible for establishing  a date on which the individual can start at the NIH. 


Q. Can you give us an approximate timeline beforehand of when this new process will be applied to non FTEs so we can warn them and their sponsors that the process will take longer?  

A. For non-FTEs there are a number of variables out of DPSAC's control, including, but not limited to, the following: 
  • whether or not DIS is involved if it is a foreign national, because DIS needs to see original documentation once they are here

  • how long it takes for the non-FTE to complete the background investigation forms completely and accurately so that DPSAC can review them and release them to OPM (between 60-70% have issues preventing a release to OPM)

  • whether or not the non-FTE has a closed and adjudicated background investigation on file with OPM that DPSAC can use based on "reciprocity"
     
  • whether or not his/her fingerprints are "cleared" by the FBI
     
  • whether or not there are pay-setting issues that the IC is dealing with  
     
  • how quickly the non-FTE can start at NIH
These and other factors make it impossible for DPSAC to approximate any timelines for processing these individuals.


Q. Is there a clear process that you can provide for foreign fellows like the one spelled out for FTEs?

A. The process for foreign fellows has not changed. Foreign fellows must be entered into NED as "Fellows" first; then they must be cleared by DIS.

DPSAC will not send out fingerprint cards to individuals in foreign countries as there is no way to assure that the individual has been "Identity Proofed" and that the fingerprints are actually his/hers. DPSAC will fingerprint foreign fellows once they arrive at NIH.
 
e-QIP can be completed anywhere in the world and returned to DPSAC, so that would not be an issue.

Note: many foreign fellows arrive with no Social Security Number (SSN), which is the "key" to completing e-QIP. DPSAC advises them to go to the Social Security Administration (SSA) office (in Rockville, MD) and apply for a Social Security Account Number (SSAN). 

Once the IC AO enters the SSN into NED, e-QIP can be initiated. Reminder: this process now requires the individual to enter his or her unique temporary 14-character PIN to register in e-QIP. 


Q. Do non-FTEs need to be cleared by DPSAC before their Fellowship Payment System (FPS) award can be activated?  If so, where is the policy documenting this?
 
A. For answers to your questions regarding FPS, you will need to check with the Office of Financial Management (OFM). For DPSAC's purposes, it is essential that the IC AO enter the information into NED accurately.


Q. DPSAC reports that approximately 60-70% of e-QIP submissions are incomplete. It would be nice to have guidelines that AOs could provide to individuals to help them complete these forms in a timely manner to avoid any delays in the hiring process. 

A. DPSAC has prepared helpful guides that individuals can refer to while completing the various background investigation forms. These guides are posted on the DPSAC website at: http://www.ors.od.nih.gov/ser/dpsac/forms/Pages/Backcheck.aspx. According to DPSAC, the most common error is leaving some information blank or not completing all the requested information.  


Q.
Is there a way that an applicant can fax the completed background information forms to the IC/AO, who can then hand deliver the documents to DPSAC with a receipt of delivery. The reason I ask is that I have a new medical officer that is sending all of his documents for credentialing at the Clinical Center (CC) and forms (from another country) using our FEDEX account.

A. The completed background information forms cannot be sent to the IC/AO. 

Credentialing at the CC is a completely separate process from what DPSAC does or needs. Given that e-QIP contains extremely sensitive and personal information, AOs should not be receiving or handling these forms.

DPSAC has a secure fax line for direct transmission of e-QIP forms and releases. The fax number is 301-480-0108. 

A recent review of the Adobe fillable background investigation forms shows the following most common problems and issues:
  • U.S. male citizens, born after December 31, 1959, are not registering with Selective Service.  Many do not know that requirement and don't register thinking we now have an all-volunteer military. It is a requirement to be federal employee if you are a male U.S. citizen, born after that date
  • Incomplete or missing addresses, phone numbers, POCs, etc.
  • Unsigned forms
  • No required attachments submitted (ex: appropriate Credit or Medical Releases or no Signature Page)
  • No OF-306s or OF-612s accompanying the background investigation forms
  • No explanations to specific "YES" questions (ex: Being Fired from a Job or Arrest Records)
  • Incomplete Social Security Number 
  • Completing all the required forms in a language other than English

Q. Can you confirm that no appointment is needed for fingerprinting (i.e., that walk-ins are acceptable)? Also, what happens if the individual lives outside the immediate area?

A. Walk-ins for fingerprinting are fine. Fingerprinting should be done as soon as possible once the individual is entered into NED.

Please note that the DPSAC website has published all locations where NIH has the capability to capture fingerprints. In addition, DPSAC has made special arrangements with the ten HHS Regional Offices, via the Program Support Center (PSC) at each location. 

Individuals can go to specific locations in: Boston, New York City, Philadelphia, Atlanta, Chicago, Dallas, Kansas City, Denver, San Francisco and Seattle.

DPSAC will receive the fingerprint results from these locations. Once DPSAC is in receipt of the results, and if e-QIP and the individual's background investigation are cleared by BOTH OPM and DPSAC, the appropriate Badge (HHS ID or RLA) is printed in DPSAC and securely sent to the HHS Regional Office for issuance. 

As would be the case for someone on the NIH campus, the individual will need to make two separate trips, the first to get fingerprinted, and the second to pick up his or her ID badge.


NOT IN NED = NOT ENTERING ON DUTY 

This article is reprinted from the August 5, 2015 DPSAC News
           
For some time, the Division of Personnel Security and Access Control (DPSAC), together with the Office of Human Resources (OHR), have been trying to "clear" future federal new hires so that they can be sent a final offer letter by OHR.


Under the current process, OHR sends DPSAC a listing of potential new hires [from OHR's Workflow Information Tracking System (WITS)], generally twice a week. DPSAC then reviews these listings and responds back to OHR with the status of each name on the list.

DPSAC has noticed a troubling trend in this process. For example, a July 30 report from OHR to DPSAC contained 233 names. A review of the 233 names resulted in the following:

  • 122 individuals were clear for a final offer letter and the scheduling of an Entry on Duty (EOD) date;
     
  • 39 individuals could not be cleared because they had not completed their background investigation forms;
     
  • 12 individuals could not be cleared for an EOD until they were interviewed and cleared by the Division of International Services (DIS); and
     
  • 60 individuals were not entered into the NIH Enterprise Directory (NED) by the IC's administrative staff.
This last figure (60 out of 233, or 26% of the OHR list) indicates that no further action can be taken for 60 individuals by either OHR or DPSAC because they can't be seen by DPSAC.
 

"Not in NED" translates to being invisible to DPSAC

IMPORTANT: It is imperative that future new hires be entered into NED

 

Why? DPSAC needs to gather their Personally Identifiable Information or PII (Full Legal Name, SSN, Date of Birth and Place of Birth) in order to check OPM's database to see if the individual has a closed background investigation on file. This search requires DPSAC to have the individual's PII from the NED data entry.

The check of the OPM database may indicate that the future new hire may not need another background investigation, thus saving the IC money and saving the new hire the time needed to complete background investigation paperwork. Entering the person into NED also saves DPSAC time since it won't have to initiate a new background investigation, review the investigation when it is returned and release it to OPM. This obviously speeds up the new hiring process for DPSAC, OHR and the IC.

Again, it is imperative that the administrative community enter future new hires into NED as soon as possible so that DPSAC can determine if a new background investigation is needed.

Simply stated: Not in NED = Not Entering on Duty     

 

NED Training Classes Cancelled for Remainder of FY '15  
 
Recent temporary staffing restrictions have prompted the HSPD-12 Program Office to cancel the final four beginner and advanced NED training classes originally scheduled for August 11 and September 15. The Program Office plans to resume these classes in October and will announce the new schedule in DPSAC News and on the DPSAC website once the schedule is finalized. 

How to Enroll
The NED courses will also be posted on the CIT Training site where visitors can view availability for any class and receive a confirmation immediately after registering. The catalog of NED classes is posted at: http://training.cit.nih.gov/coursecatalog.aspx under "General Seminars." 
 
When you see a course you want to take, just click on the course name (listed in the right column of the table). You will be taken to the HHS Learning Management System (LMS) where you can register for the course online.
 
To log onto the HHS Learning Management System, you can use either your PIV card and PIN or your NIH credentials. If you experience any difficulties accessing the LMS, please contact the CIT Training Program at 301-594-6248 or send an e-mail to: cittraining@mail.nih.gov.   
         

News Briefs 

Two-Factor Is Better Than One: Celebrating Progressive Government IT
(Excerpted from an article appearing in NextGov.com, August 4, 2015 by Tony Busseri (CEO of Route1 Inc).

Sometimes, the darkest clouds produce the shiniest of silver linings. The data breach at the Office of Personnel Management announced in June was a terrible event, but it has been a major catalyst for positive change in regards to government cybersecurity practice.
 
Federal officials have seized the opportunity to critically examine security standards, identify weak points and aggressively address them. The government is now leading the charge for secure mobility, especially with its planned rollout of mandatory two-factor authentication for all agencies.

The Office of Management and Budget, along with U.S. CIO Tony Scott, initiated a 30-day "cyber sprint" June 12. There can no longer be any excuse for not keeping mobile data secure, and the government is taking the lead on patching critical vulnerabilities.
 
Among those initiatives included in the cyber sprint was the mandatory implementation of smart card-based two-factor authentication across the federal workforce. This rollout stems from Homeland Security Presidential Directive 12 (HSPD-12), which mandates a standard for reliable forms of authentication for government networks, including personal identity verification cards and Common Access Cards.

OMB officials are aggressive in their push to implement HSPD-12 compliance for all federal personnel, with a mid- to late-August deadline for two-factor authentication implementation for 75 percent of government employees. In fact, the government's push for two-factor authentication use is light years ahead of most private enterprises.

Mandating that remote access to critical networks requires multiple forms of authentication provides a necessary layer of security that maintains the integrity of sensitive data. Two-factor authentication facilitates and enforces PIV- or CAC-based access - individuals will have to input their PIN associated with their PIV or CAC (something you know and something that you have) to access sensitive data from a mobile device. The physical nature of the smart card ensures these technologies are much harder to compromise than a username and password.

The cyber sprint, which officially ended July 12, has already led to major progress in secure access methodology rollout. A number of agencies have hit 100 percent adoption, and across the entire government that number is 20 percent.

The U.S. government is putting in place both immediate and long-term steps to drastically enhance data security. Additionally, two-factor authentication mitigates the potential for breaches stemming from remote access, allowing federal agencies to avoid the massive financial and reputational costs incurred by a breach.


OPM Announces Immediate and Retroactive FY 2015 Price Adjustment for Background Investigations
OPM's Federal Investigative Services (FIS) issued Notice No. 15-04 on July 21, 2015 announcing a retroactive price increase, effective immediately, on the reimbursable billing rates previously published in Federal Investigation Notice (FIN) 14-07, Investigations Reimbursable Billing Rates Effective October 1, 2014.

During the July billing cycle, OPM FIS will bill agencies for the additional amount required for each case previously ordered and billed thus far in FY 2015, and all remaining cases ordered in FY 2015 will be billed at the increased rates reflected in this FIN.

The new pricing schedule for the eight most commonly ordered investigations at the NIH is posted on the DPSAC website at: http://www.ors.od.nih.gov/ser/dpsac/bgchecks/Pages/pricing.aspx. The schedule also shows the rates that were replaced.

To view a listing of all new Investigations Reimbursable Billing Rates and Investigations Discontinued Billing Rates, click on the link: FY 2015 Price Adjustments.

All cases ordered as of the effective date of FIN No. 15-04 will be billed the updated case price as shown in the FY 2015 Price Adjustment table.

OPM plans to provide additional information to agencies and answer questions through stakeholder briefings. "Please do not charge back the July 2015 invoice you will receive in August 2015, as it will only delay the required transactions," the Notice concludes.


Helpful Tips

AOs who wish to obtain sponsor authority -- must complete the sponsor training (available at: http://www.ors.od.nih.gov/ser/dpsac/Training/Pages/administrators.aspx) and e-mail a copy of your signed certificate to the NIH HSPD-12 Program Office at hspd12@od.nih.gov. Upon receipt of the certificate, the Program Office will authorize the AO as a sponsor.

ICs that want to add Lifecycle Work Station (LWS) operators to the approved roster -- send a written request to Richie Taffet at: taffetr@mail.nih.gov. Your request should include:  
  • the new operator's name
  • his/her IC
  • his/her NED number
  • the operator's e-mail address, building/room and phone number
Once Mr. Taffet has approved the request, he will forward the name(s) to HHSIdentityAdmins@deloitte.com to complete the approval process, add the name(s) to the LWS operator roster, and inform the IC that the individual is now approved to operate the LWS.

Need to make changes to the LWS operator directories?
-- drop an e-mail to Lanny Newman,
newmanl@mail.nih.gov, and let him know what needs changing (e.g., adding new operators or LWS locations, removing operators, etc.). Remember, before a new operator can be added to the LWS directory, s/he must first be approved by Richie Taffet (see preceding Helpful Tip).

Know someone who could benefit by receiving DPSAC News? -- just have that person contact Lanny Newman, newmanl@mail.nih.gov, and ask to be put on the mailing list.   
 
FAQs  

Q.
We see that six-month badges are still being issued. When will this stop? Also, do you know if HR policies of not supplying a final EOD without fingerprints and e-QIP will still remain in place?

A. Issuing six-month badges will continue until NIH resumes e-QIP. Although OPM announced that e-QIP is operational, the Department only recently sent out instructions to its OPDIVs on how next to proceed. For NIH, there are still a number of procedural and practical issues that need to be resolved before e-QIP can resume at NIH.

DPSAC will notify the administrative community and other stakeholders before it reactivates e-QIP (see FAQs above). You should expect the process for obtaining a badge to remain the same once NIH is able to resume e-QIP -- i.e., the individual will need to submit his or her e-QIP, the individual will need to be fingerprinted, DPSAC will need to review, approve and release the completed e-QIP to OPM.     

 
Q. Were contractors affected by the OPM security breach?

A. Yes. While investigating this incident, in early June 2015, OPM discovered that additional information had been compromised: including background investigation records of current, former, and prospective federal employees and contractors. OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases.

According to the OPM website [https://www.opm.gov/cybersecurity], "If you underwent a background investigation through OPM in 2000 or afterwards (which occurs through the submission of forms SF-86 (PDF file) [7.09 MB], SF-85 (PDF file) [204.92 KB], or SF-85P (PDF file) [513.33 KB] for either a new investigation or a reinvestigation), it is highly likely that you are impacted by the incident involving background investigations. If you underwent a background investigation prior to 2000, you still may be impacted, but it is less likely."

Visit the OPM website to learn more about who was impacted and the protections OPM is working to put in place.


Q. An issue came up regarding a person who has an FDA badge that no longer works at the NIH campus entry gates (physical access). This began in early August. Therefore they need to go through the visitor entrance each time they come to campus. Is there a new process for issuing physical access to them?

A. Yes. Since NIH has no way to validate whether an HHS ID Badge/PIV Card from another OpDiv is "valid" and hasn't been revoked by the agency, all individuals holding an HHS ID Badge from another OpDiv (including FDA) must go through the Gateway Center or the Commercial Vehicle Inspection Facility.

The fact that an individual possesses an HHS ID Badge from FDA that "looks good" doesn't necessarily mean it is still valid.  It could have been revoked by FDA and never collected by FDA. An individual may try to use the revoked (deactivated) badge as a "flash pass."

Until NIH is able to "verify" an HHS ID Badge through the HHS Certificate Revocation List (CRL), it cannot assume that all other HHS OpDiv badges are good.

Note: an exception can be made for individuals who have official business on a regular basis at NIH. In these instances, the individual will need to be sponsored by a PIV-sponsored Administrative Officer. Also, an e-mail should be sent to Alex Salah (salaha@ors.od.nih.gov), DPSAC, informing him of this request.


Q. After a contractor has been reclassified to FTE in NED, can he or she make appointments for Enrollment and Badge Issuance before their FTE EOD date?

A. Yes. It's important that the person be reclassified to FTE, and other NED information be updated as necessary, otherwise, the individual won't be able to get an appointment! Once the AO updates NED and DPSAC updates their database, the person can get an appointment.

Please note: a person can be enrolled and his or her background investigation can be adjudicated prior to his or her EOD date, but NED will not authorize issuance of the badge until the person's EOD date.

 
A biweekly e-newsletter from the Office of Research Services, Division of Personnel Security and Access Control (ORS/DPSAC) to keep you informed as NIH rolls out "Homeland Security Presidential Directive 12" (HSPD-12) establishing a common identification standard to better safeguard NIH and its workforce.