DPSAC News Header

September 16, 2015 issue of the DPSAC NEWS

In This Issue

Contact Us

 

Division of Personnel Security and Access Control (DPSAC),  

Office of Research Services  

 

Personnel Security 

Helpdesk: 301-402-9755

e-QIP: 301-402-9735

Appointment Line: 301-496-0051

E-mail: orspersonnelsecurity@ 

mail.nih.gov

 

Access Control

Helpdesk: 301-451-4766

E-mail: facilityaccesscontrol@ 

mail.nih.gov

 

       

        HHS logo small Logo Mark NIH Logo Mark    

NED Team Deploys NED v.3.7.5

NED completed deployment of a maintenance release (NED v.3.7.5) on September 5. This release includes functionality for NED to e-mail an OD/Office of Human Resources (OHR) e-mail distribution list when the Division of Personnel Security and Access Control (DPSAC) completes pre-screening of a prospective new NIH FTE (employee).

DPSAC pre-screening includes adjudication of the prospective employee's fingerprints and validation that the e-QIP forms completed by the prospective employee are ready for DPSAC to submit to OPM.
 
This added functionality will save both DPSAC and OHR considerable time and commitment of personnel in determining when OHR is able to extend a final offer letter to a prospective new employee.

                                                               
NIH Begins Enforcing REAL ID Act October 10
DPSAC News is rerunning this article that first appeared in the September 2, 2015 issue for readers who may be able to advise visitors planning a visit to NIH who may be affected by the REAL ID Act.  

Will Require Use of 'Compliant' Drivers' Licenses and ID Cards to Access Federal Facilities Requiring Proof of Identity 
The following article is based on information contained on the Department of Homeland Security (DHS) website (http://www.dhs.gov/real-id-enforcement-brief) that explains the REAL ID Act and recent updates to its implementation. NIH will begin enforcement of the Act starting October 10.

What is REAL ID?
REAL ID is a coordinated effort by the states and the federal government to establish minimum standards for the production and issuance of state-issued driver's licenses and identification cards to improve the reliability and accuracy of state-issued identification documents.

The REAL ID Act (The Act), passed by Congress in 2005, prohibits federal agencies from accepting non-compliant versions of these documents for official purposes such as airline travel and admission to federal facilities requiring proof of identity.    

According to the DHS, the Act "should inhibit terrorists' ability to evade detection by using fraudulent identification." REAL ID implements a 9/11 Commission recommendation urging the federal government to "set standards for the issuance of sources of identification, such as driver's licenses."

Current regulations state that federal agencies "may not accept state-issued driver's licenses or identification cards for official purposes from individuals unless the license or card is REAL ID-compliant and was issued by a compliant state as determined by DHS."
   
Impact at NIH Facilities
Individuals holding drivers licenses from non-compliant jurisdictions listed in the table below will need alternative identification to access NIH facilities beginning on October 10, 2015.  

+ Federal officials may continue to accept Enhanced Drivers Licenses. For more information, visit: www.dhs.gov/enhanced-drivers-licenses-what-are-they 
 
Limitations
Access for activities directly relating to safety and health or life preserving services, to law enforcement, and to constitutionally protected activities, including legal and investigative proceedings will not be affected. Existing agency policies will still apply.
 
The Act does not require individuals to present identification where it is not currently required to access a federal facility (such as to enter the public areas of the Smithsonian) nor does it prohibit an agency from accepting other forms of identity documents other than documents from non-compliant states (such as a U.S. passport or passport card).          

The Act's prohibitions do not affect other uses of driver's licenses or identification cards - including licenses and cards from non-compliant states - unrelated to official purposes as defined in the Act. For example, the Act does not apply to voting, registering to vote, or for applying for or receiving federal benefits.  

For more information, please contact the DHS Office of State-Issued Identification Support at
osiis@hq.dhs.gov
 
 
Customers Continue to Give DPSAC High Marks
  
Six months after being activated, customers using the 'HappyOrNot' interactive kiosks installed at DPSAC's Building 31 enrollment and badging offices are continuing to report very high customer satisfaction.
Figure 1 below shows results from the month of August 2015. Out of a total of 584 individuals who gave responses at the Enrollment and Badging kiosks, 568 (97%) reported having a very positive 'happy' or 'somewhat happy' experience, whereas 16 (3%) reported being less than happy. 

The figures generated from the kiosks in August are very similar to those reported following the first full month of their use at the end of March, when 993 of 1108 respondents (98%) reported being happy or somewhat happy with their enrollment or badging service while 15 people (2%) reported being somewhat unhappy or unhappy.

 
                                                Figure 1 
Customers are asked to record their experience at the kiosks situated near the exits of the enrollment and badging offices. These eye-catching displays operate wirelessly, producing automated and quick-to-read reports and analytical data.
The customers are presented with a single question posted on the kiosk -- "How was your experience through Enrollment" or "... through Badge Issuance?" -- by pushing one of four buttons with 'emojis' representing (1) a 'happy' experience; (2), a 'somewhat happy' experience; (3) a 'somewhat unhappy' experience; and (4), an 'unhappy' experience.
According to Richie Taffet, Program Manager of the HSPD-12 Program Office, "These results indicate that our customers are generally having a good experience during the enrollment and badging processes. They also indicate that there's room for improvement."

"The fact that we can view 'to-the-hour' reports gives us instant feedback and an excellent snapshot of the quality of service we're providing," Taffet noted. "With this information at our fingertips, we are able to make corrections quickly if problems become apparent," he added. 
 
In order to provide the best customer service possible, DPSAC also includes a Customer Service Survey at the end of every e-mail communication with its customers. Recipients see the following message:
How are we doing? DPSAC wants to hear from our customers.
Share your experience in a short Customer Service Survey: http://go.usa.gov/pv6j

A link to the survey is also posted under the 'What's New' section of the DPSAC website: http://www.idbadge.nih.gov.
"We're finding that the interactive kiosks and the more detailed customer surveys are providing DPSAC valuable feedback and allowing us to quickly address issues as they are uncovered," said Taffet. "We want all of our customers to experience great service every day!" he concluded.  

 
NIH Resumes e-QIP Initiations 
 
On June 29, 2015 OPM suspended electronic background investigations (e-QIP) government-wide following the discovery of security vulnerabilities to the system. In late July, OPM announced that it had implemented fixes to e-QIP and that agencies would soon be able to start using the revised online system.

Since OPM's announcement, NIH's Division of Personnel Security and Access Control (DPSAC) has been busy modifying its own procedures to incorporate OPM's changes in order to resume e-QIP. While e-QIP was offline, individuals had to complete paper forms and were only able to receive ID badges valid for six months.

With the new security measures in place, DPSAC was recently able to resume e-QIP initiations. Individuals who had earlier completed the paper background investigation forms will be notified by DPSAC to complete e-QIP. OPM has stated the paper forms cannot be submitted to their offices.

Now that e-QIP has been reactivated, DPSAC will no longer authorize the six-month ID badge. Remember, DPSAC must receive and review the background investigation forms and release them to OPM before it can issue an HHS ID or RLA Badge. This requirement affects all HHS Operating Divisions, including NIH.

Temporary registration PIN now required
New to the process, DPSAC will have to communicate with the applicant and supply him/her with a personalized and unique 14 character (alpha and numeric) temporary registration PIN.

The new registration PIN will be required for the applicant to initially register for his/her username and password. The applicant will enter his/her username and password each subsequent time he or she returns to e-QIP to update responses. DPSAC can phone the applicant with the new temporary registration PIN or securely e-mail it to him/her.

If the applicant's e-mail is not ".gov" or ".mil," DPSAC will send the temporary registration pin through e-QIP directly or will use the NIH Secure E-mail File Transfer service (SEFT):
https://secureemail.nih.gov/bds/Main.do 

Therefore, it now becomes imperative that an IC AO collect and enter into NED a current personal e-mail address and current personal phone number.

If you have any questions, please contact DPSAC at:
ORSPersonnel Security@mail.nih.gov.

Helpful Tips

'How to' guides for applicants completing e-QIP -- Filling out the e-QIP investigation forms can be a time-consuming, and on occasion, confusing task. DPSAC has prepared a series of guides to help applicants navigate e-QIP and fully complete the necessary forms. According to DPSAC, leaving fields on the form blank or not completing all the requested information are the most common reasons e-QIP questionnaires are returned to applicants. These helpful guides are posted on the DPSAC website at: http://www.ors.od.nih.gov/ser/dpsac/forms/Pages/Backcheck.aspx.
 
AOs who wish to obtain sponsor authority -- must complete the sponsor training (available at: http://www.ors.od.nih.gov/ser/dpsac/Training/Pages/administrators.aspx) and e-mail a copy of your signed certificate to the NIH HSPD-12 Program Office at hspd12@od.nih.gov. Upon receipt of the certificate, the Program Office will authorize the AO as a sponsor.
ICs that want to add Lifecycle Work Station (LWS) operators to the approved roster -- send a written request to Richie Taffet at: taffetr@mail.nih.gov. Your request should include:  
  • the new operator's name
  • his/her IC
  • his/her NED number
  • the operator's e-mail address, building/room and phone number
Once Mr. Taffet has approved the request, he will forward the name(s) to HHSIdentityAdmins@deloitte.com to complete the approval process, add the name(s) to the LWS operator roster, and inform the IC that the individual is now approved to operate the LWS.

Need to make changes to the LWS operator directories?
-- drop an e-mail to Lanny Newman,
newmanl@mail.nih.gov, and let him know what needs changing (e.g., adding new operators or LWS locations, removing operators, etc.). Remember, before a new operator can be added to the LWS directory, s/he must first be approved by Richie Taffet (see preceding Helpful Tip).

Know someone who could benefit by receiving DPSAC News? -- just have that person contact Lanny Newman, newmanl@mail.nih.gov, and ask to be put on the mailing list.   
 
FAQs
 
Q. Our office recently hired a person through a third party staffing company to assist us over the next three months. Because she is temporary she was not issued a PIV card. I believe this person is considered a "contractor" and should be sponsored for an RLA badge? Is this correct?

A. Not quite. Contractors cannot be entered into NED for less than six months.  If she is a US citizen, she will get a PIV card.  If she is a foreign national, she will get an RLA badge. Either way, DPSAC will require her to complete e-QIP.

Any group that normally receives a PIV card can be classified as short-term and thus get an RLA badge except contractors. That leaves the following who can get an RLA badge as a 'short-termer':
  • FTEs
  • Fellows
  • Guest Researchers
  • Special Volunteers
  • Collaborators

These individuals all go into NED, where they are flagged as less than six months.  



Q. Is there a way that an applicant can fax the completed background information forms to the IC/AO, who can then hand deliver the documents to DPSAC with a receipt of delivery?


A. The completed background information forms cannot be sent to the IC/AO. 

Given that e-QIP contains extremely sensitive and personal information, AOs should not be receiving or handling these forms.

DPSAC has a secure fax line for direct transmission of e-QIP forms and releases. The fax number is 301-480-0108.

         
Q. What is the proper procedure for disposing of an ALT Card that was returned to our designated ALT card distributor because it was defective? 
 
A. Please send the defective ALT Card to: 
 
           DPSAC
           Attn: Alex Salah
           31 Center Drive, Room 1B03
           Bethesda, MD 20892  
 
News Briefs

OPM, DoD Announce Identity Theft Protection and Credit Monitoring Contract
OPM issued the following news release on September 1, 2015

Victims of Cybercrime to Receive Three Years of Services

WASHINGTON, D.C. - The U.S. Office of Personnel Management (OPM) and the U.S. Department of Defense (DoD) today announced the award of a $133,263,550 contract to Identity Theft Guard Solutions LLC, doing business as ID Experts, for identity theft protection services for 21.5 million individuals whose personal information was stolen in one of the largest cybercrimes ever carried out against the United States Government.

These services will be provided at no cost to the victims whose sensitive information, including Social Security numbers, were compromised in the cyber incident involving background investigations.

"We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future," said Beth Cobert, Acting Director of the Office of Personnel Management.

"Millions of individuals, through no fault of their own, had their personal information stolen and we're committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling."

ID Experts will provide all impacted individuals and their dependent minor children (under the age of 18 as of July 1, 2015) with credit monitoring, identity monitoring, identity theft insurance, and identity restoration services for a period of three years. This task order was awarded under GSA's Blanket Purchase Agreements (BPA) for Identity Monitoring, Data Breach Response and Protection Services which GSA awarded today.

The U.S. Government, through the Department of Defense, will notify those impacted beginning later this month and continue over the next several weeks. Notifications will be sent directly to impacted individuals.
For more information, or to sign up for email alerts, please visit: https://www.opm.gov/cybersecurity.

OPM has previously issued the following guidance to affected individuals:

*  Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.

*  Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus - Equifax®, Experian®, and TransUnion® - for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.

*  Review resources provided on the FTC identity theft website, www.ftc.gov/idtheft. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.

*  You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.

How to avoid being a victim:
*  Be suspicious of unsolicited phone calls, visits, or e-mail messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

*  Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.

*  Do not reveal personal or financial information in e-mail, and do not respond to e-mail solicitations for this information. This includes following links sent in e-mail.

*  Do not send sensitive information over the Internet before checking a website's security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013)

*  Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

*  If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).

*  Install and maintain anti-virus software, firewalls, and e-mail filters to reduce some of this traffic (for more information, see Understanding Firewalls, http://www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, http://www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007).

*  Take advantage of any anti-phishing features offered by your e-mail client and web browser.

Affected individuals can obtain additional information about the steps they can take to avoid identity theft from the following agencies. The FTC also encourages those who discover that their information has been misused to file a complaint with them.

For California Residents:
Visit the California Office of Privacy Protection (www.privacy.ca.gov) for
additional information on protection against identity theft   

For Kentucky Residents:
Office of the Attorney General of Kentucky
700 Capitol Avenue, Suite 118
Frankfort, Kentucky 40601
Telephone: 1-502-696-5300

For Maryland Residents:
Office of the Attorney General of Maryland
Consumer Protection Division
200 St. Paul Place
Baltimore, MD 21202
Telephone: 1-888-743-0023

For North Carolina Residents:
Office of the Attorney General of North Carolina
9001 Mail Service Center
Raleigh, NC 27699-9001
Telephone: 1-919-716-6400

For all other US Residents:
Identity Theft Clearinghouse
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
1-877-IDTHEFT (438-4338)
TDD: 1-202-326-2502

A biweekly e-newsletter from the Office of Research Services, Division of Personnel Security and Access Control (ORS/DPSAC) to keep you informed as NIH rolls out "Homeland Security Presidential Directive 12" (HSPD-12) establishing a common identification standard to better safeguard NIH and its workforce.