Background Investigation Questions
Why does NIH conduct background checks on Federal applicants, employees, and contractors?
The Federal government requires that all employees and contractors meet investigative standards for the level of sensitivity assigned to their job with NIH. Therefore, the background investigation mandated by the new ID badge application process is a Federal job requirement.
I'm working with someone who is resisting getting a background check until he gets his loan for a house purchase. Will a background check affect his credit score?
This question was posed to a veteran loan officer with a large mortgage company. According to this expert, "a credit check for a background check should have minimal if any effect on the person's credit score rating. 'Hard inquiries' for revolving debts (credit cards) are the types of inquiries that can take their toll on a person's credit score if there are too many inquiries within a short period of time." The expert concludes that "there is no reason this person should be concerned."
Also, it's important for that person to understand that the background check is a Federal government job requirement. Providing information is voluntary, but if s/he chooses not to provide the required information, s/he will not meet the requirements of the job and will therefore not be considered further for employment with the Federal government. If s/he is already employed by the Federal government, their appointment will be terminated. The courts have upheld this principle.
Can you tell me why the NIH Personnel Security Office is asking me for clarification of a ‘discrepancy’ regarding my birth name that appeared in my e-QIP questionnaire?
Yes. The Personnel Security Office is asking you to clarify whether the name you listed on your security questionnaire is your actual full name given at birth, or if one of the other names you listed on your questionnaire (under Section 5: Other Names Used) would have been your full legal name at birth.*
The Personnel Security Office asks this question knowing that once the questionnaire is forwarded to the Office of Personnel Management (OPM), that agency will always ask for clarification of an individual's full name at birth, based on the individual's response to Section 5: Other Names Used.*
Section 5: Other Names Used: Give other names you have used and the period of time you used them [for example: maiden name, name(s) by a former marriage, former name(s), alias(es), nickname(s)]. If the other name is your maiden name, check the "nee" box.
Some of the information required for entry in e-QIP and the additional requested forms (OF612, OF306) is frustratingly redundant. Can't DPSAC simplify this process?
You are correct that the OF 612 and OF 306 are redundant and seem burdensome. NIH regularly expresses this concern to Office of Personnel Management (OPM) leadership and at meetings with the OPM Training and Oversight Division.
OPM uses these two forms to validate information in the e-QIP questionnaire. Personnel at the Agency and OPDIV level are working hard to have this requirement removed; however, OPM is in charge of the process.
Note: OPM will soon release an updated version of e-QIP (v. 3.0) that will enable users to digitally sign certain e-QIP documents. This feature will eliminate a number of time consuming and laborious steps.
Why do I need a background investigation?
National security regulations require that all persons employed by the government shall be reliable, trustworthy and of unswerving loyalty to the United States. This means that the appointment of each civilian employee in any department or agency of the government is subject to investigation. The scope of the investigation will vary, depending on the nature of the position.
I am a contractor and recently read the DPSAC News article on required forms for background checks. Do I have to fill out the OF 612?
No. Everyone except contractors must complete and submit this form per OPM guidelines. Those required to fill out form OF 612 should begin with Question 4; Questions 1-3 are for individuals who are not already Federal employees and who are applying for a Federal position.
What is ‘position sensitivity level’ and how is it determined?
Each position at NIH is assigned a level of risk and sensitivity that determines the kind of background investigation required for that job. The NIH Personnel Security Subcommittee has developed a guide to assist IC’s in determining job sensitivity levels. These worksheets are available in NED. Currently, all individuals are being processed at a non-sensitive level unless IC’s notify DPSAC that applicants need a higher level of clearance.
If another IC was willing to let us use their LWS, would we be able to reset PINs that way? Or is each Lifecycle Work Station specific to an IC?
Any LWS can update any individual who has an HHS ID Badge (Smart Card). There are no restrictions based on which IC purchased it. Some of the ICs have already established agreements with neighboring ICs to share LWS support.
I recently completed my e-QIP questionnaire and wanted to know whether I will receive a copy of my background investigation once it is completed?
When DPSAC completes an individual's background investigation, the individual will receive an e-mail from DPSAC's database letting them know the investigation is complete. For Federal employees, their employee personnel file (eOPF) will be updated as well. Individuals may request a copy of their investigation file under provisions of the Privacy Act. For an OPM investigation request, contact DPSAC Personnel Security (Phone: 301-402-9755; E-mail: orspersonnelsecurity@mail.nih.gov); or, write to OPM-CIS, FOIP, Post Office Box 618, Boyers, PA 16018-0618. You must include: your full name, Social Security Number, date and place of birth, and you must sign your request.
Will I need a new background investigation?
All NIH employees, contractors and affiliates must have the background investigation required for their position sensitivity level. If you do not have the proper background investigation on file, you will be required to complete one.
What is involved in the background check?
The background check, also known as a personnel security investigation, is an examination into an individual's loyalty, character, trustworthiness, and reliability to ensure that he or she is eligible to access classified information or for an appointment to a sensitive position or position of trust. It may include a number of database checks, written inquiries, and interviews, depending on the level of sensitivity of your job.
Do you take my fingerprints? I'm not a criminal. Why do you want my fingerprints?
So that we can verify your claim that you're not a criminal by checking the FBI's fingerprint files. Executive Order 10450 requires that all Federal employees be fingerprinted.
Do I have to go to a police station to be fingerprinted?
No. NIH has digital fingerprinting systems in place and NIH personnel security staff will fingerprint you in most cases. In rare instances, a person may have to go to a police station to be fingerprinted.
What will happen if I refuse to give you some of this personal information?
The investigation is a job requirement. Providing the information is voluntary, but if you choose not to provide the required information, you will not meet the requirements of the job and will therefore not be considered further. If you are already employed by the Federal government, your appointment will be terminated. The courts have upheld this principle.
What if problems are identified?
A personnel security specialist reviews each background investigation. If problems arise, you will have the opportunity to clarify background information with a personnel security specialist to work through any issues.
What if I have something negative in my background history?
If you have something negative on your record, it is best to be upfront and honest about the issue. We utilize the ‘whole person concept' when reviewing background history. This means that any negative information will be placed into context and evaluated as just one piece of your entire history. We look for evidence of character that makes people suitable for government employment.
I've already had a background check. Will I need a new one?
Although the new ID badge process does not require a reinvestigation, some individuals may need a new investigation because they had a break in continuous Federal service or there is no record of their previous investigation if it was conducted over 15 years ago. The U.S. Office of Personnel Management (OPM) maintains most investigative files only for 15 years.
When you are notified to apply for your new ID badge, an NIH representative will let you know if your current background investigation file (if you had one) is sufficient. If it is not, he or she will help you complete the appropriate forms; you will only complete the questionnaire pertinent to the level of sensitivity assigned to your job.
Is it true that the investigation may include a credit report about me?
Yes. A search of the records of commercial credit reporting agencies is an integral part of almost all background investigations. A less than favorable credit history is not necessarily a reason for concern when doing a background investigation. Mitigating circumstances will be considered.
From the background check, what information is stored about me?
We keep the following information in our records: your full name, facial photograph, two fingerprints, date of birth, home address, home phone number, your background investigation form, the results of your background check, the approval signature of the person who registers you in the system, your badge expiration date, and the badge serial number.
Can I see the investigation report prepared about me?
You have the right to request a copy of your investigation file. The only persons authorized to see this information are Personnel Security, Suitability, and Investigations professionals who have been investigated and have a demonstrated need to review the information. You may request a copy of your investigation file under provisions of the Privacy Act. For an OPM investigation request, contact the DPSAC Personnel Security office or write to OPM-CIS, FOIP, Post Office Box 618, Boyers, PA 16018-0618. You must include your full name, Social Security Number, date and place of birth, and you must sign your request.
I am being considered for a Federal job and have been given a personnel security questionnaire. It's very long and asks a lot of personal questions. Do I have to answer all the questions on the form? Much of that information is already on my resume.
Yes. The resume is part of the application process. The Security Questionnaire is part of the investigation process. All of the security questionnaire questions should be answered fully, accurately, and honestly.
What should I do if I remember something later, after I've filled out the form and returned it?
Immediately notify the security officials to whom you submitted the questionnaire.
My brother works for one of the largest companies in the world, but he didn't have to go through all this. Why should I?
Congress, through statutes, the President, through executive orders, and the agencies charged with carrying out these laws and orders have required this process. There is, generally, no requirement for private employers to use the same guidelines as public employers. Of course, if your brother's job with the private employer required him to have access to classified national security information as a contractor to the Federal government, even your brother would have to be investigated.
Are you going to interview people other than those I name on the questionnaire? If so, why?
Yes. Background Investigators are required to identify, locate, and interview a sufficient number of people who know you well. We want a balanced and unbiased investigation. It would be a questionable investigative practice to only interview persons whom the individual being investigated identified for us.
Do you ever interview someone's ex-spouse or relatives?
Yes, although, in many instances, interviewing ex-spouses or relatives is not mandatory.
Why do you need information about my relatives?
Relatives sometimes influence the actions of family members. We need to determine if you could be exploited by threats or pressure against your relatives or if they themselves could exert pressure against you.
Is it okay if I guess at dates and addresses that I barely remember?
Providing information that is as complete and accurate as possible will assure that your investigation is completed in an efficient and timely manner. If you are unable to answer a question with precision, provide approximate information and note that you have done so on the questionnaire. If you are interviewed in person, point out the approximated information on the questionnaire to the Investigator.
Will I get a chance to explain some of the answers I provide?
Yes. Many types of background investigations involve a personal interview. Moreover, you may submit information on extra pages with your questionnaire if you feel you need to more fully explain details or circumstances of the answers you put on the form.
What if you talk to someone who just doesn't like me and they lie about me?
We talk to as many knowledgeable people as possible to get a balanced, accurate, and comprehensive picture of the person being investigated. Later, you may have an opportunity to refute any misleading or false information that was reported about you.
I have a physical disability. Will that hurt my chances for a job?
No. It is against Federal law to discriminate against an individual based on his or her disability.
Are you going to tell my supervisor that I'm looking for a job?
It is a requirement of a background investigation, and actual employment, that your current employer be contacted. We must verify your employment data and make other inquiries concerning your background. If you are a Federal employee or contractor, for example, it may be that your current employer needs you to have a security clearance for the work you do. In other instances, you are asked to complete the investigative form for an investigation and clearance only after a conditional offer of employment has been made for a position requiring a security clearance.
Why is detailed information about my education required?
Educational history is necessary for jobs that require specific education and expertise. Any information supplied by the applicant must be verified.
I was politically active during the last elections. Will that hurt my chances for a job or a clearance?
No. It will neither hurt nor help your chances.
Doesn't the FBI conduct all Federal background investigations?
The U.S. Office of Personnel Management, the Department of Defense, and a few other agencies share this responsibility. The FBI mostly conducts investigations on the following: high level Presidential appointees, cabinet officers, agency heads and staff who may work at the White House directly for the President.
Many contractors say that a security clearance is needed to apply for their jobs. How can I get a clearance in advance so I can apply for these jobs? Can I pay for it myself?
The Office of Personnel Management has no procedure for an individual to independently apply for an investigation, positions maintained by contractor, or security clearance. Clearances are based on investigations requested by Federal agencies, appropriate to specific positions and their duties. Until a person is offered such a position, the government will not request or pay for an investigation for a clearance. Once a person has been offered a job (contingent upon satisfactory completion of an investigation), the government will require the person to complete a Standard Form 86, Questionnaire for National Security Positions, initiate the investigation, adjudicate the results, and issue the appropriate clearance. We know that some Defense Department contractors require applicants to already have a clearance, and they have the right to administer their personnel hiring procedures the way they want as long as they don't discriminate based on prohibited factors (such as race or religion). Persons who already have clearances are those who are already employed by a government contractor (or by the government itself) and are looking for other job opportunities.
How long does a background investigation take?
The timeliness of a background investigation depends on the type of investigation conducted. Depending on the type of background investigation, the scope of the investigation may require coverage for specific items. The need for a security clearance may affect the time period in which an investigation is completed. Each background investigation requires that certain areas are covered before an investigation is completed.
Who decides if I get the job or a security clearance?
Adjudications officials at the agency requiring the investigation will evaluate your case and communicate their recommendation to the appropriate personnel or security office.
Can you explain what is meant by the adjudication process?
The adjudicative process is the careful weighing of a number of variables known as the “whole person concept.” Available, reliable information about the person, past and present, favorable and unfavorable, should be considered in reaching a determination. The final suitability determination will be based on good judgment and common sense after consideration of all these variables.
Criteria: The criteria to use in making a suitability decision, including the specific factors to consider as a basis for finding an individual unsuitable for Federal employment, are found in 5 CFR Part 731.
Tips on Adjudication:
- Voluntarily report any unfavorable information
- Be truthful and complete in responding to questions
- Seek assistance and follow professional guidance, where appropriate
- Resolve suitability concerns favorably, (e.g., credit problems)
- Demonstrate positive changes in behavior and employment
Can I appeal the decision if NIH refuses to issue me a new ID badge or revokes my ID badge?
Yes. If an ID badge (PIV card) is denied or revoked, you have the right to appeal. You will be provided a written statement of the reason(s) why your badge was denied or revoked, and the procedures for filing an appeal. You may respond to the decision in writing and furnish documentation that addresses the validity, truthfulness, and/or completeness of the specific reasons for the determination in support of your response. If you believe the information gathered about you during the background investigation was misleading or inaccurate, you will be given the opportunity to correct or clarify that information.
Can I still fax my Signature Form for my e-QIP application to DPSAC?
No. Your completed, original Signature Form must be dropped off at the DPSAC Enrollment Center in Building 31, Rm. 1B03.
As part of my background investigation instructions, I am being asked to fill out a new Form OF-612 (a job application form), even though I have worked at NIH for 20 years. Is this really necessary? Plus, by signing the “612” aren’t I saying that I’m appl
We receive many inquiries about this very issue. The short answer is “Yes,” it is necessary to fill out Form OF-612. The Office of Personnel Management (OPM) is the agency that conducts the background investigation for NIH and requires a completed OF-612 as part of the process. The good news is that you will have just completed the online e-QIP application, so the information asked for in Form OF-612 will be readily available. For existing employees, we recommend that you answer Boxes 1, 2 and 3 as follows: Box 1 (Job Title in Announcement) – fill in your current job title; Box 2 (Grade(s) applying for) – fill in your current grade; Box 3 (Announcement Number) – fill in “N/A” (see graphic below).
Graphic: Instructions for Current Employees
I’ve reached the bottom of my E-QIP online application. I answered all of the questions and filled in all the blanks but I don’t think I’m finished. Am I right?
Yes, there are still a few steps you must take before your e-QIP application can be processed. Once you have completed your online e-QIP application, print a copy for yourself. Also, print the required signature pages and then hit the "submit/transmit" button. Your application is now complete and submitted for processing by DPSAC.
Remember, the printed Signature forms must be delivered to DPSAC (Bldg 31, Rm 1B03) in order to complete the background investigation process.
I’ve read that supervisors will be notified when the applicant’s Background Investigation (BI) is completed and has been favorably adjudicated. Does this also apply for contractors?
Yes, in all instances, the supervisor and/or Project Officer will be notified via e-mail.
General Questions
I missed my opportunity to take advantage of expedited fingerprinting on my Entry On Duty (EOD) day. What should I do now?
Since you missed your opportunity to get fingerprinted during your EOD, you will need to call DPSAC's appointment line at 301-496-0051 (8 a.m. - 4:00 p.m.).
Please remember to bring two forms of identification (driver's license, passport, etc.) to your enrollment appointment.
DPSAC at one time offered Enrollment and Badging Services at Executive Plaza. I need to reset my PIN. Any plans to offer PIN reset/Certificate renewal services off campus?
Unfortunately, because of recent budget cuts, a traveling enrollment/badging staff member who would have been assigned to visit your location on a regular basis to update PINs, etc. will not be making the rounds. DPSAC is only able to staff the Badge Issuance Stations (for resetting PINs and renewing Digital Certificates) located in Building 31 (B1A26) or the Clinical Center South Lobby. Many ICs have purchased Lifecycle Work Stations (LWS) so that they can offer PIN resets and Certificate renewals by an IC-approved LWS operator at local sites. (See: http://idbadge.nih.gov/badge/lifecycle.asp for a list of ICs and approved LWS operators/contact information).
If I’m using my Smart Card (HHS ID Badge) to access my NIH network computer, do I need to remove it and then reinsert it when my computer requires another login (at the timeout)?
Yes. The Smart Card works just like a User ID/Password, except it is more secure and does not require you to keep changing the PIN. When your computer screen locks, you can unlock your screen by re-inserting the Smart Card and typing in your PIN in the same way you now unlock your screen by re-entering your User ID/Password.
Can you clarify whether parental consent is required for background checks on minors (under age 18) who will be working at NIH?
Minors who will be working at NIH for 180 days or less are issued an NIH Legacy Badge. This requires a name check (NCIC check) which is administered by the NIH Police. The NCIC requires parental consent. Minors who will be at NIH longer than 180 consecutive days and require the HHS ID Badge (PIV Card) will undergo a NACI check. This is an OPM-administered background check and does not require parental consent for minors (see: March 23, 2011 DPSAC News).
If an employee, contractor or affiliate moves to another Institute or Center, does s/he need to be issued a new HHS ID Badge?
No. Moving from one Institute/Center to another does not require badge reissuance -- unless that person is also changing from an Employee (no stripe) to a Contractor or Affiliate (green stripe) or from a Contractor or Affiliate (green stripe) to FTE (no stripe). Note, however, that with the release of NED v 2.9, "an individual's badge will no longer be revoked when changing classification to an FTE. The revocation will still occur when changing classification from an FTE."
Note: switching ICs may require contacting Facilities Access Control (301-451-4766; or, facilityaccesscontrol@mail.nih.gov) for physical access to the new IC's duty station.
I work in Rockville and need to get my HHS ID Badge certificate renewed. Do I have to go to the DPSAC Badge Issuance Station on campus to complete this task or can my IC renew my certificate?
You likely don't have to visit a DPSAC badge issuance station to renew your HHS ID Badge certificate. Many Institutes and Centers have purchased Lifecycle Work Stations (LWS) and trained staff to operate the units to issue PINs and renew badge certificates for their staffs.
To locate an LWS operator from your IC, click on the following link: http://www.ors.od.nih.gov/ser/dpsac/badge/Pages/lifecycle.aspx.
The table lists the operators alphabetically by IC and includes their contact information. In the event your IC is not listed on this table, you should check with your AO to determine whether your IC may have made arrangements to use another IC's LWS nearby. If not, you will need to contact one of DPSAC's on-campus Badge Issuance Stations.
One of our Special Volunteers collaborates remotely from the Philippines with researchers in Bethesda via a laptop with no card reader. Since remote laptop users must use their PIV card/card reader to access the NIH network, what do you advise?
Actually, individuals who do not have a PIV card (NIH knows who you are) may continue to use userid/password until alternative tokens (e.g., SecurID) are available. Under these circumstances no waiver is required. Individuals who do have PIV cards, but cannot use them for remote access, must file a waiver through their IC Information System Security Officer (ISSO) explaining their 'special circumstances.' If the waiver is approved, they too may continue to use userid/password until alternative tokens are available.
We have a disabled staff member who has a PIV card but cannot make it into the office to have her PIN reset for her PIV Card (HHS ID Badge). What are the options for her and other staff like her?
One possibility is to issue her a "token" that would be used to log into the IT system. The "token" may be issued by your IC's Information System Security Officer (ISSO). The Office of the Chief Information Officer (OCIO) has posted ISSOs for all ICs at: http://ocio.nih.gov/nihsecurity/scroster.html.
If I discover that my HHS ID Badge certificates are expired, can I have my IC's Lifecycle Work Station (LWS) operator reissue new certificates?
Yes. Once your PIV Card certificates are expired, you can have them reissued either by an LWS operator or at a DPSAC Badge Issuance Station. In either case, you will need to make an appointment.
My IC bought several Lifecycle Work Stations. Is any special training offered or certification required in order to operate these Lifecycle Work Stations?
Special certification is not required to operate the Lifecycle Work Station; however, a training manual that explains how to operate the LWS is now available and posted online at: http://www.idbadge.nih.gov/training/lifecycle.asp.
This manual provides helpful overviews of the Lifecycle Work Station, the Management Agent, logging into the LWS software, as well as the processes for resetting PINs and renewing certificates.
Also, please be aware that a table containing the names and contact information for many of the LWS administrators is posted at: http://www.idbadge.nih.gov/badge/lifecycle.asp.
Do I need to enter a new PIN if I forget my old PIN, or can I re-use my old PIN?
There is no limit to the number of times one can use the same PIN. PINs never expire. You can reset your PIN using the same sequence of digits every time you do a reset.
If you have trouble remembering your PIN, you may want to use it as your code for retrieving your voice mails. This way, every time you retrieve your voice mails you will be using your PIN and will be less likely to forget it when the time comes to use it to update your HHS ID Badge.
Our IC has two employees who work in remote locations full-time (North Carolina and Texas). How do we go about resetting PINs for these individuals? Do they have to travel back to NIH or are there alternative locations or methods for doing this?
Depending on where your folks are in North Carolina and Texas we may have options. NIEHS at Research Triangle Park, NC can reset PINs and renew certificates.
The HSPD-12 Program Office has an agreement with the Program Support Center (PSC) in HHS that makes a location in Dallas available for PIN resets and certificate renewals. This agreement provides NIH staff the ability to visit any regional HHS/PSC office for badge-related issues.
I have customers asking what they need to do if they forget their PIV card but need to use their card to access “sensitive applications” on their computers. What are the current NIH plans for handling this?
According to the Office of the Chief Information Officer, their short answer is "do not forget your PIV card."
NIH is working with HHS to provide 'backup' cards for Senior Executives and people on travel, but most users will need to learn how important it is to *always* have their PIV card with them if they need to access 'sensitive' applications.
Also, it is estimated that the 'backup' cards will not be available until some time in 2012.
Please note that the U.S. Military as well as many public and private organizations have adopted this policy for their workforces.
I recently switched from a visiting fellow position to a contractor in the same Institute. I was wondering if I need to be re-issued a new badge and, if yes, how that process must be initiated.
No. You do not need to do anything. Your badge will continue to be valid as a contractor, whether you changed Institutes or not. Were you to have switched to Federal employee (FTE) status, you would have had to switch your HHS ID Badge (from green stripe to white stripe).
Does an AT need to take the NED class to be able to have access to NED?
No. NED training is not required.
I’m an AT and I’m hearing a lot of chatter that if you do not have a card reader on your desk you will not be able to use computers after July 1, 2011. Is this true? Will the employee receive e-mail notification regarding their card reader?
Unfortunately you received inaccurate information from individuals who seem to be confusing logging in to the NIH network with accessing the NIH Virtual Private Network (VPN). On July 11, 2011 NIH adopted two-factor authentication just for VPN remote access user logins. As noted in the accompanying DPSAC News article about VPN remote access user logins:
"As of July 11, a majority of remote access VPN users began using PIV card access; everyone else will be moved to alternate methods of 2-factor authentication as soon as possible. Once everyone is migrated to 2-factor authentication, current use of a username/password VPN login will be disabled. The date when NIH will be ready to disable password login for all remote access VPN login is yet to be determined."
By now, ICs have either installed card readers, or are in the process of installing card readers on their staffs' desktop computers in preparation for the eventual migration, NIH-wide, to two-factor authentication with the HHS ID Badge (PIV card).
If you don't have a card reader to use with your computer, you should contact your IC's ISSO office.
In a few weeks I’ll be leaving FDA to take a job at NIH. Will I need a new ID Badge or can I use the PIV Card issued by FDA when I begin working at NIH?
Since you will be moving from one OPDIV (FDA) to a position at another OPDIV (NIH), you will need to be sponsored by the Administrative Officer (AO) of the Institute/Center you are assigned to.
Once your AO sponsors you, you will need to be enrolled and issued a new HHS ID Badge (PIV Card). Your new badge will contain digital certificates that will need to be updated periodically.
To read about the badging process, visit http://www.idbadge.nih.gov. This website describes in detail how to apply for a new HHS ID Badge (including enrollment and badge issuance) and the Personal Identity Verification (PIV) process required of everyone issued a new badge.
Note: if you plan to continue working for FDA while working at NIH, you will keep your FDA PIV card and NIH will issue you an NIH legacy badge for access to the NIH campus and any restricted facilities to which you have approved access.
We would like to install Lifecycle Work Station on one of our PCs located off campus. Are there requirements that the person operating the machine have special training or be an administrative officer? We'd want a program support person to operate the LWS.
Any employee or contractor in your IC can be assigned as a Lifecycle Work Station (LWS) operator. The individual must already have an HHS ID Badge and must know their own PIN.
As for training, once your LWS is purchased (either software only, or laptop and software) the HSPD-12 Program Office can arrange to have someone provide basic training to the individual. Operating the equipment is straightforward.
Note: The LWS can only be used for PIN resets and certificate renewals.
How do I go about obtaining a card reader for my computer?
The Information System Security Office (ISSO) for each IC is responsible for ensuring that all Employees, Contractors and Affiliates are supplied with a card reader for their desktop and/or laptop.
ICs are responsible for purchasing whatever card readers are needed.
The designated ISSO for your IC is posted on the OCIO website at: http://ocio/nih.gov/nihsecurity/scroster.html.
What is HSPD-12?
In August of 2004, the President issued Homeland Security Presidential Directive 12 (HSPD-12). This Directive called for a government-wide identification standard for people gaining physical access to Federal buildings and information systems. The HSPD-12 Directive also set out to establish a uniform Personal Identity Verification Card (PIV Card) that would operate across Federal agencies. NIH compliance with this directive is mandatory.
If ID Badges are not collected and the NED records are not deactivated will our IC continue to be charged the monthly $6.33 badge fee by HHS?
Deactivation in NED will flow to the Department's IDMS and stop the $6.33/month fee. A head count is taken on the 10th of the month. For security reasons it's also a best practice to collect the NIH Legacy or HHS ID Badges and send them back to DPSAC.
From time to time I need to refer to the NED User Guide. Can this be viewed online? What is the PIV Process?
The PIV Process requires two steps. In Phase I, all employees and contractors gaining access to Federal facilities and information systems must have a background investigation based on their position. In Phase II, these individuals will be issued a PIV Card that will operate across Federal agencies. The PIV Card replaced all NIH ID badges for employees, contractors and affiliates.
My question is in regard to the small font size of the expiration date printed on our HHS ID Badges. I've noticed that when a security guard is manually checking for facial recognition against the picture and for an active expiration date, the small font
Unfortunately, the font sizes used on the HHS ID Badge were established by the National Institute of Standards and Technology (NIST). NIST set the specification standards for all HSPD-12 Badges (Smart Cards).
NIST periodically reviews change requests from Federal agencies, so we will forward your comments and voice concern over the font size to the HSPD-12 Liaison at HHS in the hopes that they will champion larger font sizes - or better placement of the expiration date (not so close to the NIH logo).
We will report back if we get any feedback from HHS and/or NIST.
You may also be interested to learn that our many shuttle drivers at NIH actually examine the HHS ID Badge to see if the expiration date is still 'valid' as riders board the NIH shuttle to Executive Plaza, Rockledge, Mid-Pike Plaza, and around campus. They have already identified some contractors with expired HHS ID Badges. So the size and placement of the expiration date is of concern to us.
What is the value of the PIV Process?
The program ensures that individuals with access to Federal facilities and information systems are who they claim to be. The background investigations also verify that individuals are suitable for Federal employment.
Why do I need a new ID badge to access NIH facilities and systems? What is a PIV Card?
The PIV Card (also referred to as the HHS ID Badge) is the ID card that grants access to Federal facilities. It is part of a personal identity verification (PIV) system for protecting Federal buildings, building occupants, computers, applications, and data. It is secure and reliable because it is based on your verified identity and it is extremely hard to fake, change, or duplicate. If you previously had a government ID badge, your PIV Card will replace it.
What is stored on the PIV Card?
The PIV Card displays your printed picture, your full name, agency, organization, card expiration date, card serial number, and a Federal agency smart credential number that uniquely identifies your agency and you. The card also stores a personal identification number (PIN), a unique identifier, an authentication key, and two electronic fingerprints.
What if I lose my badge?
Report lost/stolen ID Badges to Access Control (301-451-4766) and to your Administrative Officer (AO). Your AO will need to enter the necessary information into the NIH Enterprise Directory (NED) to authorize a replacement ID badge. Those who have not yet undergone the PIV process will need to schedule an appointment with Personnel Security to be fingerprinted and have their background investigation initiated.
How do I replace my ID badge if something happens to it?
Badge holders working at the Bethesda campus or at nearby locations should bring their broken badge to the DPSAC Badge Issuance Center in Bldg. 31, Rm. B1A26 or at the Badging Station in Bldg. 10-Clinical Research Center for a replacement. If a broken badge has not expired and the badge can be authenticated, Access Control will issue you a new badge. The expiration date on the new badge will be the same as the date on your broken badge. As of January 16, 2009, Administrative Officers are no longer required to initiate the replacement of a broken badge in the NIH Enterprise Directory (NED).
*Instructions for replacing a broken badge at certain remote satellite facilities can be found at the following links:
What if I'm an NIH visitor or vendor?
If you are an extended visitor, service provider or vendor you will continue to receive your access approval through the NIH police. See Table describing the 14 current position categories and corresponding badging authority (DPSAC or NIH Police Department).
What happens when I use my ID badge?
When you show your ID badge to an authorized person, or swipe or insert your badge into a reader, your identity will be verified. That person will look at the picture on your ID badge and compare it to your face. The reader also will compare the data stored on the ID badge to the database of cardholders. (The machine may compare the fingerprint stored on the ID badge to your actual fingerprint.) When you gain access to HHS facilities or systems, your information is validated (non-intrusively) to ensure you have proper authorization.
I already have a badge. Why must I apply for a new ID badge? How do I apply for the new ID badge?
You will be notified when you should apply for your new ID badge and you will be given directions as to which forms you will need to fill out to complete your application.
Where can I go for help in completing my application?
Your personnel security representative (for current employees), human resources representative (for new employees), or Project Officer (for contractors) will serve as your primary point of contact and help guide you through the process.
What if an employee is located in an area without an ID card facility nearby?
- Federal employees (e.g., current points-of-contact for ID card issues) will be trained and designated as Enrollment Officials. They will conduct the identity proofing required by HSPD-12 and facilitate the issuance of the new PIV cards.
- When other Departments have certified procedures, we expect to arrange to use those approved facilities nearest to the employee.
How will all these HSPD-12 officials be trained?
- Web-based training is available on the ORS web page www.idbadge.nih.gov for all personnel in the process (Enrollment Official, Registrar, Applicant, etc).
- Training will take less than 10 minutes.
What should I do if I forget my ID badge?
If you forget your ID badge, you will have to go to the NIH Gateway Center to obtain a visitor pass. You will need to show identification before being issued your visitor pass that permits you onto the NIH campus. The pass is good only for that day. Remember to bring your permanent badge with you when you return to NIH.
I missed my opportunity to take advantage of expedited fingerprinting on my Entry On Duty (EOD) day. What should I do now?
Since you missed your opportunity to get fingerprinted during your EOD, you will need to call DPSAC's appointment line at 301-496-0051 (8:00 a.m. – 4:00 p.m.).
Please remember to bring two forms of identification (e.g., driver’s license, passport, etc.).
If I discover that my HHS ID Badge certificates are expired, can I have my IC's Lifecycle Work Station (LWS) operator reissue new certificates?
Yes. Once your PIV Card certificates are expired, you can have them re-issued either by an LWS operator or at a DPSAC Badge Issuance Station. In either case, you will need to make an appointment.
Can I be processed for an ID Badge before I report for my first day of work?
Yes, in fact, DPSAC encourages AOs to work with applicants in advance of their first work day to get a head start on the fingerprinting and ID Badge issuance process. These processes can begin as soon as you are entered into NED and authorized for an ID badge. After you are sponsored by your AO you should schedule a fingerprinting appointment.
When individuals end their employment at NIH, where should they go to turn in their badge and parking hanger?
NIH Badge Holders who are terminating their relationship with NIH should turn in their badge and parking hanger to their AO or supervisor.
I left my form at DPSAC but I missed my appointment. When I returned I had to complete the form again. What happened to my original form?
Due to the large volume of cases, DPSAC does not retain paperwork for 'no show' cases. If you miss your appointment, all forms are shredded and you must complete them again when you next appear at DPSAC.
From time to time I attend meetings requiring verification that I have a security clearance on file. What do I need to do to verify that I have a security clearance?
Your security clearance can be confirmed by an authorized DPSAC staff member. In order to verify your security clearance, the security officer from the requesting organization (e.g., the sponsor of a meeting you have been asked to attend) will need to e-mail DPSAC requesting the clearance information. The requesting officer needs to specify in the e-mail:
- why the clearance information is needed;
- the date this information will be used;
- where to fax or mail the information;
- the Point Of Contact (POC).
I recently retired from NIH after 30 years of Federal service at the National Library of Medicine. From time to time there are functions at NLM and NIH that I’d like to attend. Can I enter the campus without having to always go to the Gateway center?
As an NIH retiree who visits campus, you can receive an “Extended Visitor” ID badge. An “Extended Visitor” badge remains valid for one year and allows you to access campus without having to go through the Gateway Center. Once you receive your badge you can enter the campus at any of the perimeter gates.
To apply for an “Extended Visitor” ID badge, contact the NIH Police Department (301-496-2387, Building 31, Room B3B17). They will process your request and will perform a minimal security check before issuing your “Extended Visitor” badge.
My badge hasn’t expired, but when I swiped it at the gate this morning, the arm didn’t go up. Do I need a new badge?
If the arm doesn’t rise, your ID badge may be damaged or broken. If this happens, please contact the Access Control Help Desk at (301) 451-4766 to troubleshoot the problem. Please do not contact your AO for a new badge unless instructed to by the Help Desk.
I’m a member of the Commissioned Corps working at NIH and my badge will be expiring in a couple of months. Who do I talk to about renewing my badge?
There are nearly 400 Commissioned Corps Officers working at NIH. As with the civilian workforce at NIH, your AO will enter your personal information into NED to begin the badge renewal process. Once your information is entered into NED, however, your background investigation will be conducted by the Surgeon General’s office. You will receive instructions via e-mail to complete the SF-86 Questionnaire for National Security Positions using the e-QIP System (see the related discussion about reinvestigation of Commissioned Corps Officers).
I know that I need to use my PIN when I eventually have to update my HHS ID Badge digital certificate. I’m afraid I’m going to forget my PIN. Do you have any tips for remembering my PIN?
One useful way to remember your PIN is to use the same number sequence as your code for retrieving your voice mail messages. This way you will have occasion to use your PIN on a regular basis and will be less likely to forget it.
Is it still possible to make an Enrollment or Badging appointment on Wednesday evenings?
No, it is not possible. As of July 28, 2010, DPSAC discontinued after-hour enrollment and badge issuance services. Once NIH reached its goal of issuing the new HHS ID Badge to all of its eligible employees, contractors and affiliates, there was no longer a need to keep these stations open after hours.
Implementation Questions
What documents/programs are currently available to help agencies implement FIPS 201?
- NIST Special Publication 800-47: Security Guide for Interconnecting Information Technology Systems
- NIST Special Publication 800-73 specifies PIV card interface characteristics
- NIST Special Publication 800-76 specifies PIV card biometric characteristics
- NIST Special Publication 800-78 specifies cryptographic algorithm requirements and characteristics
- NIST Special Publication 800-79 provides guidance for PIV issuer accreditation
- OMB M-05-24 provides implementation guidance on HSPD-12
- GSA memorandum of August 10, 2005 specifies the procedures for ordering goods and services in compliance with the Presidential Directive
- NIST Special Publication 800-85 provides conformance tests for validating PIV components as complying with SP 800-73
- NIST Special Publication 800-87 contains codes for the identification of Federal and federally-assisted organizations, needed in PIV identifiers
- NIST Special Publication 800-100 Information Security Handbook: A Guide for Managers
- NIST IR 7329: Information Security Guide For Government Executives
- OMB M-05-24 provides policy guidance and deadlines supplementary to HSPD-12
- OMB M-06-18 provides updated acquisition guidance to Federal agencies
- Federal Identity Management Handbook
- Smart Card Handbook
Is there a list of "approved" identity proofing and registration processes?
There is not a list of "approved" identity proofing and registration processes, per se. "Approved" means that the process has met the control objectives, and the head of the agency has approved in writing that the process does meet the objectives. SP 800-79 provides further guidance on the certification and accreditation of PIV card issuing organizations. (See FIPS-201, Section 2)
Is Personal Identity Verification different from access authorization such that having a PIV card or achieving identity verification does not automatically entitle the cardholder to physical or logical access?
Yes. Access control remains the purview of the local facility or IT system security policy.
Will agencies maintain records of access to facilities by individuals?
This is outside the scope of the standard. It can be anticipated that agencies will continue to maintain records, in accordance with the Privacy Act, of access to and unsuccessful attempts to access their facilities and systems as required for their security and audit needs.
Does compliance to FIPS 201 mean that every door in every Federal building and every Federal computer terminal must have a PIV card reader?
No. Generally, agencies will implement FIPS-201 access controls on facility access points (i.e. entry doors) first. Further deployment within the facility is at the discretion of the agency facility security manager. Logical access controls that provide for authentication of Federal employees and contractors based on PIV credentials are recommended for IT Systems operating at E-Authentication Level 3 or higher. As agencies develop their plans in accordance with HSPD 12, they should focus on the highest-risk facilities and systems for initial deployment of readers. Over time, this could expand to lower-risk systems and facilities. (Ref: OMB M-04-04, DOJ Vulnerability Assessment of Federal Facilities Report - June 1995, ISC Security Design Criteria for New Construction and Major Modernizations - December 2004 and Security Standards in Leased Space - Jan 2005.)
Does the PIV Sponsor, Registrar, PIV Card Approval and the PIV issuer have to be all different people or can one person have multiple roles?
A two-way separation of roles is the absolute minimum that could possibly meet the FIPS 201 test. In practice, however, it would be challenging to define two roles such that each provides a reliable cross-check on all critical actions of the other. Special Publication 800-79 recommends "the roles of Applicant, Sponsor, Registrar, and PCI [PIV Card Issuer] must be played by different people when issuing a PIV Card." Such a three-way separation of roles can generally be sufficient to ensure that the test of FIPS 201 is met, namely, "a single corrupt official in the process may not issue a credential with an incorrect identity or to a person not entitled to the credential." However, the requirement for a particular separation of roles depends on the implementation of the PIV issuance system.
Does Registrar record signing only apply to pen-and-paper records, or does it also apply to electronic enrollment records?
The requirement applies to both paper and electronic storage. The method is left to individual departments and agencies. If cryptographic signature processes are employed, they must conform to the requirements of NIST standards and guidelines.
During reissuance, if an attribute has changed, who is responsible for verifying the change and recording the change and the reason for it?
This function is best performed by the Registrar since this is the individual rechecking the records during card re-issuance. However, this is open to individual agency discretion which may choose to utilize an alternative process.
Is support for PIV card logical access mandatory on enrollment systems and/or issuance systems? If so, is PIV card verification required for all operator logins?
Credential-based identification support is specified in FIPS 201. Use of the identity credentials for specific access control applications is not. However, use of a PIV card to verify Registrar, Sponsor, Approval, or Issuer roles for card issuance activities as an on-going activity would be an effective mechanism for maintaining the security of the process.
For the facial image, is there a specific color backdrop that should be used?
There is no backdrop color requirement; however, per the recommendation of the International Committee for Information Technology Standards (INCITS) 385, the background should be uniform.
Can identity proofing be conducted by Federal employees and also "trusted agents," where trusted agents might include contractors?
FIPS 201 does not prohibit contractors from being employed to conduct identity proofing activities under the supervision of government employees in accordance with departmental or agency security and contracts management policies.
How can agencies receive an advance report of the fingerprint check results?
Agencies that receive their investigations from OPM may obtain advance reports of fingerprint check results by putting the code "R" in the Codes block of the Agency Use section of any of the standard investigative forms (SF-86, SF-85P, or SF-85).
Does the FIPS 201 standard include a physical access control system?
No. FIPS 201 does not specify the physical access control system (PACS). In order to effectively implement HSPD-12, each agency will need to implement a PACS for internal use. The Smart Card Interagency Advisory Board has published Technical Implementation Guidance Smart Card Enabled Physical Access Control System (TIG SCEPACS) 2.2 as a guide to assist agencies in this implementation, which is referenced by FIPS 201.
Policy Questions
If employees/contractors working for another Federal agency are working on contracts/services supporting the tenant agency, can a PIV card be issued by the agency whose property they work at, or must the PIV card be issued by the employing agency?
The authorization for card issuance should originate with the employing agency (or contracting agency in the case of contractors). However, there is nothing to prohibit one agency from providing issuance services to another agency in accordance with interagency MOA/MOU.
Does HSPD-12 require that a PIV credential be issued before a new employee is granted any access to Federal facilities or information systems?
No. Agencies may, at their discretion, issue new employees temporary ID badges for access while PIV enrollment and card issuance is in process. These temporary badges must be physically and electronically distinguishable from PIV credentials.
Does the policy for obtaining an ID badge for Summer Students apply to students who may begin their internships during the Fall, Winter, or Spring, or is the process different?
The Summer Student policy is truly different based on the volume (approximately 1,500+ Summer Students) coming on board in a relatively short time period and the fact that their NIH 'Legacy' (non-PIV) badge has an expiration date of September 30 of that year. Applications for these positions are accepted from late November through March 1 each year.
Students should apply online at: http://www.training.nih.gov/apps/publicForms/sip/forms/sipApp.aspx, or they may want to contact Ms. Kathy Hilburn for details (301-402-1651 or KHilburn@cc.nih.gov). Students will receive notice of application acceptance by early April.
Can a PIV card be used by other organizations for other purposes (e.g., access to private facilities, identification for airline travel)?
HSPD-12 and FIPS-201 do not impose any restrictions on the use of the PIV card as an identity credential.
What is FIPS 201?
FIPS 201 is the Standard identified in HSPD-12 that sets out the requirements for a Federal government-wide identity credential for employees and contractors.
Is a Special Agreement Check (SAC) necessary or recommended in order to fulfill the FIPS 201 investigative mandate?
No. The investigative requirements set forth in FIPS 201 state: "…The process shall begin with initiation of a National Agency Check with Written Inquiries (NACI) or other Office of Personnel Management (OPM) or National Security community investigation required for Federal employment…" A SAC investigation will not meet the requirements of FIPS 201.
Who must register with the Selective Service System?
'Fast Facts' published by the Selective Service System Office of Public and Intergovernmental Affairs (http://www.sss.gov/FactSheets/FSwho.pdf) explains the Selective Service System, including who must register and who is exempt. Almost all male U.S. citizens, and male aliens living in the U.S. who are 18 through 25 are required to register with Selective Service.
It's important to know that even though he is registered, a man will not automatically be inducted into the military. In a crisis requiring a draft, men would be called in sequence determined by random lottery number and year of birth. Then, they would be examined for mental, physical and moral fitness by the military before being deferred or exempted from military service or inducted into the Armed Forces.
You may want to bookmark the link to this fact sheet that also addresses non-citizens, dual nationals, hospitalized or incarcerated men, disabled men, national guard and reserves, full-time military and conscientious objectors.
Can agencies use other investigative service providers in lieu of OPM to conduct the investigations required by FIPS 201?
No, unless an agency has original or OPM delegated authority to conduct background investigations. Contractor investigations must follow FIPS 201 and agency employee investigation processes.
Must reinvestigations be conducted to keep PIV credentials valid?
No. PIV credentials do not require reinvestigations to remain valid. Agencies must, however, continue to comply with the reinvestigative requirements set forth in the national security investigative standards.
Can Federal agencies use the standard for other purposes beyond the scope of the standard to include national security applications?
Yes. The Directive specifically tasks agencies to identify additional applications important to security for which the standard might be employed. Such wider use must conform to Office of Management and Budget (OMB) policy (including the relevant privacy provisions) and, if national security systems are involved, the applicable requirements to protect national security information and systems.
Am I required to complete another National Criminal History Check (NCHC) for existing employees if my agency did not save my fingerprints from the initial NCHC?
For employees and contractors hired prior to October 27, 2005, if the agency has maintained records indicating the investigative requirements (including fingerprint check) were completed for these individuals, and they were successfully adjudicated, then these employees and contractors will not need to complete a new NCHC. However, for any employees or contractors hired on or after October 27, 2005, agencies should maintain a copy of the prints (either the full set or just the two prints required by FIPS 201) so a biometric match may be conducted in the future as necessary. Additionally, as agencies implement their enrollment stations during FY2007 and FY2008, they must ensure these employees and contractors are in full compliance with FIPS 201 Section 4.4.1, particularly the requirement that fingerprints taken during the PIV enrollment action "shall be used for one-to-many matching with the database of fingerprints maintained by the FBI." This ensures that fingerprints taken during the same enrollment action are used for the PIV Card templates and the FBI National Criminal History Check of the PIV applicant.
If a person has had a "break in service" (i.e., left a job for which they had to be investigated to meet FIPS 201 requirements), must a new investigation be conducted for that person to receive a new PIV credential?
If the "break in service" is two years or more, a new investigation must be conducted before a PIV credential can be issued. In accordance with Executive Order 12968, if the break in service is less than two years, an updated security questionnaire should be completed and any admitted issues resolved as appropriate.
If there is a NACI on record that is over 15 years old, does a new NACI have to be submitted?
While there is no requirement for a NACI to be renewed, there must be a record on file indicating the employee or contractor has completed at least the minimum background check requirements. If an employee or contractor completed the NACI process and records cannot be located, the individual would need to undergo the NACI (or equivalent) process again.
Note that many employees and contractors will have background checks superior to a NACI (e.g. LBI); in these cases the individuals would not need to complete the NACI process as long as there is a record that the investigative requirements were met.
An exception to the above requirements occurs when there is a break in service of over two years. In this case, an individual would need to undergo a new background check.
Can a National Agency Check with Law and Credit (NACLC) be used for PIV credential issuance?
The NACLC is often used as the minimum investigative requirement for access to Secret information and below for military service personnel and Federal contractors. For purposes of PIV credential issuance, the NACLC satisfies the essential requirements.
How can agencies assess their existing infrastructure to tell if they are FIPS 201 compliant? Do you have any specific publication (like 800-53)?
FIPS 201 is the governing Standard for HSPD-12 compliance. FIPS 201 contains normative references to additional documents. Enrollment and Card Issuance organizations and processes must be accredited in accordance with SP 800-79. Data objects produced by Card Issuance systems are tested according to SP 800-85B, assisted by the 800-85B test toolkit. Implementation of infrastructure for utilizing the cards is covered by FISMA reporting and SP 800-53. (Ref: http://csrc.nist.gov/publications/nistpubs/index.html).
How do I verify whether or not a NACI (or equivalent) has already been completed on an existing employee or contractor?
Authorized personnel security offices may get this information directly from the OPM investigations database. If an agency's personnel security office does not have access, they should contact OPM's Agency Liaison Group at 703-603-0442. Additionally, older "Official Personnel Folders" contain SF-86s and SF-171s bearing a stamp which usually reads "Investigated to 10450 standards". Agencies may take this as evidence a NACI was completed.
Are there standards by which PKI Shared Service Providers must comply regarding RA/CA communication and key escrow? FIPS-201, Section 5.4.2 states: "All certificates issued to support PIV Card authentication shall be issued under the Common Policy". Does this statement refer to all PIV-defined keys and their corresponding certificates?
Yes. The intent of this statement is that all certificates in the PIV data model shall be issued under the Common Policy.
The FPKI Common Policy limits CA keys to a 6 year lifetime. Subscriber keys are limited to a maximum of half that (3 years). FIPS 201 allows credentials to be valid for up to 5 years. The 5-year cards require maintenance during their lifecycle.
This is correct. To use a PIV card for the maximum five years, new PKI credentials will need to be obtained at the three year point. This is a security feature, as well as mitigating the risk of large CRLs. There are currently no plans to modify either FIPS 201 or the Common Policy. Technically, certificate renewal can be performed by the user from the desktop, or the agency may choose to re-issue smart cards every three years and align it with the PKI certificate issuance cycle.
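The three lifetimes quoted above (CA key 6 years, subscriber key 3 years, card up to 5 years) interact: a certificate may not outlive its issuing CA, so the renewal point is not always the three-year mark. The following is an added example, not code from NIH, HHS or NIST, that checks a card's certificate dates against those limits and plans the renewal windows a card needs to stay usable for its full lifetime. It assumes a single issuing CA for the card's lifetime and treats the rule that a subscriber certificate must not be issued outside the card's validity period as an added assumption; the dates in the demo are constructed.

```python
"""Lifetime policy check for PIV card certificates (added example, not NIH/NIST code)."""
from datetime import date

# Limits stated in the FAQ answer above.
CA_KEY_MAX_YEARS = 6          # FPKI Common Policy: CA key lifetime
SUBSCRIBER_MAX_YEARS = 3      # FPKI Common Policy: subscriber key lifetime
CARD_MAX_YEARS = 5            # FIPS 201: maximum card validity


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_years(d, years):
    """Add calendar years; a Feb 29 start clamps to Feb 28 in a non-leap year."""
    d = _as_date(d)
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def check_lifetimes(card_issued, card_expires,
                    cert_not_before, cert_not_after,
                    ca_not_before, ca_not_after):
    """Return a list of policy findings; an empty list means compliant."""
    card_issued, card_expires = _as_date(card_issued), _as_date(card_expires)
    cert_not_before, cert_not_after = _as_date(cert_not_before), _as_date(cert_not_after)
    ca_not_before, ca_not_after = _as_date(ca_not_before), _as_date(ca_not_after)

    findings = []
    if card_expires > add_years(card_issued, CARD_MAX_YEARS):
        findings.append("card validity exceeds 5 years (FIPS 201)")
    if ca_not_after > add_years(ca_not_before, CA_KEY_MAX_YEARS):
        findings.append("CA key lifetime exceeds 6 years (Common Policy)")
    if cert_not_after > add_years(cert_not_before, SUBSCRIBER_MAX_YEARS):
        findings.append("subscriber certificate lifetime exceeds 3 years (Common Policy)")
    if cert_not_after > ca_not_after:
        findings.append("subscriber certificate outlives its issuing CA")
    # Added assumption: a card certificate is only issued while the card is valid.
    if not (card_issued <= cert_not_before <= card_expires):
        findings.append("certificate issued outside the card's validity period")
    return findings


def plan_renewals(card_issued, card_expires, ca_not_after):
    """Successive subscriber-certificate windows covering the card's lifetime.

    Each window is capped at 3 years, at the CA's expiry and at the card's
    expiry, so the renewal point moves earlier than 3 years when the CA is
    older than the card. Returns ISO date pairs. Raises ValueError when the
    CA expires before the card does, since no further certificate could be
    issued under that CA (a new CA would be needed).
    """
    start = _as_date(card_issued)
    card_expires, ca_not_after = _as_date(card_expires), _as_date(ca_not_after)
    windows = []
    while start < card_expires:
        end = min(add_years(start, SUBSCRIBER_MAX_YEARS), card_expires, ca_not_after)
        if end <= start:
            raise ValueError("issuing CA expires before the card; a new CA is required")
        windows.append((start.isoformat(), end.isoformat()))
        start = end
    return windows


if __name__ == "__main__":
    # Constructed demo dates: a 5-year card under a CA with 6 years of life left.
    for window in plan_renewals("2011-01-01", "2016-01-01", "2017-01-01"):
        print("certificate valid", *window)
    # Constructed demo: a certificate that overruns both the 3-year limit and its CA.
    for finding in check_lifetimes("2011-01-01", "2016-01-01",
                                   "2011-01-01", "2015-06-01",
                                   "2009-01-01", "2015-01-01"):
        print("finding:", finding)
```

Running the demo shows the two-window schedule the answer describes (renewal at the three-year point, with the second certificate truncated at card expiry), and how an older CA forces the first renewal earlier; an agency that re-issues cards every three years, as the answer suggests, avoids the second window entirely.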
Privacy Questions
Is my privacy protected?
The only persons authorized to see your personal information are personnel security, suitability, and investigations professionals who have the appropriate security clearance and who have a demonstrated need to access the information.
Where can I get more information about how my information is used?
If you have questions regarding the use of your information, you may contact your NIH representative or contract project officer.
Who has access to my background investigation or FBI fingerprint check?
Information about you that we store to issue you an HHS ID badge (PIV card) and run the program is considered a system of records subject to the Privacy Act of 1974, 5 U.S.C. § 552a(b). The Act permits NIH to give your information to: the appropriate government organization if your records show a violation or potential violation of law; to the Department of Justice, a court, or other decision-maker when the records are relevant and necessary to a law suit; to a Federal, State, Local, Tribal, or Foreign agency that has records we need to decide whether to retain an employee, continue a security clearance, or agree to a contract; to the Office of Management and Budget to evaluate private relief legislation; to agency contractors, grantees, affiliates, or volunteers, who need access to the records to do agency work and who have agreed to comply with the Privacy Act; to the National Archives and Records Administration for records management inspections; and to other Federal agencies to notify them when your badge is no longer valid. NIH may also give your information to a Member of Congress or to congressional staff at your written request. The full system of records notice with complete description of routine uses was published in the Federal Register.
How does FIPS 201 protect privacy?
During card issuance and life cycle management, all agencies are required to comply with FIPS 201, Section 2.4, "PIV Privacy Requirements," which outlines strict control measures to ensure the privacy of PIV card applicants and card holders is protected. In addition, Personally Identifiable Information (PII) stored on the card is minimal, as is PII acquired and retained by the issuance system. PII such as electronic fingerprints will be encoded as minutiae templates while stored on a PIV card. The PIV card, once activated, is in the control of the individual it identifies, who can then determine where and under what circumstances to present it. (Refer to OMB Memorandum 06-19 for additional information)
FIPS 201 2.4 requires that all systems provide continuous auditing of privacy compliance covering collection, use, and distribution of information during program operation. Exactly what information needs to be recorded, how should it be recorded?
Privacy Compliance is the responsibility of the Senior Agency Official for Privacy and should follow OMB guidance for privacy documentation. Part one of FIPS 201 outlines these requirements and NIST Special Publication 800-79 provides accreditation guidelines.
Are there any specific requirements for when and/or how identity data should be protected, and who should or should not be able to access it? How does this requirement specifically affect communications with the IDMS and the FBI IAFIS for PIV-related fing
It is the responsibility of the Senior Agency Official for Privacy to ensure the identity data is properly protected from unauthorized disclosure. Agencies may use alternative methods for protecting information in transit and at rest. Interface specifications are under development and information on these may be accessed at http://www.idmanagement.gov. (Ref: FIPS 201, Section 2.4)
I don't want everybody reading my personal information. Who sees this information?
The only persons authorized to see your personal information are Personnel Security, Suitability and Investigations professionals who have been investigated at the appropriate level and who have a genuine and demonstrated need for access to the information.
Procedure Questions
Since the AO enters the CAN into NED, do individuals still have to complete the HHS/NIH ID Badge Request Form?
Yes. DPSAC still needs individuals to complete the HHS/NIH ID Badge Request Form. This form is used to collect the information necessary to initiate the background investigation.
I recently switched from a visiting fellow position to a contractor in the same Institute/Branch/Section. I was wondering if I need to be re-issued a new badge and, if yes, how that process must be initiated.
No. You do not need to do anything. Your badge will continue to be valid as a contractor, whether you changed Institutes or not. Were you to have switched to Federal employee (FTE) status, you would have had to switch your HHS ID Badge (from green stripe to white stripe).
When I recently went to have my HHS ID Badge certificates renewed, my fingerprints could not be verified. Do I have to re-enroll?
Yes. If DPSAC determines that the fingerprints cannot be verified, a new attempt to capture fingerprints will be required. This is done during re-enrollment, at which time you will be photographed and fingerprinted again. During the process, DPSAC is required to identity proof the individual using two forms of original source documents. One must be a Federal or State government issued photo ID. This can include the HHS PIV Badge itself, but DPSAC must have a second document to verify identity. Click on the link http://www.idbadge.nih.gov/badge/docs/Table.pdf to see a list of acceptable identification documents as provided on the Federal I-9 form. All documents must be unexpired.
Can AOs make fingerprinting appointments for ‘customers’ online?
Yes, AOs often help applicants with the PIV process by making fingerprinting appointments online for them. The Executive Officer (EO) must register the AO with DPSAC before the AO can be granted online appointment-making authority. When the EO provides DPSAC with the AO’s name, DPSAC will provide access to the online system that allows the AO to arrange appointments.
I understand that DPSAC notifies individuals of different actions via e-mail. I set my e-mail to filter out junk mail. Can you tell me what kind of subject lines I should expect from DPSAC e-mail so I don’t inadvertently filter out important DPSAC e-mail
First, it should be noted that all DPSAC e-mails will originate from the “ORS Personnel Security” e-mail account. Based on user feedback that some DPSAC e-mails are being filtered out as “junk,” we have changed the subject lines for all standard e-mails from DPSAC so that recipients can avoid filtering out important messages from DPSAC and ORS Personnel Security. Below are the subject lines for all standard e-mails:
- DPSAC:Your Appointment Request Has Been Received
- DPSAC:ID Badge Authorization
- DPSAC:Background Investigation Initiation
- DPSAC: Background Investigation Re-Initiation
- DPSAC: Background Investigation and Fingerprinting Re-Initiation
- DPSAC:Background Investigation Complete
Technical Questions
What is the rationale behind the selection of smart card, fingerprint, and PKI technologies?
The presidential directive required a standard for secure and reliable identification and authentication of Federal employees and contractors that incorporates rapid electronic validation, but did not specify how to achieve it. Several organizations (most notably DOD) had on-going smart card programs that demonstrated the efficacy of this technology in meeting the needs of HSPD-12. The decision to include PKI and fingerprint technologies was made to improve the security profile of the smart card for both physical and logical access. PKI provides a digital credential that can be used to electronically verify the identity of the cardholder, while the fingerprint ties the card irrevocably to a specific individual and can be used to ensure the cardholder is the individual to whom the card was issued. Of the several potential means of personal biometric marker verification (e.g., DNA, iris scans, hand geometry, handwritten signatures, facial images, or fingerprints), fingerprints were chosen as being the least invasive and most cost-effective, reliable, repeatable, and accurate means of verification available using publicly available technology.
I use a Macintosh computer and want to know if I’ll be able to access the NIHnet using my HHS ID Badge (smart card/PIV card).
Yes. Macintosh computers can accommodate two-factor authentication with either a PIV card and card reader or with an RSA SecurID token. This is also true for Macintosh Virtual Private Network (VPN) remote access.
Dual factor authentication with PIV cards is fully supported in Mac OS versions 10.5 and 10.6 (Leopard and Snow Leopard, respectively); it is not supported in the newest Mac OS (Lion), which was just released this month, so this should not be an issue for most users.
The NIH is currently testing a couple of solutions that will support PIV card authentication in Mac OS (Lion).
VPN dual factor authentication also requires the installation of the new Cisco AnyConnect VPN client.
Please contact the NIH Helpdesk if you need assistance with the installation of any of the components mentioned above.
Dual factor authentication is not a requirement if using the wireless networks and access points within the NIH perimeter. Users connecting to wireless networks within the NIH perimeter will be able to connect with either a PIV card or a username and password.
What information must be stored on the card?
The PIV Card must contain the following mandatory Personally Identifiable Information:
- Personal Identification Number (PIN): this data is used to authenticate the cardholder to the card, in the same way a PIN is used with an ATM card. The PIN never leaves the card, and it cannot be read from the card.
- A Cardholder Unique Identifier (CHUID): this number uniquely identifies the individual within the PIV system.
- Two fingerprint biometrics that are PIN protected.
- One asymmetric cryptographic key pair used to authenticate the card to the PIV system.
Is there a quick way for me to check my PIV Card's certificate expiration date?
Yes. In the Windows environment, just follow these five easy steps to check your PIV Card's certificate expiration date:
Using Windows Internet Explorer (IE), select:
1. Tools
2. Internet Options (from the drop-down menu)
3. Content (tab of the Internet Options pop-up window)
4. Certificates (button in the middle of the Internet Options pop-up window's Content tab)
5. Personal (tab in the Certificates pop-up window)
At least four certificates should be displayed (3 in your name and one called PIV users). All four should have the same expiration date. If there are multiple sets of four, the latest expiration date is the expiration date of your certificates.
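The same check can be scripted from PowerShell against the current user's Personal certificate store, which is what the Internet Explorer steps above display. This is an added example, not NIH or OCIO code; it assumes the PIV middleware has propagated the card's certificates into Cert:\CurrentUser\My, and the 90-day warning threshold is an assumed value, not an NIH policy.

```powershell
# Added example (not NIH/OCIO code): list the certificates in the current
# user's Personal store, group them by expiration date, and report the PIV
# credential expiration the way the IE > Internet Options > Content >
# Certificates > Personal steps do. Assumes the card's certificates have
# been propagated into Cert:\CurrentUser\My by the PIV middleware.
function Get-PivCertificateExpiry {
    [CmdletBinding()]
    param(
        # Days before expiration at which to warn; 90 is an assumed default,
        # not an NIH policy value.
        [int]$WarnDays = 90
    )

    # Only certificates with an associated private key can come from the card.
    $certs = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey } |
        Sort-Object -Property NotAfter

    if (-not $certs) {
        Write-Warning "No certificates with a private key found; is the PIV card inserted?"
        return
    }

    # Each PIV issuance yields a set of certificates sharing one expiration
    # date; grouping by that date separates re-issued sets from older ones.
    $sets = $certs | Group-Object -Property { $_.NotAfter.ToString('yyyy-MM-dd') }

    foreach ($set in $sets) {
        "Set expiring $($set.Name) ($($set.Count) certificates):"
        foreach ($c in $set.Group) {
            "  {0,-50} issued by {1}" -f $c.Subject, $c.Issuer
        }
    }

    # The latest expiration date is the effective expiration of the PIV credentials.
    $latest   = ($certs | Select-Object -Last 1).NotAfter
    $daysLeft = [int]($latest.Date - (Get-Date).Date).TotalDays
    $stamp    = $latest.ToString('yyyy-MM-dd')

    if ($daysLeft -lt 0) {
        Write-Warning "PIV certificates expired on $stamp; contact your LWS operator."
    } elseif ($daysLeft -le $WarnDays) {
        Write-Warning "PIV certificates expire in $daysLeft days ($stamp); schedule a renewal appointment."
    } else {
        "PIV certificates valid until $stamp ($daysLeft days remaining)."
    }
    return $latest
}

Get-PivCertificateExpiry
```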
Also, your IC is able to track the certificate status for individuals in their organization. This information can be helpful when planning appointments with local Lifecycle Work Station (LWS) operators who will be renewing the certificates on site.
The Office of the Chief Information Officer (OCIO) has posted on its website a spreadsheet listing, alphabetically by IC, the names of subscribers along with their SAC or Admin Code, certificate expiration date, and other information that would be helpful to the ICs.
The expiration dates will be posted chronologically and will be added to the list based on a rolling two-year time frame (one year for contractors).
To view the Smart Card subscriber spreadsheet, click on: http://smartcard.nih.gov/PKI_subscribers.htm. From there, click on the link found under the first bullet: "NIH Smart Card (PIV) badge holders as of xx/xx/20xx (spreadsheet)."
Note: Do not bookmark this latter link ("NIH Smart Card (PIV) Badge holders...") as it is subject to change due to periodic updates.
I was issued an NIH ID badge (non-PIV badge) as a Special Volunteer because I will only be with NIH for 5 months. Will I be able to access computer systems?
Yes. The date for requiring use of a PIV badge to log in to computers/Active Directory accounts within the NIH network has not yet been set. However, if you log in through a Virtual Private Network, two-factor authentication is now required. Thus, if you access the NIH network via VPN you will need to be issued a PIV badge or work with your IC's IT department to find other options.
Key Recovery: Can the holder of a PIV Card recover active certificates?
Yes. Active certificates can be recovered for situations such as transferring certificates to a PDA device (e.g., BlackBerry).
Key Recovery: Are there special criteria for the required 'passphrase,' such as length and character type?
No. There are no set criteria for the passphrase.
Key Recovery: Does the user have to remember the passphrase?
Yes. The user will have to remember the passphrase to install the Key Recovery. If they forget it, they will have to return to the HHSIdentity Portal, create a new passphrase, and download the key(s) again.
Key Recovery: Does it matter which reason is chosen for the Key Recovery?
No. There are no set requirements for the reason; it is merely for tracking purposes.
Key Recovery: What if I receive an error during Key Recovery?
Why is the standard divided into 2 parts?
The standard is divided into two parts so agencies can make an orderly migration, in terms of both technology and "identity proofing," from their current systems to the requirements established by the standard and meet the deadlines established by the President in HSPD 12. Part 1 deals with the security objectives as they apply to uniform personnel identity proofing and vetting activities, while Part 2 focuses on the technical interoperability requirements, including the issuance of compliant identity badges and the implementation of the government-wide infrastructure to support the effective use of the badges.
What are the primary requirements for an agency to implement FIPS 201?
Revise the identity proofing and identity card issuance process of the agency to meet FIPS-201 requirements and implement access control mechanisms for facilities and IT systems that utilize the capabilities of the compliant identity credential. Establish control measures that mandate privacy protections with information assurance that is auditable. FIPS 201 requirements include the issuance of an identity badge that utilizes smart card technology, both contact and contactless, and incorporates a standardized Card Holder Unique Identifier (CHUID), digital credentials, and biometric templates.
What does the card look like?
Card topology is described and pictured in the Standard. Each card contains a required set of information: a printed picture of the cardholder, name, expiration date, and agency affiliation. Additional optional information (e.g., signature, agency seal, issue date, etc.) may be selected by each agency within the parameters set by the Standard and further refined by OMB, where applicable.
What does "logical access" mean in FIPS 201?
Logical access, as used in FIPS 201, refers to use of the credential as part of identification and authentication processes that are used by automated information systems access-control processes (e.g., log on actions and digital signatures).
Which fingers are required for capture on the PIV card? Should the choice of which fingers to capture for the PIV card be automatic, or should the operator have the final say?
The index fingers are designated as primary for capture to the PIV card. Fingerprint substitution should only take place if the primary fingerprint cannot be imaged successfully (e.g., missing or badly scarred). (Ref: FIPS 201 Section 4.4.1)
In the event fingerprint capture is not possible, what should the alternative biometric be, and how should it be handled throughout the registration and issuance process?
In the event fingerprint capture is not possible, agencies must collect an alternative biometric. The most common is probably a facial image; however, this is not specified by FIPS 201. For the purposes of the criminal history check, there is no alternate biometric. Where prints are not available, OPM will rely on the name check for criminal history. (Ref: FIPS 201 4.4.1)
At PIV card issuance, should the applicant's fingerprints be matched against the enrollment record, the PIV card biometrics, either, or both? Is this actually mandatory?
Biometric match of fingerprints at card issuance is mandatory. The match should be made against the templates placed on the PIV card from the record captured at enrollment. Whether this record is in the IDMS or on the PIV card is at the agency's discretion; however, matching to the PIV card has the added advantage of validating the biometric record on the PIV card. (Ref. FIPS 201, Section 5.3.1)
What is the relationship of a Device CA to the PIV trust model?
Device authentication is outside the scope of the Personal Identity Verification (PIV) program objectives. However, provisions have been made in the Federal Common Policy Framework for device certificates and agencies are encouraged to issue under this policy if interoperability with other Federal organizations is desired. (Ref: X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework)
Security Questions
How is security being improved by HSPD-12?
The standardization of identity proofing and vetting, and the implementation of a standardized identity credential that is tamper-resistant and can be rapidly verified electronically across Federal agencies will improve access control to Federal facilities and IT systems by providing a means to identify fraudulent or expired credentials and ensure the holder of the credential is the individual to whom it was issued. In addition, the PIV Card provides three factor authentication capability: something you have (the card with a PIV authentication certificate); something you know (the personal identification number or PIN); and something you are (the biometric).
What is a concise security policy statement that can be used for implementing and operating a PIV system?
One sample might be: "It is the policy of this organization to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy by adopting and using procedures, components, and systems for secure and reliable identification and authentication of Federal government employees and contractors (including contractor employees and authorized affiliates) as specified in FIPS 201 and its supporting documents."