NICHD Information Technology Security Policies, Forms and Procedures for Contracts

DHHS requires employees and contractors to protect the Department's data by complying with the DHHS Automated Information Systems Security Program (AISSP) Handbook.  As part of NIH and DHHS, NICHD is subject to these requirements.

    1. Designated contractor IT staff must apply for a Public Trust Suitability Determination (personnel security clearance).
    2. Contractor IT staff must complete and submit the security clearance forms appropriate to the Suitability level designated.
    3. Contract employees must sign a Non-Disclosure Agreement and complete annual security awareness training.
    4. The contractor may be required to submit a System Security Plan.

1. Suitability Assessment Information

Complete a roster of personnel working on the contract using the spreadsheet below. The contractor is to complete the first section of the spreadsheet, including name, e-mail, position and the data access requirements pertaining to security designations. For example, at one end of the spectrum would be a typical user who has access to non-sensitive information from their desktop via a web application. This would probably translate to a 1C designation and a minimal investigation. An individual who is the system administrator for the web server that provides that information has greater access to data and might require a 5C designation and a more extensive investigation.

The completed spreadsheet is to be sent to the NICHD project officer (PO) and the information system security officer (ISSO) who will determine the level of Suitability investigation required. A copy of the completed form will be sent back to the contractor and can be used by both parties to track progress.

2. Security Clearances

The Project Officer and Information Systems Security Officer (ISSO) determine which contract employees need suitability determinations and the level of clearance needed. The contractor will be informed which positions require security clearances and the levels for each.

Contract employees should fill out the appropriate forms and return them to the NICHD CIO’s office at the following address:

Aubrey Callwood
6100 Executive Boulevard
Suite 5F01 MSC 7510
Bethesda MD 20892-7510

The forms will be checked for completeness and filled in with the appropriate agency codes at the top of the form.

Links to additional information about OPM investigations and clearances are provided at the end of this document.

Personnel Security Clearance Forms

Level 1C. The following forms are required for each contract employee assigned to a Level 1C position:

Level 5C and 6C. The following forms are required for each contract employee assigned to a Level 5C & 6C position:

Optional. Continuation Sheet for Questionnaires SF 85 and SF 85P, if needed.

* Instructions for filling out the SF85 and SF85P can be found at

** Contractors in the Bethesda, Maryland area can obtain digital fingerprints from the NIH Police. Fingerprint cards are not needed for digital fingerprints. There are several advantages to the electronic system: 1) you will know immediately if the print is good enough or if it has to be re-taken, 2) NIH Police have arranged to send the electronic fingerprints directly to OPM.

To have the NIH Police make a digital copy of your fingerprints, contact:

Sgt. Mike McGraw
Intelligence Coordinator
NIH Police

to set up an appointment for digitized fingerprints. Sgt. McGraw and the NIH Police prefer that you come in the morning, between 8-11 A.M., to the Bldg. 31 office on the B3 (ground) level of the C wing, directly behind the parking office; the room number is B3-B17.

If digitized fingerprints have been or will be obtained, it is important to notify your Project Manager or Project Officer. This has to be documented in a memo attached to the forms package to make sure the individual's package does not get rejected for lack of a fingerprint card. Why? Because digitized fingerprints are transmitted directly to OPM so there will be no fingerprint card. If there is no statement and no fingerprint card, NICHD will presume that the investigations package is incomplete and will return it to the sender.

If you have questions about the process, you may E-mail the NICHD ISSO (

Additional information about investigations and clearances:

3. Security Awareness Training and Non-Disclosure Agreement

Contract staff with access to computer systems are required to have annual computer security awareness training and to sign a Non-Disclosure Agreement Form prior to starting work on the contract. NIH has an excellent web-based course, NIH Computer Security Awareness Training, that can be used to fulfill this requirement.

4. Systems Security Plan

A System Security Plan (SSP) is required when the overall sensitivity and criticality level is moderate or greater. However, there may be instances when an SSP is required when the sensitivity and criticality levels are low. If required, contractors must use the NIH Application/System Security Plan Template (Microsoft Word document).


Last updated: November 08, 2004
