FAQs

Appointment Questions
- Am I allowed to bring my child to my appointment with DPSAC?
  - Children are NOT allowed at any DPSAC office, except for Building 31. No children are allowed in the Clinical Center/Building 10 unless they are a patient. DPSAC customers with appointments in the Clinical Center/Building 10 that bring children (person under the age of 16) will be turned away.
Background Investigation Questions
- I'm confused about the question regarding marijuana usage in the background investigation form. Isn't marijuana legal in some states?
  - Please note that any fellowship offer (at all training levels) is contingent on the fellow's ability to successfully pass a federal background check, which is required for logical and physical access to NIH facilities and systems. As part of the clearance process, all fellows/applicants will be asked: “In the last year, have you used, possessed, supplied, or manufactured illegal drugs?" This question pertains to the use of controlled substances or drugs as defined under federal law. Please be aware that while marijuana may be legal or decriminalized within your home jurisdiction, it remains illegal under U.S. federal law. The use, possession, supply, or manufacture of marijuana may preclude you from obtaining the necessary clearances to participate in NIH intramural training programs, even if you were initially offered a position.
    If you have questions about this policy or would like guidance on the clearance process, please reach out to oite@nih.gov (please put eligibility inquiry in the subject line).
- I'm working with someone who is resisting getting a background check until he gets his loan for a house purchase. Will a background check affect his credit score?
  - This question was posed to a veteran loan officer with a large mortgage company. According to this expert, "a credit check for a background check should have minimal if any effect on the person's credit score rating. 'Hard inquiries' for revolving debts (credit cards) are the types of inquiries that can take their toll on a person's credit score if there are too many inquiries within a short period of time." The expert concludes that "there is no reason this person should be concerned."
    
    Also, it's important for that person to understand that the background check is a Federal government job requirement. Providing information is voluntary, but if s/he chooses not to provide the required information, s/he will not meet the requirements of the job and will therefore not be considered further for employment with the Federal government. If s/he is already employed by the Federal government, their appointment will be terminated. The courts have upheld this principle.
- Can you tell me why the NIH Personnel Security Office is asking me for clarification of a ‘discrepancy’ regarding my birth name that appeared in my e-QIP questionnaire?
  - Yes. The Personnel Security Office is asking you to clarify whether the name you listed on your security questionnaire is your actual full name given at birth, or if one of the other names you listed on your questionnaire (under Section 5: Other Names Used) would have been your full legal name at birth.*
    
    Ther Personnel Security Office asks this question knowing that once the questionnaire is forwarded to the Defense Counterintelligence and Security Agency (DCSA), that agency will always ask for clarification to an individual's full name at birth, based on an individual's response to Section 5: Other Names Used.*
    
    Section 5: Other Names Used: Give other names you have used and the priod of time youused them [for example: maiden name, name(s) by a former marriage, former name(s), alias(es), nickname(s)]. If the other name is your maiden name, check the "nee" box.
- I recently completed my e-QIP questionnaire and wanted to know whether I will receive a copy of my background investigation once it is completed?
  - When DPSAC completes an individual's background investigation, the individual will receive an e-mail from DPSAC's database letting them know the investigation is complete. For Federal employees, their employee personnel file (eOPF) will be updated as well. Individuals may request a copy of their investigation file under provisions of the Privacy Act.
    Working for or on behalf of the United States Federal Government begins with a multi-step on-boarding process which will include a background investigation. The Defense Counterintelligence and Security Agency (DCSA), Federal Vetting Center (FVC), is mandated to complete that background investigation if you are working for or on behalf of the Executive Branch of the United States, per Executive Order 13467, as amended. DCSA also completes some background investigations for other branches of the government when it is the most efficient use of Government resources and in the best interest of National Security.
    
    As noted on the DCSA website, "If your current employer, or agency that is looking to hire you, is requesting the initial, reinvestigation, or continuous vetting investigation for you and you should talk with them about this process if you have any questions or concerns, we hope you will find some useful resources in this section of the DCSA website." This includes information about your background investigation.
- Some of the information required for entry in e-QIP and the additional requested forms (OF612, OF306) is frustratingly redundant. Can't DPSAC simplify this process?
  - You are correct that the OF 612 and OF 306 are redundant and seem burdensome. NIH regularly expresses this concern to Office of Personnel Management (OPM) leadership and at meetings with the OPM Training and Oversight Division.
    OPM uses these two forms to validate information in the e-QIP questionnaire. Personnel at the Agency and OPDIV level are working hard to have this requirement removed; however, OPM is in charge of the process.
    Note: OPM will soon release an updated version of e-QIP (v. 3.0) that will enable users to digitally sign certain e-QIP documents. This feature will eliminate a number of time consuming and laborious steps.
General Questions
- One of our Special Volunteers collaborates remotely from the Philippines with researchers in Bethesda via a laptop with no card reader. Since remote laptop users must use their PIV card/card reader to access the NIH network, what do you advise?
  - Actually, individuals who do not have a PIV card (NIH knows who you are) may continue to use userid/password until alternative tokens (e.g., SecureID) are available. Under these circumstances no waiver is required. Individuals who do have PIV cards, but cannot use them for remote access, must file a waiver through their IC Information System Security Officer (ISSO) explaining their 'special circumstances.' If the waiver is approved, they too may continue to use userid/password until alternative tokens are available.
- How do I go about obtaining a card reader for my computer?
  - For each NIH Institute or Center (IC), each is responsible for assuring that all Employees, Contractors and Affiliates are supplied with a smart card reader at their desktop and/or laptop. Please contact the NIH IT Service Desk to request one. For more information, please visit the OCIO website here: https://ocio.nih.gov/Smartcard/Pages/PIV_cardreader.aspx.
- If I’m using my Smart Card (HHS ID Badge) to access my NIH network computer, do I need to remove it and then reinsert it when my computer requires another login (at the timeout)?
  - Yes. The Smart Card works just like a User ID/Password, except it is more secure and does not require you to keep changing the PIN. When your computer screen locks, you can unlock your screen by re-inserting the Smart Card and typing in your PIN in the same way you now unlock your screen by re-entering your User ID/Password.
- What does the card look like?
  - Card topology is described and pictured in the Standard. Each card contains a required set of information: a printed picture of the cardholder, name, expiration date, and agency affiliation. Additional optional information (e.g., signature, agency seal, issue date, etc.) may be selected by each agency within the parameters set by the Standard and further refined by OMB, where applicable.
Key Recovery Questions
- Key Recovery: Can the holder of a PIV Card recover active certificates?
  - Yes. Active certificates can be recovered for situations such as transferring certificates to a PDA device (e.g., BlackBerry).
- Key Recovery: Are there special criteria for the required 'passphrase,' such as length and character type?
  - No. There are no set criteria for the passphrase.
- Key Recovery: Does the user have to remember the passphrase?
  - Yes. The user will have to remember the passphrase to install the Key Recovery. If they forget it, they will have to return to the HHSIdentity Portal, create a new passphrase, and download the key(s) again.
- Key Recovery: Does it matter which reason is chosen for the Key Recovery?
  - No. There are no set requirements for the reason; it is merely for tracking purposes.
- Key Recovery: What if I receive an error during Key Recovery?
  - Contact the HHSIdentity Helpdesk at: hhsidentityadmins@deloitte.com
LWS Questions
- My IC bought several Lifecycle Work Stations. Is any special training offered or certification required in order to operate these Lifecycle Work Stations?
  - Special certification is not required to operate the Lifecycle Work Station; however, a training manual that explains how to operate the LWS is now available and posted online here. This manual provides helpful overviews of the Lifecycle Work Station, the Management Agent, Loggin into LWS software, as well as the precesses for resetting PINs and renewing certificates.
    
    Please be aware that a directory containing the ICs, names and contact information for many of the LWS administrators is posted here.
- If another IC is willing to let us use their Lifecycle Work Station (LWS), would we be able to reset PINs that way? Or is each Lifecycle Work Station specific to an IC?
  - Any LWS can update an individual that has an HHS ID Badge (Smart Card). There are no restrictions based on which IC purchased it. Some of the ICs have already established agreements with neighboring ICs to share LWS support.
- We would like to install Lifecycle Work Station on one of our PCs located off campus. Are there requirements that the person operating the machine have special training or be an administrative officer? We'd want a program support person to operate the LWS
  - Any employee or contractor in you IC can be assigned as a Lifecycle Work Station (LWS) operator. The individual must already have an HHS ID Badge and must know their own PIN.
    
    As for training, once your LWS is purchased (either software only, or laptop and software), the HSPD-12 Program Office can arrange to have someone provide basic training to the individual. Operating the equipment is straightforward. You may find LWS training material on our website here.
    
    Please note: The LWS can only be used for PIN resets and certificate renewals (before certificates expire).
- What if my digital certificates expired? Can I have my IC's Lifecycle Work Station (LWS) operator reissue new digital certificates?
  - No. Once your PIV Card digital certificates are expired and passed the expiration date, then you must visit DPSAC's on-campus Badge Issuance stations to get them renewed. You can only get your digital certificates reissued by an LWS operator before they expire. For more information on these three options, please go under "Services" then "Badge Issuance" to find this page on "Renewing Digital Certificates and ID Badge."
NED Questions
- Does an AT need to take the NED class to be able to have access to NED?
  - No. NED training is not required.
- From time to time I need to refer to the NED User Guide. Can this be viewed online?
  - You're in luck. The NED User Guide is available to users from within the NED user application (https://ned.nih.gov/ned) by clicking the "Help" link.
    
    There's also a link to a PDF version of the Guide on the NED Sharepoint site at: http://intranet.cit.nih.gov/DOtab/deca/CAB/NED/Help%20Documents/NED_User_Guide.pdf.
New Employee or Transfer Questions
- I missed my opportunity to take advantage of expedited fingerprinting on my Entry On Duty (EOD) day. What should I do now?
  - Since you missed your opportunity to get fingerprinted during your EOD, you will need to call DPSAC's appointment line at: 301-496-0051 (8 a.m. - 4:00 p.m.)
    
    Please remember to bring two forms of identification (driver's license, passport, etc.) to your enrollment appointment.
- If an employee, contractor or affiliate moves to another Institute or Center, does s/he need to be issued a new HHS ID Badge?
  - No. Moving from one Institute/Center to another does not require badge reissuance -- unless that person is also changing from an Employee (no stripe) to a Contractor or Affiliate (green stripe) or from a Contractor or Affiliate (green stripe) to FTE (no stripe). Note, however, that with the release of NED v 2.9, "an individual's badge will no longer be revoked when changing classification to an FTE. The revocation will still occur when changing classification from an FTE."
    
    Note: switching ICs may require updating your certificate and contacting Facilities Access Control (301-451-4766; or, facilityaccesscontrol@mail.nih.gov) for physical access to the new IC's duty station.
- I recently switched from a visiting fellow position to a contractor in the same Institute. I was wondering if I need to be re-issued a new badge? What about contractor to FTE, FTE to contractor, or FTE to fellow?
  - No. You do not need to do anything. When converting from a fellow to a contractor, the PIV badge will continue to work and be valid, whether you changed Institutes or not. When converting from a contractor to FTE, your contractor badge will not be deactivated until you pick up your new FTE badge.
    On the other hand, when switching to a Federal employee (FTE) status, you must switch your HHS ID Badge (from green stripe to white stripe). Additionally, when you go from FTE to a contractor or fellow, the FTE badge will immediately be terminated/revoked since the classification will be changed in NED.
- I recently switched from a Contractor to a Federal employee (FTE). Will my PIV badge still work?
  - If you are switching from a Contractor to a Federal employee (FTE) status, you will have to switch your HHS ID Badge (from green stripe to white stripe). During this switch, your contractor badge will not be deactivated until you pick up your new FTE badge. However, if it is the other way around (from FTE to contractor or fellow), the FTE badge will immediately be terminated/revoked since the classification will be changed in NED.
- In a few weeks I’ll be leaving FDA (or another HHS agency) to take a job at NIH. Will I need a new ID Badge or can I use the PIV Card issued by FDA (or the other HHS agency) when I begin working at NIH?
  - The new NIH badge cannot be fully processed or issued until the FDA PIV Card (or the PIV Card from another HHS agency) is first turned in AND they must disable it in the system. Afterwards, since you will be moving from one OPDIV (FDA) to take a position at another OPDIV (NIH), you will need to be sponsored by the Administrative Officer (AO) in the NIH Institute/Center you are assigned to. Once your AO sponsors you, you will need to be enrolled and issued a new HHS ID Badge (PIV Card). Your new badge will contain digital certificates that will need to be updated periodically.
    
    However, if needed, your NIH AO can initiate the request to bring you on board at NIH prior to your leaving FDA. This will begin the NIH Prescreening process and assessment of whether you will need a new background check.
    
    To read about the badging process, visit http://www.idbadge.nih.gov. This website describes in detail how to apply for a new HHS ID Badge (including enrollment and badge issuance) and the Personal Identification (PIV) process required of everyone issued a new badge.
    
    Note: if you plan to continue working for FDA while working at NIH, you will keep your FDA PIV card, and your NIH Institute ALT Coordinator will issue you an ALT Card for access to NIH Systems. For physical access to the NIH campus, your Institute AO can put in a request to our Access Control group to program your FDA PIV for NIH Physical Access.
- What needs to be done if an individual need to change their RLA badge to a PIV card?
  - In general, an individual will need to complete prescreening or a new investigation if the Position Sensitivity Level (PSL) changed or if the individual changed position from contractor/affiliate to FTE or vice versa. In this case, most individuals with an RLA who need to change their badge to a PIV card will require a new investigation since most RLAs are issued on the NAC-1 PSL while the PIVs requires T1 or higher PSL.
PIN or Certificate Questions
- Where can I go for a PIN reset and/or digital certificate renewal?
  - PIN resets can be completed by visiting their local Lifecycle Work Station (LWS) or by making an appointment at any of our NIH badging offices in Maryland, North Carolina, or Montana.
    If your digital certificates are not yet expired, they can be renewed by the individual themselves if they have an NIH-Issued Windows Laptop with the Access Card Utility software (ACU). This is the easiest and most recommended method to renew digital certificates. If ACU is not an option for you to use, then you may use an LWS to renew your digital certificates before they expire. Many Institutes and Centers (ICs) have purchased LWS and trained their staff to operate the units to issue PINs and renew badge certificates for their staffs. You may find your IC's LWS here. If you cannot find an LWS to renew your digital certificates, then you may make an appointment at any of our DPSAC's on-campus Badge Issuance stations in Maryland, North Carolina, or Montana. If the ACU, LWS and a badging office are all not viable options, then in some cases, your IT Department at your IC may authorize a temporary login token to gain system access without a PIV badge.
    Please note: if you wait to renew your digital certificates after they expire, then you must visit DPSAC's on-campus Badge Issuance stations to get them renewed. ACU and LWS are not able to renew digital certificates after they expire.
    Both PN resets and Certificate renewals can be done at a DPSAC Badge Issuance Office located in Building 31 (B1A26) or the Clinical Center South Lobby. Many ICs maintain Lifecycle Work Stations (LWS) so that they can offer PIN resets and Certificate renewals locally as well. For more information, please look under "Services" and "Badge Issuance" to read up on resetting PINS and renewing digital certificates on our Additional Badge Services page.
- What if my digital certificates expired? Can I have my IC's Lifecycle Work Station (LWS) operator reissue new digital certificates?
  - No. Once your PIV Card digital certificates are expired and passed the expiration date, then you must visit DPSAC's on-campus Badge Issuance stations to get them renewed. You can only get your digital certificates reissued by an LWS operator before they expire. For more information on these three options, please go under "Services" then "Badge Issuance" to find this page on "Renewing Digital Certificates and ID Badge."
- Do I need to enter a new PIN if I forget my old PIN, or can I re-use my old PIN?
  - There is no limit to the number of times one can use the same PIN. PINs never expire. You can reset your PIN using the same sequence of digits every time you do a reset.
    
    If you have trouble remembering your PIN, you may want to use it as your code for retreiving your voice mails. This way, every time you retrieve your voice mails you will be using your PIN and will be less likely to forget it when the time comes to use it to update your HHS ID Badge.
- Our IC has employees who work remotely full-time. How do we go about resetting PINs for these individuals? Do they have to travel back to NIH or are there alternative locations or methods for doing this?
  - DPSAC has an agreement with the Program Support Center (PSC) in HHS that allows NIH staff to use any of the ten PSC regional offices for PIN resets and certificate renewals. For instructions on requesting remote services, please click here and go to the bottom of the page to see the “Other Remote Locations” section.
- Is there a quick way for me to check when the digital certificate's expiration date is on my PIV Card?
  - Yes. In the Windows environment, just follow these five easy steps to check your PIV Card's certificate expiration date:
    
    Using Windows Internet Explorer (IE) select:
    
    1. Tools; 2. Internet Options (from drop down menu); 3. Content (Tab of Internet Options pop-up window); 4. Certificates (button in middle of Internet Option pop-up window contents tab); 5. Personal (tab in Certificate's pop-up window).
    
    At least four certificates should be displayed (3 in your name and one called PIV users). All four should have the same expiration date. If there are multiple sets of four, the latest expiration date is the expiration date of your certificates.
    
    Also, your IC is able to track the certificate status for individuals in their organization. This information can be helpful when planning appointments with local Lifecycle Work Station (LWS) operators who will be renewing the certificates on site.
    
    The Office of the Chief Information Officer (OCIO) has posted on its website a spreadsheet listing, alphabetically by IC, the names of subscribers along with their SAC or Admin Code, certificate expiration date, and other information that would be helpful to the ICs.
    
    The expiration dates will be posted chronologically and will be added to the list based on a rolling two-year time frame (one year for contractors).
    
    To view the Smart Card subscriber spreadsheet, click on: http://smartcard.nih.gov/PKI_subscribers.htm. From there, click on the link found under the first bullet: "NIH Smart Card (PIV) badge holders as of xx/xx/20xx (spreadsheet)."
    
    Note: Do not bookmark this latter link ("NIH Smart Card (PIV) Badge holders...") as it is subject to change due to periodic updates.
- Are there other options to renew my PIV card digital certificates without having to come to the DPSAC main office?
  - There are three options that PIV card holders can choose from to renew their digital certificates:
    Access Card Utility
    Lifecycle Work Stations (LWS)
    NIH Badging Locations
    Therefore, it is highly likely that you don't need to visit a DPSAC badge issuance station to renew your digital certificates on your HHS ID Badge. For more information on these three options, please go under "Services" then "Badge Issuance" to find this page on "Renewing Digital Certificates and ID Badge."
    In summary, ACU is a Windows laptop/desktop computer application that allows PIV card holders to renew digital certificates on their own before they expire. This is the easiest and most recommended method to renew digital certificates. If ACU is not an option for you to use, then you may use an LWS to renew your digital certificates before they expire. Many Institutes and Centers (ICs) have purchased LWS and trained their staff to operate the units to issue PINs and renew badge certificates for their staffs. You may find your IC's LWS here. The table lists the operators alphabetically by IC and includes their contact information. In the event you IC is not listed on this table, you should check with your AO to determine wheether your IC may have made arrangements to use another IC's LWS nearby. If not, then you will need to contact one of DPSAC's on-campus Badge Issuance stations to renew your digital certificates.
    Please note: if you wait to renew your digital certificates after they expire, then you must visit DPSAC's on-campus Badge Issuance stations to get them renewed.
- I know that I need to use my PIN when I eventually have to update my HHS ID Badge digital certificate. I’m afraid I’m going to forget my PIN. Do you have any tips for remembering my PIN?
  - One useful way to remember your PIN is to use the same number sequence as your code for retrieving your voice mail messages. This way you will have occasion to use your PIN on a regular basis and will be less likely to forget it.
PIV Card Questions
- I have customers asking what they need to do if they forget their PIV card but need to use their card to access “sensitive applications” on their computers. What are the current NIH plans for handling this?
  - According to the Office of the Chief Information Officer, their short answer is "do not forget your PIV card."
    
    NIH is working with HHS to provide 'backup' cards for Senior Executives and people on travel, but most users will need to learn how important it is to *always* have their PIV card with them if they need to access 'sensitive' applications.
    
    Please note that the U.S. Military as well as many public and private organizations have adopted this policy for their workforces.
- Which fingers are required for capture on the PIV card. Should the choice of which fingers to capture for the PIV card be automatic, or should the operator have the final say?
  - The Index fingers are designated as primary for capture to the PIV card. Fingerprint substitution should only take place if the primary fingerprint cannot be imaged successfully (e.g. missing or badly scarred). (Ref: FIPS 201 Section 4.4.1)
- At PIV card issuance, should the applicant's fingerprints be matched against the enrollment record, the PIV card biometrics, either, or both? Is this actually mandatory?
  - Biometric match of fingerprints at card issuance is mandatory. The match should be made against the templates placed on the PIV card from the record captured at enrollment. Whether this record is in the IDMS or on the PIV card is at the agency's discretion; however, matching to the PIV card has the added advantage of validating the biometric record on the PIV card. (Ref. FIPS 201, Section 5.3.1)
- What is the relationship of a Device CA to the PIV trust model?
  - Device authentication is outside the scope of the Personal Identity Verification (PIV) program objectives. However, provisions have been made in the Federal Common Policy Framework for device certificates and agencies are encouraged to issue under this policy if interoperability with other Federal organizations is desired. (Ref: X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework)
Policy Questions
- Are there standards by which PKI Shared Service Providers must comply regarding RA/CA communication and key escrow?
  - PKI Shared Service Providers must comply with the Federal Common Policy Framework which details requirements for PKI operations. (http://www.cio.gov/fpkipa/documents/CommonPolicy.pdf)
- Who must register with the Selective Service System?
  - Almost all male US citizens and male immigrants, who are 18 through 25, are required to register with Selective Service. For more information, please look here: https://www.sss.gov/register/who-needs-to-register/.
    It’s important to know that even though he is registered, a man will not automatically be inducted into the military. In a crisis requiring a draft, men would be called in a sequence determined by random lottery number and year of birth. Then, they would be examined for mental, physical, and moral fitness by the military before being deferred or exempted from military service or inducted into the Armed Forces.
- The FPKI Common Policy limits CA keys to a 6 year lifetime. Subscriber keys are limited to a maximum of half that (3 years). FIPS 201 allows credentials to be valid for up to 5 years. The 5-year cards require maintenance during their lifecycle.
  - This is correct. To use a PIV card for the maximum five years, new PKI credentials will need to be obtained at the three year point. This is a security feature, as well as mitigating the risk of large CRLs. There are currently no plans to modify either FIPS 201 or the Common Policy. Technically, certificate renewal can be performed by the user from the desktop, or the agency may choose to re-issue smart cards every three years and align it with the PKI certificate issuance cycle.
- How can agencies assess their existing infrastructure to tell if they are FIPS 201 compliant? Do you have any specific publication (like 800-53)?
  - FIPS 201 is the governing Standard for HSPD-12 compliance. FIPS 201 contains normative references to additional documents. Enrollment and Card Issuance organizations and processes must be accredited in accordance with SP 800-79. Data objects produced by Card Issuance systems are tested according to SP 800-85B, assisted by the 800-85B test toolkit. Implementation of infrastructure for utilizing the cards is covered by FISMA reporting and SP 800-53. (Ref: http://csrc.nist.gov/publications/nistpubs/index.html).
- FIPS-201, Section 5.4.2 states: "All certificates issued to support PIV Card authentication shall be issued under the Common Policy". Does this statement refer to all PIV-defined keys and their corresponding certificates?
  - Yes. The intent of this statement is that all certificates in the PIV data model shall be issued under the Common Policy.
Privacy Questions
- How does FIPS 201 protect privacy?
  - During card issuance and life cycle management, all agencies are required to comply with FIPS 201, Section 2.4, "PIV Privacy Requirements," which outlines strict control measures to ensure the privacy of PIV card applicants and card holders is protected. In addition, Personally Identifiable Information (PII) stored on the card is minimal, as is PII acquired and retained by the issuance system. PII such as electronic fingerprints will be encoded as minutiae templates while stored on a PIV card. The PIV card, once activated, is in the control of the individual it identifies, who can then determine where and under what circumstances to present it. (Refer to OMB Memorandum 06-19 for additional information)
- FIPS 201 2.4 requires that all systems provide continuous auditing of privacy compliance covering collection, use, and distribution of information during program operation. Exactly what information needs to be recorded, how should it be recorded?
  - Privacy Compliance is the responsibility of the Senior Agency Official for Privacy and should follow OMB guidance for privacy documentation. Part one of FIPS 201 outlines these requirements and NIST Special Publication 800-79 provides accreditation guidelines.
- Are there any specific requirements for when and/or how identity data should be protected, and who should or should not be able to access it? How does this requirement specifically affect communications with the IDMS and the FBI IAFIS for PIV-related fing
  - It is the responsibility of the Senior Agency Official for Privacy to ensure the identity data is properly protected from unauthorized disclosure. Agencies may use alternative methods for protecting information in transit and at rest. Interface specifications are under development and information on these may be accessed at http://www.idmanagement.gov. (Ref: FIPS 201, Section 2.4)
- I don't want everybody reading my personal information. Who sees this information?
  - The only persons authorized to see your personal information are Personnel Security, Suitability and Investigations professionals who have been investigated at the appropriate level and who have a genuine and demonstrated need for access to the information.
Procedure Questions
- I recently switched from a visiting fellow position to a contractor in the same Institute. I was wondering if I need to be re-issued a new badge? What about contractor to FTE, FTE to contractor, or FTE to fellow?
  - No. You do not need to do anything. When converting from a fellow to a contractor, the PIV badge will continue to work and be valid, whether you changed Institutes or not. On the other hand, when switching to a Federal employee (FTE) status, you will have to switch your HHS ID Badge (from green stripe to white stripe). During this switch, when you are going from contractor to FTE, your contractor badge will not be deactivated until you pick up your new FTE badge. However, if it is the other way around (from FTE to contractor or fellow), the FTE badge will immediately be terminated/revoked since the classification will be changed in NED.
- When I recently went to have my HHS ID Badge certificates renewed, my fingerprints could not be verified. Do I have to re-enroll?
  - Yes. If DPSAC determines that the fingerprints cannot be verified, a new attempt to capture fingerprints will be required. This is done during re-enrollment, at which time you will be photographed and fingerprinted again. During the process, DPSAC is required to identity proof the individual using two forms of original source documents. One must be a Federal or State government issued photo ID. This can include the HHS PIV Badge itself, but DPSAC must have a second docuement to verify identity. See a list of acceptable identification documents HERE. All documents must be unexpired.
- Does the procedure to obtain an ID badge for Summer Students apply to students who may begin their internships during the Fall, Winter, or Spring, or is the process different?
  - In summary, Summer Students will undergo a fingerprint check administered by the Division of Personnel Security and Access Control (DPSAC) in order to receive an NIH Restricted Local Access (RLA) ID Badge. The RLA Badge will be valid for the duration of the Summer Student’s appointment, but will expire no later than September 30 of the year it is issued. The badge will provide perimeter physical areas to NIH as well as logical access to the NIH IT network.
    Applications for these positions are accepted from late November through March 1 each year. Students should apply online at: http://www.training.nih.gov/apps/publicForms/sip/forms/sipApp.aspx. Students typically receive notice of application acceptance in April.
    For more information on other types of fellows, please visit this section of our website: https://ors.od.nih.gov/ser/dpsac/applicants-employees/know-before-you-go/info-for-fellows/Pages/default.aspx.
- In the event fingerprint capture is not possible, what should the alternative biometric be, and how should it be handled throughout the registration and issuance process?
  - In the event fingerprint capture is not possible, agencies must collect an alternative biometric. The most common is probably a facial image, however this is not specified by FIPS 201. For the purposes of the criminal history check, there is no alternate biometric. Where prints are not available, OPM will rely on the name check for criminal history. (Ref: FIPS 201 4.4.1)
Technical Questions
- I just got my new laptop. Why am I unable to log in with my badge or PIN number?
  - Please be sure to first check if you are connected to the WiFi, then connect to the VPN on the bottom right of your login screen before you log in to your laptop. You must be connected to the VPN first before logging in. If you are still running into technical difficulties, please contact the NIH IT Service Desk.
- I was issued an NIH ID badge (non-PIV badge) as a Special Volunteer because I will only be with NIH for 5 months. Will I be able to access computer systems?
  - Yes. The date for requiring use of a PIV badge to login to computers/Active Director accounts within the NIH network has not yet been set. However, if you log in through a Virtual Private Network, 'two factor' authentication is now required. Thus, if you access the NIH network via VPN you will need to be issued a PIV badge or work with your IC's IT department to find other options.
- I use a Macintosh computer and want to know if I’ll be able to access the NIHnet using my HHS ID Badge (smart card/PIV card).
  - Yes. Macintosh computers can accommodate two factor authentication with either a PIV card and card reader or with an RSA Secure ID token. This is also true for Macintosh Virtual Private Network (VPN) remote access.
    Dual factor authentication with PIV cards is fully supported in MAC OS versions 10.5 or 10.6 (Leopard and Snow Leopard respectively); it is not supported in the newest MAC OS (Lion), which was just released this month and should not be an issue.
    The NIH is currently testing a couple of solutions that will support PIV card authentication in MAC OS (Lion).
    VPN dual factor authentication also requires the installation of the new Cisco AnyConnect VPN client.
    Please contact the NIH Helpdesk if you need assistance with the installation of any of the components mentioned above.
    Dual factor authentication is not a requirement if using the wireless networks and access points within the NIH perimeter. Users connecting to wireless networks within the NIH perimeter will be able to connect with either a PIV card or a username and password.
- What does "logical access" mean in FIPS 201?
  - Logical access, as used in FIPS 201, refers to use of the credential as part of identification and authentication processes that are used by automated information systems access-control processes (e.g., log on actions and digital signatures).

The Office of Research Services (ORS), Division of Personnel Security & Access Control (DPSAC) is undertaking a customer service assessment on the background investigation and badging services provided to the NIH.

To help us ensure that we offer you the best service, we invite you to take our DPSAC Customer Service survey. Your responses are anonymous and this brief assessment will provide us with critical input on the quality of customer service provided to the NIH community. The survey should not take longer than 5 minutes to complete. If you encounter any problems with the survey, please contact Personnel Security at: orspersonnelsecurity@mail.nih.gov.

Thank you for your participation! We value your feedback.