NHLBI Information Technology Security Policies, Forms and Procedures for Contracts

DHHS requires employees and contractors to protect the Department's data by complying with the HHS Information Security Program Policy.  NHLBI as part of NIH and DHHS is subject to these requirements.

  1. Contract employees should have annual security awareness training.
  2. Designated contractor IT staff must apply for a Public Trust Suitability Determination (personnel security clearance).
  3. The contractor may be required to submit a System Security Plan

Security Awareness Training

Contract staff with access to computer systems should have annual computer security awareness training. NIH has an excellent Web-based course, NIH Computer Security Awareness Training that can be used to fulfill this requirement.

Security Clearances

Contractor IT staff working on federal contracts hold Public Trust positions and must have background investigations at the appropriate level. A brief outline of the clearance process is given below, along with links to sample filled-out forms.  Links to additional information about OPM investigations and clearances are provided at the end of this document.

The requirement for background investigations applies only to applicable contractors. Offerors are not required to obtain background investigations to submit a proposal. Refer to Section L of the RFP to determine if security investigations will be required for any contract resulting from an award.

Personnel Security Clearance Process

The Project Officer and Information Systems Security Officer (ISSO) determine which contract employees need background investigations and level of clearance needed.  The Contracting Officer will inform the contractor which positions require background investigations and the levels for each, and request a contact e-mail address and phone number for each person who needs a background investigation.  Contract employees will receive further instructions via email from the NIH Division of Personnel Security and Access Control (DPSAC).  Contract employees must use the web application e-QIP, to complete the forms, except for the Fingerprint Card.

Personnel Security Investigation Forms

Level 1. The following forms are required for each contract employee assigned to a Level 1, low sensitivity position:


Level 5  and 6. The following forms are required for each contract employee assigned to a Level 5 moderate and 6 high sensitivity position:


* Contractors in the Bethesda, Maryland area can obtain digital fingerprints from the NIH Police. Fingerprint cards are not needed for digital fingerprints.

If you have questions about the process, you may e-mail the appropriate ISSO

Additional information about investigations and clearances:

Systems Security Plan

A System Security Plan (SSP) is required when the overall sensitivity and criticality level is moderate or greater; however, there may be instances when a SSP is required when the sensitivity and criticality levels are low. Contractors must use the NIH System Security Plan (SSP) Outline (FIPS 200 - Extended version) Microsoft Word Document.



Last updated: March 4, 2009




Skip footer links and go to content
Twitter iconTwitterExternal link Disclaimer         Facebook iconFacebookimage of external link icon         YouTube iconYouTubeimage of external link icon         Google+ iconGoogle+image of external link icon