Accessible Search Form           Advanced Search

Skip left side navigation and go to content


NHLBI Information Technology Security Policies, Forms and Procedures for Contracts

DHHS requires employees and contractors to protect the Department's data by complying with the HHS Information Security Program Policy. NHLBI as part of NIH and DHHS is subject to these requirements.

  1. Contract employees should have annual security awareness training.
  2. Designated contractor IT staff must apply for a Public Trust Suitability Determination (personnel security clearance).
  3. The contractor may be required to submit a System Security Plan

Security Awareness Training

Contract staff with access to computer systems should have annual computer security awareness training. NIH has an excellent Web-based course, NIH Computer Security Awareness Training that can be used to fulfill this requirement.

Security Clearances

Contractor IT staff working on federal contracts hold Public Trust positions and must have background investigations at the appropriate level. A brief outline of the clearance process is given below, along with links to sample filled-out forms.  Links to additional information about OPM investigations and clearances are provided at the end of this document.

The requirement for background investigations applies only to applicable contractors. Offerors are not required to obtain background investigations to submit a proposal. Refer to Section L of the RFP to determine if security investigations will be required for any contract resulting from an award.

Personnel Security Clearance Process

The Project Officer and Information Systems Security Officer (ISSO) determine which contract employees need background investigations and level of clearance needed.  The Contracting Officer will inform the contractor which positions require background investigations and the levels for each, and request a contact e-mail address and phone number for each person who needs a background investigation.  Contract employees will receive further instructions via email from the NIH Division of Personnel Security and Access Control (DPSAC).  Contract employees must use the web application e-QIP, to complete the forms, except for the Fingerprint Card.

Personnel Security Investigation Forms

Level 1. The following forms are required for each contract employee assigned to a Level 1, low sensitivity position:

  • SF 85–Questionnaire for Non-Sensitive Positions
  • OF 306 –Declaration for Federal Employment
  • FD 258–Fingerprint Card*
  • Current Resumé

Level 5  and 6. The following forms are required for each contract employee assigned to a Level 5 moderate and 6 high sensitivity position:

  • SF 85P–Questionnaire for Public Trust Positions
  • DHHS Credit Release Form
  • OF 306–Declaration for Federal Employment
  • FD 258–Fingerprint Card*
  • Current Resumé

* Contractors in the Bethesda, Maryland area can obtain digital fingerprints from the NIH Police. Fingerprint cards are not needed for digital fingerprints.

If you have questions about the process, you may e-mail the appropriate ISSO

Additional information about investigations and clearances:

Systems Security Plan

A System Security Plan (SSP) is required when the overall sensitivity and criticality level is moderate or greater; however, there may be instances when a SSP is required when the sensitivity and criticality levels are low. Contractors must use the NIH System Security Plan (SSP) Outline (FIPS 200 - Extended version).

Last updated: March 4, 2009

Twitter iconTwitterimage of external icon Facebook iconFacebookimage of external icon YouTube iconYouTubeimage of external icon Google+ iconGoogle+image of external icon