NHLBI Information Technology Security Policies, Forms and Procedures for Contracts
DHHS requires employees and contractors to protect the Department's data by complying with the HHS Information Security Program Policy. NHLBI as part of NIH and DHHS is subject to these requirements.
- Contract employees should have annual security awareness training.
- Designated contractor IT staff must apply for a Public Trust Suitability Determination (personnel security clearance).
- The contractor may be required to submit the following system security deliverables:
- FIPS 199 Assessment
- IT Security Plan (IT-SP)
- IT Risk Assessment (IT-RA)
- IT Security Certification and Accreditation (IT-SC&A)
Security Awareness Training
Contract staff with access to computer systems should have annual computer security and privacy awareness training. NIH has two excellent web-based courses, NIH Computer Security Awareness Training and NIH Privacy Awareness Training that can be used to fulfill this requirement.
Contractor IT staff working on federal contracts hold Public Trust positions and must have background investigations at the appropriate level. A brief outline of the clearance process is given below, along with links to sample filled-out forms. Links to additional information about OPM investigations and clearances are provided at the end of this document.
The requirement for background investigations applies only to applicable contractors. Offerors are not required to obtain background investigations to submit a proposal. Refer to Section L of the RFP to determine if security investigations will be required for any contract resulting from an award.
Personnel Security Clearance Process
The Project Officer and Information Systems Security Officer (ISSO) determine which contract employees need background investigations and level of clearance needed. The Contracting Officer will inform the contractor which positions require background investigations and the levels for each, and request a contact e-mail address and phone number for each person who needs a background investigation. Contract employees will receive further instructions via email from the NIH Division of Personnel Security and Access Control (DPSAC). Contract employees must use the web application e-QIP, to complete the forms, except for the Fingerprint Card.
Personnel Security Investigation FormsNon-Sensitive Positions (Level 1) make up the majority of HHS positions because of the nature of the primary responsibilities of this Department. The following forms are required for each contract employee assigned to a Level 1 *:
- FD 258 Fingerprint Card or digital fingerprint **
- Current Resumé
Level 5 and 6. The following forms are required for each contract employee assigned to a Level 5 moderate and 6 high sensitivity position:
- FD 258 Fingerprint Card or digital fingerprint *
- Current Resumé
* ORS DPSAC Personnel Security will provide instructions as to which form(s) are required for a contract employee’s particular background investigation. For more information on the background process and the forms required, please visit http://www.ors.od.nih.gov/ser/dpsac/bgchecks/Pages/forms.aspx.
** Digital fingerprints can be obtained through the DPSAC Personnel Security office on NIH Campus. For locations please visit http://www.ors.od.nih.gov/ser/dpsac/badge/Pages/locatingbadge.aspx. If you have questions regarding your background check, please contact a personnel security specialist in the DPSAC Personnel Security office, email them at firstname.lastname@example.org, or visit DPSAC online at http://www.ors.od.nih.gov/ser/dpsac/bgchecks/Pages/default.aspx.
If you have questions about the process, you may e-mail the appropriate ISSO.
Additional information about investigations and clearances:
FIPS 199 Assessment
The Federal Information Processing Standards (FIPS) 199 Assessment was designed by the Federal Government to develop standards for categorizing information and information systems in order to protect both the Government and contractors from the risks associated with compromise of the confidentiality, integrity, or availability of information. The security categories are based on the potential impact on an organization should certain events occur that jeopardize the information and information systems needed by an organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.
Systems IT Security Plan (IT-SP)
A System IT Security Plan (IT-SP) is required when the overall sensitivity and criticality level is moderate or greater; however, there may be instances when an SSP is required when the sensitivity and criticality levels are low.
IT Security Risk Assessment (IT-RA)
The purpose of an information technology risk assessment (IT-RA) is to provide the Federal Government, as well as senior leaders/executives and principal investigators, with the information needed to determine appropriate courses of action in response to identified risks. Risk assessments also help organizations monitor operations on an ongoing basis to determine whether risks have increased to unacceptable levels and have exceeded the organizations risk tolerance.
IT System Certification and Accreditation (IT-SC&A)
The information technology certification and accreditation be used by the Designated Approving Authority (DAA) on the contract to acknowledge compliance with the documented security controls associated with the contract system(s) or application(s) under their control. The documented security controls and impact analysis are located in the respective IT Security Plan (IT-SP), FIPS 199 Assessment, and IT Risk Assessment (IT-RA). The IT-SC&A should be signed by the DAA on the contract. The DAA is the individual who formally assumes responsibility for operating the information technology systems under the contract’s purview at an acceptable level of risk. The DAA is often the contractor’s Director of Information Technology, Chief Information Officer or similar role.
The federal government has established a policy for the protection of federal information in cloud services under the Federal Risk and Authorization Management Program (FedRAMP). Under the FedRAMP policy, agencies that leverage existing cloud based-services or plan to acquire cloud based services (other than private cloud-based services) must initiate an authorization and use the FedRAMP information security and privacy requirements (including security and privacy controls, and controls selected for continuous monitoring) for cloud services to support authorization decisions. Contacts that will utilize cloud-based systems must use FedRAMP templates rather than the NHLBI IT Security deliverable templates provided. Additional information regarding FedRAMP can be found at http://www.fedramp.gov/.