DHHS requires employees and contractors to protect the Department's data by complying with the DHHS Information Security Program Handbook. As part of NIH and DHHS, NCI is subject to this policy, which requires contractor personnel to fulfill a number of requirements. Below is a brief summary of the requirements:
· The contractor must submit a roster of contractor personnel for use as a tool to track compliance for each contractor working on a project.
· Contractor staff with access to NIH or NIH computer resources must complete and submit all forms required for initiation of a background investigation.
· Contractor staff with access to NIH computer resources must meet the NIH security training requirements.
· Contractor staff with access to sensitive information must sign a Non-Disclosure Agreement.
· The contractor must complete the IT security separation checklist for staff leaving the contract and return the completed form to the project officer.
· The contractor may be required to submit a System Security Plan based upon AIS security contract language.
Background investigations are required for all contractor/subcontractor personnel who have (1) access to sensitive government information, or (2) access to Federal information systems (including those hosted at contractor facilities), or (3) regular or prolonged physical access to Federally-controlled facilities.
The NIH Office of Research Services, Division of Personnel Security and Access Control (ORS/DPSAC) manages the background investigation process. Their website at http://idbadge.nih.gov/background/index.asp provides more information on this subject and discusses the process that is involved. Applicants are required to complete and submit a number of forms electronically through an Office of Personnel Management online system called e-QIP. In addition, all applicants must also be fingerprinted. The requirements for this process are changing regularly, so please check the ORS/DPSAC website often.
o OPM's Investigations Information (includes links for FAQs)
o NCI "Acquisitions IT Security, and the Suitability Investigations Process" PowerPoint Presentation
o NCI Suitability Investigations Roster Template
o NCI IT Security Separation Checklist
o Non-Disclosure Agreement Form
Contract staff with access to NIH computer systems must meet a number of computer security training requirements. Initially, contractors must complete the NIH Computer Security Awareness Training at http://irtsectraining.nih.gov prior to beginning work on a contract. Following that, there is a requirement for an annual computer security awareness refresher that must be completed on a schedule announced by NIH each year. Contract personnel designated by the government as having “significant IT security responsibilities” will be required to take security training related to their role. More information on the NIH security training is available at http://irm.cit.nih.gov/security/security-communicating.htm.
The contractor must complete the employee separation checklist immediately upon removal of an employee from the contract and return the form to the project officer. This is required so that NCI can quickly remove the employee’s access to NCI IT systems.
A System Security Plan (SSP) is required for all IT systems hosted at a contractor or subcontractor facility. A contractor system is defined as a general support system or application hosted or maintained by contractor staff. When a system security plan is required, contractors must follow the NIST Special Publication 800-18 Guide for Developing Security Plans for Federal Information Systems.
Last updated: January 26, 2007