1. The purpose of this policy is to establish the responsibilities for managing non-U.S. person visitor access to all National Institutes of Health (NIH) facilities (owned, leased, and occupied). This policy outlines measures that safeguard NIH assets, information systems, facilities, and staff while ensuring that the NIH mission is fully supported.

2. This interim policy governs the initial implementation of new (or significantly revised) visitor access controls. As NIH learns from localized pilot efforts and moves forward with full-scale implementation, we anticipate the development, evaluation, and refinement of procedures that will provide further guidance regarding risk acceptance and exceptions. Exceptions to this interim policy require a collaborative approach among ORS, event coordinators, and visit hosts to devise event-specific security plans with compensating controls to ensure that event participants remain in the vicinity of the meetings, conferences, and other events and that access is not allowed to controlled areas (to include critical infrastructure).

1. This policy defines a non-U.S. person visitor as an individual who is not a U.S. citizen or lawful permanent resident (Green Card holder), and who does not possess an unexpired NIH-issued Department of Health and Human Services (HHS) identification (ID) badge.

2. This policy must be adhered to by all NIH personnel, including but not limited to federal employees, contractors, volunteers, fellows, guest researchers, on-site research collaborations, trainees, and interns, hereafter referred to as NIH staff. NIH staff must follow this policy before inviting non-U.S. persons to access NIH facilities.

3. This policy applies to all NIH-owned, -leased, or -occupied property, building, or campus, hereafter referred to as NIH facilities. In the case of multi-tenant facilities, the term NIH facility only applies to areas occupied by NIH.

4. This policy applies to all non-U.S. person visitors with a legitimate business reason for accessing NIH facilities.

The NIH has a responsibility to establish and maintain scientific collaborations and discuss topics of mutual concern related to biomedical research with visitors to the NIH, both nationally and internationally. The NIH also has a responsibility as a federal agency to ensure that physical and network/system (logical) access to the NIH is managed in a manner that protects sensitive information, systems, and facilities. As an interim measure toward the development of a comprehensive visitor access management policy and program for the NIH that balances openness with risk awareness, this Manual Chapter establishes a non-U.S. person visitor access policy for the NIH in conformance to the HHS Foreign National Access Management Policy (FNAMP). 

1. Non-U.S. person visitors to NIH facilities must be pre-registered with the HHS Office of National Security (ONS) at least ten (10) business days in advance of their visit.

   1. Hosts, and/or designated Requesters, are responsible for coordinating with non-U.S. person visitors to ensure that all required pre-registration information is submitted in time to be received by HHS ONS, up to 90 days before, and no less than 10 days prior to the visit. NOTE: Pre-registration information requirements can be found in Appendix B.

   2. ORS will ensure pre-registration information for non-U.S. person visitors is submitted in a confidential and encrypted manner to HHS ONS for review and approval in accordance with the HHS FNAMP. In rare circumstances, specific risk indicators might be identified that require prohibition, delay for additional screening, or additional restrictions on a case-by-case basis.

   3. In rare, unusual, or emergency instances, waivers from the 10-day advance requirement may be requested for visits involving access to non-critical infrastructure, non-high-risk restricted, or non-restricted areas. The process for requesting and obtaining these waivers should be further defined by the NIH ORS Chief Security Officer (CSO) or their designee(s).

   4. Non-U.S. persons whose access is expected to exceed a total of 180 calendar days in a consecutive 12-month period are subject to the requirements of Homeland Security Presidential Directive 12 (HSPD-12). ORS Division of International Services (DIS) processing may be required.

2. Non-U.S. person visitors must be hosted by an NIH federal employee who is also a U.S. person. Non-U.S. persons are not permitted to host other non-U.S. persons. Hosts are required to complete the NIH Host and Escort Security Training within the Learning Management System (LMS).

3. All visitors are subject to security screening. This includes both physical screening at the NIH facility (e.g., x-ray machine of bags and packages) as well as review and assessment of visitor information provided as part of the pre-registration process. Physical security inspection while in or on NIH property is in accordance with The Interagency Security Committee (ISC) Standard for physical screening of visitors, their packages, briefcases, and other containers in the immediate possession of the individual. 

4. Non-U.S. person visitors must provide a government-issued ID that is valid (an original document that has not expired), legible, and has a clear picture of the individual. 

   1. The following is a list of suitable documents non-U.S. person visitors can present to gain access to the NIH:

      1. Passport (Bio Data Page)

      2. U.S.-issued Visa (if required)

   2. Any visitor 18 years of age and older is required to provide identification. Children 17 years of age and younger are not required to provide photo identification, but they must be accompanied by an NIH staff member for the duration of the visit.

   3. For detailed information about identification requirements related to perimeter security, visit NIH Visitors and Security websites at these URL addresses: http://www.nih.gov/about/visitorsecurity.htm and http://www.security.nih.gov.  

5. Non-U.S. person visitors may be required to be escorted during their visit by an NIH staff member who is also a U.S. person, in accordance with procedures established by the NIH ORS CSO and/or their designee(s). Escort-to-visitor ratios should be at least one Escort per five visitors at all times while inside NIH facilities, except in areas designated as open to the public in site-specific security plans1.

6. Escorts are required to complete the NIH Host and Escort Security Training within the Learning Management System (LMS).

7. Non-U.S. person visitors may take photographs, films or videos while at NIH facilities, unless it violates security regulations, policies, or is prohibited by appropriate signs. See Guidelines for Photography, Filming, or Video Recording at the NIH. Additional stipulations are found in 45 CFR 3.42(c) and Clinical Center’s C-003 – Photographs, Audio and Video Recording by Patients or Visitors in the NIH Clinical Center.

8. Upon arrival at an NIH facility, if a non-U.S. person visitor is denied entry for any reason, NIH guards will collect information in accordance with procedures designed by the NIH ORS CSO or their designee(s).

9. NIH Information Security and Technology.

   1. Non-U.S. person visitors are not permitted to attach USB cables, thumb drives, or any other equipment to any NIH information technology (IT) system or hardware. If required, all requests for access or connection for a legitimate business purpose (e.g., lecture presentation, product demonstration, etc.) must obtain approval through the respective ICO Information System Security Officer (ISSO).

   2. NIH staff must contact their respective ICO ISSO to turn over all electronic gifts from non-U.S. person visitors for inspection, such as novelty USB drives, through processes established by the ISSO. This in addition to any applicable ethics-related policies or procedures.

   3. Although a non-U.S. person visitor may be granted access to an NIH facility, pursuant to the restrictions in this policy, they must still be restricted from accessing sensitive information or information technology. Information access must be commensurate with the purpose of the visit.

1. Site-specific security plan template forthcoming.

1. NIH Office of Research Services (ORS) Chief Security Officer (CSO):

   1. Ensures that the implementation of this policy and any systems developed to facilitate implementation of the policy are in accordance with federal privacy laws and policies including, but not limited to the E-Government Act of 2002 [E-Gov], the Privacy Act of 1974 [PRIVACY], and OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 [OMB322], as applicable. 

   2. Appoints an NIH Non-U.S. Person Visitor Access Program Manager who shall be responsible for working with ICOs on the implementation of this policy. 

   3. Ensures consistent and transparent policies, standards, and procedures for implementation and administration of this policy, to include any requirements or exceptions specific to patients, clinical study participants, or events open to the public, and providing guidance for the development and documentation of site-specific security plans.

   4. Assigns a designee(s) to approve/deny any waiver requests to this policy.

   5. Coordinates with HHS ONS leadership on the status of the NIH implementation of the HHS’s FNAMP.

2. NIH Police or Local Security Office:

   1. Coordinates with event organizers to address any special security needs for scheduled conferences, meetings, or events, as necessary.

   2. Reviews all itineraries received for scheduled conferences, meetings, or events and provides concurrence and/or feedback to event organizers.

   3. Safeguards the transmission of Personally Identifiable Information (PII) when sharing information with NIH Hosts, ICO Points of Contact (POCs), or law enforcement appropriate personnel.

3. NIH Institutes, Centers, and Office (ICO) Executive Officers (or other ICO leadership):

   1. Identifies an ICO POC(s) for non-U.S. person visitor access who shall be responsible for working with the ORS Non-U.S. Person Program Manager on the implementation of this policy. The ICO POC(s) will:

      1. Coordinate development of internal procedures and site-specific plans to ensure compliance with this policy.

      2. Act as the focal point for NIH Hosts, Escorts, and Requestors for training, coordination, and facilitation of non-U.S. person visits.

      3. Report all visitor misconduct, unusual behavior, and policy violations to [email protected]. In an emergency, call 911 to reach the NIH Police or local law enforcement agency with jurisdiction.

   2. Ensures that event coordinators notify the NIH Police (or local Security Office) in advance of events that will include non-U.S. visitors.

4. NIH staff: 

   1. Coordinates with their ICO POC(s) to ensure all non-U.S. person visitors are pre-registered in accordance with procedures outlined in this policy.

   2. Complies with this policy when requesting non-U.S. person visitor access to NIH facilities, systems, and information.

   3. Completes Host/Escort training requirements, as needed. NOTE: Additional information can be found in Appendix A.

   4. Reports all visitor misconduct, unusual behavior, and policy violations to [email protected]. In an emergency, call 911 to reach the NIH Police or local law enforcement agency with jurisdiction. 

Badges must be worn above the waist, front torso, in full view at all times within NIH facilities and campuses, except in areas or situations where the badge might compromise safety.

1. 5 USC § 552a Records maintained on individuals.
2. 18 USC § 1028 – Fraud and related activity in connection with identification documents, authentication features, and information
3. 5 USC Chapter 5 § 552 “Public Information; Agency Rules, Opinions, Orders, Records, and Proceedings”
4. 22 USC § 6010 “United States person” defined

5. Department of Health and Human Services (HHS) Office of the Chief Information Officer (OCIO) Policy for Information Security and Privacy (IS2P), November 18, 2021.

6. HHS “HHS Counterintelligence and Insider Threat Policy,” dated Jun 5, 2015 (not a public document).

7. HHS Rules of Behavior for the Use of HHS Information and IT Resources Policy, dated February 2023.

8. Executive Order 12333, “United States Intelligence Activities,” dated December 4, 1981, as amended.

9. Executive Order 13587, “Structural Reform to Improve the Security of Classified Information Networks and Responsible Sharing and Safeguarding of Classified Information,” dated October 7, 2011.

10. Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” dated February 12, 2013.

11. 41 CFR Appendix to Part 102-74 Rules and Regulations Governing Conduct on Federal Property (Under The Authority of GSA)

12. Federal Register Vol. 72, No. 72, Notices, pg. 19000, Monday, April 16, 2007

13. Homeland Security Presidential Directive 12 (HSPD-12), “Policy for a Common Identification Standard for Federal Employees and Contractors,” dated August 27, 2004

14. Privacy Act of 1974, U.S. Public Law 93-579, 1974

15. E-Government Act of 2002, U.S. Public Law 107-347, 2002.

16. Executive Order 12968, Access to Classified Information (EO 12968)

17. M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, OMB, September 26, 2003

18. Code of Federal Regulations, Title 45: Public Welfare, Part 3: Conduct of persons and traffic on the National Institutes of Health Federal Enclave

19. HHS Foreign National Access Management Policy, released November 17, 2022 (not a public document)

20. NIH Manual Chapter 1405, NIH Physical Access Control

21. NIH Manual Chapter 1443, HSPD-12 Implementation Policy 

22. NIH Manual Chapter 1743, Managing Federal Records

23. NIH Manual Chapter 2300-752-3, Restricting and /or Removing Individuals from NIH workplaces

24. NIH Manual Chapter 2808, NIH Enterprise Architecture Policy, March 25, 2005

25. NIH Manual Chapter 3015, Admittance to Minors in Hazardous Areas, July 26, 2017
     

1. Children / Minors — Persons under the age of 18 years old as defined by the NIH.
2. Clinical Study Participant — A person who is enrolled into a clinical study or trial.
3. Contractors — Non-NIH federal employees who may be present at NIH facilities providing goods and/or services to the NIH. Includes but is not limited to: Construction Management Personnel, Animal Care Workers, Clinical / Research / Administrative staff positions, Food Service Managers/Supervisors, Housekeeping Staff, Parking Lot Attendants and Shuttle Bus Drivers.
4. Escort — An NIH staff member authorized to accompany a non-U.S. person visitor while at an NIH-owned, -leased, -maintained, or occupied facility and who is responsible for escorting the visitor during their visit, including ensuring the visitor arrives to and departs from the facility upon completion of the purpose of the visit. All Escorts must complete the NIH Host and Escort Awareness Training before assuming this role. Escorts may also serve as Hosts and/or Requestors if they meet the eligibility requirements.
5. Full Time Equivalent (FTE) — An individual who is Wage Grade, Wage Leader, Wage Supervisor, General Schedule, Senior Executive Service, Scientific and Professional, Senior Biomedical Research Service, Title 42, Title 38, Title 32, Senior Leaders, and PHS Commissioned Corps and Students (other than summer students).
6. Host — A U.S. person and NIH federal employee authorized to invite one or more non-U.S. person visitors and who assumes responsibility for those visitors attempting to access NIH facilities, information technology systems or equipment, and/or proprietary and sensitive information during the visit. (Contractors and trainees are not authorized to serve as Hosts). All Hosts must complete the NIH Host and Escort Awareness Training before assuming this role. Hosts may also serve as Escorts and/or Requestors if they meet the eligibility requirements.
7. Health and Human Services (HHS) — U.S. Department whose mission is to enhance and protect the health and well-being of all Americans by providing for effective health and human services and fostering advances in medicine, public health, and social services.
8. ICO Point of Contact (POC) — Representative(s) of each NIH Institute, Center, and Office responsible for working with NIH Hosts, Escorts, and the ORS Non-U.S. Person Program Manager to address ongoing questions and/or issues related to this policy and related processes.
9. Local Security Office — Any office that is assigned center- or office-wide, division, field location, or other work unit responsibilities relating to security issues.
10. NIH Facility — Any NIH-owned, -leased, or -occupied property, building, or campus. In the case of multi-tenant facilities, the term NIH Facility only applies to areas occupied by NIH.
11. NIH Federal Employee — For the purposes of this policy, a Full-Time Equivalent (FTE; U.S. or non-U.S. person) who has been issued physical access credentials to an NIH facility. This includes individuals designated as General Schedule (GS), Senior Executive Service (SES), Title 42 (including both U.S. and non-U.S. person research fellows and clinical fellows). This excludes contractors, non-Title 42 consultants, visiting fellows, trainees, and volunteers. 
12. NIH Staff — For the purposes of this NIH policy, NIH personnel, including but not limited to federal employees, contractors, volunteers, fellows, guest researchers, on-site research collaborations, trainees, and interns.
13. Non-U.S. Person — Any individual who is not a U.S. citizen or lawful permanent resident (Green Card holder).
14. Personal Identity Verification (PIV) Card — A card that is “personalized” with data needed by the PIV system to later grant access to the subscriber to federal facilities and information systems; assure appropriate levels of security for all applicable federal applications; and provide interoperability among federal organizations using the standards.
15. Personally Identifying Information (PII) — Information that can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, user login, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and/or place of birth, mother’s maiden name, etc. (defined in OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information).
16. Requestor — An NIH staff person who is also a U.S. person, and serving as a proxy for the Host, coordinates with the visitor, Host and Escort(s), to ensure all pre-registration, Host and Escort training, and IT support requirements are completed prior to visitor pre-registration information being submitted for approval. All requesters must complete the NIH Host and Escort Awareness Training before assuming this role. Requestors may also serve as Hosts and/or Escorts if they meet the eligibility requirements.
17. Sensitive Information — Information that is not specifically classified in the interest of national defense or foreign policy, however, if accessed without authorization, lost, misused or modified, could adversely affect the national interest or the conduct of federal programs or privacy to which individuals are entitled under 5 U.S.C. § 552a.
18. Trainees — high school and college students, recent college graduates, graduate students, professional students, postdoctoral, research fellows, and clinical fellows (either U.S. & non-U.S. persons) training in the NIH intramural program to gain practical research or clinical experience. These intramural trainees are designated as IRTA, Cancer Research Training Award (CRTA), Visiting Fellow, Clinical Fellow, or Research Fellow.
19. U.S. Person — Any United States citizen, whether born or naturalized in the United States, or a person admitted for permanent residence in the United States. 
20. Visitor — Any individual accessing an NIH facility who does not possess an unexpired NIH-issued Department of Health and Human Services (HHS) identification (ID) badge.