Skip Navigation Links

icon

Transmittal Notice

  1. Explanation of Material Transmitted: This chapter is being revised to update the policy, procedures, and organizational responsibilities relating to the National Institutes of Health (NIH) Physical Security Project Requirements for NIH Owned and Leased Facilities, formally the Physical Security Program. This chapter ensures compliance with applicable federal security standards and guidelines which have changed since the last issuance for construction, renovation, and major equipment installation projects affecting active and passive security systems.
  2. Filing Instructions:

Remove: NIH Manual Issuance 1381, dated 2/15/1990.
Insert: NIH Manual Issuance 1381, dated 07/24/2014.

PLEASE NOTE: For information on:

This Manual Chapter ensures that all owned or leased NIH facilities are designed, constructed, and/or renovated are in compliance with all applicable federal physical security requirements. This chapter serves as the basis for the NIH Physical Security Project Requirements for NIH Owned and Leased Facilities and establishes the authority of the Division of Physical Security Management (DPSM) as one of the NIH organizations responsible for safeguarding the NIH community against terrorism, criminal activity, and potential or actual threats by individuals or groups.

Following the September 2001 terrorist attacks, the Department of Health and Human Services (HHS), Office of the Inspector General (OIG), conducted a comprehensive assessment of the NIH security operations and functions, including physical security policies, procedures and protective systems. Using the Department of Justice Vulnerability Assessment of Federal Facilities standards and guidelines, the OIG designated the NIH Bethesda Campus as a Facility Security Level (FSL) IV installation. The FSL determination mandates specific security requirements to mitigate vulnerabilities identified in the OIG assessment.  

In response to the OIG report, the NIH Associate Director for Security and Emergency Response (ADSER) further developed existing security design guidelines and procedures to comply with increased federal mandates and increased threat levels. The security design guidelines and procedures were based on proven federal methodologies and best practices that provided the basis for the NIH Physical Security Program. Since then, there continue to be a number of additions and changes to federal standards and guidelines as new threats emerge. Therefore, the standards and guidelines included in the Reference Section of this chapter are subject to periodic updates.

The Division of Physical Security Management (DPSM) was established to ensure that physical and engineering security initiatives at all NIH owned or leased facilities work in concert with the Office of Security and Emergency Response (SER) Divisions to provide the most secure environment possible for the NIH community. The DPSM mission is to ensure all NIH facilities are protected against current and emerging threats by balancing high-quality, cost-efficient security systems and operations with increasing federal mandates. Collaborating in this effort with the NIH community, DPSM strives to achieve optimum results for a safe environment that does not restrict, but promotes the mission and goals of the NIH.

This policy establishes a process to identify and obtain DPSM’s approval of the physical security requirements for alteration, construction, improvement, renovation, repair by replacement, and major equipment installation projects that take place in NIH owned and NIH leased facilities. This policy will help ensure NIH physical security requirements are met and risks are mitigated. Any NIH organization that is planning the alteration, new construction, repair-by-replacement, renovation, or major equipment installation at NIH owned or NIH direct-leased facilities must coordinate with the Office of Research Facilities Development and Operations (ORFDO) and DPSM. Project Managers should consult with DPSM as early as possible during the initial project planning stages. Any additional contract impacts and unplanned physical security costs resulting from not receiving prior approval from DPSM will be borne by the offending organization.

Privacy Policy Regarding Systems
Records identifying individuals entering and or exiting NIH owned and NIH leased facilities are subject to the Privacy Act because they contain personally identifiable information that is stored in a paper or electronic record system designed to be retrieved by the name of the subject individual or a unique identifier linked to or assigned to the individual by ORS, or another office (biometric information, photographic images). The records are covered by NIH Systems of Record Notice 09-25-0054, Administration: Property Accounting (Card Key System) HHS/NIH/ORS. All staff who handles the records maintained in this record system must safeguard and protect them in accordance with the Privacy Act SORN (http://oma.od.nih.gov/public/ms/privacy/pafiles/0054.htm).

Note: This policy is not applicable to General Services Administration (GSA) leased facilities. The Federal Protective Service (FPS) oversees GSA lease facilities and is responsible for providing risk assessments and physical security requirements for such facilities. Upon request, the DPSM may provide consultative support to the NIH customer on FPS physical security requirements and when NIH is renovating space under Contracting Officer Representative (COR) authority in a GSA lease.

New and emerging threats to the United States necessitate periodic updates to federal security requirements. Therefore, physical security requirements and guidelines unique to the mission of the NIH include, but are not limited to:

  1. DHS Interagency Security Committee (ISC) StandardsThe Risk Management Process for Federal Facilities

  2. DHS National Infrastructure Protection Plan (NIPP)

  3. NIST Federal Information Processing Standards (FIPS)

  4. HHS Internal Critical Infrastructure Protection (CIP) Policy (Not a public document.)

  5. NIH Design Requirements Manual

  6. NIH Manual Chapter 1405 - Access Control (pending)

  7. NIH Manual Chapter 1415 - Key and Lock Services

  8. NIH Manual Chapter 1743 - Keeping and Destroying Records

  9. DPSM Physical Security Policies and Design Requirements (Not a public document.)

  10. Americans with Disabilities Act and Architectural Barriers Act Accessibility Guidelines  

  11. ABA Standards for (Federal Facilities)

  12. Americans with Disabilities Act (ADA)

  13. International Building Code (IBC)

  14. National Fire Protection Association (NFPA)  Life Safety Code (NFPA 101)

  15. 5 U.S.C. Section 552a (The Privacy Act of 1974, as amended): http://www.justice.gov/opcl/privacy-act-1974

For more information on current editions or additional sources not listed, contact the DPSM at (301) 443-7287.

E. Definitions

  1. Alterations - Improvements or changes to an existing property to allow its use for a different purpose or function. See also the definition of Improvements

  2. Biometric - The measurement of physical characteristics, such as fingerprints, DNA, or retinal patterns, for use in verifying the identity of individuals.

  3. Construction - The erection of a building, structure, or facility, including the installation of equipment, site preparation, landscaping, associated roads, parking, environmental mitigation, and utilities, which provides space not previously available. It includes freestanding structures, additional wings or floors, enclosed courtyards or entryways, and any other means to provide usable program space that did not previously exist (excluding temporary facilities).

  4. Facility Security Level (FSL) - Because of the differences among federal buildings and their security needs, the Interagency Security Committee (ISC) categorized federal facilities into five classes based on building size, agency mission and function, tenant population, and the degree of public access to the facility The ISC developed security standards corresponding to the security level needed for each class.

  5. Facility Security Level (FSL) IV - Buildings composed of 150,000 square feet or more; staffing level of  450 federal employees or more, and a high level of public access.

  6. Facility Project Approval Agreement (FPAA) - A written agreement between designated HHS Operating Division (OPDIV) officials (i.e., Project Manager, Project Director and OPDIV Board Member) and the Department evidencing the OPDIV’s commitment to execute a particular project. A FPAA is required for all facility construction and improvement projects exceeding $1M and all repair projects exceeding $5M. The FPAA documents the project’s scope and description, basis of need, funding source(s), and total cost from all sources. It identifies project schedule milestones, including completion of design, construction, activation and operational phases.

  7. Federal Protective Service (FPS) - A federal law enforcement agency that provides integrated security and law enforcement services to federally owned and leased buildings, facilities, properties and other assets.

  8. General Services Administration (GSA) - A central management agency that sets federal policy for federal procurement and real property management and information resources.

  9. Improvements (Renovations/Alterations) - Any enhancement or change to an existing property to allow continued or more efficient use within its designated purpose (Renovation), or for use for a different purpose or function (Alteration). Building improvements also include upgrading of primary mechanical, electrical, or other building systems, and site improvements not associated with construction projects.

  10. Interagency Security Committee (ISC) criteria - The ISC’s mandate is to enhance the quality and effectiveness of physical security in, and the protection of, buildings and nonmilitary federal facilities in the United States (government-owned, leased or managed; to be constructed, renovated, or modernized; to be purchased).

  11.  Major Equipment Installation - The installation of a new piece of equipment that may have an adverse impact on existing security features such as reinforced walls, ceilings, floors, windows, gates, doorways, security workstations and closets, as well as security systems identified in 13 and their related connectivity infrastructure such as security conduit, cabling, wiring, etc.

  12. Office of the Inspector General (OIG) - Charged with identifying, auditing, and investigating fraud, waste, abuse, and mismanagement within an agency.

  13. Physical Security Systems - systems include, but are not limited to, access control devices such as card readers, biometric devices and secure locking systems, security lighting, electronic surveillance and video recording systems, intrusion detection and alarm systems, blast mitigation techniques, pedestrian and vehicle barriers, facility/perimeter protection measures, and other specialized security systems

  14. Physical Security Review and Comments - DPSM will review, comment and provide guidance for all projects requiring new or impacting existing physical security systems or features.

  15. Program of Requirements (POR) - One of the planning and programming documents used to describe a proposed facility. It includes estimates of design and construction costs, space requirements, environmental requirements, and other program information.

  16. Renovation - Improvements or changes to an existing property to allow continued or more efficient use within its designated purpose (See definition of Improvements).

F. Responsibilities

  1. The Associate Director, Security and Emergency Response (ADSER) is designated as the Deputy Chief Security Officer for the NIH and is responsible for all day-to-day security functions at the NIH. The ADSER’s security responsibilities are implemented through the SER subordinate organizations: Division of the Fire Marshal, Division of Police, Division of Fire and Rescue Services, Division of Emergency Preparedness and Coordination, Division of Personnel Security and Access Control and the Division of Physical Security Management.

  2. The Director, Division of Physical Security Management (DPSM) is responsible for ensuring that all NIH owned or leased facilities are in compliance with federally mandated physical security requirements and approved security systems that mitigate current and emerging threats.  Physical security systems include, but are not limited to, access control devices such as card readers, biometric devices and secure locking systems, security lighting, electronic surveillance and video recording systems, intrusion detection and alarm systems, blast mitigation techniques, pedestrian and vehicle barriers, facility/perimeter protection measures, and other specialized security systems. The Director, DPSM will:

    1. Establish and maintain all NIH physical security related policies and guidelines.

    2. Ensure new construction and renovation projects are in compliance with NIH physical security related policies and guidelines and other applicable federal physical security policies and requirements.

    3. Provide recommendations and cost saving strategies to enhance the overall security in the absence of clearly defined federal requirements.

    4. Coordinate and consult with applicable representatives of the ORFDO and Institutes and Centers (ICs) to identify physical security program requirements.

    5. Ensure appropriate DPSM staff participation in ORFDO’s Pre-Project Planning Board (PPPB) and Project Definition Rating Index (PDRI) meetings to identify physical security requirements to be incorporated into the scope of a project (i.e. Basis of Design [BOD], Bridging documents, Facility Project Approval Agreement [FPAA], Program of Requirements [POR], etc.)

    6. Approve physical security requirements for new construction and renovation projects from the planning through the commissioning phase of a project.

    7. Ensure appropriate DPSM staff participation in reviewing master plans, site improvements, statements/scopes of work, and submittals for construction, renovation, or major equipment installation projects.

    8. Conduct security assessments and systems troubleshooting as needed from the design phase through commissioning.

    9. Assist with ORFDO’s Permit Review Process in identifying, coordinating and approving physical security requirements.

  3. The Office of Research Facilities Development and Operations (ORFDO) will submit all proposed alteration, new construction, repair by replacement, renovation and major equipment installation, projects including those in the NIH Master Plan, and NIH direct lease replacement to DPSM to identify and approve physical security requirements.

    1. Pre-Project Planning Phase: ORFDO will notify DPSM of all Pre-Project Planning Board (PPPB) and Project Definition Rating Index (PDRI) meeting schedules for DPSM’s participation.

    2. Planning Phase: ORFDO will ensure DPSM’s participation in development and approval of documents to include the POR, FPAA and others as required based on the specific project requirements.

    3. Pre-Design Phase: ORFDO will submit the Statement of Work (SOW) for all projects with physical security requirements to DPSM for approval prior to initiating contract actions for design, such as contract solicitations, requests for proposals, etc.

    4. Design Phase: ORFDO will submit design documents at various phases to DPSM for review and approval consistent with ORFDO’s Permit Review Process.

    5. Construction Phase: ORFDO will submit to DPSM all project change orders that involve existing or new physical security systems and features, for review and guidance.

    6. NIH direct lease concurrence:

      1. ORFDO/Real Estate Contracting Branch (RECB) Contracting Officer (CO) will issue a draft lease to DPSM for review and comment for physical security requirements. DPSM will provide a response within the schedule for Government review.

      2. RECB CO will submit the final lease revisions to DPSM for concurrence. DPSM will provide concurrence within the schedule provided for Government review.
  4. NIH Institutes/Centers (ICs) officials authorized to conduct construction, renovations, major equipment installations, etc. will adhere to this document. Officials should consult with DPSM as early as possible during the initial project planning stages. Any contract impacts and unplanned physical security costs resulting from not receiving prior approval from DPSM, will be borne by the offending Institute or Center.
  1. Pre-Project Planning Phase:

    1. All alterations, new construction, repair by replacement, renovation and major equipment installation, in NIH owned or NIH direct-leased facilities must be coordinated with ORFDO and DPSM prior to actions being taken that impact existing physical security features when new systems are required, or due to the critical nature or location of the work.

    2. DPSM will identify physical security requirements for each project during the Pre-Project Planning Phase.

    3. DPSM will participate in ORFDOs Pre-Project Planning Board and Project Definition Rating Index meetings to ensure required physical security features are understood and included for each project.

  2. Planning Phase:

    1. The planning phase may include the development of a POR, FPAA, bridging or other documents based on the type of procurement action anticipated. 
      When applicable, DPSM will endorse the FPAA, POR or other planning documents to validate the physical security requirements that are included in the project.

    2. Planning documents must be approved by customers/stakeholders prior to the start of the design phase.

  3. Design Phase:

    1. DPSM will adhere to the ORFDO Permit Review Process in coordinating project physical security requirements with the design teams.

    2. DPSM will perform a security assessment, develop recommendations, a Statement of Work (SOW), and coordinate proposed actions with the customer and other stakeholders on an as needed basis.  The SOW may include approved equipment and functionality; evaluation and other applicable project security requirements.

    3. DPSM will review design documents in accordance with the ORFDO Permit Review Process and verify the security system requirements that will satisfy the designated threat level identified by the ISC criteria.

    4. For designs/projects that impact existing or include new security systems or features, final design submissions must be approved by the Director, DPSM prior to being released for bid. If a design is amended during the advertisement/award period impacting the physical security requirements, DPSM must review the scope of the amendment to ensure it remains in compliance with federal security requirements.

    5. For GSA lease replacement through the General Services Administration (GSA), Institutes and Centers may request DPSM to serve as a security consultant. In such cases, DPSM will offer recommendations and coordinate activities with the Federal Protective Service as necessary.

  4. Construction/Renovation/Project Completion Phases:

    1. Change Orders: The ORFDO PO will notify DPSM of change orders affecting the physical security features or requirements. DPSM shall review each physical security change and provide comments within the schedule established for Government reviews.

    2. Ongoing/Periodic Security Assessments: DPSM will conduct periodic security risk assessments and systems troubleshooting assessments during ongoing construction, renovation, or major equipment installation projects.

    3. Final Security Assessment: All construction, renovation, or major equipment installation projects that impact existing, or provide new security features/systems, must be approved by DPSM prior to closeout/completion of the project.

H. Records Retention and Disposal

All records (e-mail and non-e-mail) pertaining to this chapter must be retained and disposed of under the authority of the NIH Manual 1743, “Keeping and Destroying Records,” Appendix 1, “NIH Records Control Schedule,” Section 1100 - General Administration, Item 1100-B-1, Policy Files, Section 2600 Procurement, Property and Supply Management, B. Public Buildings and Space, (including all items that apply), and Section 1300 Station Management, Item 1300-C Protection and Security (including all items that apply).

NIH e-mail messages, including attachments that are created on the NIH computer systems or transmitted over the NIH networks that are evidence of the activities of the agency or have informational value are considered Federal records. These records must be maintained in accordance with current NIH Records Management guidelines. Contact your IC Records Liaison for additional information.

All e-mail messages are considered Government property, and if requested for a legitimate Government purpose, must be provided to the requester. Employees' supervisors, the NIH staff conducting official reviews or investigations, and the Office of Inspector General may request access to or copies of the e-mail messages. E-mail messages must also be provided to the Congressional Oversight Committees, if requested, and are subject to the Freedom of Information Act requests. Back-up files are subject to the same requests as the original messages.

I. Internal Controls

The purpose of this chapter is to set forth policy for NIH Physical Security Project Requirements for NIH owned and NIH direct-leased facilities in order to safeguard the NIH community.

  1. Office Responsible for Reviewing Internal Controls Relative to this Chapter: Through this manual chapter, DPSM, ORS is responsible for the method used to ensure that internal controls are implemented and working
  2. Frequency of Review: Ongoing.
  3. Method of Review:  In accordance with Manual Chapter 1710, Section J., the DPSM will maintain ongoing program oversight and ensure effective implementation and compliance with this policy. This will be accomplished by assessing documentation (i.e. design documents, change orders, etc.); communication in management and project meetings; project technical reviews and security assessments; monitoring monthly performance data in conjunction with the ORFDO project status database,  and ongoing review of current applicable security guidelines, policies, and standards. This policy is reviewed annually by DPSM and updated as required. 
  4. Review Reports: All issues are communicated to the Associate Director, Security and Emergency Response (ADSER) on a weekly basis.  Issues of special concern will be brought to the attention of the ADSER immediately and communicated to the Director ORS and/or ORF as needed.

* If you require a 508 compliant PDF version of a chapter please contact policymanual@nih.gov
Arrow UpBack to Top