The purpose of this chapter is to establish a policy for the issuance of identification (ID) badges and the authorization of physical access to NIH campuses, buildings, and specific locations within them

This policy applies to the NIH Bethesda, Maryland, Rocky Mountain Laboratories, Hamilton,  Montana, Research Triangle Park, North Carolina, National Cancer Institute, Frederick Maryland, the National Cancer Institute Shady Grove campuses, the Bayview Research Center, Baltimore Maryland, as well as NIH leased facilities. 

The NIH faces a significant challenge in maintaining security and providing physical access to geographically dispersed campuses that have a unique combination of sensitive facilities, hospitals, and research that are utilized by tens of thousands of employees, contractors, affiliates, and visitors each day.  The NIH utilizes Physical Access Control Systems (PACS) to facilitate timely access to NIH facilities while meeting regulatory security requirements. These systems allow for automated entry based on access rights which are granted on an individual basis.

The Office of Research Services (ORS), Office of Security and Emergency Response (SER), Division of Personnel Security and Access Control (DPSAC) maintains overall responsibility for managing physical access to NIH facilities. The ORS, SER, Division of Physical Security Management (DPSM), approves the use and installation of electronic locking systems. The execution of this responsibility is conducted by the local/satellite security offices at NIH installations. The security offices at each NIH facility manage both the PACS and individual access requests.

Access permission levels are provided in conjunction with the issuance of an ID badge. NIH issues several different types of ID badges dependent on various factors outlined in Manual Chapter 1443: Homeland Security Presidential Directive (HSPD)-12 Implementation Policy. For details on current types of ID badges, please visit the NIH Badging Table.

The operations of issuing ID badges are largely governed by HSPD-12 which mandates the establishment of a government-wide standard for secure and reliable forms of identification. HSPD-12 was created to eliminate wide variations in the quality and security of forms of identification used to gain access to federal facilities and systems. To satisfy the requirements of HSPD-12, the National Institute of Standards and Technology (NIST), developed the Federal Information Processing Standard (FIPS) 201-3 “Personal Identity Verification of Federal Employees and Contractors.” FIPS 201-3 specifies a standard to be implemented for issuing ID badges.

Controlling access to NIH facilities on an emergency and non-emergency basis is paramount to providing a safe working environment for research to be conducted in support of the NIH mission.

The NIH's policy is to only issue ID badges to individuals after completing the security requirements outlined in Manual Chapter 1443: HSPD-12 Implementation Policy. Individuals are then authorized physical access to NIH locations based on the roles and responsibilities of their position description. 

NIH utilize various PACS in compliance with NIH Manual Chapter 2808: NIH Enterprise Architecture Policy, OMB-M-19-17: Enabling Mission Delivery through Improved Identity, Credential, and Access Management to manage, increase, decrease, restrict, or terminate access to NIH campuses, buildings, or specific locations within them. 

The local/satellite NIH security offices operate as the badging authority responsible for issuing ID badges to individuals who require physical access to NIH facilities. NIH facilities with ID badge issuance services and the requisite security office are identified in Appendix 2.

1. The Associate Director for Security and Emergency Response (ADSER), Office of Research Services (ORS) is responsible for: 
   1. Planning and directing service programs for public safety, security operations, scientific and regulatory programs, and a wide array of other service programs.
   2. Providing services dedicated to supporting NIH’s biomedical research goals in a safe work environment for NIH employees, visitors, research, and facilities.
   3. Providing oversight of the access control program to ensure compliance with this policy.
   4. Managing physical access control to NIH facilities.
   5. Identifying conditions where limited access to space may be granted and emergency /non-emergency access will be maintained.
   6. Addressing when key overrides are permitted (i.e., generally limited to fire department access) as part of a card reader installation.
   7. Ensuring all processes and procedures are functioning effectively.
   8. Providing timely customer service support.
   9. Generating system reports.
   10. Responding to information technology (IT) requirements and managing quality control.
   11. Providing input on the operations PACS to control access to NIH facilities. 
   12. Granting facility access based on an individual’s affiliation with the NIH and organizational responsibilities.
   13. Validating and identifying individuals in the PACS and verifying that the appropriate access is authorized.
   14. Printing, distributing, and inputting badge identification numbers into the PACS to activate the badge.
   15. Issuing ID badges to employees, contractors, affiliates, and other individuals.
   16. Determining the required security level and the device to install to mitigate the risk.
2. The NIH Institutes, Centers, and Offices (ICOs) are responsible for:
   1. Managing organizational access control requests consistent with Facility Access Control (FAC) guidelines.
   2. Providing administrative support for access control requirements.
   3. Submitting access control requests to the responsible security office.
   4. Notifying the Division of Physical Security Management (DPSM) at DPSM-ServiceRequest@mail.nih.gov to obtain approval and assistance before commencing any task related to the installation of a card reader not associated with a construction project. This includes unique circumstances such as card reader installation requests to doors that also have hard keys with lock cylinders, in which case DPSM will require justification and a key control plan for approval.
   5. Complying with Federal Protective Services (FPS) and Department of Homeland Security (DHS) Interagency Security Committee (ISC) Standards along with NIH requirements in leased facilities, when applicable.
   6. Ensuring access control requests comply with the terms and conditions stipulated in this policy.
   7. Identifying spaces that require restricted access and the controls in place to support emergency and non-emergency access.
3. The NIH Office of Research Facilities (ORF), is responsible for:
   1. Providing keys for access control systems when authorized.
   2. Reporting planned power outages to the local/satellite security badge issuance offices to minimize impacts to card readers and the ability to lock down areas through the PACS system.
   3. Managing the contract that includes the installation of, and repairs to, badge readers.
4. NIH employees, contractors, affiliates, and any individual issued an ID badge is responsible for complying with the policies stated herein and for the safe keeping of ID badges.

1. NIH employees, contractors, affiliates, and any individual in need of an ID Badge must provide two original documents consistent with the requirements of NIH Policy Manual 1443-Homeland Security Presidential Directive 12 (HSPD-12) Implementation Policy for background investigations and validation.
   1. Must report lost/stolen badges to the local/satellite security badge issuance office and the associated ICO the individual works for.
   2. Broken badges should be brought to the local/satellite security/badge issuance office for a replacement.
   3. If a broken badge has not expired, the individual will be issued a new badge.  The expiration date on the new badge will be the same as the date on the broken badge.
   4. Individuals departing NIH must contact their AO before their departure date.
2. The NIH ICOs:
   1. Administrative Officers with the requisite security training must:
      1. Sponsor individuals to obtain an HHS ID badge (PIV Card) in accordance with NIH Policy Manual 1443.
      2. Request issuance of an ID badge to an individual.
      3. Complete sponsorship actions for HHS ID Badges through the NIH Enterprise Directory (NED).
      4. Identify the roles and responsibilities of applicants for issuance of the correct category of ID badge.
      5. Remain aware of the individual’s status and continuing need for holding an ID badge and updating NED accordingly.
      6. Request written changes to physical access privileges to access restricted or other sensitive areas in NIH facilities. If you have any questions, please contact the Access Control office at facilityaccesscontrol@mail.nih.gov or (301) 451-4766. 
      7. Collect individual ID badges when they depart the NIH and return it to the local/satellite security badge issuance office within eighteen (18 hours) of termination.
         1. Failure to surrender a badge will be reported to the Division of Police as possessing unauthorized property.
         2. When possible, withholding of payment may be authorized.
      8. Contact ORS DPSM at DPSM-ServiceRequest@mail.nih.gov when planning the installation of a card reader to control access to a sensitive area.
3. The ADSER, ORS:
   1. Local and/or Satellite Security Offices, ORS
      1. Inputs, operates, and maintains PACS to control access to NIH facilities as shown in Appendix 2.
      2. Validates the identity of individuals in the PACS and verifies the appropriate access is authorized by NIH Policy Manual 1443 for NIH-owned and leased facilities exclusive of those with direct leases through the General Services Administration (GSA).
      3. Prints, distributes, and inputs badge identification number into the PACS row to activate a badge.
      4. Grants access to NIH facilities based on the individuals position description.
      5. Maintains a list of restricted access spaces to include individuals and organizations authorized access on an emergency and non-emergency basis. 
   2. Division of Personnel Security & Access Control (DPSAC), ORS:
      1. Reviews operations of the Local and/or Satellite Security Offices to ensure compliance with this policy.
      2. Ensures the effectiveness of the standard operating procedures for accessing restricted spaces on an emergency and non-emergency basis complies with the applicable Federal Protective Services (FPS), DHS Interagency Security Committee (ISC) Standards, and NIH requirements.
      3. Utilizes Appendix 2 – Access to Controlled/Restricted Space in NIH Facilities to ensure access to controlled areas on an emergency and non-emergency basis. 
   3. ​​​​​​Division of Physical Security Management (DPSM), ORS:
      1. Ensures that physical and engineering security initiatives at all NIH-owned or leased facilities comply with federally mandated physical security requirements and approved security systems that mitigate current and emerging threats.  This includes electronic access control security, Video Surveillance System (VSS), and electronic door locking systems.
      2. Assesses facilities to determine the required security level and the appropriate devices to install to mitigate the risks to include card key readers.
      3. Reviews and approves or denies requests for keys to access restricted areas controlled by a card reader system in owned facilities.
      4. An area’s sensitivity depends on the type, value, and vulnerability of the property to be protected or controlled. When a high degree of protection is justified by security needs, the security of the area will be accomplished with the installation of a high security mechanical or electronic lock and card reader. Requests for electronic controlled locks and card reader access should be submitted to DPSM-ServiceRequest@mail.nih.gov. DPSM Security Specialist will evaluate the area for an approval decision.
      5. Requests for high-security mechanical locks, along with justification for special security requirements for high-risk/sensitive areas, should be submitted to DPSAC and DPSM for evaluation and collaboration with ORF ASU Locksmith Section.  Generally, these are not issued, and requests must be approved by the DPSM director.
      6. For leased facilities with a direct lease through GSA, serves as the Facility Security Committee (FSC) Facilitator as a consultant for security-related items, decision making, costs, and implementation.
4. The Division of Facilities Operations and Maintenance (DFOM) Technical Support Team (TST)/Security/Locksmith, ORF:
   1. Provides keys for access control systems when authorized.
   2. Utilizes Appendix 3 to provide emergency and non-emergency access to designated areas.
5. The NIH Clinical Center  (CC):
   1. Utilizes the following Clinical Center Administrative Policies to manage access to clinical spaces:
      1. CC Administrative Policy FP-004- Managing Access in the Clinical Center Complex, as part of the program to manage security risks, staff can request and be issued a key(s) and/or card key reader access to areas in the Clinical Center Complex (CCC) based on their duties and responsibilities.
         1. Oversight of the CCC program is within the office of the Chief Operating Officer.
         2. Doors in patient care units and departments accessible by card key readers also have locksets to permit access in the event of a disruption or outage.
         3. Where required by law, certain offices and laboratories are sensitive with restricted access controlled by the Division of Police.
   2. S-002 Security Risk Management in the Hospital
      1. Used to manage risks within the hospital by completing evaluations and implementing prudent control measures to reduce the risk of damage and harm to persons and property.
      2. Incorporates electronic, physical, and/or administrative controls.

1. Federal Information Processing Standard (FIPS) 201-2, “Personal Identity Verification of Federal Employees and Contractors”
   http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-3.pdf
2. Office of Management and Budget (OMB) Memorandum M-19-17, Enabling Mission Delivery through Improved Identity, Credential and Access Management
3. National Institutes of Standards and Technology (NIST) SP-800: Guidelines for the Use of PIV Credentials in Facility Access 
4. DHS Homeland Security Presidential Directive: 12: Policy for Common Identification Standards for Federal Employees and Contractors
5. DHS Interagency Security Committee (I iT SC) Standards: The Risk Management Process for Federal Facilities
6. NIH Manual Chapter 1415 – Key and Lock Services
7. NIH Manual Chapter 1443, “HSPD-12 Implementation Policy”
8. NIH Policy Manual, Chapter 1743 Keeping and Destroying Records, available at:  https://oma1.od.nih.gov/manualchapters/management/1743/
9. NIH Manual Chapter 2808, “NIH Enterprise Architecture Policy” 
10. Clinical Center Administrative Policy FP-004-Managing Access in the Clinical Center Complex
11.  Clinical Center Administrative Policy S-002 – Security Risk Management in the Hospital