This chapter establishes the policy and procedures for requesting and obtaining access to manufacturing and compounding for human administration areas in NIH Facilities as needed to comply with applicable federal law and ensure effective quality control.

The policy in this chapter applies to all NIH Institute or Center (IC) or Office of the Director (OD) Offices and any Personnel being considered for or having access to manufacturing and compounding for human administration areas in NIH Facilities.

Access control is a requirement for all Food and Drug Administration (FDA) regulated manufacturing and compounding sites, whether they are operating under an FDA Regulatory Platform or United States Pharmacopeial (USP) Practice and Standards. It is a safety and quality assurance standard employed in facilities that manufacture and produce or compound interventions and therapeutic agents for human administration.

Federal law requires controlled access for sites that manufacture and compound FDA-regulated products. For more information, see Title 21 of the Code of Federal Regulations (CFR) part 211, which conveys Current Good Manufacturing Practice (cGMP) requirements. At 21 CFR Section 211.28 subparagraph (c), FDA regulations state: “Only personnel authorized by supervisory personnel shall enter those areas of the buildings and facilities designated as limited-access areas.”

The USP is a scientific nonprofit organization that sets standards for the identity, strength, quality, and purity of medicines, food ingredients, and dietary supplements manufactured, distributed and consumed worldwide. The USP standards are enforced consistent with the requirements of Title 21 of the Food, Drug and Cosmetics Act (FD&C).

The USP has a number of chapters that are applicable to NIH manufacturing and compounding for human administration areas, including General Chapter <797> Pharmaceutical Compounding – Sterile Preparations. That General Chapter requires controlled access to areas that manufacture and compound certain products for human administration and restricts access to properly trained and credentialed personnel.

Major buildings on the NIH Bethesda campus are secured by an electronically controlled door lock/building access system. Access control to manufacturing and compounding for human administration areas on all NIH campuses shall be controlled electronically as set forth in this policy.

The electronically controlled access system is and shall be administered by the Division of Personnel Security and Access Control (DPSAC), Office of Security and Emergency Response (SER), Office of Research Services (ORS) in compliance with NIH Policy Manual 1405 – NIH Physical Access Control.

Access to buildings or controlled spaces within them is granted in conjunction with the issuance of an ID badge. The type of ID badge issued to an individual is dependent on various factors as outlined in NIH Policy Manual 1443 - Homeland Security Presidential Directive (HSPD)-12 Implementation Policy. For details on current types of ID badges, please visit https://ors.od.nih.gov/ser/dpsac/administrators/onboarding-new-staff/Pages/position-classifications-and-corresponding-badge-types.aspx.

Access to manufacturing and compounding for human administration areas will be provided using the same steps as for the standard badging process and include additional requirements for appropriate training and credentialing of staff specific to the area. The procedures for access shall be consistent with the procedures set forth herein.

Grace Period: This Manual Chapter is effective immediately. However, existing sites are afforded a grace period of 60 calendar days from the release date of this Manual Chapter to comply with this policy.

1. Title 45 CFR Part 3.41: http://edocket.access.gpo.gov/cfr_2008/octqtr/pdf/45cfr3.41.pdf
2. Title 21 CFR Part 211: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=211
3. Title 18 United States Code (U.S.C.) Section 499: https://www.dhs.gov/sites/default/files/publications/mgmt-award-hshqdc09d00001-2.pdf
4. Title 18 U.S.C. Section 701: https://www.gpo.gov/fdsys/granule/USCODE-2009-title18/USCODE-2009-title18-partI-chap33-sec701/content-detail.html
5. Title 21: Food and Drugs Chapter 9 – Federal Food, Drug, and Cosmetics Act
6. 21 U.S.C. 353a: Pharmacy Compounding
7. U.S. Pharmacopeia (USP) General Chapter <797>
8. Clinical Center Medical Administrative Series Policy M95-1: http://cc-internal.cc.nih.gov/policies/PDF/M95-1.pdf
9. NIH Policy Manual 1381, Physical Security Project Requirements for NIH Owned and Leased Facilities
10. NIH Policy Manual 1405, NIH Physical Access Control
11. NIH Policy Manual 1743, Keeping and Destroying Records, Appendix 1, NIH Records Control Schedule
12. NIH Policy Manual 2808 – NIH Enterprise Architecture Policy
13. NIH Policy Manual 2300-334-1, Assignments under the Intergovernmental Personnel Act (IPA)
14. NIH Policy Manual 2300-940, Clearance of Personnel for Separation or Transfer: https://oma1.od.nih.gov/manualchapters/person/2300-940/
15. NIH Privacy Act Systems of Record Notice 09-25-0054, Administration: Property Accounting (Card Key System) HHS/NIH/ORS https://oma.od.nih.gov/forms/Privacy%20Documents/PAfiles/0054.htm
16. HHS Privacy Act Systems of Record Notice 09-90-0777, Facility and Resource Access Control Records, HHShttp://www.hhs.gov/foia/privacy/recordsnotices/09900777_.html

1. Access control: A process that grants, denies or restricts a person’s entrance to a facility based on approved criteria.
2. Badging Authority/Office: The NIH office responsible for issuing ID badges.
3. NIH Clinical Center (CC): Warren Grant Magnuson Clinical Center (original Building 10), Ambulatory Care Research Facility (ACRF), INVIVO (NMR) Addition and the Mark O. Hatfield Clinical Research Center (CRC), NIH Bethesda campus.
4. DPSAC HSPD-12 Program: The DPSAC HSPD-12 Program provides program management oversight for the HSPD-12 initiative at NIH. It is responsible for ensuring that program goals are achieved and timeframes for delivery are met while streamlining security processes for the NIH community. DPSAC plans and helps implement the NIH HSPD-12 initiative. It provides program management and training to assure compliance with the Directive.
5. Employee: An individual employed by the NIH. Employee must be an eligible Title 5 Federal employee, have a Title 42 appointment, an NIH civil service employee, or member of the Commissioned Officers Corps.
6. Federal Information Processing Standards (FIPS 201): Federal Publication developed by the National Institutes of Standards and Technology (NIST) as ordered by HSPD-12 to establish standards for identity credentials.
7. HSPD-12: Homeland Security Presidential Directive-12 is a Presidential Directive that requires the definition of a set of common, acceptable and achievable standards for Personal Identity Verification (PIV) of Federal employees and contractors. It is designed to enhance security, increase Government efficiency, reduce identity fraud and protect personal privacy.
8. Personnel: For the purpose of this NIH Manual Chapter, “Personnel” includes all employees as defined herein and other individuals (regardless of employment status) authorized to enter or be within a site covered under this chapter.
9. Physical Access Control System (PACS): A security database that stores information on all issued ID badges. This system is utilized to grant access to specific NIH facilities based on an individual’s job duties.

1. The Associate Director for Security and Emergency Response (ADSER), Office of Research Services (ORS) is responsible for the protection of NIH facilities and grounds and also serves as Deputy Chief Security Officer for NIH. The ADSER plans, directs, and coordinates all security and access control functions of the NIH to ensure a comprehensive security program exists.
2. The Office of Research Facilities Development and Operations (ORFDO) Automated Systems Unit (ASU) is responsible for the maintenance and repair of the electronic access control system.
3. The ORS, SER, Division of Personnel Security and Access Control (DPSAC) is responsible for management of the electronic access control system, e.g., the issuance of electronic identification cards, programming of access levels, etc. Additionally, DPSAC is responsible for reviewing all key requests to ensure the requestor has the appropriate clearance/suitability level and access privileges for the areas requiring key access.
4. The Institutes and Centers (IC) Executive Officers in non-Clinical Center manufacturing and compounding areas are responsible for compliance with this policy and identifying who is authorized access to the regulated spaces.
5. The ORS, SER, Division of Physical Security Management (DPSM) ensures that physical and engineering security initiatives at all owned and leased NIH facilities work in concert with the NIH operational security programs and comply with Federal security standards. This includes electronic access control security, closed-circuit television (CCTV) surveillance, and electric door locking systems.
6. A Clinical Center Department Head is responsible for determining who has access to regulated manufacturing compounding area(s) within that department’s suites.
7. NIH employees, as defined herein, are responsible for complying with the policies stated in this chapter.
8. NIH Police personnel will have key access to manufacturing and compounding for human administration areas in NIH Facilities.
9. NIH Fire Department personnel will have key access to manufacturing and compounding for human administration areas in NIH Facilities.
10. Code Blue Team personnel will have key access to manufacturing and compounding for human administration areas in the NIH CC.

1. Entry to all regulated manufacturing and compounding for human administration areas shall be controlled by a badge reader or multiple badge readers. Badge readers, rather than traditional keys, are required for the following reasons:
   1. Instant access revocation when card is lost/stolen.
   2. Instant access revocation when employee or contractor has been suspended, terminated, or separates from NIH service.
   3. Ability to grant access for a limited period of time.
   4. Ability to conduct forensics to determine who was in a given room when an event took place.
   5. Reduced vulnerability of counterfeiting although government issued keys are stamped “Do Not Duplicate”, those warnings can be easily disregarded.
2. The term “manufacturing and compounding for human administration area” includes programmatic, scientific and supporting infrastructure (mechanical and electrical rooms).
3. It is not intended that each individual manufacturing and compounding room be controlled by a badge reader; rather, if a program contains a suite of multiple interior rooms, it is sufficient for the access control to be applied at the suite level, generally off of the public corridor.
4. The ORS, SER, Division of Personnel Security and Access Control (DPSAC) is the organization responsible for granting electronic access to controlled spaces.
5. Access to manufacturing and compounded areas can only be granted to vetted Personnel by authorized individuals. Requests for access must be forwarded to [email protected]. See Appendix A for additional details.
6. Badges will be activated for access to manufacturing and compounding areas only for properly trained and credentialed employees approved by NIH leaders as follows:
   1. In the case of the NIH CC and Institute and Centers (IC), Department Head of respective area(s).
   2. In the case of the Office of Research Facilities Development and Operations (ORFDO), the ORFDO Director.
   3. In the case of other ICs outside the NIH CC, the Institute/Center Executive Officer.
7. Additional access restrictions to specific manufacturing and compounding areas shall be provided by the heads of the programs and/or Quality Assurance (21 CFR 211.22 & .25). Access shall be restricted when:
   1. There is a need to limit exposure due to the potential for harm from agents being manufactured/tested or processes being conducted within the area.
   2. Access must be controlled to persons with proper training and certifications specific to the operations to be performed, e.g., gowning and aseptic media fill certifications.
   3. Access must be denied to persons that do not meet GMP, compounding, and related regulations and guidelines.
8. Upon loss or theft of a badge, the employee must immediately notify his/her Administrative Officer (AO). The employee’s AO must immediately notify DPSAC, and DPSAC will deactivate the badge, thereby revoking all access privileges, consistent with existing policies.
9. Individuals receive only perimeter access to buildings when they initially receive their ID badge. An individual’s AO may request additional access for the person by contacting their local/satellite security/badge issuance office. All requests must be in writing. In order to gain access to regulated manufacturing and compounding areas, the request must be approved by the individuals identified under H.6. a., b., or c. above.
10. Badge use must comply with Title 18 U.S.C. Section 499. This prohibits counterfeiting, altering or misusing badges.
11. Badge holders shall never loan or surrender their badge to another person.
12. Badge holders must not permit others to follow them into controlled spaces. Each authorized individual is required to access the area using their own badge.
13. Upon termination or suspension of an employee with access to manufacturing and compounding areas, the IC AO notifies DPSAC requesting deactivation of the individual’s badge, thereby revoking all access privileges.
14. Cleaning staff must be escorted at all times by an individual that has access to the area, unless approved by the specific area access control authority as defined in H. 6. a., b. and c. to do so without escort supervision.
15. Some doors are equipped with both a badge reader and a key-activated lockset. Only NIH Police and NIH Fire Department personnel will be equipped with a key. The use of a key to override the card reader system will trigger an alarm for DPSAC’s response.
16. Appendix A identifies the process for gaining access to regulated manufacturing and compounding areas.
17. The responsible parties listed in H.6.a., b., and c. must bi-annually (i.e. twice per year) review who has access to the respective area(s) they control and ensure the list is accurate and notifying DPSAC immediately of any names that need to be removed.
18. The IC requesting a card reader to support controlling access to regulated manufacturing and compounding areas is responsible for funding for that effort.

All records (e-mail and non-e-mail) pertaining to this chapter must be retained and disposed of under the authority of NIH Manual 1743, “Keeping and Destroying Records”, Appendix 1, “NIH Records Control Schedules,” (as amended). These records must be maintained in accordance with current NIH Records Management and Federal guidelines. Contact your IC Records Liaison or the NIH Records Officer for additional information.

The purpose of this manual issuance is to establish the NIH policy and describe the system, process and procedure to control and provide access to manufacturing and compounding for human administration areas in NIH facilities.

1. Office Responsible for Reviewing Internal Controls Relative to this Chapter: Through this manual issuance, ORFDO is responsible for ensuring effectiveness of the facility related operations of the card reader system. ORS, SER, DPSAC is responsible for ensuring that internal controls for installing and approving card key access are implemented and working properly.
2. Frequency of Review: DPSAC will maintain an ongoing review to determine effectiveness of the established procedures.
3. Method of Review: DPSAC will ensure effective implementation and compliance with this policy by analyzing feedback, reviewing system-generated reports and through coordination with ORFDO.
4. Review Reports are sent to: Director, ORFDO; Director, ORS; and the ADSER annually. Reports will indicate that internal controls are in place and working. Issues of special security concern will be brought immediately to the attention of the ADSER.