HSPD-12 Related Definitions and Glossary

Access control: The process of granting or denying requests to access physical facilities or areas, or to logical systems (e.g., computer networks or software applications).

ANACI: Access NACI: An initial investigation for federal employees who will need access to classified national security information at the Confidential or Secret level.

Affiliate: Individuals requiring a Personal Identity Verification (PIV) card to gain access to NIH and who are not employees or contractors (e.g., special volunteers, tenants, guest researchers, fellows).

Applicant: The person to whom a Personal Identification Verification (PIV) Card needs to be issued. Until an offer of employment is made, a person is not considered an applicant.

Approval Authority: The person who manages the entire Identity Management System (IDMS).  This person is responsible for designating people who will perform the duties of the Employer/Sponsor. The person with approval authority ensures that no single individual/role has the capability to issue a card without the participation of another individual, and that there are at least two different individuals participating in the process at all times.

ATO: Authority to Operate  - Authorization from a superior to proceed.

Authentication: The process of establishing a person's identity and determining whether people are who they say they are.

Authorization: The process of giving people access to specific areas or systems based on their authentication.

BI: Background Investigation - The search of a person's records covering specific areas of an individual's background, usually over a set period of time.

Biometric:  A measurable physical characteristic used to recognize the identity of a person. Examples include fingerprints and facial images. A biometric system uses biometric data for authentication purposes.

BSL:  Biosafety Levels  - Define proper lab techniques, equipment, and design.

BITS: Background Information Tracking System - NIH/DPSAC repository for inventoried data.

CAN: Common Account Number - Identifier unique to each IC.

CHUID: Cardholder Unique Identifier  - Contains agency data, cardholder data, and card expiration date.

CIT: Center for Information Technology  - Provides support for NIH software development.

CNACI:  Child Care NACI  - Required investigation for positions involving child care.

CJIS: Criminal Justice Information Services  - FBI’s criminal data repository.

DIS: Division of International Services  - Provides immigration-related services for NIH.

DP: Division of Police - Protects NIH from criminal activity and acts of terrorism.

DPSAC: Division of Personnel Security and Access Control  - Provides personal identity verification services, access control, and issues ID badges for the NIH community.

e-QIP: Electronic Questionnaires for Investigations Processing  -  Using a secure Internet connection, e-QIP gives applicants the ability to electronically enter, update, and transmit their personal investigative data to their employing agency for review and approval.

Emergency Response Official: Federal Emergency Response Officials are personnel directly involved with an agency’s organized actions taken by trained individuals to control immediate dangers to life and health in an effort to preserve life safety, conserve property and stabilize incidents. These immediate dangers occur in the acute phase, or first 24 hours, of crises or emergencies. Officials focus on controlling the immediate dangers as a priority that takes precedence over recovery and mitigation. Once the emergency situation has been stabilized and the immediate dangers do not persist, activities move to a “consequence management” phase. Personnel involved with consequence management are not necessarily considered Federal Emergency Response Officials. NIH employees with this designation have a red stripe on the bottom of their individual PIV badge.

EOD: Entry on Duty: First day of employment with NIH.

Federal Bureau of Investigation (FBI) Fingerprint Check: A fingerprint check of the FBI fingerprint files. This check is the minimum requirement for provisional card issuance.

FIPS 201-1: Federal Information Processing Standards  - Federal publication developed to establish standards for identity credentials.

HSPD-12: Homeland Security Presidential Directive 12: Directive for a common identification standard for all FTEs and contractors.

IDMS: Identity Management System - Systems or applications that manage the identity verification and validation process.

Identity-proofing: The process of providing sufficient personal identifying information (e.g., driver's license, proof of current address, etc.) to a registration authority, or the process of verifying from a person's information that he or she is that person.

Issuer: The person or entity that activates and issues a Personal Identification Verification (PIV) Card to an applicant following the positive completion of all identity proofing, background checks, and related approvals. The Issuing Authority is responsible for verifying a biometric fingerprint match between the applicant and the identity system when the card is being issued.

JPAS: Joint Personnel Adjudication System  - Department of Defense (DOD) repository for background investigations data.

LBI:  Limited Background Investigation: Minimum investigation required for a Public Trust level 5c background investigation.

LACS: Logical Access Control System - Protection mechanisms that limit users' access to information, and restrict their access on the system to only what is appropriate for them.

MBI: Minimum Background Investigation  - Includes a NACIC and face-to-face interview with a personal investigator.

Mission Critical Facility: A building or group of buildings in one geographical area, so vital to the United States and/or HHS that the incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety, HHS mission accomplishment during crisis circumstances, or any of these combined.

NAC: National Agency Check - Standard NACs involve the basic and minimum investigation required of all federal employees and contractors. They consist of searches of the OPM Security/Suitability Investigations Index (SII), Defense Clearance and Investigation Index (DCII), FBI Name Check, and FBI National Criminal History Fingerprint Check.

NACI: National Agency Check with Inquiries - In addition to NAC requirements, NACIs include written inquiries and searches of records covering specific areas of a person's background during the past five years (inquiries sent to current and past employers, schools attended, references, and local law enforcement authorities).

NACIC: National Agency Check with Inquiries & Credit Check - NACICs require the same items as NACIs, with an additional requirement for credit checks for persons in Public Trust Positions.

NACLC: NAC with Local Agency Check and Credit  - Initial investigation for contractors, consultants, and experts at the Confidential and Secret national security levels.

NCIC: National Crime Information Center  - FBI’s index of criminal justice data.

NED: NIH Enterprise Directory - Web-based NIH community data repository.

OMB: Office of Management and Budget

OPM: Office of Personnel Management  - Ensures the Federal Government has an effective civilian workforce.

PACS: Physical Access Control System - Protection mechanisms that limit users' access to physical facilities or areas to only what is appropriate for them.

PII: Personal Identifying Information - Unique personal information.

PIPS:  Personnel Investigations Processing System  - OPM’s background investigation repository.

PIV: Personal Identification Verification - The process that federal employees and contractors who routinely gain access to federal facilities and information systems must go through. Applicants must prove their identity, be fingerprinted and have a background investigation before receiving a federal ID badge called a PIV Card.

PIV Authentication Certification Authority: The person with Certification Authority that signs and issues the PIV Authentication Certificate of the applicant.

PIV Card Issuer: The individual or entity that issues an identity credential to an applicant following the positive completion of all identity proofing, background checks, and related approvals. This role is normally associated with Badge or Credential Issuance. In most Operating Divisions (OPDIVS) or Staff Divisions (STAFFDIVS), it is a function of either Personnel or Physical Security.

PIV Card: A government-issued, credit card-sized identification that contains a microchip, which can be machine-read through direct contact or over very short distances. The holder's facial image will be printed on the card along with other identifying information and security features. The microchip will store a user's access (Public Key Infrastructure (PKI)) certificate, the card holder's unique identifier, and fingerprint biometric. This information can be used to authenticate the user for physical access to federally controlled facilities and logical access to federally controlled information systems.

PIV Card Categories [2]:

Category #1: Federal Employee: Federal employees as defined in title 5 U.S.C. § 2105; individuals employed by, detailed to, or assigned to NIH; members of the PHS Commissioned Corps, Armed Forces, DOD and DOS civilian employees; paid students; or any individual occupying a Full Time Equivalent (FTE) position or Part Time Equivalent (PTE) position.

Category #2: Federal Contractor & Organizational Affiliate: Federal contractors include individuals performing work under contract to NIH, who require regular and prolonged access to NIH-controlled facilities and/or NIH-controlled information systems – for whom the NIH has determined to issue an HHS PIV-II ID Card. 
Organizational affiliates include any individual who does not meet the criteria for federal employee or federal contractor but who does require regular and prolonged physical and/or logical access to NIH facilities and/or information systems and would be issued an HHS credential in accordance with NIH determination.

PIV Digital Signatory: The entity that signs the PIV biometric and cardholder unique identifier of the applicant.

Public Trust Position: Positions in which the incumbent's actions or inactions could diminish public confidence in the integrity, efficiency, or effectiveness of assigned government activities, whether or not actual damage occurs. Also applies to positions in which the incumbents are being entrusted with control over information which the Department has legal or contractual obligations not to divulge.

Registrar: The Personal Identity Verification (PIV) Registrar acts on behalf of the Department or agency to enroll an Applicant into the PIV system, ensure completion of a background check, and approve the issuance of the PIV Card.

Remote Issuer: The Personal Identity Verification (PIV) Remote Issuer is not located at or near a PIV Card Issuing Facility (PCIF). The Remote Issuer serves as a proxy to the Issuer by delivering personalized PIV Cards to authorized Applicants who are also remote to a PCIF.

SAC:  Special Agreement Check  - Criminal history check.

SF: Standard Form

SOP: Standard Operating Procedure

SP:  Special Publication

SSBI: Single Scope Background Investigation  - Required background investigation for individuals seeking Top Secret security clearances.

SSBI-PR: SSBI Periodic Reinvestigation  - Required investigation every five years after an initial SSBI.

Sponsor: The Personal Identity Verification (PIV) Sponsor acts on behalf of the Department or agency to request an Applicant be issued a PIV Card.

Division of Personnel Security and Access Control. National Institutes of Health Office of Research Services. The Gateway to your ID Badge.

Threat:  Any circumstance, event, or person that can potentially harm or adversely affect the organization and its inherent systems, processes, and people.   Events can be things like IT systems; circumstances can be things like employees sharing sensitive information with outside agencies who do not have approved access.

Vulnerability: Defined as any weaknesses in the organizational environment that can be exploited… they exist when there is a flaw or weakness in the existing system… We can help to close the “vulnerability gap” by creating certain “fixes…” An example of these “fixes” is HSPD-12 and supporting processes – both of which will serve as the focus of this session.