General IT Security Services
General IT Security Services includes security policies and guidance promotion, security awareness training; and requests for firewall access, non-expiring passwords and security waivers.
Provides security operations support.
Currently only available to CIT.
Frequently Asked Questions
Q: I am concerned that an automatically expiring password for a service account supporting my application could potentially cause an interruption in service. How do I obtain an exception for my service account so that its password no longer expires automatically every 60 days?
A: To prevent potential service interruptions due to an expiring service account password, an exception to the NIH Password Policy may be requested through the CIT ISSO office. Download and complete the Request for Exception to the NIH Account Lifecycle Policy Password Requirements form available on the NIH OCIO SharePoint site at https://sps.nihcio.nih.gov/OCIO/NIH/Documents/IT-Security-Forms/NIH%20Account%20Lifecycle%20Exception%20Request%20Form.pdf. Note that the form must be completed in its entirety and include compensating controls in-place to mitigate the risk of not changing the account’s password in accordance with the requirements specified in the NIH Password Policy, dated 26 February 2008, available at http://ocio.nih.gov/nihsecurity/pwd_policy.doc. Compliance is monitored and audited by the IRT and the CIT ISSO.
Q: How do I request an exception at the NIH border firewall?
A: Navigate to the NIH IRTForms Web site at https://irtforms.ocio.nih.gov/ and log on using your NIH Login credentials. Click on ‘Request Firewall Exception,’ complete the request form its entirety, and submit it to the CIT ISSO and IRT for review and approval. Note that the system or Web site the exception request is for must be on-line and capable of being scanned by the NIH IRT prior to submission of the exception request. Please also include the the associated service or system the firewall exception is affiliated with (e.g., Central Email Service, NED, etc.), as well as a distribution list email address for the exception point-of-contact. The IRT performs vulnerability and application scanning for all requests. Any vulnerabilities identified must be remediated prior to IRT completing the exception request.
Q: How do I request a waiver for staff needing local administrative access on their workstation?
A. Users with a business need for local administrative access on their NIH workstation may request a local administrative account. However, because granting the local administrative privileges is considered a deviation from the Federal Desktop Core Configuration requirements an NIH Policy Waiver Form (available at http://sps.nihcio.nih.gov/OCIO/NIH/Documents/IT-Security-Forms/NIH-Policy-Waiver_FINAL.doc) must be completed that documents the user’s business need and all relevant compensating controls. Next, the user’s Division Director must review and approve the waiver and submit it to the CIT ISSO either via email (email@example.com) or Fax at (301) 451-5309 for processing. Finally, the user requesting local administrative privileges must complete both the ‘FDCC Systems Administrator Training’ and the ‘HHS Role-Based Training for IT Administrators’ courses available via on the NIH Information Security Awareness Web site (http://irtsectraining.nih.gov/). The request will not be fulfilled without completion of the required training courses and Division Director approval.
Q: I have a new staff member joining my team, what security related training courses must he or she take?
A: All NIH employees, contractors, guests, tenants and visitors that will be granted access to NIH systems and data must complete the Information Security Awareness training course, available via the NIH Information Security Awareness Web site (http://irtsectraining.nih.gov/), prior to receiving their NIH credentials (username and password). The user should be provided their NIH ID number to log on to the NIH Information Security Awareness Web site.
Additionally, the user must complete the Privacy Awareness Course, also available via the NIH Information Security Awareness Web site, upon entry to NIH. Completion of this course is not contingent on the user receiving his or her credentials, but is required within five (5) days from the user’s entry on duty date as established in NED.
Q: I have a new staff member joining my team who will have significant IT security responsibilities; what specialized training courses must he or she take?
A: Depending on the particular role the individual will have, there are HHS and NASA role-based training courses available on-line via the NIH Information Security Awareness Web site (http://irtsectraining.nih.gov/). Additionally, users can be given credit for role-based trainings taken outside of the NIH Information Security Awareness Web site. Completion certificates from these trainings can be directly uploaded by the user to the NIH Information Security Awareness Web site. Please contact the CIT ISSO staff at firstname.lastname@example.org with specific questions regarding what training courses satisfy the training requirement for different roles with significant IT security responsibilities.
Q: I’m working on an NIH project that requires me to access Internet content (non-social networking/Web 2.0) that is currently blocked on NIHnet. How do I request access to these sites?
A: Access to blocked content is granted on an extremely limited basis where a legitimate business need exists. All requests must be documented using the Request for Access to NIH-Blocked Internet Content form available via http://sps.nihcio.nih.gov/OCIO/NIH/Documents/IT-Security-Forms/NIH-Request-for-Access.doc. The request form must be approved by the user’s Division Director, the CIT ISSO, the CIT Executive Officer, and the NIH Chief Information Security Officer (CISO). After obtaining the appropriately approvals, the form will be submitted to the IRT for processing. The user’s workstation will be assigned a static IP address and will be granted access to the normally blocked content.
Q: What do I do if I receive spam e-mail?
Q: What do I do if I forgot my PIN for my NIH PIV card?
A: Users may send an e-mail to CITPIV@mail.nih.gov and request an appointment to have their PIN reset. PIN reset locations are available both on Campus and in the Fernwood Building.
Q: Where can I find more frequently asked questions related to IT security at the National Institutes of Health?
Up to Top