skip to contentNational Cancer Institute
National Cancer Institute U.S. National Institutes of Health

DHHS requires employees and contractors to protect the Department's data by complying with the DHHS Information Security Program Handbook. As part of NIH and DHHS, NCI is subject to this policy, which requires contractor personnel to fulfill a number of requirements. Below is a brief summary of the requirements:

Background Investigations

Background investigations are required for all contractor/subcontractor personnel who have (1) access to sensitive government information, or (2) access to Federal information systems (including those hosted at contractor facilities), or (3) regular or prolonged physical access to Federally-controlled facilities.

The NIH Office of Research Services, Division of Personnel Security and Access Control (ORS/DPSAC) manages the background investigation process. Their website at provides more information on this subject and discusses the process that is involved. Applicants are required to complete and submit a number of forms electronically through an Office of Personnel Management online system called e-QIP. In addition, all applicants must also be fingerprinted. The requirements for this process are changing regularly, so please check the ORS/DPSAC website often.

Additional information about investigations and clearances:

Security Training

Contract staff with access to NIH computer systems must meet a number of computer security training requirements. Initially, contractors must complete the NIH Computer Security Awareness Training at prior to beginning work on a contract. Following that, there is a requirement for an annual computer security awareness refresher that must be completed on a schedule announced by NIH each year. Contract personnel designated by the government as having “significant IT security responsibilities” will be required to take security training related to their role.

Personnel Separation Documentation

Contractor must complete the employee separation checklist immediately upon removal of an employee from the contract and return the form to the project officer. This is required so that NCI can quickly remove employee’s access to NCI IT systems.

Systems Security Plan

A System Security Plan (SSP) is required for all IT systems hosted at a contractor or subcontractor facility. A contractor system is defined as a general support system or application hosted or maintained by contractor staff. When a system security plan is required, contractors must follow the NIST Special Publication 800-18 Guide for Developing Security Plans for Federal Information Systems.

Download Plugins:   Download Plugin Adobe Acrobat Reader   Download Plugin Adobe Flash Player   Download Plugin Microsoft Word Viewer   Download Plugin Microsoft Excel Viewer   Download Plugin Microsoft PowerPoint Viewer   Download Plugin Real Player   Download Plugin Windows Media Player   Download Plugin Quicktime Player   Download Plugin WinZip

Last Reviewed:  February 8, 2011