These Rules hold users accountable for their actions and responsible
for information security. They apply to local, network, and remote use
of HHS/NIH information (in both electronic and physical forms) and
information systems by all NIH users, including federal employees,
contractors, and other system users.
I assert my understanding that:
- Information and system use must comply with HHS and NIH policies and standards, and with applicable laws.
- Use for other than official, assigned duties is subject to the NIH Policy on Limited Authorized Personal Use of NIH Information Technology Resources.
- Unauthorized access to information or information systems is prohibited.
- Users must prevent unauthorized disclosure or modification of
sensitive information, including Personally Identifiable Information
General Security Practices
- Follow NIH security practices whether working at my primary workplace or remotely;
- Accept that I will be held accountable for my actions while accessing and using HHS/NIH information and information systems;
- Ensure that I have appropriate authorization to install and use
software, including downloaded software on NIH systems and that before
doing so I will ensure that all such software is properly licensed,
approved, and free of malicious code;
- Wear an identification badge (or badges, if applicable) at all
times, except when they are being used for system access in federal
- Lock workstations and remove Personal Identity Verification (PIV) cards from systems when leaving them unattended;
- Use assigned unique identification and authentication mechanisms, including PIV cards, to access HHS/NIH systems and facilities;
- Complete the NIH Information Security Awareness Training before
accessing any HHS/NIH system and on an annual basis thereafter, complete
the NIH Information Security and Privacy Awareness Refresher and any
specialized role-based security, as required by NIH policies. For
further guidance, refer to the HHS CISO Memorandum on Role-Based Training (RBT) of Personnel with Significant Security Responsibilities and the HHS CIO Memorandum on Training of Individuals Developing and Managing Sensitive Systems;
- Permit only authorized HHS/NIH users to use HHS/NIH equipment and/or software;
- Take all necessary precautions to protect HHS/NIH information assets
(including but not limited to hardware, software, personally
identifiable information (PII), protected health information (PHI), and
federal records [media neutral]) from unauthorized access, use,
modification, destruction, theft, disclosure, loss, damage, or abuse,
and treat such assets in accordance with any information handling
- Immediately report to the NIH IT Service Desk—within one hour:
  - All lost or stolen NIH-issued laptops, Blackberries, and smartphones.
    - Also notify your supervisor and your Information Systems Security Officer (ISSO).
    - As soon as possible, notify law enforcement personnel, the building security office and your IC property manager.
  - A suspected or confirmed loss of PII.
- Notify the NIH IT Service Desk, as soon as possible, of known or
suspected security incidents, information security policy violations or
compromises, or suspicious activity. Known or suspected security
incidents include actual or potential loss of control or compromise
(whether intentional or unintentional) of your login name and password,
and of other sensitive NIH information maintained by or in the possession
of HHS/NIH, or information processed by contractors and third parties on
behalf of HHS/NIH.
- Maintain awareness of risks involved with clicking on e-mail or text message web links;
- Only use approved methods for accessing HHS/NIH information and HHS/NIH information systems; and
- Ensure important data is backed up.
- Understand and consent to having no expectation of privacy while accessing HHS/NIH computers, networks, or email;
- Collect information from members of the public only as required by
my assigned duties and permitted by the Privacy Act of 1974, the
Paperwork Reduction Act, and other relevant laws;
- Release information to members of the public including individuals
or the media only as allowed by the scope of my duties and the law;
- Refrain from accessing information about individuals unless specifically authorized and required as part of my assigned duties;
- Use PII only for the purposes for which it was collected, to
include conditions set forth by stated privacy notices and published
System of Records Notices. Information systems containing personally
identifiable information (e.g., SSN, name, photo, and patient ID number)
must be covered by a Privacy Act (PA) System of Records (SOR) Notice
and will likely have added security controls I must follow. Contact
your IC PA Coordinator for questions; and
- Ensure the accuracy, relevance, timeliness, and completeness of PII,
as is reasonably necessary and to the extent possible, to assure
fairness in making determinations about an individual.
Information is considered sensitive if the loss of
confidentiality, integrity, or availability could be expected to have a
serious, severe or catastrophic adverse effect on organizational
operations, organizational assets, or individuals. PII is a subset of
sensitive information and is defined as data which can potentially be
used to identify, locate, or contact an individual, or potentially
reveal the activities, characteristics, or other details about a person.
Review the Guide for Identifying and Handling Sensitive Information at
the NIH.
- Treat computer, network and web application account credentials
as private sensitive information and refrain from sharing accounts;
- Secure sensitive information, regardless of media or format, when left unattended;
- Keep sensitive information out of sight when visitors are present;
- Sanitize or destroy electronic media and papers that contain
sensitive data when no longer needed, in accordance with NIH records
management (contact your IC Records Management Officer for questions) and sanitization policy and guidance, or as otherwise directed by management. Hard copies of sensitive data should be destroyed by pulping or shredding;
- Access sensitive information only when necessary to perform job functions; and
- Properly protect (e.g., encrypt) HHS/NIH sensitive information at
all times while stored or in transmission, in accordance with the HHS Standard for Encryption of Computer Devices.
- Encrypt sensitive data if sending via email or fax outside of the NIHnet perimeter.
- PII that is distributed or communicated via email must always be encrypted using FIPS 140-2 compliant encryption, whether the PII is within an attachment or part of the actual message;
- Include the following disclaimer on fax cover sheets when sending faxes:
The attached information may be confidential. It is intended only for
the addressee(s) identified above. If you are not the addressee(s), or
an employee or agent of the addressee(s), please note that any
dissemination, distribution or copying of this communication is strictly
prohibited. If you have received this fax in error, please destroy the
document and notify the sender of the error.
I must not:
I must refrain from the following activities when using federal government systems, which are prohibited per the Limited Authorized Personal Use of NIH Information Technology Resources.
- Unethical or illegal conduct;
- Sending or posting obscene or offensive material;
- Sending or forwarding chain letters, email spam, inappropriate messages, or unapproved newsletters and broadcast messages;
- Sending messages supporting prohibited partisan political activity as restricted under the Hatch Act;
- Conducting any commercial or for-profit activity;
- Using peer-to-peer (P2P) software except for secure tools approved
in writing by the NIH CIO to meet business or operational needs;
- Sending, retrieving, viewing, displaying, or printing sexually explicit, suggestive text or images, or other offensive material;
- Creating and/or operating unapproved Web sites or services;
- Allowing personal use of HHS/NIH resources to adversely affect
HHS/NIH systems, services, and co-workers (such as using non-trivial
amounts of storage space or bandwidth for personal digital photos,
music, or video);
- Using the Internet or NIH workstation to play games or gamble; and
- Posting HHS/NIH information to external newsgroups, social media and
other types of third-party website applications, or other public forums
without authority, including information which is at odds with HHS/NIH
missions or positions. This includes any use that could create the
perception that the communication was made in my official capacity as a
federal government employee, unless I have previously obtained
appropriate HHS/NIH approval.
Federal Acknowledgement Statement
I have read the NIH Rules of Behavior, and understand and agree to comply with its provisions.
- I understand that when accessing a U.S. Government information
system (which includes: 1) the computer, 2) the computer network, 3) all
computers connected to that network, and 4) all devices and storage
media attached to that network or to a computer on that network), use of
the system is for U.S. Government-authorized use only. By using the
information system, I understand and consent to the following:
  - I have no reasonable expectation of privacy regarding any
  communications or data transiting or stored on the information system,
  including removable storage media in my possession or work spaces. At
  any time, and for any lawful Government purpose, the government may
  monitor, intercept, record, and search and seize any communication or
  data transiting or stored on the information system or contained in
  removable storage media.
  - Any communication or data transiting or stored on the information
  system may be disclosed or used for any lawful Government purpose.
- I understand that violations of the NIH Rules or information
security policies and standards may lead to disciplinary action, up to
and including termination of employment; removal or debarment from work
on Federal contracts or projects; and/or revocation of access to Federal
information, information systems, and/or facilities and may also
include civil and criminal penalties and/or imprisonment.
- I understand that exceptions to the NIH Rules must be authorized in
advance in writing by the NIH Chief Information Officer or his/her
- I also understand that violation of laws, such as the Privacy Act of
1974, copyright law, and 18 USC 2071, which the Rules draw upon, can
result in monetary fines and/or criminal charges that may result in
Last Revised: 4/17/2014