Chapter 30 - Homeland Security Presidential Directive - 12

5-30.1 INTRODUCTION

1. Purpose.  The purpose of this policy is to establish the Indian Health Service (IHS) standards and requirements for complying with the “Homeland Security Presidential Directive - 12 (HSPD-12), Policy for a Common Identification (ID) Standard for Federal Employees and Contractors,” in accordance with applicable law.  
2. Background.  The HSPD-12 directive was issued August 27, 2004, to establish a mandatory government-wide standard for secure and reliable ID issued by the Federal Government.  The initial objective of HSPD-12 was to issue a Personal ID Verification (PIV) card to every Federal employee and contractor based on a consistent identity proofing standard.  The Office of Management and Budget (OMB) issued Memorandum 11-11 requiring agencies to implement policy for the use of PIV credentials.
3. Scope.  This policy applies to all IHS employees and contractors, who require physical access to federally controlled facilities and/or logical access to the IHS network systems.  This policy establishes the standard use for the four HSPD-12 access cards accepted at the IHS.  This policy also establishes when the IHS will issue access cards to employee/contractors of Tribes or Tribal organizations that operate programs, functions, services, or activities pursuant to an Indian Self?Determination and Education and Assistance Act agreement with the IHS (hereinafter Tribal Health Programs (THPs)).  The HSPD-12 requirements do not directly apply to Tribes and Tribal organizations; however, the IHS must ensure that THP employees or contractors who are working in federally controlled facilities, or require logical access to the IHS network, meet the HSPD-12 requirements.  Tribal Employees who are working in federally controlled facilities, or require logical access to the IHS network, will not be provided such access unless the Tribal Employee meets the HSPD-12 requirements.  The determination that criteria for issuance of an HSPD-12 compliant access card to a THP employee or contractor has been met is an inherently Federal function that must be performed by the Federal Government, but the cost associated with such determinations (including the background check and the issuance of the HSPD-12 compliant card) may be the responsibility of the entity receiving the benefit, as outlined by an agreement between the IHS and the respective THP.    
4. Policy.  It is the IHS policy that all staff and contractors who require physical access to federally controlled facilities and logical access to the IHS Information Technology (IT) networks and systems must obtain an HSPD-12-compliant access card.  Individuals will be issued an access card upon meeting the HSPD-12 requirements and a favorable background investigation.
5. Authorities.
   1. Homeland Security Presidential Directive-12, “Policy for a Common Identification Standard for Federal Employees and Contractors,” dated August, 2004.
   2. Office of Management and Budget (OMB) Memorandum 05-24 (M-05-24), “Implementation of Homeland Security Presidential Directive (HSPD) 12- Policy for a Common Identification Standard for Federal Employees and Contractors,” dated August 2005.
   3. OMB Memorandum 11-11 (M-11-11), “Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 Policy for a Common Identification Standard for Federal Employees and Contractors,” dated February 2011.
   4. U.S. Department of Commerce, National Institute of Standards and Technology (NIST) Federal Information Processing Standards Publication 201-3 (FIPS 201-3), “Personal Identity Verification of Federal Employees and Contractors,” dated January 2022.
   5. NIST Special Publication (SP) 800-79-2, “Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers,” dated July 2015.
   6. U.S. Office of Personnel Management (OPM) Memorandum, “Final Credentialing Standards for Issuing Personal Identity Verification Cards under HSPD-12,” dated July 2008.
   7. OPM Memorandum, “Credentialing Standards Procedures for Issuing Personal Identity Verification Cards under HSPD-12 and New Requirement for Suspension or Revocation of Eligibility for Personal Identity Verification Credentials,” dated December 2020.
   8. Code of Federal Regulations (CFR) Title 5, Administrative Personnel, Volume 1, part 316, “Temporary and Term Employment.”
   9. U.S. Department of Health and Human Services (HHS) policy, “HHS HSPD-12 Implementation Policy for the Use of Personal Identity Verification (PIV) Card for Strong Authentication,” dated January 2017.
   10. The HHS policy, "HHS Foreign Visitor Management Policy," dated August 30, 2011.
   11. Federal Acquisition Regulation (FAR) 2.101, “Definitions of Words and Terms.”
   12. 44 U.S.C. § 3502(8), “Public Printing and Documents, Coordination of Federal Information Policy, Section 3502 – Definitions.”
   13. 44 U.S.C. § 3554(a)(1)(A), “Public Printing and Documents, Coordination of Federal Information Policy, Subchapter III – Information Security, Section 3554 - Federal Agency Responsibilities.”
   14. OPM, Federal Investigations Notice No. 15-3, “Implementation of Federal Investigative Standards for Tier 1 and Tier 2 Investigations,” (November 4, 2014).
6. Definitions. 
   1. Access Card.  A card that meets HSPD-12 requirements and grants individuals’ physical access to facilities and/or logical access to systems.  The IHS accepts four types of card credentials, also referred to as HSPD-12 access cards.
      1. The IHS PIV card is the primary type of HSPD-12 access card issued to IHS employees and contractors for physical and logical access to the network,
      2. Alternate Logon Token (ALT) card is used for access to privileged network systems as an administrator,
      3. Common Access Card (CAC) is a Uniformed Services access card accepted at the IHS, generally for active duty United States Public Health Service (USPHS) Commissioned Corps Officers.  The CAC can be used to access applications in the HHS Access Management System, but cannot be used to access PIV-exclusive systems (e.g., Integrated Time and Attendance System), and
      4. Restricted Local Access (RLA) badge is the equivalent version of a PIV card, but is only used for individuals who require access, but would otherwise be ineligible for a PIV card (e.g., a Foreign National or short-term staff).
   2. ALT Card.  The ALT card is a type of access card used for privileged logical access, and requires two-factor authentication.  The IHS only issues ALT cards to individuals with unexpired, active PIV cards, and who have a business need.
   3. Background Investigation (BI).  Process of obtaining and evaluating information about an applicant's employment, criminal, and personal history in an effort to investigate behavioral reliability, integrity, and personal conduct.  Background investigations are evaluated to determine whether there are any historical facts that would interfere with an applicant's ability to perform the job, including violations of statutes, regulations, or laws.  The PIV card may be issued to the individual in the interim through pre-employment investigative screening prior to full completion of the background investigation.  Interim PIV issuance requires, at a minimum, adjudication of the applicant’s criminal fingerprint check, electronic application, and all other documents required for the background investigation.  A favorable interim determination is commonly referred to as being pre-cleared for employment, and allows the applicant to start working while the full background investigation is pending completion with the IHS’s Investigative Service Provider, Defense Counterintelligence and Security Agency (DCSA).  Upon completion of the full background investigation, favorable results are adjudicated and a final national security or public trust determination is made. 
   4. Biometric.  A measurable physical characteristic used to recognize the identity of an individual.  Biometric data located in the PIV card are used for authentication purposes.  Examples include fingerprints and photos.
   5. CAC.  The CAC is the standard HSPD-12 access card issued to active duty uniformed service personnel, Selected Reserve, Department of Defense (DoD) civilian employees, and eligible contractor personnel.  The CAC is a type of access card.
   6. Contractor.  An individual who has executed a contract, or is employed by a company that has executed a contract with the IHS for the purpose of performing paid work or services for the agency. 
   7. Employee.  Federal employees as defined by Title 5 United States Code (U.S.C.) §2105.  This includes “Employees,” who are employed by the IHS or the USPHS Commissioned Corps.
   8. Enrollment Official.  An individual who verifies identity information from an applicant by obtaining and verifying biographic data; validating identity source documents for authenticity; capturing and verifying biometrics; and photographing the applicant.
   9. Enrollment Work Station (EWS).  A software application that manages the identity validation, verification, and enrollment process.  This software is purchased and installed on select workstations in the IHS Headquarters, Area offices and/or Service Units.  It can be found in the PIV Card Issuance Facility (PCIF) where the enrollment official completes enrollments.
   10. Federally Controlled Facility.  Federally owned or leased space in accordance with the FAR Subpart 2.1., including:
       1. Buildings with single or multi-tenant occupancy and their grounds and approaches, all or any portion of which is under the jurisdiction, custody or control of an agency;
       2. When federally controlled space is shared with non-government tenants, the directive is only applicable to Federal space;
       3. Federally owned space that is FAR contractor-operated; and
       4. Facilities under a management and operating contract, such as for operation, maintenance or support of a federally controlled establishment.
   11. Federally Controlled Information System.  Also referred to as the IHS network and applications that reside on the IHS network. An information system used or operated by a Federal agency, or a contractor or other organization on behalf of the agency.
   12. Foreign Nationals.  An alien, i.e., any person not a citizen of the United States (U.S.) or any person who was born outside the jurisdiction of the U.S., is a citizen of a foreign country, and has not become a naturalized U.S. citizen under U.S. law.  This includes legal permanent residents, also known as permanent resident aliens (22 U.S.C. § 6023(8) and 8 U.S.C. § 1101(a)(3)).
   13. Identity Proofing.  The process used in accordance with the “FIPS 201-3 List of Identity Source Documents” (see Manual Exhibit 5-30-E) for an applicant or current employee/contractor to provide sufficient documents (e.g., a valid government or state-issued photo ID card) to a Sponsor, Enrollment Official, Registrar, or Issuer for the process of verifying the identity of the PIV card applicant or current employee/contractor.
   14. Issuance Work Station (IWS).  A software application that manages the identity verification and issuance process.  This software application is purchased and installed on select workstations at the IHS Headquarters, Area offices and/or select Service Units.  It is located in the PCIF where the issuer performs all card issuance activities.
   15. Issuer.  A designated individual who assigns a PIV card to the PIV card applicant and activates it following the completion of all identity proofing, background checks, and related security approvals.  An issuer issues access cards, including the PIV card and sets personal ID numbers (PIN).
   16. PIV Card.  A Government-issued ID card, bearing a color photograph of the employee, along with other identifying information and security features.  This is the primary access card used to gain physical access to IHS facilities and access to the IHS IT networks, information, systems and information.  Use of a PIV card provides a higher level of assurance than by user name and password.  The PIV card can be used in conjunction with other access cards (e.g. with an ALT card for IT administrators, or CAC for active duty).  (See table in section 5-30.3 for the Access Card Type.)
   17. PCIF.  A physical location with equipment, staff, and documentation that is able to perform enrollments, issuance, or maintenance for PIV cards.
   18. RLA.  An access card to provide physical and/or logical access when a PIV access card cannot be issued, but the individual would otherwise require a PIV.  This card is generally limited to HHS staff that are foreign nationals.  The IHS accepts RLA cards, but does not issue RLA cards to individuals.
   19. Smart Card Management System (SCMS).  A HHS computer software application system that meets HSPD-12 requirements to provide physical and logical identity and access management.  The SCMS manages all active and disabled profiles for the HHS staff. 
   20. Sponsor.  The designated official responsible for determining each applicant’s need for a PIV card.

5-30.2 ORGANIZATIONAL RESPONSIBILITES

1. Director, Indian Health Service.  The Director, IHS, is administratively responsible for the establishment and direction of the HSPD-12 program.
2. Director, Office of Management Services (OMS).  The Director, OMS, is responsible for overseeing the implementation of the HSPD-12 policy.
3. Director, Division of Administrative and Emergency Services (DAES).  The Director, DAES, is responsible for planning, developing, and administering the IHS-wide HSPD–12 program by regularly overseeing and evaluating its operations, services, and functions.  Additionally, the Director, DAES serves as the Senior Authorizing Official for the IHS HSPD-12 Program and PCI Manager for the IHS.  The Director of DAES is responsible for:
   1. Overseeing the HSPD-12 program for the IHS and manages the overall day-to-day IHS PCI operations, services, and functions;
   2. Developing and implementing the IHS policy to ensure PIV issuance is compliant with all regulations, laws, and HHS requirements;
   3. Providing the IHS access card status reports from the SCMS to the Headquarters and Area HSPD-12 staff;
   4. Provisioning access to roles within the SCMS, as required to perform duties, and verifying successful completion of role training in the SCMS;
   5. Revoking access to roles within the SCMS upon any substantiated security risk or violation of Federal authority;
   6. Revoking the PIV card used for physical and/or logical access in accordance with the OPM’s Final Credentialing Standard when an individual has not been favorably adjudicated with from a background investigation or the IHS PIV card has expired;
   7. Ensuring no individual holds more than one active HHS PIV, or access card;
   8. Providing leadership on the Physical Access Control Systems and Physical Security Program;
   9. Conducting the NIST SP 800-79-2 annual assessment activities and reporting the outcomes to the HHS; and
   10. Managing the daily PCI program operations for the IHS.
4. Director, Division of Personnel Security and Ethics (DPSE).  Serves as the official IHS Registrar and Enrollment Official for Federal Civilian Employees and is responsible for:
   1. Developing policy and procedure for background investigations, suitability and all other personnel security requirements; and
   2. Overseeing and ensuring continuous personnel security evaluation for Federal Civilian Employees, USPHS Commissioned Officers, and Contract Staff.
5. Director, Division of USPHS Commissioned Personnel Support.  Serves as the official sponsor, Registrar and Enrollment Official for all USPHS Commissioned Corps officers and is responsible for:
   1. Ensuring all USPHS Commissioned Corps Officers, as defined by 42 U.S.C. § 204, meet the HSPD-12 requirements for PIV credentials, including a CAC issued by the DoD and/or a PIV card issued by the IHS; and
   2. Coordinating PIV card issuance with DAES when a USPHS Commissioned Corps Officer requires an IHS PIV card.
6. IHS Senior Privacy Act (PA) Officer.  The IHS Senior PA Officer serves as the Privacy Official for the IHS HSPD-12 program and is responsible for:
   1. Ensuring privacy policies are in place;
   2. Identifying the correct System of Records Notice for the records in the IHS holdings;
   3. Receiving privacy complaints related to the program; and
   4. Ensuring privacy complaints are resolved.
7. Area Personnel Security Representative (PSR).  The Area PSR is responsible for:
   1. Ensuring new employees are successfully pre-cleared before they come onboard;
   2. Ensuring all renewal employees have updated position descriptions and current background investigation on file before making a renewal request; and
   3. Making requests to Headquarters DAES for PIV card renewals.
8. Area PCIF Manager.  The Area PCIF Manager is responsible for:
   1. Managing daily PIV activities in the Area Office and Service Units in their service area;
   2. Monitoring PIV certificate and card expiration dates for Area staff;
   3. Ensuring notification is sent to Area employees and contractors about their expiring PIV card, and providing the steps to renew their PIV card;
   4. Ensuring PIV cards and SCMS records are terminated within 18 hours of separation from the IHS in accordance with FIPS 201-3; and
   5. Issuing designation letters to authorize Area employees to perform HSPD?12 duties, including sponsorship, enrollment, and PIV or ALT card issuance.  All roles are approved by the Director, DAES after mandatory training taken in the HHS SCMS.  All designation letters must be kept on file by the PCIF Manager.
9. Employees and Contractors.  Employees and contractors who are issued an IHS PIV card are responsible for:
   1. Completing all required documents for PIV credentialing;
   2. The “Digital Credential Acceptance Agreement” (see Manual Exhibit 5-30-A) and “Privacy Statement” (see Manual Exhibit 5-30-B);
   3. Ensuring their PIN is protected;
   4. Immediately reporting a lost, stolen, or damaged access card to their PCIF Manager (see Manual Exhibit 5-30-F);
   5. Always carrying their PIV card while on duty, (i.e., do not leave a PIV card unattended in a card reader, in an unlocked drawer, or at a desk); and
   6. Following the IHS policies regarding access to buildings and IHS network systems.

5-30.3 PROCEDURES

In accordance with HHS policy, the IHS accepts several types of badges to gain access to its facilities and network/system (logical access), including, PIV Card, CAC, RLA card or ALT Token, and ALT card.  All of these cards may also be referred to as a SMARTCARD.  See Table 1 for HSPD-12 access card types. 

Table 1. HSPD-12 Access Card Types

Access Card Type	Type of Access Granted
IHS PIV Card	Both physical access to the facility and logical access to the IHS network.
IHS ALT Card	Only logical access to the IHS network for IT administrators.
RLA Card	Both physical access to the facility and logical access to the IHS network, only used when a PIV card cannot be issued and access is required.
CAC Card	Type of DoD access card used at the IHS for logical access to HHS Access Management System (AMS) network applications.

1. Obtaining a new IHS PIV Card.  The IHS PIV card is the primary access method for IHS employees and contractors to gain physical access to IHS federally controlled facilities and for access to the IHS network.  Use of the IHS PIV card provides a higher level of assurance than by user name and password.  IHS PIV cards are issued upon meeting HSPD-12 and background investigation requirements. 
   1. Obtaining a PIV Card. 
      1. No IHS PIV card shall be issued without, at a minimum, the completion of a criminal fingerprint check with favorable results after adjudicative review, and the proper completion, review and adjudication of the electronic application, including the submission of other documents required for the background investigation.
      2. Headquarters and Area background investigation requirements must be submitted to the DPSE in order to determine the level of investigation required for a position.  The minimum standard for any PIV card holder is a favorably adjudicated Tier 1 background investigation; however, some positions may require a higher-tiered investigation.  See the Federal Investigations Notice No. 15-3, “Implementation of Federal Investigative Standards for Tier 1 and Tier 2 Background Investigations.”
      3. Upon pre-clearance from the DPSE or the PSR, and a date of entry provided by the Office of Human Resources (OHR), the IHS PIV card will be initiated by completing the “HHS ID Badge Request.” The HHS also uses the digital equivalent in the SCMS, “The Alternate Request for Personnel Security and Badging Services” form (see Manual Exhibit 5-30-C and Manual Exhibit 5-30-D, respectively), signed by a direct supervisor or project officer and provided to the Enrollment Official.
      4. The direct supervisor or project officer must also make an electronic request for network credentials to be associated to the IHS PIV card (i.e., a D1 network account in the SailPoint/IAMsystem.  See IHM Part 8- Chapter 21, “Access Control.”
      5. The Information System Security Officer (ISSO) shall approve the electronic request for network credentials upon their review and confirmation a PIV card has been issued.
      6. The Enrollment Official performs the identity proofing and takes the applicant’s biometrics using the EWS application.
      7. The issuer issues the IHS PIV card using the IWS application.
      8. If a final adjudication of the background investigation is found unfavorable by the DPSE and reported to the PCIF Manager, the PIV card will be revoked.
2. Renewing an IHS PIV Card.  The PIV card must be renewed prior to expiration­.  All renewal requests must meet the same requirements as for obtaining a new PIV card, with the additional subsections below:
   1. A PIV card is set to a maximum expiration date of five years and nine months and must be renewed prior to the expiration date set on the card;
   2. A renewal will require full re-enrollment when the PIV has expired prior to processing the request, including time if the request is made before a valid investigation is on file.
      A renewal will require full re-enrollment when either the fingerprints or the photo will reach twelve years old on the PIV card, in accordance with the enrollment threshold set in NIST SP 800-79-2.
3. Obtaining an IHS ALT Card.  An ALT card contains an embedded computer chip used exclusively for logical access and does not contain a photo.  An IHS ALT card can only be issued to a user who already has an active, unexpired PIV, CAC, or RLA card.  The IHS ALT cards are generally either issued to provide access to elevated IHS network systems (e.g., information technology staff who require privileged network access), or when the current access card is limited to non-IHS network systems (e.g., a PIV card holder from another agency is detailed to the IHS and requires network access).  The ALT card is issued by the IHS HSPD-12 staff after an ALT Card Request is approved and signed by Headquarters or Area ISSO.
4. Obtaining a CAC.  The CAC is an ID card only issued by the DoD and is accepted for use at the IHS as an acceptable IHS PIV card.
   1. The CAC is the primary access card issued to The USPHS Commissioned Corps Officers by the DoD, and is used to authenticate identity and gain access in the HHS AMS, without the need for an additional IHS PIV card.
   2. The IHS USPHS Commissioned Corps Officers who may also require an IHS PIV card for the IHS network access must contact their USPHS Commissioned Corps Liaisons to initiate a request for an IHS PIV card.
5. Obtaining a RLA Card.  The RLA access card functions similarly to a PIV card, but is only used for Foreign Nationals or short-term employees, who are not eligible to apply for a PIV card.  The IHS does not issue RLA cards, but accepts HHS-issued RLA cards for access at the IHS.  The RLA card is graphically personalized with a photo to establish the holder's identity, contains an embedded computer chip and meets the majority of the technical specifications of FIPS 201-3 for a PIV card.
6. Contractors.  The supervising official will determine if the contractor will be subject to PIV credentialing requirements for physical and logical access, in line with the below requirements. 
   1. Long-term contractors are defined as working in excess of four months (or 120 days, consecutively) for the purpose of background investigations.  All long-term contractors must have, at minimum, a favorably adjudicated Tier 1 background investigation.  Some positions may require a higher-tiered investigation, in accordance with the OMB M-05-24 Sections, 7.F “Applying guidance to temporary employees and contractors.”
   2. Short-term contractors are defined as working for less than six months or 1040 hours in a one-year period of service for the purpose of HSPD-12, in accordance with 5 CFR Part 316.  Short-term contractors are not issued a PIV card, except when required for routine facility or network access. Short-term contractors are subject to an investigation conducted in accordance with the risk/sensitivity of the position.
   3. Temporary hires and volunteers are defined as working for 120 days or less.  The supervising official will determine whether a temporary hire working 121 days or more will be subject to PIV credentialing requirements based on the need for network and facility access.  Temporary hires are subject to all personnel security requirements.
7. Tribal Health Programs.  Employees and contractors of Tribal Health Programs who are working in federally controlled facilities, or require logical access to the IHS network, will not be provided such access unless they meet the HSPD-12 requirements. Please Note: HSPD-12 requirements are similar but distinct from suitability determinations that apply to Federal employees under 5 C.F.R. Part 731.
8. Foreign Nationals.  The IHS will accept an HHS RLA as an acceptable HSPD-12 access card.
   1. Foreign Nationals who have resided in the U.S. for at least three of the past five years are subject to the requirements of this policy for PIV credentialing and are processed for a PIV card.
   2. Foreign Nationals who have resided in the U.S. for less than three of the past five years do not meet the minimum eligibility requirements for a background investigation and will not be issued a PIV card.
   3. A Foreign National who intends to perform work for the IHS, but does not qualify for a PIV card, will be subject to a non-national background check.  To qualify for an HHS RLA, a Foreign National must first be screened and pass a name check against the Federal Bureau of Investigations File, the Terrorist Screening Database, and pass the U.S. Citizenship and an Immigration Services Check against the Systematic Alien Verification for Entitlements system. 
   4. The IHS does not issue RLA access cards and may choose to delay the PIV credential and background investigation request until the Foreign National becomes qualified for an IHS PIV card.  During that time, a Foreign National will not have access to IT systems, and must follow HHS visitor protocol for Foreign Nationals until an HSPD-12 access card is issued.
9. Headquarters Specific Procedures.
   
   The IHS Headquarters is the only IHS location with the approved PIV card printer, and will print and distribute all IHS PIV and all IHS ALT cards to Area Offices.  Once Area staff have enrolled an employee or contractor for a PIV card by taking their photo using their local EWS software, Headquarters will print and ship the card to be issued by the Area on their local IWS software.
   
   The IHS Headquarters PCI staff will enroll IHS Headquarters employees and contractors, and issue their IHS PIV and ALT cards at the Headquarters PCIF.
10. Area Specific Procedures.
    1. The IHS Area Offices will receive all IHS PIV and IHS ALT cards from IHS Headquarters and distribute to Service Units for issuance.
    2. The IHS Area Offices and/or Service Unit PCI staff will issue IHS PIV and ALT cards to their respective staff.
11. Separation of Duties.
    1. Individuals cannot perform all HSPD-12 roles for one single applicant (e.g., one single person cannot sponsor, enroll, adjudicate, and issue the IHS PIV credentials for one applicant).
    2. Individuals with access to SCMS records shall not make changes to their own record.
    3. The IHS HSPD-12 staff will maintain a separation of duties from the information technology programs in accordance with the IHM Part 8- Chapter 12 - IT Security https://www.ihs.gov/ihm/pc/part-8/p8c12/.
12. Records.  The HHS Badge Request Form 745 (Manual Exhibit 5-30-C) is a record of “credential badges” (such as smart cards) that are based on the HSPD-12 standards for ID cards issued to Federal employees, contractors, and affiliates, and used to verify the identity of individuals seeking physical access to federally controlled Government facilities, and logical access to Government information systems.  The IHS PIV card application process is recorded in the HHS Badge Request Form 745, which documents who took the action, what action was taken, when and where the action took place, and what data was collected.  Damaged, lost or stolen credential documentation is recorded in the Lost Stolen Damaged Incident Report (Manual Exhibit 5-30 F).  All records must be kept in accordance with the General Record Schedule 5.6 Security Records item 120, “Personal identification credentials and cards,” Disposition Authority Number DAA-GRS-2017-0006-0016.  Background investigation records should follow the OPM and/or the DoD disposition schedule and policy for their System of Records.
13. Misuse.  Unauthorized possession of any access card or willfully providing an access card to an unauthorized individual is prohibited and can be criminally prosecuted under 18 U.S.C. §§ 499 and 701, which prohibit photographing or otherwise reproducing or possessing the HHS ID cards in an unauthorized manner, under penalty of fine, imprisonment, or both.  The individual may be subject to corrective action, including reprimand, being placed on administrative leave, or termination by the agency following an infraction.  Misuse should be reported through the IHS Incident Response process in compliance with Federal Information Security Modernization Act, as amended, 44 U.S.C. §§ 3551-3559.