HHS Guidelines for Ensuring and Maximizing the Quality, Objectivity, Utility, and Integrity of Information Disseminated to the Public. V. Agency Quality Assurance Policies, Standards, and Processes for Ensuring the Quality of Information Disseminated to the Public

10/01/2002

  1. Overview

    All NIH documents and audiovisuals must be prepared in accordance with professional and ethical standards, as well as generally accepted standards of good taste. They must be appropriate for dissemination by this Federal agency, and must undergo appropriate review and approval prior to release. NIH must adhere to the laws and regulations applying to publications and audiovisuals, including OMB Information Quality Guidelines, the HHS Printing Handbook, and relevant NIH Manual chapters. NIH efforts to ensure and maximize information quality begin at the preparation stage, and continue through the review and approval stages. Existing NIH policies developed in concert with Federal computer security laws provide appropriate security safeguards to ensure integrity of NIH documents, i.e., ensure that the information is protected from unauthorized access, revision, corruption, or falsification.

    The NIH has many quality control measures embedded in the scientific process to ensure that the information disseminated is of the highest quality. NIH grant applications undergo rigorous scientific review. Scientific journals do not publish articles until they have gone through a similar peer review process. There is a tension inherent in biomedical research between releasing information in a timely fashion and waiting for the peer review process to result in a published article. Sometimes the NIH provides "late breaking news" to the public on research findings prior to publication in scientific journals and prior to peer review by the journals. However, when it does so, there is an internal review process that routinely draws upon external expertise and monitoring/advisory review boards to ensure that information disseminated to the public summarizes the facts as they are currently known, and that appropriate disclaimers are attached.

    The policies and procedures to be followed in the preparation, review, approval, and distribution of NIH information materials, including scientific and professional materials, can be found in NIH Manual Chapter 1183: NIH Publications and Audiovisuals: Preparation, Review, Approval, and Distribution and NIH Manual Chapter 1184: Scientific and Professional Information Presented By NIH Employees: Review, Approval, and Distribution. The procedures currently in place were developed to be sensible, workable, flexible, and timely, and were updated in February 2002 to better articulate OMB, HHS, and NIH information quality guidelines. In the scientific and research context, technical information that has been subjected to formal, independent, external peer review is generally presumed to be of reasonable quality.

    The general principles concerning the responsibilities of the NIH research staff in the collection and recording of data, publication practices, authorship determination, peer review, confidentiality of information, collaborations, human subjects research, and financial conflicts of interest are exemplified in the "Guidelines for the Conduct of Research in the Intramural Research Programs at NIH." These guidelines can be found on the Web (www.nih.gov/news/irnews/guidelines.htm). NIH recognizes the scientific need for replication of findings, and encourages data sharing as appropriate. After publication, the research data, any unique reagents, and any supporting data that form the basis of the communication in question should be made available promptly and completely to all responsible scientists seeking further information. Exceptions may be necessary to maintain the confidentiality of clinical data or if unique materials were obtained under agreements that preclude their dissemination. Investigators should retain research data long enough to allow replication of study results -- in general, 5 to 7 years.

  2. NIH Information Review and Approval Policies and Procedures by Type of Information

    The review, approval, and dissemination of substantive scientific information by NIH and/or its ICs require adherence to appropriate clearance procedures set forth in NIH Manual Chapters, internal Web sites, or memos, and are consistent with HHS and OMB guidelines. The originating office is responsible for obtaining the necessary clearances for reproduction and distribution of printed materials and should ensure that written material distributed is appropriate and consistent with HHS policy.4

    A document that has obtained publication clearance for paper printing is often posted on the sponsoring IC's Web page for greater accessibility. NIH/IC Web documents derived from IC-approved printed publications should not need additional approvals. NIH/IC Web documents with no print counterpart require content clearance by the appropriate IC office or contact person to ensure that the information observes all applicable requirements governing information for release to the public. These include the requirements provided in NIH Manual Chapter 1183. When IC Web pages are related to more than one IC (e.g., trans-IC publications, special interest groups), the appropriate IC office or contact person for the primary IC responsible for creating the Web page should be notified regarding clearance requirements.

    This section describes NIH procedures and practices in place for review and approval of substantive scientific information that is meant for dissemination primarily to the public, and that NIH considers being subject to the OMB Information Quality Guidelines (see Section II above).

    1. Scientific research papers, books, journal articles, brochures, documents, statistical compendiums, newsletters, electronic documents, audiovisual productions, authoritative health information, and similar materials

      NIH encourages professional dissemination of scientific research and other information on behalf of public health by its employees. Professional and scholarly writing, lecturing, editing, and publishing are an essential part of research, are in the public interest, and bring credit and distinction to NIH and to the employees themselves. In assisting employees to share information about their official and professional activities, NIH seeks to advance scientific knowledge and contribute to professional education. Ordinarily first report of any scientific research results or other professional findings is made by publication in a scientific or professional journal or presentation at a meeting of a professional organization. The choice of the journal or meeting to which reports are offered is the prerogative of the author(s).

      There are many quality control measures embedded in the scientific process to ensure that the information disseminated by NIH employees is of the highest quality. Publications or presentations by NIH employees are expected to meet high standards of quality, make a substantial contribution to the field, and contain sufficient information for the informed audience to assess its validity.

      To ensure and maximize the quality of information disseminated by NIH employees, any non-extemporaneous presentation (written or electronic) by an NIH employee on a subject related to his/her NIH duties must be reviewed and approved through an internal NIH process prior to submitting for publication consideration. With few exceptions, non-extemporaneous oral presentations on health policy or practice, or presentations with policy implications, must also be cleared in advance. Manuscripts intended for publication are customarily subjected to an external peer review process directed by the interested publisher, volume editor, or journal editor.

      Publication or oral presentation of scientific and professional information by individual employees must conform to applicable laws and regulations, including OMB Information Quality Guidelines, and the HHS Standards of Conduct Regulations. Customary professional practices impose certain constraints on the degree to which NIH employees may be identified with the results of research and development work, including that obtained in collaboration with extramural grantees.5

      All Institutes have either formal or informal internal operating procedures for identifying printing requirements and tracking publications. These procedures come in a variety of forms such as policy issuances, internal Web sites, memos, or annual requests for printing requirements. In addition, the concept clearance process for new publications is often the vehicle that Institutes use to track the development of a new publication and to identify its attendant printing requirements. The requirements for clearance of prospective publications are contained in NIH Manual Chapter 1183. These requirements state that each prospective publication must be cleared through the Communications Office within the originating NIH component and then be approved by the Office of Communications and Public Liaison, OD/NIH and the Office of the Assistant Secretary for Public Affairs (OASPA), HHS.

      In brief, the NIH Manual Chapter 1183 requires that any official publication (including book, bibliography, chapter of a book or textbook, booklet, brochure, collection of abstracts, fact sheet, house organ, index, leaflet, manual, monograph, newsletter, pamphlet, review, periodical, proceeding, recurring report, statistical compendium, Internet document, audiovisual, or the like), prepared by any NIH component directly or through a contract must be sent for HHS clearance through the Editorial Operations Branch, using form HHS-615, Publication Planning and Clearance Request. This clearance requirement does not apply to publication of articles in journals. The authority to permit the initial publication of articles written by NIH employees in privately published journals, encyclopedias, and textbooks can be delegated according to NIH Manual Chapter 1130 (Delegation of Authority).

      All NIH Audio/Visual projects and exhibits must be cleared through OASPA, whether produced in-house or under contract. To obtain clearance for all NIH audiovisual products, including exhibits, Form HHS 524A must be completed. It can be obtained on the Web (http://www.nih.gov/icd/od/ocpl/resources/audiovisual.htm) and must be filed with the Office of the Assistant Secretary for Public Affairs and approved before actual production may begin. If the cost exceeds $50,000, a written evaluation plan is required. If more than $100,000 is involved, a written evaluation and formal message testing are required. No subsequent change in terms, dollar amounts, conditions, or additions can be made to the product without written approval of OASPA.

      Statistical compendiums, including statistical analyses, aggregated information by program, IC, or for NIH, including funding information and histories (by disease, funding mechanism, dollars, or other criteria), do not require approval by the Office of the Director, NIH. However, the Director of the originating IC is required to determine that the data conform to the accepted quality standards, and if applicable, that the reported statistics be substantially reproducible (see NIH Manual Chapter 1183).

      In general, any writing by an NIH employee on a work-related subject, whether intended for electronic or print publication, or for oral delivery, must be prepared according to accepted NIH standards of quality, reviewed for substantive content, and administratively approved. The purpose of the NIH clearance process is to improve the quality of information, and to ensure the accuracy, objectivity, utility, and validity of information. NIH Manual Chapter 1184, states the policy and procedures to be followed in the review, publication, and distribution of scientific, technical, and other professional manuscripts and speeches by NIH employees. IC Directors (or their delegates) are responsible for establishing and maintaining controls to ensure competent and timely clearance of professional writing and presentations by developing procedures appropriate to the type of information. They are also responsible for maintaining files of requests for approval and actions taken. Individual ICs may determine how best to meet these requirements.

      Written presentations by intramural scientists are reviewed and approved by Laboratory/Branch Chiefs and sometimes by Scientific Directors. The intramural approval process also ascertains that all animal, human subjects, and technology transfer requirements are met, that major press and policy implications are noted, and that at least one supervisory scientist finds the work to be of merit. (See the Intramural Research Sourcebook at www1.od.nih.gov/oir/sourcebook/oversight/pub-clear.htm).

      Materials requiring review in the Office of the Director, NIH, should be approved by a designated review officer within the originating IC, or by a person in a supervisory relationship to the author, prior to submission to the Office of the Director, NIH. No such preliminary review is required for writing by an IC Director. Any statement, commentary, or discussion of Federal policies or practices related to the employee's position or duties that might be construed as reflecting an official position by NIH, HHS, or the Federal Government must be approved in the Office of the Director, NIH.

      For scientific and technical documents, the scientific community recognizes peer review as the primary means of quality control. According to OMB Information Quality Guidelines, material subjected to formal, independent, external peer review may generally be considered to be of acceptable objectivity. However, this presumption of objectivity is refutable based on a persuasive showing to the contrary by a complainant in the particular instance. The single most important determinant of a scientific review group's competence and credibility is its members. Reviewers must have scientific excellence (as demonstrated by their grant and publication records, and academic degrees and honors), and must merit respect in the scientific community. They must possess a wide breadth of expertise, be fair and objective, and should not be influenced by inappropriate personal interests (competition, scientific bias, personal antagonisms, and other irrelevant factors.). Reviewers should review materials for propriety, accuracy, completeness and quality (including objectivity, utility, and integrity).

      Consistent with HHS Standards of Conduct (73.735-705 Writing and Editing), employees are encouraged to engage in outside writing and editing when such activity is not otherwise prohibited. If the writing or editing activity is related to the employee's official duties or other responsibilities and programs of the Federal Government, the employee must (i) make no mention of his or her official title or affiliation with the Department, or (ii) use his or her official title or affiliation with the Department and a disclaimer, or (iii) submit the material for clearance within the operating component, under procedures established by the component. When clearance is denied at any lower level, the employee shall have recourse for review up to the head of the principal operating component. This clearance will show there are no official objections to the activity and the employee may then use his or her official title or affiliation usually without a disclaimer. Except where the requirement for disclaimer is waived as a result of official clearance, disclaimers shall be used in all writing and editing related to the employee's official duties or other responsibilities and programs of the Federal Government: (i) in which the employee identifies himself or herself by official title or affiliation with the Department, or (ii) when the prominence of the employee or the employee's position might lead the public to associate him or her with the Department, even without identification other than name. Disclaimers shall read as follows unless a different wording is approved by the Assistant General Counsel, Business and Administrative Law Division, Office of the General Counsel: "This (article, book, etc.) was (written, edited) by (employee's name) in (his or her) private capacity. No official support or endorsement by (name of operating component or of Department) is intended or should be inferred."

      Normally, the need for a disclaimer is eliminated through the clearance process. However, a disclaimer may still be needed even after official clearance to clarify that the presentation should not be construed as necessarily representing NIH views, and/or to distinguish the status of information (e.g., preliminary, based on partial data set). The Department's regulations (Standards of Conduct) to which the NIH subscribes, require that disclaimers be used in all unofficial writing and editing related to the employee's official duties and/or affiliation with programs of the Federal Government in which the employee's identification with NIH is to be shown, can be inferred, or is well-known.

    2. Oral information, including speeches, interviews, expert opinions, only if representing NIH views, official positions, or policies

      Any statements, comments, or discussion of Federal policies or practices that are relevant to the employee's position or duties, draw conclusions, advocate or oppose professional practices or positions on subjects related to NIH duties, or might otherwise be construed as reflecting an official position by NIH, HHS, or the Federal Government, are covered by the OMB Guidelines, and must be approved in the Office of the Director, NIH.

      An NIH employee may respond orally to questions and requests for information from any source, including the news media, without prior review and approval but must adhere to internal IC guidelines for informing the IC Information Officer, Congressional Liaison Officer, or other appropriate official about the nature of the information to be discussed. An employee may appear as a member of a discussion panel or seminar and on radio, television, and Web broadcasts without prior approval if the appearance does not require a manuscript or written text or statement, and if there is no conflict with NIH Policy as provided in Manual Chapter 1184. An employee should limit his/her statements and responses to subjects about which he/she has official knowledge and should present only official HHS and NIH positions in discussion of policy matters.

      No review or approval is required for nonofficial and private writing, speaking, and publishing by an employee unless his/her NIH employment is likely to be regarded as influencing the content.

      NIH employees are responsible for the statements they make, regardless of whether they have been cleared. If one presents material that requires clearance but that has not been cleared prior to presentation, then the employee must inform the audience of the personal or unofficial nature of his or her views. An example of an appropriate disclaimer follows:

      "This material is presented from my own perspective, and should not be taken as representing the viewpoint of the Department, NIH, or [IC]."

      NIH employees shall not identify themselves as NIH employees in unofficial materials prepared for dissemination to nonprofessional audiences, such as a letter-to-the-editor. These materials must be reviewed prior to presentation in the Office of the Director, NIH, if an employee's identification with NIH is to be shown, can be inferred, or is well known.

    3. NIH Consensus Development Program

      The NIH Office of Disease Prevention (ODP) manages the NIH Consensus Development Conference (CDC) Program, the focal point for evidence-based assessments of medical practice and state of the science on behalf of the medical community and the public. Under this program, ODP organizes major conferences that produce Consensus Statements and State of the Science Statements on controversial issues in medicine important to healthcare providers, patients, and the general public. NIH Consensus Statements and State of the Science Statements are disseminated widely, and more than 120 NIH Consensus Statements and State of the Science Statements have been issued since the program's inception in 1977. Organizationally, ODP is under the Associate Director for Disease Prevention in the Office of the Director, NIH, and works closely with NIH Institutes, Centers, and Offices to assess, translate, and disseminate the results of biomedical research that can be used in the delivery of important health services to the public.

      An NIH Consensus Statement is a report evaluating scientific information on a given biomedical or public health intervention with the purpose of resolving a particular controversial issue in clinical practice. Each NIH Consensus Statement answers a series of four to six questions concerning efficacy, risk, and clinical applications, and recommends directions for future research, and is the product of an NIH Consensus Development Conference. NIH Consensus Statements synthesize new information, largely from recent or ongoing medical research, that has implications for reevaluation of routine medical practices. They do not give specific algorithms or guidelines for practice.

      NIH Consensus Statements are written by broad-based, independent panels of non-Federal, non-advocate individuals knowledgeable in the field of medical or public health science under consideration. The makeup of each panel represents various sectors of professional and community life and typically includes research investigators, healthcare providers, methodologists, and a public representative.

      Following circulation of the draft statement to the conference audience for comment, the panel resolves any conflicting recommendations and releases a revised statement at the end of the conference. The Web site for the Consensus Development program can be found at: consensus.nih.gov.

      If a suggested topic does not have an adequately defined and available base of scientific information, conference planning and implementation may still proceed. However, rather than being designated a Consensus Development Conference, the conference will be designated as a State of the Science Conference. NIH State of the Science Conferences and Workshops generally adhere to the NIH CDC format because the process is useful for evaluating complex issues. Usually, speakers present findings or perspectives on the issue. The public is invited to address questions to the speakers, and policy implications may be discussed. A report of the findings can emerge in one of a variety of formats including publication in a clinical or scientific journal. The Web site for the State of the Science Statements can be found at: consensus.nih.gov.

      Although it is difficult to quantify their impact, the NIH Consensus Statements and State of the Science Statements are intended to influence important public health discussions on topics affecting or broadly applying to a significant number of people. The severity of the problem (morbidity and mortality) and the feasibility of intervention are key considerations. For example, the program has had measured success in influencing reimbursement policy and specialty organization policy, thereby indirectly affecting physician behavior. Each conference is jointly sponsored and administered by one or more ICs of NIH and by ODP. Depending on the topic, other Federal agencies with biomedical components may join in sponsoring a CDC. In conjunction with each conference, the Agency for Health Care Research and Quality (AHRQ) provides a systematic review of the literature on the conference topic through one of its Evidence-Based Practice Centers.

      Both the Consensus Statements and the State of the Science Statements are independent reports of the convened panel; none are policy statements of the NIH or the Federal Government. However, NIH funds and disseminates the Consensus Reports, and considers these Statements to be subject to OMB's higher standard of substantial reproducibility. These Statements meet the OMB's quality standards because of the balanced, rigorous, and systematic procedures that ODP has in place to develop them. The panel makes available the evidence on which the Consensus Statement is based. If consensus cannot be achieved, minority or alternative views are included. The systematic literature review conducted by AHRQ is published with their explicit methods. The reports are peer-reviewed by expert panels, and posted on the Internet for at least one month for public comment.

    4. Health, Safety, and Environmental Information

      To make environmental health research findings more applicable to human risk assessment, NIH works in partnership with the CDC and the EPA to develop better ways to monitor and assess human exposure to specific chemicals. One of our most visible publications is the Report on Carcinogens (RoC), a congressionally mandated document that lists agents, substances, mixtures or exposure circumstances that are known or reasonably anticipated to be human carcinogens, and to which a significant number of persons residing in the United States are exposed. Responsibility for producing this report has been delegated to the National Toxicology Program (NTP) and the Director NTP also serves as the Director, NIEHS, NIH.6 The RoC is a composite of Summary Profiles that describes the carcinogenicity, exposure, and regulatory information for each listing with relevant tables and appendices. The NTP follows a published, multi-step process to review and evaluate selected substances and to develop the NTP’s recommendations to the Secretary, HHS, regarding whether or not the substances should be listed in the report.

      Upon review and approval by the Secretary, HHS, and submission to Congress, a notice of the RoC publication, indicating all newly listed or de-listed agents, substances, mixtures or exposure circumstances is published in the Federal Register, NTP newsletters and web pages and other appropriate publications. The current review process was finalized and released to the public on January 11, 2012 [http://ntp.niehs.nih.gov/go/rocprocess].

      It is important to note that the RoC does not present assessments of carcinogenic risks. Listing of substances in this Report, therefore, does not establish that such substances present carcinogenic risks to individuals in their daily lives. Such formal risk assessments are the purview of the appropriate Federal, State, and local health regulatory and research agencies. However, for each effluent, ambient, or exposure standard established by a Federal agency with respect to a listed substance, the RoC is required to state the extent to which, on the basis of available medical, scientific, or other data, the implementation of such standard decreases the risk to public health from exposure to the substance. This requires quantified information on the extent of protection from cancer that the public receives from established Federal standards. Only in a few instances, where studies of long-term human exposures and cancer incidence in restricted environments are available, can risk be estimated with complete confidence.

      NIEHS and NTP procedures conform to accepted NIH scientific practices where quantitative and qualitative scientific conclusions are based on: (1) The best available science and supporting studies, particularly peer-reviewed studies, conducted in accordance with sound and objective scientific practices; and (2) data collected by accepted methods or best available methods (if the reliability of the method and the nature of the decision justifies use of the data). The NIEHS and NTP make every effort to ensure that the presentation and dissemination of information about environmental health is comprehensive, informative, and understandable.

      Scientific results that can directly affect risk assessment and risk management activities are often published in the NIEHS journal Environmental Health Perspectives (EHP), but do not necessarily represent the viewpoints of NIEHS. EHP also publishes perspectives in the form of editorials, commentaries, reviews, and correspondence, as well as workshop summaries. Workshop summaries are reports by expert scientific committees that include reviews of existing information and that summarize research findings on specific topics, present new information, and recommend methods, courses of action, or further research needs for the scientific community. All scientific articles, including workshop summaries, are subject to rigorous peer review. The criteria for publication are weighted toward scientific quality and environmental significance. A submission is assessed according to its originality, scientific merit, and experimental design; the manuscript is evaluated for its conciseness, clarity, and presentation. These standards are thus consistent with the requirement that the presentation of information on risk effects be comprehensive, informative, and understandable. EHP also addresses certain ethical problems during the review process and requires assurances that all human and animal subjects have been treated humanely and with regard for the alleviation of suffering. The review also considers scientific integrity as part of the process.

    5. NIH Clearinghouse Information

      Clearinghouses often serve as the public's point of contact and access to information about IC programs, conferences, and research activities. At NIH, clearinghouses have been contracted to provide varying levels of service, including development and distribution of fact sheets, information packages, and publications; storage of materials; conducting outreach and promotion; and performing training and quality control for the clearinghouse staff. Some clearinghouses respond to inquiries about particular diseases or conditions, ranging from information about available patient and professional education materials to statistical data. Clearinghouses are challenged to ensure accuracy and reliability of information, while continually striving to improve performance and response times. Some clearinghouses also wrestle with how to determine which organizations are worthy of referral when customers need information that is not available at the clearinghouse and how to avoid implying endorsement. Clearinghouse inquiries may also be answered by searching the Combined Health Information Database (CHID), an NIH/CDC database that provides bibliographic references of both NIH and non-NIH materials on various health topics. This database represents a shared data archive, and as such is not covered by the new OMB guidelines.

      The NIH Manual chapter 1183 requires that official materials or information prepared by any NIH component directly or through a contract must be sent for HHS clearance through the Editorial Operations Branch, using form HHS-615, Publication Planning and Clearance Request. This clearance requirement does not apply to publication of articles in journals. Information developed by a clearinghouse for an NIH IC is subject to the OMB Guidelines. See NIH Manual Chapter 1183 for further information regarding this requirement.

      At NIH, there are essentially three types of materials being disseminated through information clearinghouses to the public: (1) Materials produced by NIH staff or contractors that undergo usual NIH review and approval processes; (2) materials produced by NIH grantees that are subject to policies and procedures in the Public Health Service (PHS) Grants Policy Statement; and (3) other materials not produced by NIH but available through libraries, whether in print or in electronic format, with appropriate disclaimers attached. Virtually all NIH ICs direct their clearinghouses to distribute only materials produced by the IC or other NIH ICs or Federal agencies. Non-Federal materials typically undergo careful IC scientific review before they are authorized for dissemination by the clearinghouse, and those materials are accompanied by appropriate disclaimers.

  3. Procedures to Ensure the "Integrity" of Information

    NIH has developed World Wide Web (WWW) Guidance (April 15, 1998), which is available on the Internet (http://ocio.nih.gov/docs/policy/guideli2.html). Each IC has a designated IC contact/reviewer for information and approvals related to developing Web pages and operating a new Web server. The list of IC contacts/reviewers is available on the website (www.nih.gov/employee/weblist.htm). NIH/IC Web page creators periodically review material on the Web page to determine whether it is accurate and up to date. Information, particularly time-sensitive information, should be posted as soon as possible. Web page creators are expected to promptly update or remove out-of-date information.

    Unless noted otherwise, it is safe to assume that information posted on public Web sites within the "NIH.GOV" domain is considered to be "in the public domain." As such, others are free to establish links to NIH online resources. In establishing such links, NIH requests that others avoid creating the impression that NIH is endorsing or promoting any particular product or service. In the same vein, any outside link to an external resource from an NIH Web site needs to be examined on a case-by-case basis. In general, the Web developer of each site determines when links to outside entities are justified.

    NIH Web managers are urged to exercise caution when linking to non-NIH, external websites. Professional judgment should be used to weigh the benefits against the possible risks of linking to other resources. In particular, links to sites providing medical and scientific information needs to be on par with the standards used at NIH to ensure the credibility of the information offered there. Steps should be taken to ensure that such links do not give the impression of endorsing the organizations we link to. NIH/IC Web pages containing links to external Web pages not located on NIH servers should include a link to a statement that releases NIH from responsibility for the material included in the external Web page. Again, it is important to avoid giving a user the impression that NIH is endorsing information or a commercial product described in an external site. Disclaimers on copyright, endorsement (general and external links), liability, and medical information are also used, as appropriate, for individual IC Web sites.

    The IC designates a main office or contact person for information and approvals related to Web pages and the operation of Web servers. NIH personnel, contractors, and other authorized users of NIH networks must notify this office or contact person prior to setting up a Web server. Information about appropriate security measures regarding Web Servers is available at: http://ocio.nih.gov/security/sec_policy.html. The IC or the OD Information Office can provide detailed information on required approvals including both NIH and IC-specific policies relating to publication of documents. NIH/IC documents derived from IC-approved printed publications should not need additional approvals (see Section V.2).

    The NIH Center for Information Technology (CIT) is charged with providing, coordinating, and managing information technology for NIH, and with advancing computational science. In terms of computer security, CIT has three distinct objectives: Confidentiality -- ensuring that there is no deliberate or accidental improper disclosure of sensitive automated information; integrity -- protecting against deliberate or accidental corruption of automated information; and availability -- protecting against deliberate or accidental actions that cause automated information resources to be unavailable to users when needed. Information is accorded protection against disclosure, alteration, loss, or destruction based on the degree of sensitivity.

    CIT staff use appropriate safeguards to protect data from improper disclosure by backing up critical data periodically, and, if a security incident occurs, by following proper incident response procedures. In 1994, CIT adopted a security incident response policy and procedures statement that establishes the responsibilities of CIT staff in responding to and reporting computer security problems. Supervisors are responsible for ensuring that employees, both Government and contractor, observe all security requirements, and that employees receive appropriate security training.

    CIT has instituted a structured management control review process that applies throughout the system life cycle. Risk analyses are conducted to strike a balance between an acceptable level of risk and the costs and inconvenience associated with safeguards. A system recertification/accreditation must be conducted at least once every 3 years. Additional information about NIH computer security measures can be found in The Computer Security Handbook of CIT (http://ocio.nih.gov/security/sec_policy.html).