What is the NIH External Active Directory?
The NIH External Directory is where a separate account is created for each outside NIH collaborator. This option (NIH External account creation) for collaboration is short-term until the collaboratorís institution/university/college has integrated their directory with NIHís Federated Identity solution.
To inquire about participation in NIH's Federation Collaboration, please visit the web site NIH FEDERATED IDENTITY SERVICE
NIH External (nihext.nih.gov) is a Microsoft Windows 2008 Active Directory Forest. There is a trust between nihext.nih.gov and nih.gov. This allows nihext.nih.gov AD accounts to authenticate and belong to nih.gov groups for authorization. The NIH External accounts will not be mail enabled. NIH External will follow nih.gov AD data content management standards. NIH External will follow nih.gov password complexity requirements, however a shorter 60 days password expiration policy will be enforced.
The Institute wanting to use NIH External will contact CIT and provide information for completing an SLA. The Institute must provide a project name and a project manager. The project manager will need to assign a Registration Authority (RA) to verify the identity of an individual before creating an account for that individual in the NIH external domain. †The RA may be within the IC or a designated official within the partnering institution (e.g., University). †NIH External provides a level 2 authentication credential as defined by NIST Special Publication (SP) 800-63: Electronic Authentication Guideline.† The identity proofing procedures that must be followed by the RA to meet level 2 requirements are defined in Section 7.2.1: †Registration and Identity Proofing Requirements of SP 800-63.† The project manager is response for ensuring that these requirements are met.† CIT will periodically audit RA procedures.† Failure to meet SP 800-63 requirements could result in having all individuals that were identity proofed by a non-compliant RA removed from NIH external.
Once identity proofing has been completed, the RA or designated account official will create the account using Active Directory Management web interface (https://adm.nih.gov). ADM will automatically add the new user to the correct project group.† The account name and password will then be emailed to the RA, who will in turn provide this information to the registered individual in accordance with the address confirmation / credential issuance procedures defined in SP 800-63.
The following is a list of user attributes that are manditory and needed to complete the web form and create an External Account.
After an account has been created, the Project Manager will be responsible for issuing the account name and password information to the individual. The individual will need to change their password at http://www.password.nih.gov, before they will be able to access their project's NIH resource. Please follow the instructions on that page.
Questions or Support Issues concerning the NIH External domain need to be directed to NIH IT Service Desk.
NIH External account deletions must be requested from the NIH IT Service Desk.
Service Level Agreement (SLA)
This Service Level Agreement (SLA) describes the environment and services being provided by CIT. The SLA will be reviewed and renewed on an annual basis.
CIT will maintain, Data center temperature and humidity maintained within conventional, vendor recommended limits for computing and telecommunications equipment; Sufficient power for all installed equipment, with an uninterruptible power supply and standby generator to maintain normal business operations during a utility outage; Physical security of the computer room with controlled access limited to approved personnel.
CIT has determined the needs and performance requirements for the equipment to be used by the Customer. CIT will review these requirements based on changing business needs and/or new technical requirements.
Operating System and Utility Software
CIT will install, upgrade and configure, the operating system and supported utility software based on current technical requirements; Patches to versions fully supported by the vendor and compatible with application software; Security patches applied to CIT-provided software.
CIT will provide overall system administration of the NIH External Domain to include, management oversight of the account creation process; A web based utility to manage NIH External accounts and groups; Available reports of accounts within projects; Provide a web interface for NIH External users to update their password; Timely diagnosis and resolution of hardware and software problems.
CIT will administer all backups of the NIH External Active Directory in accordance with CIT standards. In the event of a system problem causing loss of data, CIT will restore data from the most recent backup.
Firewalls and Host-Based Security
CIT will provide, Basic protection of hardware and software through NIH border firewalls and network intrusion detection in accordance with the data center security architecture; Secure management in accordance with the Federal Security Management Act (FISMA) and NIST guidelines; Host-based security solutions installed, maintained, and monitored to prevent system compromises (e.g., virus infections, intrusions, etc.).
CIT will conduct, annual SAS 70 audits of physical security, operating practices and procedures; Triennial Certification and Accreditation of host systems in accordance with NIH policy and procedures.
Disaster Recovery Service
CIT will implement, a disaster recovery program as described in the Computer Center Disaster Recovery Plan; make provisions for off-site data storage and hot site availability.
CIT strives for 99.9% availability of resources to support services, exclusive of scheduled maintenance activities.
The Project Manager must:
FAQs & Help
What is Registration Authority?
Federal regulations stipulate projects with an E-Authentication level 2 or above must provide some assurance that users are who they say they are. This involves identity proofing external users prior to registration with NIH External. A Registration Authority is the individual responsible for accomplishing this task.
What is E-Authentication level?
The Project Sponsor must determine that the external user access is necessary. A determination of E-Authentication level for the project shall be made. Ensure all project groups are created in NIH External with the exception of the Admin Group in nih.gov. Administrators added to project groups will manage project group membership throughout the project lifecycle. Applicant must possess a government photo ID Non-U.S. government photo IDs are accepted Address of record is defined as that provided by the applicant Drivers license or passport IDs are accepted
For Technical help please contact:
NIH IT Service Desk at
301-496-4357 (6-HELP) (local)
866-319-4357 (toll free)