NIH Record
Vol. LXIII, No. 1
January 7, 2011



Feedback

Have a question about some aspect of working at NIH? You can post anonymous queries at www.nih.gov/nihrecord/index.htm (click on the Feedback icon) and we’ll try to provide answers.

Feedback: In a recent feedback item about bicycles in buildings (May 14, 2010), it was stated that “The Code of Federal Regulations (CFR) prohibits bringing bicycles into buildings. The NIH Police will enforce the code when witnessing or informed of a violation.” However, this is incorrect. The CFR does not prohibit bringing bicycles into buildings. It explicitly states that bicycles cannot be ridden in buildings. It also states that bicycles cannot be parked in buildings except when parked at bicycle racks. The CFR does not specify what constitutes a bike rack. There are out-of-the way locations in our buildings (for example, in small unused offices, or against a back wall in my own office), which can serve as convenient places to rack bicycles. I hope that the NIH Police will not try to discourage us from doing so, nor try to cite us for something that is not prohibited.

Response from the NIH Police: Respectfully, the inquirer is incorrect. Bicycles are prohibited in NIH buildings both in the Code of Federal Regulations and NIH Policy Manual Issuance 1411. Per 45 CFR Part 3, Subpart B, 3.23(b), “A person must park bicycles, motorbikes and similar vehicles only in designated areas and may not bring these vehicles inside buildings.” This policy is further clarified in the NIH Policy Manual Issuance 1411, titled, “Bicycles, Bicycle Racks and Locker Facilities.” This policy cites the CFR and also explicitly states, a person “…may not bring these vehicles inside buildings. Designated areas are limited only to bicycle racks and bicycle lockers.”

Feedback: Why isn’t Skype allowed at NIH? Wouldn’t that application save a lot of money on travel expenses—especially foreign travel?

Response from NIH’s chief information officer: Indeed Skype has many appealing features, but it’s a package deal that comes with some undesirable problems. For those not familiar with Skype, it’s a software application (that works on Windows, Macs and Linux) that allows users to make voice calls over the Internet. Skype-to-Skype voice and video calls are free and low-cost calls can be made to standard landlines and mobile phones. The product also supports instant messaging, chat rooms, file transfer and video conferencing capabilities. It seems perfectly reasonable that folks in the NIH scientific community would view the use of Skype as an attractive option for communicating with fellow colleagues, especially those in foreign countries.

Unfortunately, Skype falls into the realm of what is called “peer-to-peer” (P2P) communications, an Internet protocol type generally prohibited within federal computing environments, corporate and educational networks because they are deliberately designed to evade network security controls. Because these communications cannot be centrally managed, there’s a dangerous potential for introducing new and unknown risks into the enterprise, completely undetected. Skype network traffic is encrypted and thus its content is invisible to intrusion detection sensors. This makes it an inviting vector for hackers seeking to distribute a worm, virus, key logger or other malware. The configuration and security of most implementations of P2P software are entirely under the control of the company and, possibly, the unknown third parties through which these connections pass. The bottom line is that NIH has little or no control over the behavior, security or privacy of unmanaged P2P software. Additional concerns with the use of P2P software include the potential for inappropriate use (through file sharing) and excessive bandwidth (which can negatively affect our network performance).

NIH continues to explore enterprise level controls that might allow desktop computer-based applications such as Skype. In the meantime, individual ICs administer desktop configurations and the security controls that govern their local area networks. Skype is allowed as an exception to policy where ICs have been able to show that they can manage and administer it safely for their user community.

For more information on Skype and other P2P applications, see the NIH P2P Policy at http://ocio.nih.gov/security/NIH_P2P_Policy.doc and the NIH P2P Guide at http://ocio.nih.gov/security/NIH_P2P_File_Sharing_Guide.doc.
