[Federal Register: October 14, 2011 (Volume 76, Number 199)]
[Proposed Rules]
[Page 63896-63899]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr14oc11-23]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 24 and 52
[FAR Case 2010-013; Docket 2010-0013; Sequence 1]
RIN 9000-AM02
Federal Acquisition Regulation; Privacy Training, 2010-013
AGENCY: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: DoD, GSA, and NASA are proposing to amend the Federal
Acquisition Regulation (FAR) to require contractors to complete
training that addresses the protection of privacy, in accordance with
the Privacy Act of 1974, and the handling and safeguarding of
personally identifiable information.
DATES: Interested parties should submit written comments to the
Regulatory Secretariat at one of the addresses shown below on or before
December 13, 2011 to be considered in the formation of the final rule.
ADDRESSES: Submit comments in response to FAR case 2010-013 by any of
the following methods:
Regulations.gov: http://www.regulations.gov. Submit
comments via the Federal eRulemaking portal by inputting ``FAR Case
2010-013'' under
the heading ``Enter Keyword or ID'' and selecting ``Search.'' Select
the link ``Submit a Comment'' that corresponds with ``FAR Case 2010-
013.'' Follow the instructions provided at the ``Submit a Comment''
screen. Please include your name, company name (if any), and ``FAR Case
2010-013'' on your attached document.
Fax: (202) 501-4067.
Mail: General Services Administration, Regulatory
Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th
Floor, Washington, DC 20417.
Instructions: Please submit comments only and cite FAR Case 2010-
013, in all correspondence related to this case. All comments received
will be posted without change to http://www.regulations.gov, including
any personal and/or business confidential information provided.
FOR FURTHER INFORMATION CONTACT: Mr. Karlos Morgan, Procurement
Analyst, at (202) 501-2364 for clarification of content. For
information pertaining to status or publication schedules, contact the
Regulatory Secretariat at (202) 501-4755. Please cite FAR Case 2010-
013.
SUPPLEMENTARY INFORMATION:
I. Background
DoD, GSA, and NASA are proposing to amend the Federal Acquisition
Regulation (FAR) to add a new subpart 24.3, entitled ``Privacy
Training,'' and related clause to ensure that contractors identify
employees who require access to a Government system of records, handle
personally identifiable information, or design, develop, maintain, or
operate a system of records on behalf of the Federal Government, and
who, therefore, are required to complete privacy training initially
upon award of the procurement and at least annually thereafter. In
addition, contractors are required to keep records indicating that
employees have completed the required training and, upon request,
provide those records to the Government. This rule does not apply to
commercial items.
These requirements are consistent with subsection (e), Agency
requirements, and subsection (m), Government contractors, of the
Privacy Act of 1974, 5 U.S.C. 552a. Other applicable authorities that
address the responsibility for Federal agencies to ensure that
Government and contractor personnel are instructed on compliance
requirements with the laws, rules, and guidance pertaining to handling
and safeguarding personally identifiable information include the E-
Government Act of 2002, the Federal Information Security Management Act
(FISMA) of 2002, and Federal guidance from the Office of Management and
Budget (OMB), e.g., OMB Memorandum M-07-16, entitled ``Safeguarding
Against and Responding to the Breach of Personally Identifiable
Information,'' issued May 22, 2007; OMB Memorandum M-10-23, entitled
``Guidance for Agency Use of Third-Party Web sites and Applications,''
issued June 25, 2010 (this memorandum contains the most current
definition of personally identifiable information, and clarifies the
definition provided in M-07-16); and OMB Circular No. A-130, entitled
``Management of Federal Information Resources,'' which address
significant requirements for safeguarding and handling personally
identifiable information and reporting any theft, loss, or compromise
of such information. In addition, FAR subpart 24.1 requires that
Federal agencies contracting for the design, development, or operation
of a system of records on individuals must extend all Privacy Act
safeguards to the contractor and its employees working on the contract.
Minimum requirements for privacy training are proposed for the
coverage in order to ensure consistency across the Government. For
example, any privacy training must address the protection of privacy,
in accordance with the Privacy Act (5 U.S.C. 552a), and the handling
and safeguarding of personally identifiable information. The proposed
FAR text includes seven mandatory elements of the privacy training,
including any agency-specific requirements. Many agencies currently
require that designated contractor employees complete agency-developed
privacy training, but, in some circumstances, an agency may provide a
contractor with the Privacy Act requirements and have the contractor
develop the training package. While the use of an agency-developed
privacy training package is the most common approach, and the approach
embodied in the clause at FAR 52.224-XX, Privacy Training, the proposed
FAR language provides an Alternate I to the FAR clause for those cases
where the agency prefers to have the contractor create the privacy
training package. Additionally, the proposed FAR language provides an
Alternate II to the FAR clause for those instances when it is determined
to be in the best interest of the Government for a contractor employee
to attend agency-provided privacy training.
Under the proposed FAR rule, a contractor employee who requires
access to a Government system of records will be granted or allowed to
retain such access only if the individual has (1) Completed privacy
training and (2) met all other applicable agency requirements.
II. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
This is a significant regulatory action and, therefore, was subject to
review under Section 6(b) of E.O. 12866, Regulatory Planning and
Review, dated September 30, 1993. This rule is not a major rule under 5
U.S.C. 804.
III. Regulatory Flexibility Act
The change may have a significant economic impact on a substantial
number of small entities within the meaning of the Regulatory
Flexibility Act 5 U.S.C. 601, et seq. The Initial Regulatory
Flexibility Analysis (IRFA) is summarized as follows:
This proposed rule was initiated to ensure that contractor
personnel who handle personally identifiable information; design,
develop, maintain, or operate a system of records on behalf of the
Government; or require access to a Government-owned system of
records are properly trained on the requirements of applicable laws
and appropriate safeguards to ensure the security and
confidentiality of personally identifiable information.
Such training of contractor employees is required by provisions
of the Privacy Act (5 U.S.C. 552a), Title III of the E-Government
Act of 2002, the Office of Management and Budget (OMB) Memorandum M-
07-16, and existing Privacy Act clauses (52.224-1 and 52.224-2).
Various other statutes, applicable authorities, and memoranda
address the responsibility of Federal agencies to ensure that
Government and contractor personnel are instructed on compliance
requirements pertaining to the handling and safeguarding of
personally identifiable information. The list includes, but is not
limited to, the following:
The Federal Information Security Management Act (FISMA)
of 2002 (44 U.S.C. 3541);
OMB Memorandum M-06-15, Safeguarding Personally
Identifiable Information; and
OMB Circular No. A-130, Management of Federal
Information Resources.
The proposed rule requires all contractors with contracts that
require employees to have access to personally identifiable
information to complete training that addresses the
statutory requirements for protection of privacy, in accordance with
the Privacy Act (5 U.S.C. 552a), and the handling and safeguarding
of personally identifiable information. This rule requires the
contractor to identify its employees who require access, ensure that
those employees complete agency-provided privacy training before
being granted access and annually thereafter, and maintain records
of the training. In a few cases, the content of the training will
not be provided by the agency but will be created by the contractor
in accordance with Alternate I to the clause at FAR 52.224-XX.
Alternate II to the clause at FAR 52.224-XX is used if it is determined
to be in the best interest of the Government for a contractor employee
to attend agency-provided privacy training. This rule does not apply
to commercial items.
Information obtained from the Federal Procurement Data System
for Fiscal Year 2009 demonstrates that 98,864 small business
concerns were awarded contracts and 197,728 firms were awarded
subcontracts. However, only contracts for the types of work
identified in the paragraphs above will be subject to the privacy-
training requirement. We estimated that approximately one-half of
one percent of all small business Government prime contractors and
subcontractors will be required to conduct privacy training as
follows:
Small business prime contractors........................... 98,864
Small business subcontractors.............................. + 197,728
------------
Total small businesses................................. 296,592
Percent w/privacy-training requirement..................... x 0.005
------------
Number of small businesses impacted........................ 1,483
Recordkeeping associated with this proposed rule is minimal;
there are no required formats or templates for the records, and they
will be retained by the contractor in most cases. The Government
only will request a contractor's training records on an exception
basis, i.e., if the Government has a particular reason to check on a
contractor's compliance with the training requirement.
The Regulatory Secretariat will be submitting a copy of the Initial
Regulatory Flexibility Analysis (IRFA) to the Chief Counsel for
Advocacy of the Small Business Administration. A copy of the IRFA may
be obtained from the Regulatory Secretariat. DoD, GSA and NASA invite
comments from small business concerns and other interested parties on
the expected impact of this rule on small entities.
DoD, GSA, and NASA will also consider comments from small entities
concerning the existing regulations in subparts affected by this rule
in accordance with 5 U.S.C. 610. Interested parties must submit such
comments separately and should cite 5 U.S.C. 610 (FAR Case 2010-013) in
correspondence.
IV. Paperwork Reduction Act
The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The
proposed rule contains information collection requirements.
Accordingly, the Regulatory Secretariat has submitted a request for
approval of a new information collection requirement concerning
``Privacy Training'' to the Office of Management and Budget.
A. Public reporting burden for this collection of information is
estimated to average one hour per response, including the time for
reviewing instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the
collection of information. The recordkeeping requirements are minor,
and records generally will be retained within the contractor's
organization. While a contractor is required to identify its employees
who require initial privacy training and annual privacy training
thereafter, there is no requirement to collect this information in a
particular format or provide it to the Government, other than on an
exception basis, i.e., when there is an indication that the contractor
is not complying with the training requirements.
The annual reporting burden is estimated as follows:
Respondents................................................ 148
Responses per respondent................................... 1
------------
Total annual responses................................. 148
Preparation hours per response............................. 1
------------
Total response burden hours............................ 148
B. Request for Comments Regarding Paperwork Burden.
Submit comments, including suggestions for reducing this burden,
not later than December 13, 2011 to: FAR Desk Officer, OMB, Room 10102,
NEOB, Washington, DC 20503, and a copy to the General Services
Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275
First Street, NE., 7th Floor, Washington, DC 20417.
Public comments are particularly invited on: whether this
collection of information is necessary for the proper performance of
functions of the FAR, and will have practical utility; whether our
estimate of the public burden of this collection of information is
accurate, and based on valid assumptions and methodology; ways to
enhance the quality, utility, and clarity of the information to be
collected; and ways in which we can minimize the burden of the
collection of information on those who are to respond, through the use
of appropriate technological collection techniques or other forms of
information technology.
Requesters may obtain a copy of the supporting statement from the
General Services Administration, Regulatory Secretariat (MVCB), Attn:
Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417.
Please cite OMB Control Number 9000-0182, FAR Case 2010-013, Privacy
Training, in correspondence.
List of Subjects in 48 CFR Parts 24 and 52
Government procurement.
Dated: October 6, 2011.
Laura Auletta,
Acting Director, Office of Governmentwide Acquisition Policy, Office of
Acquisition Policy.
Therefore, DoD, GSA, and NASA propose amending 48 CFR parts 24 and
52 as set forth below:
1. The authority citation for 48 CFR parts 24 and 52 continues to
read as follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42
U.S.C. 2473(c).
PART 24--PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION
2. Add subpart 24.3 to read as follows:
Subpart 24.3--Privacy Training
Sec.
24.301 Privacy Training.
24.302 Contract clause.
Subpart 24.3--Privacy Training
Sec. 24.301 Privacy training.
(a) Contractors are responsible for conducting initial privacy
training, and annual privacy training thereafter, for employees who--
(1) Require access to a Government system of records;
(2) Handle personally identifiable information; or
(3) Design, develop, maintain, or operate a system of records on
behalf of the Federal Government (see subpart 24.1 and 39.105).
(b) Agencies shall provide contractors with the privacy training
materials (in a format deemed appropriate) necessary to satisfy the
requirement described in paragraph (a) of this section unless, on an
exception basis, the contracting officer authorizes a contractor to
provide its own privacy training materials (see 24.302(b)).
(c) Privacy training shall, at a minimum, address--
(1) The protection of privacy, in accordance with the Privacy Act
(5 U.S.C. 552a);
(2) The handling and safeguarding of personally identifiable
information;
(3) The authorized and official use of a Government system of
records;
(4) Restrictions on the use of personally-owned equipment to
process, access, or store personally identifiable information;
(5) The prohibition against access by unauthorized users, and
unauthorized use by authorized users, of personally identifiable
information or systems of records on behalf of the Federal Government;
(6) Breach notification procedures (i.e., procedures for notifying
appropriate individuals when privacy information is lost, stolen, or
compromised) to minimize risk and to ensure prompt and appropriate
actions are taken should a breach occur; and
(7) Any agency-specific privacy training requirements.
(d) The contractor is responsible for ensuring that employees
identified in paragraph (a) of this section complete the required
training and maintain evidence of appropriate training completed. The
contractor is required, upon request, to provide evidence of completion
of privacy training for all applicable employees.
(e) Each contractor employee who requires access to a Government
system of records, handles personally identifiable information, or
designs, develops, maintains, or operates a Government system of
records, shall be granted or allowed to retain such access only if the
individual--
(1) Has completed agency-mandated privacy training that, at a
minimum, addresses the elements in paragraph (c) of this section; and
(2) Has met all other applicable agency requirements.
Sec. 24.302 Contract clause.
(a) When contractor employees will have access to a Government
system of records, handle personally identifiable information, or
design, develop, maintain, or operate a system of records, the
contracting officer shall insert the clause at FAR 52.224-XX, Privacy
Training, in solicitations and contracts.
(b) When the contracting officer elects to have the contractor
provide its own privacy training materials, use Alternate I in lieu of
paragraph (a) of the basic clause.
(c) When an agency elects to provide privacy training to contractor
employees, use Alternate II in lieu of paragraph (a) of the basic
clause.
PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
3. Add section 52.224-XX to read as follows:
52.224-XX Privacy Training.
As prescribed in 24.302(a), insert the following clause:
Privacy Training (Date)
(a) The Contractor shall conduct initial privacy training, and
annual privacy training thereafter, using the Government-provided
privacy training materials, for employees who--
(1) Require access to a Government system of records;
(2) Handle personally identifiable information; or
(3) Design, develop, maintain, or operate a system of records on
behalf of the Federal Government (see also FAR subpart 24.1 and
39.105).
(b) The Contractor shall ensure that its employees, as
identified in paragraph (a) of this clause, complete the required
training in a timely manner. In addition, the Contractor shall
maintain privacy training records, and, upon request, shall provide
to the Contracting Officer evidence of privacy training completed
for applicable employees.
(c) The Contractor shall not grant any employee access to a
Government system of records or personally identifiable information
until the employee has completed privacy training, as required by
this clause, and has met all other applicable agency requirements.
(d) The substance of this clause, including this paragraph (d),
shall be included in all subcontracts under this contract, when
subcontractor employees will (1) have access to a Government system
of records, (2) handle personally identifiable information, or (3)
design, develop, maintain, or operate a system of records on behalf
of the Federal Government.
(End of clause)
Alternate I (Date). If the agency elects to have the Contractor
provide its own privacy training materials, substitute the following
paragraph (a) for paragraph (a) of the basic clause:
(a)(1) The Contractor shall conduct initial privacy training,
and annual privacy training thereafter, using its own privacy
training materials, for employees who--
(i) Require access to a Government system of records;
(ii) Handle personally identifiable information; or
(iii) Design, develop, maintain or operate a system of records
on behalf of the Federal Government (see also FAR subpart 24.1 and
39.105).
(2) The privacy-training materials shall, at a minimum,
address--
(i) The protection of privacy, in accordance with the Privacy
Act (5 U.S.C. 552a);
(ii) The handling and safeguarding of personally identifiable
information;
(iii) The authorized and official use of a Government system of
records;
(iv) Restrictions on the use of personally-owned equipment to
process, access, or store personally identifiable information;
(v) The prohibition against access by unauthorized users, and
unauthorized use by authorized users, of personally identifiable
information or a system of records on behalf of the Federal
Government;
(vi) Breach notification procedures (i.e., procedures for
notifying appropriate individuals when privacy information is lost,
stolen, or compromised); and
(vii) Any agency-specific privacy training requirements
specified by the Contracting Officer.
Alternate II (Date). If the agency elects to provide privacy
training to contractor employees, substitute the following paragraph
(a) for paragraph (a) of the basic clause:
(a)(1) The Government shall provide initial privacy training,
and annual privacy training thereafter, to contractor employees
who--
(i) Require access to a Government system of records;
(ii) Handle personally identifiable information; or
(iii) Design, develop, maintain, or operate a system of records
on behalf of the Federal Government (see also subpart 24.1 and
39.105).
(2) The Government will provide privacy training to Contractor
employees in the same format given its own employees (e.g., lecture,
computer-based training, Web-based training, video conferencing,
etc.).
[FR Doc. 2011-26546 Filed 10-13-11; 8:45 am]
BILLING CODE 6820-EP-P