[Federal Register: November 22, 2006 (Volume 71, Number 225)]
[Rules and Regulations]
[Page 67771-67775]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr22no06-12]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 2, 4, 7, and 52
[FAC 2005-14; FAR Case 2005-015; Item I; Docket 2006-0020, Sequence 19]
RIN 9000-AJ91
Federal Acquisition Regulation; FAR Case 2005-015, Common
Identification Standard for Contractors
AGENCIES: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Civilian Agency Acquisition Council and the Defense
Acquisition Regulations Council (Councils) have agreed to convert the
interim rule published in the Federal Register at 71 FR 208 on January
3, 2006, to a final rule with changes. This final rule is amending the
Federal Acquisition Regulation (FAR) to add the contractor personal
identification requirements identified in the Homeland Security
Presidential Directive (HSPD) 12, ``Policy for a Common Identification
Standard for Federal Employees and Contractors,'' and Federal
Information Processing Standards (FIPS) Number 201, ``Personal Identity
Verification (PIV) of Federal Employees and Contractors,'' as amended.
DATES: Effective Date: November 22, 2006.
Applicability Date: This rule applies to solicitations and
contracts issued or awarded on or after November 22, 2006. Contracts
awarded before October 27, 2005 requiring contractors to have routine
physical access to a Federally-controlled facility and/or routine
access to a Federally-controlled information system must be modified to
ensure that credentials are issued by October 27, 2007, pursuant to FAR
Subpart 4.13 in accordance with agency implementation of FIPS PUB 201
and OMB guidance M-05-24, as amended.
FOR FURTHER INFORMATION CONTACT: For clarification of content, contact
Mr. Michael Jackson, Procurement Analyst, at (202) 208-4949. Please
cite FAC 2005-14, FAR case 2005-015. For information pertaining to
status or publication schedules, contact the FAR Secretariat at (202)
501-4755.
SUPPLEMENTARY INFORMATION:
A. Background
This final rule amends the Federal Acquisition Regulation to
require contracting officers to incorporate the requirement for
contractors to comply with agency verification procedures that
implement Homeland Security Presidential Directive-12 (HSPD-12), Office
of Management and Budget (OMB) guidance M-05-24, and Federal
Information Processing Standards Publication (FIPS PUB) Number 201 when
applicable to the work to be performed under the contract.
DoD, GSA, and NASA published an interim rule in the Federal
Register at 71 FR 208 on January 3, 2006. The 60-day comment period for
the interim rule ended March 6, 2006. Five respondents provided
comments. Most comments pointed out areas of concern and language that
required clarification. The substantive comments are discussed below.
Public Comments
Comment: One respondent requested the Government clarify/elaborate
on the requirements to have subcontractors properly cleared.
Response: Implementation of Homeland Security Presidential
Directive (HSPD) 12 required by OMB memorandum M-05-24, Policy for a
Common Identification Standard for Federal Employees and Contractors,
follows the Federal Information Processing Standard Publication (FIPS
PUB) 201 when individuals under contract with a Federal department or
agency, requiring routine access to Federally-controlled facilities
and/or Federally-controlled information systems, require identity
credentials consistent with existing agency security policies. The need
to have contactors meet the requirements of FIPS PUB 201, including
background investigations, applies equally to contractors and
subcontractors to the extent that subcontractors require routine access
to Federally-controlled facilities and/or Federally-controlled
information systems. As such, the Councils have revised the final rule
to add the term ``routine'' to clarify that personal identity
verification does not apply to all contractors and/or subcontractors.
Comment: One respondent stated there is an overlap with Department
of Defense Instruction (DoDI) 3020.41 (October 3, 2005) paragraph
6.2.7.3 which states ``contingency contractor personnel shall be issued
a standard Geneva Convention Card...U.S. citizens and selected other
CDF will be issued a DoD Uniformed Services Identification and
Privilege Card...'', and points out that FAC 2005-07 requires agencies
to adopt and accredit a registration process consistent with the
identity proofing, registrations and accreditation requirements in
section 2.2 of FIPS [PUB] 201. The respondent asks will the requirement
in DoDI 3020.41 satisfy the requirements of FAC 2005-07 for providing a
personal identity card for contingency contractors? The respondent also
asks does FAC 2005-07 duplicate or supplement the requirement in DoDI
3020.41 or does it depend on the contingency status of the contractor?
Response: Those contingency contractor personnel who receive a
common access card (CAC), including those who receive a CAC based on
the eligibility for a Geneva Conventions card, must comply with the
identity proofing and vetting requirements of FIPS PUB 201, as the CAC
represents DoD's implementation of the Personal Identity Verification
(PIV) for Federal
[[Page 67772]]
Employees and Contractors standard. Policy change is currently in
staffing to modify and update existing documents to comply with the
heightened requirements. The current DoDI 3020.41 does not satisfy FIPS
PUB 201 requirements; pending publication of the policy changes, FIPS
PUB 201 must be considered additive to the requirements of DoDI 3020.1.
Comment: One respondent highlights that the FIPS PUB 201 will be
implemented in two phases, that the documents referenced in the interim
rule are lengthy and a small business may not have the capability to
download them, and that SBA may need to assist small businesses and/or
provide training to make them competent in this arena. The respondent
also stated that added administrative time is required for businesses
and Federal agencies to incorporate the required contract
modifications. The respondent also recommends that the standards
required by parts 1 and 2 of the OMB memorandum (M-05-24) be outlined
in the FAR clause at 52.204-9, and that the clause be added to
solicitations and contracts in full text versus incorporation by
reference.
Response: The rule permits modifications to be executed according
to agency procedures for FIPS PUB 201 implementation. The Councils
consider the October 2007 date to be in full compliance with FIPS PUB
201 and allow adequate time for agencies to establish a completion date
to modify contracts thereby lessening any administrative burden.
Agencies will establish their own procedures for complying with FIPS
PUB 201, therefore the Councils do not want to give the appearance that
the outline encompasses all facets of identity verification by
including an outline in the clause. Because agency policy will
implement FIPS PUB 201, agency resources should be available to assist
small businesses with questions or concerns regarding their procedures.
Adding the clause in solicitations and contracts by reference is the
proper prescription, and the full text of clause 52.204-9 is available
using the Internet. Nonetheless, a small business can receive
clarification or a copy of the clause by contacting the contracting
officer.
Comment: One respondent commented that the interim rule is a
significant regulatory action and suggested that the budgetary and
administrative impact is so significant it should be a ``major rule''
that is subject to congressional review pursuant to 5 U.S.C. 801 et
seq. and to the regulatory planning and review process under Executive
Order 12866.
Response: The budgetary and administrative resources to implement
HSPD-12 are provided by the Government. The Councils have appropriately
complied with the determination made by OMB's Office of Information and
Regulatory Affairs that this rule is not significant, nor economically
significant, nor a major rule.
Comment: One respondent commented that the HSPD-12 requires
agencies to ``complete and receive notification of results of the FBI
National Criminal History check prior to credential issuance.'' Both
requirements will significantly increase the demands placed on
Government investigative services far beyond their current budgetary
and manpower capabilities. The respondent provided an overview of the
backlog OPM is currently experiencing. The respondent indicates that
hundreds of thousands more investigations will be required by HSPD-12
for government personnel, contractors, and subcontractors, and
questions how the Government will handle the influx of contractor
personnel. The respondent also stated the rule will cause an artificial
increase in the number of investigations to ensure that personnel that
may become critical to the contract performance are not excluded only
because they do not have a government-issued I.D.
Response: Attachment A to the OMB Memo M-05-24 dated August 5,
2005, states that agencies should receive notification of results of
the National Agency Checks before issuing a credential. However, the
memo provides that the identity credential can be issued based on the
FBI National Criminal History Check (fingerprint check) if the results
are not received in 5 days. Because of this provision, the Councils
have concluded that flexibilities exist to allow credentialing which
may mitigate the impact of an increase in demand placed on
investigative services. OPM is responsible for the investigative
services and has procedures in place to handle the associated workload.
Comment: One respondent expressed that a concern for industry is
the potential impact of this rule on the performance of contracts by
contractors and subcontractors, because the rule is silent on the
consequences of Government investigative services not being completed
in a timely fashion. The respondent questions if an agency is allowed
beyond October 27, 2005 to continue to provide access to ``federally-
controlled facilities'' and/or ``federal information systems'' for
contractors and subcontractors who are not yet adjudicated. Additional
concern was expressed that a contractor or subcontractor would be
barred from performing on a contract because the Government is unable
to provide a final identity verification and successful criminal
background check.
Response: In reference to the OMB Memo M-05-24, agencies are
instructed to initiate National Agency Checks by October 27, 2005. Full
completion will occur over a specified time period. The guidance
includes instruction for distinguishing adjudicated individuals from
those that have not yet been adjudicated; it does not prohibit access.
Each agency will follow its own implementation policy for access
authorization when a final identity verification and successful
criminal background check are pending. Therefore, the Councils do not
anticipate that contractors or subcontractors will be barred from
performing their contractual obligations.
Comment: Two respondents question the course of action for
contractors and subcontractors, including small and disadvantaged
businesses, needing to obtain identity verification for their
employees. It appears that the agency will be responsible for ensuring
all contractor and subcontractor employees are able to complete the
process, but such a sequence would indicate that verification occurs
after award and employers who do not currently have adjudicated
personnel would be required to delay performance on the contract until
such time as a sufficient number of personnel can be adjudicated.
Response: As stated in the response above, implementation of HSPD-
12 does not prohibit access to a Federally-controlled facility and/or
Federally-controlled information system pending a final identity
verification and successful criminal background check. Contractors must
comply with agency procedures for access authorization when a final
adjudication has not been issued. There is no intent to delay contract
performance until a sufficient number of personnel can be adjudicated.
Comment: One respondent stated the prospect of investigative delays
would drive businesses that can offer the Government successful
commercial solutions from the marketplace because the delays would
impact performance, and suggests a solution is to start verifying
identity before contract award. However, this option would exacerbate
the problem of workload delays that
[[Page 67773]]
already plague the Government investigative services.
Response: The Councils have been informed by OPM that the full
extent to which HSPD-12 will create investigative delays is unknown. It
is anticipated that cases received by OPM because of HSPD-12
implementation, that would not otherwise have been received, will be
almost exclusively for uncleared contractors. While the true size of
this population is unknown, what is known is that a large number of
agencies have been investigating uncleared contractors on a regular
basis and the workload increase will be significantly smaller than if
no activity had ever occurred. National Agency Check with Inquiries
(NACI), the minimum investigation required for HSPD-12 compliance and
personal identity verification (PIV) issuance, are not labor intensive.
Once the case is data-entered, it is processed by automated systems.
NACIs do not, other than in rare cases, require the use of field
investigators. Further, PIV credentials can be issued upon favorable
completion of the fingerprint portion of the NACI, which in most cases
will be accomplished in a matter of days. The option of allowing
contractors to begin the investigative process before contract award
would create a far greater burden on the process. OPM is the authority
on handling workload for investigative services, and has procedures to
support implementation of HSPD-12.
Comment: One respondent stated it supports the need for secure and
reliable forms of identification, but it is not clear that the
Government has sufficiently anticipated the full scale of the impact on
investigative services, historical delays, nor the potential impact on
contractors and subcontractor and Government contracting as a whole on
the Government's ability to verify the personnel for every contractor
and subcontractor requiring access to ``federal information systems''
and/or ``federally-controlled facilities.''
Response: As stated in the above response, the Councils have been
informed by OPM that the full extent to which HSPD-12 will create
investigative delays is unknown, however, it is anticipated that cases
received by OPM because of HSPD-12 implementation, that would not
otherwise have been received, will almost exclusively be for uncleared
contractors. OPM is responsible for handling investigative requests
regarding HSPD-12 and has existing procedures to manage this type of
workload.
Comment: One respondent stated the Councils must require as part of
the rule that agencies submit information to the Government
investigative services. Citing the November 9, 2005 testimony of Linda
Springer, Director of the Office of Personnel Management, to the Senate
Subcommittee on Oversight of Government Management, the Federal
Workforce and the District of Columbia, this information will at least
provide the bases for adequate, reasonable and accurate annual
estimates of the personnel and costs demands they will place upon the
process.
Response: In her November 9, 2005 testimony, Ms. Springer indicated
that ``OPM will assist agencies in improving their workload forecasting
by collecting quarterly data comparing agencies' annual workload
projections with actual requests,'' and that OPM will continue to work
toward reducing the time it takes to complete the process for
investigative cases. The Councils support OPM's role in managing
resources to perform investigations and OPM's procedures for gathering
information for investigative services, and do not believe it is
necessary to add further implementation requirements to this rule.
Comment: One respondent states the FAR interim rule sets a
mechanism for requiring contractors to comply with HSPD-12 that differs
from the OMB guidance. Because DOE has implemented the appropriate
mechanism to assure contractors comply with HSPD-12, implementation of
the FAR rule will cause hardship to the Department. The FAR policy
requires agencies to follow HSPD-12 and its associated guidance. The
policy states ``agencies must follow FIPS 201 and OMB guidance for
personal identity verification for all affected contractor and
subcontractor personnel...'' This policy language indicates that the
FAR interim rule is intended to further the requirements of FIPS 201
and OMB guidance. This language clearly implies that for contractors
which are not affected by HSPD-12, contracting officers do not have to
include this clause.
Response: The Councils did not intend to overstate requirements to
implement FIPS PUB 201 and the OMB guidance and agree that contracting
officers do not have to include the clause if contract performance does
not require compliance with HSPD-12. The final rule clarifies that
HSPD-12 applies when contractors and subcontractors require routine
physical access to a Federally-controlled facility and/or routine
access to a Federally-controlled information system.
Comment: One respondent recommends that the FAR Interim Rule be
modified for consistency with established HSPD-12 guidance, because the
FAR requirement is not consistent with the recently amended FIPS PUB
201 and the OMB memorandum M-05-24. In particular, promulgation of the
final rule as written could result in substantial confusion among the
Federal agency employees and contractors who are assigned to implement
HSPD-12 at large Federal agencies. The respondent listed items in the
FAR interim rule which are different from the OMB memo including the
definition of Federally-controlled facilities; the use of ``Federal
Information System'' instead of ``Federally Controlled Information
System''; the omission of ``facilities under a management and operation
contract''; the exception for ``education institution''; and the
expansion of the definition of ``Federally owned buildings and leased
space'' to include property interests controlled by any department or
agency.
Response: The Councils have reviewed updated FIPS PUB 201 guidance
and have revised the definitions in the final rule for Federally-
controlled facilities and Federally-controlled information systems to
be consistent with the OMB Memo M-05-24, dated August 5, 2005.
This is not a significant regulatory action and, therefore, was not
subject to review under Section 6(b) of Executive Order 12866,
Regulatory Planning and Review, dated September 30, 1993. This rule is
not a major rule under 5 U.S.C. 804.
B. Regulatory Flexibility Act
The changes may have a significant economic impact on a substantial
number of small entities within the meaning of the Regulatory
Flexibility Act, 5 U.S.C. 601, et seq., because all entities that hold
contracts or wish to hold contracts that require their personnel to
have access to Federally-controlled facilities or information systems
will be required to employ on Government contracts only employees who
meet the standards for being credentialed and expend resources
necessary to help employees fill out the forms for credentialing. The
Councils prepared a Final Regulatory Flexibility Analysis (FRFA), and
it is summarized as follows:
1. Statement of need for, and objectives of, the rule.
This rule amends the Federal Acquisition Regulation to implement
the Homeland Security Presidential Directive (HSPD) 12, ``Policy for
a Common Identification Standard for Federal Employees and
Contractors,'' dated August 27, 2004. HSPD 12 requires the
development and agency implementation of a mandatory
[[Page 67774]]
Governmentwide standard for secure and reliable forms of
identification for Federal employees and contractors, including
contractor employees.
2. Summary of significant issues raised by the public comments
in response to the Initial Regulatory Flexibility Analysis (IRFA), a
summary of the assessment of the agency of such issues, and a
statement of any changes made in the interim rule as a result of
such comments.
An interim rule was published in the Federal Register at 71 FR
208 on January 3, 2006. The Councils considered all of the comments
in finalizing the rule. An Initial Regulatory Flexibility Analysis
was performed. One respondent highlights that the FIPS PUB 201 will
be implemented in two phases, that the documents referenced in the
interim rule are lengthy and a small business may not have the
capability to download them, and that SBA may need to assist small
businesses and/or provide training to make them competent in this
arena. The respondent also stated that added administrative time is
required for businesses and Federal agencies to incorporate the
required contract modifications. The councils consider the October
2007 date to be in full compliance with FIPS PUB 201 and allow
adequate time for agencies to establish a completion date to modify
contracts thereby lessening any administrative burden. Because
agency policy will implement FIPS PUB 201, agency resources should
be available to assist small businesses with questions or concerns
regarding their procedures.
3. Description of, and an estimate of the number of, small
entities to which the rule will apply or an explanation of why no
such estimate is available.
This rule will apply to all large and small businesses that seek
awards when contract performance requires contractors and/or
subcontractors to have routine physical access to a Federally-
controlled facility and/or routine access to a Federally-controlled
information system. A precise estimate of the number of small
entities that fall within the rule is not currently feasible because
it would include both contractors who perform in Government-owned
space as well as those who perform in Government-leased space
(including employees of the lessor and its contractors).
The Councils did not receive any comments on this issue from
small business concerns or other interested parties in response to
the Initial Regulatory Flexibility Analysis.
4. Description of the projected reporting, recordkeeping, and
other compliance requirements of the rule, including an estimate of
the classes of small entities which will be subject to the
requirement and the type of professional skills necessary for
preparation of the report or record.
The rule does not directly require reporting, recordkeeping or
other compliance requirements within the meaning of the Paperwork
Reduction Act (PRA). The rule does require that any entity,
including small businesses that will be performing a contract that
requires its employees to have access to Federal facilities or
information systems, submit information on their employees. Such
information will include a personnel history for each employee
having access to a Federal facility or information system for a
period exceeding 6 months. Although the forms involved are similar
to a standard application for employment that is used by many
companies, it is envisioned that some employers, especially those
using non-skilled or semi-skilled laborers, will need to help their
employees complete the form. It is estimated that each applicant
will spend approximately 30 minutes completing the form.
Five respondents provided public comments in response to the
interim rule. The public expressed concern that downloading large
documents may be problematic for small business concerns, there will
be a significant increase workload for OPM resources who provide
investigative services that may cause a delay and prohibit a
contractor's ability to start performance while awaiting
adjudication, and the interim rule overstated the credentialing
requirements by referencing all contractors and subcontractors. The
responses to public comments in the final rule preamble address
these comments.
Agencies must adopt the technical standards for an approved
identity proofing and registration process established by Federal
Information Processing Standard Publication (FIPS PUB) 201, and
establish their own implementation policy. The real implementation
of this directive will occur at the agency level. Agencies should be
prepared to assist contractors with questions or concerns about the
agency policy.
5. Description of steps the agency has taken to minimize
significant economic impact on small entities consistent with the
stated objectives of applicable statutes, including a statement of
the factual, policy, and legal reasons for selecting the alternative
adopted in the final rule and why each of the other significant
alternatives to the rule considered by the agency was rejected.
There are no known significant alternatives that will accomplish
the objectives of the rule. No alternatives were proposed during the
public comment period.
The FAR Secretariat has submitted a copy of the FRFA to the Chief
Counsel for Advocacy of the Small Business Administration. Interested
parties may obtain a copy from the FAR Secretariat. The Councils will
consider comments from small entities concerning the affected FAR Parts
2, 4, 7, and 52 in accordance with 5 U.S.C. 610. Interested parties
must submit such comments separately and should cite 5 U.S.C. 601, et
seq. (FAC 2005-14, FAR Case 2005-015), in correspondence.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply because the changes to
the FAR do not impose information collection requirements that require
the approval of the Office of Management and Budget under 44 U.S.C.
3501, et seq.
List of Subjects in 48 CFR Parts 2, 4, 7, and 52
Government procurement.
Dated: November 15, 2006.
Ralph De Stefano,
Director, Contract Policy Division.
Interim Rule Adopted as Final with Changes
0
Accordingly, DoD, GSA, and NASA adopt the interim rule amending 48 CFR
parts 2, 4, 7, and 52, which was published in the Federal Register at
71 FR 208, January 3, 2006, as a final rule with the following changes:
0
1. The authority citation for 48 CFR parts 2, 4, 7, and 52 continues to
read as follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42
U.S.C. 2473(c).
PART 2--DEFINITIONS OF WORDS AND TERMS
0
2. Amend section 2.101 in paragraph (b)(2) by removing the definition
``Federal information system''; revising the definition ``Federally-
controlled facilities''; and adding the definition ``Federally-
controlled information system'' to read as follows:
2.101 Definitions.
* * * * *
(b) * * *
(2) * * *
Federally-controlled facilities means--
(1) Federally-owned buildings or leased space, whether for single
or multi-tenant occupancy, and its grounds and approaches, all or any
portion of which is under the jurisdiction, custody or control of a
department or agency;
(2) Federally-controlled commercial space shared with non-
government tenants. For example, if a department or agency leased the
10th floor of a commercial building, the Directive applies to the 10th
floor only;
(3) Government-owned, contractor-operated facilities, including
laboratories engaged in national defense research and production
activities; and
(4) Facilities under a management and operating contract, such as
for the operation, maintenance, or support of a Government-owned or
Government-controlled research, development, special production, or
testing establishment.
Federally-controlled information system means an information system
(44 U.S.C. 3502(8) used or operated by a Federal agency, or a
contractor or other
[[Page 67775]]
organization on behalf of the agency (44 U.S.C. 3544(a)(1)(A)).
* * * * *
PART 4--ADMINISTRATIVE MATTERS
0
3. Revise section 4.1300 in paragraphs (a) and (b) and section 4.1301
to read as follows:
4.1300 Policy.
(a) Agencies must follow Federal Information Processing Standards
Publication (FIPS PUB) Number 201, ``Personal Identity Verification of
Federal Employees and Contractors,'' as amended, and the associated
Office of Management and Budget (OMB) implementation guidance as
amended, for personal identity verification for all affected contractor
and subcontractor personnel when contract performance requires
contractors to have routine physical access to a Federally-controlled
facility and/or routine access to a Federally-controlled information
system.
(b) Agencies must include their implementation of FIPS PUB 201 as
amended, and OMB guidance M-05-24, dated August 5, 2005, as amended, in
solicitations and contracts that require the contractor to have routine
physical access to a Federally-controlled facility and/or routine
access to a Federally-controlled information system.
* * * * *
4.1301 Contract clause.
The contracting officer shall insert the clause at 52.204-9,
Personal Identity Verification of Contractor Personnel, in
solicitations and contracts when contract performance requires
contractors to have routine physical access to a Federally-controlled
facility and/or routine access to a Federally-controlled information
system. The clause shall not be used when contractors require only
intermittent access to Federally-controlled facilities.
PART 7--ACQUISITION PLANNING
0
4. Amend section 7.105 by revising the last sentence in paragraph
(b)(17) to read as follows:
7.105 Contents of written acquisition plans.
* * * * *
(b) * * *
(17) Security considerations. * * * For acquisitions requiring
routine contractor physical access to a Federally-controlled facility
and/or routine access to a Federally-controlled information system,
discuss how agency requirements for personal identity verification of
contractors will be met (see Subpart 4.13).
* * * * *
PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
5. Amend section 52.204-9 by revising the date of the clause to read
``(NOV 2006)''; and revising paragraphs (a) and (b) to read as follows:
52.204-9 Personal Identity Verification of Contractor Personnel.
* * * * *
(a) The Contractor shall comply with agency personal identity
verification procedures identified in the contract that implement
Homeland Security Presidential Directive-12 (HSPD-12), Office of
Management and Budget (OMB) guidance M-05-24, as amended, and Federal
Information Processing Standards Publication (FIPS PUB) Number 201, as
amended.
(b) The Contractor shall insert this clause in all subcontracts
when the subcontractor is required to have routine physical access to a
Federally-controlled facility and/or routine access to a Federally-
controlled information system.
(End of clause)
[FR Doc. 06-9308 Filed 11-21-06; 8:45 am]
BILLING CODE 6820-EP-S