[Federal Register Volume 71, Number 1 (Tuesday, January 3, 2006)]
[Rules and Regulations]
[Pages 208-211]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 05-24547]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 2, 4, 7, and 52

[FAC 2005-07; FAR Case 2005-015; Item II]
RIN 9000-AK35


Federal Acquisition Regulation; Common Identification Standard 
for Contractors

AGENCIES: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Interim rule with request for comments.

-----------------------------------------------------------------------

SUMMARY: The Civilian Agency Acquisition Council and the Defense 
Acquisition Regulations Council (Councils) have agreed on an interim 
rule amending the Federal Acquisition Regulation (FAR) to address the 
contractor personal identification requirements in Homeland Security 
Presidential Directive (HSPD-12), ``Policy for a Common Identification 
Standard for Federal Employees and Contractors,'' and Federal 
Information Processing Standards Publication (FIPS PUB) Number 201, 
``Personal Identity Verification (PIV) of Federal Employees and 
Contractors.''

DATES: Effective Date: January 3, 2006.
    Comment Date: Interested parties should submit written comments to 
the FAR Secretariat on or before March 6, 2006 to be considered in the 
formulation of a final rule.
    Applicability Date: This rule applies to solicitations and 
contracts issued or awarded on or after October 27, 2005. Contracts 
awarded before that date requiring contractors to have access to a 
Federally controlled facility or a Federal

[[Page 209]]

information system must be modified by October 27, 2007, pursuant to 
FAR subpart 4.13 in accordance with agency implementation of FIPS PUB 
201 and OMB guidance M-05-24.

ADDRESSES: Submit comments identified by FAC 2005-07, FAR case 2005-
015, by any of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Agency Web Site: http://www.acqnet.gov/far/ProposedRules/proposed.htm. Click on the FAR case number to submit comments.
     E-mail: farcase.2005-015@gsa.gov. Include FAC 2005-07, FAR 
case 2005-015 in the subject line of the message.
     Fax: 202-501-4067.
     Mail: General Services Administration, Regulatory 
Secretariat (VIR), 1800 F Street, NW, Room 4035, ATTN: Laurieann 
Duarte, Washington, DC 20405.
    Instructions: Please submit comments only and cite FAC 2005-07, FAR 
case 2005-015, in all correspondence related to this case. All comments 
received will be posted without change to http://www.acqnet.gov/far/ProposedRules/proposed.htm, including any personal and/or business 
confidential information provided.

FOR FURTHER INFORMATION CONTACT: For clarification of content, contact 
Mr. Michael Jackson, Procurement Analyst, at (202) 208-4949. Please 
cite FAC 2005-07, FAR case 2005-015. For information pertaining to 
status or publication schedules, contact the FAR Secretariat at (202) 
501-4755.


SUPPLEMENTARY INFORMATION:

A. Background

    Increasingly, contractors are required to have physical access to 
federally-controlled facilities and information systems in the 
performance of Government contracts. On August 27, 2004, in response to 
the general threat of unauthorized access to physical facilities and 
information systems, the President issued Homeland Security 
Presidential Directive (HSPD-12). The primary objectives of HSPD-12 are 
to establish a process to enhance security, increase Government 
efficiency, reduce identity fraud, and protect personal privacy by 
establishing a mandatory, Governmentwide standard for secure and 
reliable forms of identification issued by the Federal Government to 
its employees and contractors. In accordance with HSPD-12, the 
Secretary of Commerce issued on February 25, 2005, Federal Information 
Processing Standards Publication (FIPS PUB) 201, Personal Identity 
Verification of Federal Employees and Contractors, to establish a 
Governmentwide standard for secure and reliable forms of identification 
for Federal and contractor employees. FIPS PUB 201 is available at 
http://www.csrc.nist.gov/publications/fips/fips201/FIPS-201-022505.pdf. 
The associated Office of Management and Budget (OMB) guidance, M-05-24, 
dated August 5, 2005, can be found at http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf.
    In accordance with requirements in HSPD-12, by October 27, 2005, 
agencies must--
    (a) Adopt and accredit a registration process consistent with the 
identity proofing, registration and accreditation requirements in 
section 2.2 of FIPS PUB 201 and associated guidance issued by the 
National Institute for Standards and Technology. This registration 
process applies to all new identity credentials issued to contractors;
    (b) Begin the required identity proofing requirements for all 
current contractors that do not have a successfully adjudicated 
investigation (i.e., completed National Agency Check with Written 
Inquires (NACI) or other Office of Personnel Management or National 
Security community investigation) on record. (By October 27, 2007, 
identity proofing should be verified and completed for all current 
contractors);
    (c) Complete and receive notification of results of the FBI 
National Criminal History Check prior to credential issuance;
    (d) Include language implementing the Standard in applicable 
solicitations and contracts that require contractors to have access to 
a federally-controlled facility or access to a Federal information 
system; and
    (e) Complete the applicable privacy requirements listed in section 
2.4 of FIPS PUB 201 and the OMB guidance M-05-24.
    The rule amends the FAR by--
     Adding the definitions ``Federal information system'' and 
``Federally-controlled facilities'' at FAR 2.101;
     Adding Subpart 4.13, Personal Identity Verification of 
Contractor Personnel, to implement FIPS PUB 201 and the associated OMB 
guidance;
     Modifying the security considerations in FAR 7.105(b)(17) 
to require the acquisition plan to address the agency's personal 
identity verification requirements for contractors when applicable;
     Adding FAR clause 52.204-9, Personal Identity Verification 
of Contractor Personnel, to require the contractor to comply with the 
personal identity verification process for all affected employees in 
accordance with agency procedures identified in the contract.
    This is not a significant regulatory action and, therefore, was not 
subject to review under Section 6(b) of Executive Order 12866, 
Regulatory Planning and Review, dated September 30, 1993. This rule is 
not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

    The changes may have a significant economic impact on a substantial 
number of small entities within the meaning of the Regulatory 
Flexibility Act, 5 U.S.C. 601 et seq., because all entities that hold 
contracts or wish to hold contracts that require their personnel to 
have access to Federally controlled facilities or information systems 
will be required to employ on Government contracts only employees who 
meet the standards for being credentialed and expend resources 
necessary to help employees fill out the forms for credentialing. An 
Initial Regulatory Flexibility Analysis (IRFA) has been prepared. The 
analysis is summarized as follows:

INITIAL REGULATORY FLEXIBILITY ANALYSIS

FAR Case 2005-015

Common Identification Standard for Contractors

    This Initial Regulatory Flexibility Analysis (IRFA) has been 
prepared consistent with 5 U.S.C. 603.

    1. Description of the reasons why the action is being taken.
    This proposed rule implements Homeland Security Presidential 
Directive (HSPD-12), ``Policy for a Common Identification Standard 
for Federal Employees and Contractors.'' This directive requires 
agencies to adopt a Governmentwide standard for secure and reliable 
forms of identification issued by the Federal Government to its 
employees and contractors. As required by the Directive, the 
Department of Commerce issued Federal Information Processing 
Standard Publication (FIPS PUB) 201. Consequently, the FAR must be 
revised to require solicitations and contracts include requirements 
that contractors who have access to federally-controlled facilities 
and information systems comply with the agency's personal identify 
verification process. Failure to take action would expose the 
Government to unacceptable risk of harm to employees and assets.

    2. Succinct statement of the objectives of, and legal basis for, 
the rule.
    This rule is being promulgated to ensure that Federal agencies 
consistently apply the requirements of HSPD-12 to Federal contracts. 
Consistency in an identification standard is cost effective and will 
improve the security of Government employees and assets.

[[Page 210]]

    FIPS PUB 201 states that the Personal Identity Verification 
(PIV) Registrar shall initiate a National Agency Check with 
Inquiries (NACI) on the applicant as required by Executive Order 
10450. Any unfavorable results of the investigation shall be 
adjudicated to determine the suitability of the applicant for 
obtaining a PIV credential. When all of the requirements have been 
completed, the PIV Registrar notifies the sponsor and the designated 
PIV issuer that the applicant has been approved for the issuance of 
a PIV credential. Conversely, if any of the required steps are 
unsuccessful, the PIV Registrar shall send appropriate notifications 
to the same authorities.

    3. Description of and, where feasible, estimate of the number of 
small entities to which the rule will apply.
    This rule will apply to any contractor whose employees will have 
access to Federal facilities or information systems. A precise 
estimate of the number of small entities that fall within the rule 
is not currently feasible because it would include both contractors 
who perform in Government-owned space as well as those who perform 
in Government-leased space (including employees of the lessor and 
its contractors.)

    4. Description of projected reporting, recordkeeping, and other 
compliance requirements of the rule, including an estimate of the 
classes of small entities which will be subject to the requirement 
and the type of professional skills necessary for preparation of the 
report or record.
    The rule does not directly require reporting, recordkeeping or 
other compliance requirements within the meaning of the Paperwork 
Reduction Act (PRA). The rule does require that any entity, 
including small businesses that will be performing a contract that 
requires its employees to have access to Federal facilities or 
information systems, submit information on their employees. Such 
information will include a personnel history for each employee 
having access to a Federal facility or information system for a 
period exceeding 6 months. Although the forms involved are similar 
to a standard application for employment that is used by many 
companies, it is envisioned that some employers, especially those 
using non-skilled or semi-skilled laborers, will need to help their 
employees complete the form. It is estimated that each applicant 
will spend approximately 30 minutes completing the form.

    5. Identification, to the extent practicable, of all relevant 
Federal rules which may duplicate, overlap, or conflict with the 
rule.
    The Councils are unaware of any duplicative, overlapping or 
conflicting Federal rule. To the extent that there may be a 
duplicative, overlapping or conflicting Federal rule, the purpose of 
this rule is to establish a Federal standard that would eliminate 
such duplication, overlap or conflict.

    6. Description of any significant alternatives to the rule which 
accomplish the stated objectives of applicable statutes and which 
minimize any significant economic impact of the rule on small 
entities.
    There are no practical alternatives that will accomplish the 
objectives of HSPD-12.

    The FAR Secretariat has submitted a copy of the IRFA to the Chief 
Counsel for Advocacy of the Small Business Administration. Interested 
parties may obtain a copy from the FAR Secretariat. The Councils will 
consider comments from small entities concerning the affected FAR Parts 
2, 4, 7, and 52 in accordance with 5 U.S.C. 610. Interested parties 
must submit such comments separately and should cite 5 U.S.C 601, et 
seq. (FAC 2005-07, FAR case 2005-015), in correspondence.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the changes to 
the FAR do not impose information collection requirements that require 
the approval of the Office of Management and Budget under 44 U.S.C. 
3501, et seq.Further, the OMB guidance, M-05-24, advises to collect 
information using only forms approved by OMB under the Paperwork 
Reduction Act (PRA) of 1995 (44 U.S.C. ch. 35), where applicable. 
Departments and agencies are encouraged to use Standard Form 85, Office 
of Personnel Management Questionnaire for Non-Sensitive Positions (OMB 
No. 3206-0005), or the Standard Form 85P, Office of Personnel 
Management Questionnaire for Positions of Public Trust (OMB No. 3206-
0005), when collecting information.

D. Determination to Issue an Interim Rule

    A determination has been made under the authority of the Secretary 
of Defense (DOD), the Administrator of General Services Administration 
(GSA), and the Administrator of the National Aeronautics and Space 
Administration (NASA) that urgent and compelling reasons exist to 
promulgate this interim rule without opportunity for public comment. 
This action is necessary to implement HSPD-12 which directs agencies to 
require the use of identification by Federal employees and contractors 
that meets the Standard in gaining physical access to federally-
controlled facilities and access to federally-controlled information 
systems no later than October 27, 2005. The issuance of this interim 
rule will not be the first time the public has seen and had a chance to 
comment on FIPS PUB 201 and HSPD-12. The Department of Commerce, 
National Institute of Standards and Technology, issued a draft of FIPS 
PUB 201 on November 23, 2004, with comments due by December 23, 2004. 
Also, OMB issued a notice of Draft Agency Implementation Guidance for 
HSPD-12 on April 8, 2005, with comments due by May 9, 2005. HSPD-12 
requires the development and agency implementation of a mandatory 
Governmentwide standard for secure and reliable forms of identification 
for both Federal employees and contractors. However, pursuant to Public 
Law 98-577 and FAR 1.501, the Councils will consider public comments 
received in response to this interim rule in the formation of the final 
rule.

List of Subjects in 48 CFR Parts 2, 4, 7, and 52

    Government procurement.

    Dated: December 22, 2005.
Gerald Zaffos,
Director, Contract Policy Division.

0
Therefore, DoD, GSA, and NASA amend 48 CFR parts 2, 4, 7, and 52 as set 
forth below:
0
1. The authority citation for 48 CFR parts 2, 4, 7, and 52 continues to 
read as follows:

    Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 
U.S.C. 2473(c).

PART 2--DEFINITIONS OF WORDS AND TERMS

0
2. Amend section 2.101 in paragraph (b)(2) by adding, in alphabetical 
order, the definitions ``Federal information system'' and ``Federally-
controlled facilities'' to read as follows:


2.101  Definitions.

* * * * *
    (b) * * *
    (2) * * *
    Federal information system means an information system (44 U.S.C. 
3502(8)) used or operated by a Federal agency, or a contractor or other 
organization on behalf of the agency.
    Federally-controlled facilities means--
    (1)(i) Federally-owned buildings or leased space, whether for 
single or multi-tenant occupancy, and its grounds and approaches, all 
or any portion of which is under the jurisdiction, custody or control 
of a department or agency;
    (ii) Federally-controlled commercial space shared with non-
government tenants. For example, if a department or agency leased the 
10\th\ floor of a commercial building, the Directive applies to the 
10\th\ floor only; and
    (iii) Government-owned, contractor-operated facilities, including 
laboratories engaged in national defense research and production 
activities.

[[Page 211]]

    (2) The term does not apply to educational institutions that 
conduct activities on behalf of departments or agencies or at which 
Federal employees are hosted unless specifically designated as such by 
the sponsoring department or agency.
* * * * *

PART 4--ADMINISTRATIVE MATTERS

0
3. Add Subpart 4.13, consisting of sections 4.1300 and 4.1301, to read 
as follows:

Subpart 4.13--Personal Identity Verification of Contractor 
Personnel

Sec.
4.1300 Policy.
4.1301 Contract clause.


4.1300  Policy.

    (a) Agencies must follow Federal Information Processing Standards 
Publication (FIPS PUB) Number 201, ``Personal Identity Verification of 
Federal Employees and Contractors,'' and the associated Office of 
Management and Budget (OMB) implementation guidance for personal 
identity verification for all affected contractor and subcontractor 
personnel when contract performance requires contractors to have 
physical access to a federally-controlled facility or access to a 
Federal information system.
    (b) Agencies must include their implementation of FIPS PUB 201 and 
OMB guidance M-05-24, dated August 5, 2005, in solicitations and 
contracts that require the contractor to have physical access to a 
federally-controlled facility or access to a Federal information 
system.
    (c) Agencies shall designate an official responsible for verifying 
contractor employee personal identity.


4.1301  Contract clause.

    The contracting officer shall insert the clause at 52.204-9, 
Personal Identity Verification of Contractor Personnel, in 
solicitations and contracts when contract performance requires 
contractors to have physical access to a federally-controlled facility 
or access to a Federal information system.

PART 7--ACQUISITION PLANNING

0
4. Amend section 7.105 by revising paragraph (b)(17) to read as 
follows:


7.105  Contents of written acquisition plans.

* * * * *
    (b) * * *
    (17) Security considerations. For acquisitions dealing with 
classified matters, discuss how adequate security will be established, 
maintained, and monitored (see Subpart 4.4). For information technology 
acquisitions, discuss how agency information security requirements will 
be met. For acquisitions requiring contractor physical access to a 
federally-controlled facility or access to a Federal information 
system, discuss how agency requirements for personal identity 
verification of contractors will be met (see Subpart 4.13).
* * * * *

PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

0
5. Add section 52.204-9 to read as follows:


52.204-9  Personal Identity Verification of Contractor Personnel.

    As prescribed in 4.1301, insert the following clause:

PERSONAL IDENTITY VERIFICATION OF CONTRACTOR PERSONNEL (JAN 2006)

    (a) The Contractor shall comply with agency personal identity 
verification procedures identified in the contract that implement 
Homeland Security Presidential Directive-12 (HSPD-12), Office of 
Management and Budget (OMB) guidance M-05-24, and Federal 
Information Processing Standards Publication (FIPS PUB) Number 201.
    (b) The Contractor shall insert this clause in all subcontracts 
when the subcontractor is required to have physical access to a 
federally-controlled facility or access to a Federal information 
system.
    (End of clause)
[FR Doc. 05-24547 Filed 12-30-05; 8:45 am]
BILLING CODE 6820-EP-S