[Federal Register Volume 76, Number 199 (Friday, October 14, 2011)]
[Proposed Rules]
[Pages 63896-63899]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-26546]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 24 and 52

[FAR Case 2010-013; Docket 2010-0013; Sequence 1]
RIN 9000-AM02


Federal Acquisition Regulation; Privacy Training, 2010-013

AGENCY: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: DoD, GSA, and NASA are proposing to amend the Federal 
Acquisition Regulation (FAR) to require contractors to complete 
training that addresses the protection of privacy, in accordance with 
the Privacy Act of 1974, and the handling and safeguarding of 
personally identifiable information.

DATES: Interested parties should submit written comments to the 
Regulatory Secretariat at one of the addresses shown below on or before 
December 13, 2011 to be considered in the formation of the final rule.

ADDRESSES: Submit comments in response to FAR case 2010-013 by any of 
the following methods:
     Regulations.gov: http://www.regulations.gov. Submit 
comments via the Federal eRulemaking portal by inputting ``FAR Case 
2010-013'' under

[[Page 63897]]

the heading ``Enter Keyword or ID'' and selecting ``Search.'' Select 
the link ``Submit a Comment'' that corresponds with ``FAR Case 2010-
013.'' Follow the instructions provided at the ``Submit a Comment'' 
screen. Please include your name, company name (if any), and ``FAR Case 
2010-013'' on your attached document.
     Fax: (202) 501-4067.
     Mail: General Services Administration, Regulatory 
Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th 
Floor, Washington, DC 20417.
    Instructions: Please submit comments only and cite FAR Case 2010-
013, in all correspondence related to this case. All comments received 
will be posted without change to http://www.regulations.gov, including 
any personal and/or business confidential information provided.

FOR FURTHER INFORMATION CONTACT: Mr. Karlos Morgan, Procurement 
Analyst, at (202) 501-2364 for clarification of content. For 
information pertaining to status or publication schedules, contact the 
Regulatory Secretariat at (202) 501-4755. Please cite FAR Case 2010-
013.

SUPPLEMENTARY INFORMATION:

I. Background

    DoD, GSA, and NASA are proposing to amend the Federal Acquisition 
Regulation (FAR) to add a new subpart 24.3, entitled ``Privacy 
Training,'' and related clause to ensure that contractors identify 
employees who require access to a Government system of records, handle 
personally identifiable information, or design, develop, maintain, or 
operate a system of records on behalf of the Federal Government, and 
who, therefore, are required to complete privacy training initially 
upon award of the procurement and at least annually thereafter. In 
addition, contractors are required to keep records indicating that 
employees have completed the required training and, upon request, 
provide those records to the Government. This rule does not apply to 
commercial items.
    These requirements are consistent with subsection (e), Agency 
requirements, and subsection (m), Government contractors, of the 
Privacy Act of 1974, 5 U.S.C. 552a. Other applicable authorities that 
address the responsibility for Federal agencies to ensure that 
Government and contractor personnel are instructed on compliance 
requirements with the laws, rules, and guidance pertaining to handling 
and safeguarding personally identifiable information include the E-
Government Act of 2002, the Federal Information Security Management Act 
(FISMA) of 2002, and Federal guidance from the Office of Management and 
Budget (OMB), e.g., OMB Memorandum M-07-16, entitled ``Safeguarding 
Against and Responding to the Breach of Personally Identifiable 
Information,'' issued May 22, 2007; OMB Memorandum M-10-23, entitled 
``Guidance for Agency Use of Third-Party Web sites and Applications,'' 
issued June 25, 2010 (this memorandum contains the most current 
definition of personally identifiable information, and clarifies the 
definition provided in M-07-16); and OMB Circular No. A-130, entitled 
``Management of Federal Information Resources,'' which address 
significant requirements for safeguarding and handling personally 
identifiable information and reporting any theft, loss, or compromise 
of such information. In addition, FAR subpart 24.1 requires that 
Federal agencies contracting for the design, development, or operation 
of a system of records on individuals must extend all Privacy Act 
safeguards to the contractor and its employees working on the contract.
    Minimum requirements for privacy training are proposed for the 
coverage in order to ensure consistency across the Government. For 
example, any privacy training must address the protection of privacy, 
in accordance with the Privacy Act (5 U.S.C. 552a), and the handling 
and safeguarding of personally identifiable information. The proposed 
FAR text includes seven mandatory elements of the privacy training, 
including any agency-specific requirements. Many agencies currently 
require that designated contractor employees complete agency-developed 
privacy training, but, in some circumstances, an agency may provide a 
contractor with the Privacy Act requirements and have the contractor 
develop the training package. While the use of an agency-developed 
privacy training package is the most common approach, and the approach 
embodied in the clause at FAR 52.224-XX, Privacy Training, the proposed 
FAR language provides an Alternate I to the FAR clause for those cases 
where the agency prefers to have the contractor create the privacy 
training package. Additionally, the proposed FAR language provides an 
Alternate II to the FAR clause for those instances when it's determined 
to be in the best interest of the Government for a contractor employee 
to attend agency-provided privacy training.
    Under the proposed FAR rule, a contractor employee who requires 
access to a Government system of records will be granted or allowed to 
retain such access only if the individual has (1) Completed privacy 
training and (2) met all other applicable agency requirements.

II. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
This is a significant regulatory action and, therefore, was subject to 
review under Section 6(b) of E.O. 12866, Regulatory Planning and 
Review, dated September 30, 1993. This rule is not a major rule under 5 
U.S.C. 804.

III. Regulatory Flexibility Act

    The change may have a significant economic impact on a substantial 
number of small entities within the meaning of the Regulatory 
Flexibility Act 5 U.S.C. 601, et seq. The Initial Regulatory 
Flexibility Analysis (IRFA) is summarized as follows:

    This proposed rule was initiated to ensure that contractor 
personnel who handle personally identifiable information; design, 
develop, maintain, or operate a system of records on behalf of the 
Government; or require access to a Government-owned system of 
records are properly trained on the requirements of applicable laws 
and appropriate safeguards to ensure the security and 
confidentiality of personally identifiable information.
    Such training of contractor employees is required by provisions 
of the Privacy Act (5 U.S.C. 552a), Title III of the E-Government 
Act of 2002, the Office of Management and Budget (OMB) Memorandum M-
07-16, and existing Privacy Act clauses (52.224-1 and 52.224-2). 
Various other statutes, applicable authorities, and memoranda 
address the responsibility of Federal agencies to ensure that 
Government and contractor personnel are instructed on compliance 
requirements pertaining to the handling and safeguarding of 
personally identifiable information. The list includes, but is not 
limited to the following:
     The Federal Information Security Management Act (FISMA) 
of 2002 (44 U.S.C. 3541);
     OMB Memorandum M-06-15, Safeguarding Personally 
Identifiable Information; and
     OMB Circular No. A-130, Management of Federal 
Information Resources.
    The proposed rule requires all contractors with contracts that 
require employees to have access to personally identifiable 
information to complete training that addresses the

[[Page 63898]]

statutory requirements for protection of privacy, in accordance with 
the Privacy Act (5 U.S.C. 552a), and the handling and safeguarding 
of personally identifiable information. This rule requires the 
contractor to identify its employees who require access, ensure that 
those employees complete agency-provided privacy training before 
being granted access and annually thereafter, and maintain records 
of the training. In a few cases, the content of the training will 
not be provided by the agency but will be created by the contractor 
in accordance with Alternate I to the clause at FAR 52.224-XX. 
Alternate II to the clause at FAR 52.224-XX if it is determined to 
be in the best interest of the Government for a contractor employee 
to attend agency-provided privacy training. This rule does not apply 
to commercial items.
    Information obtained from the Federal Procurement Data System 
for Fiscal Year 2009 demonstrates that 98,864 small business 
concerns were awarded contracts and 197,728 firms were awarded 
subcontracts. However, only contracts for the types of work 
identified in the paragraphs above will be subject to the privacy-
training requirement. We estimated that approximately one-half of 
one percent of all small business Government prime contractors and 
subcontractors will be required to conduct privacy training as 
follows:

Small business prime contractors...........................       98,864
Small business subcontractors..............................    + 197,728
                                                            ------------
    Total small businesses.................................      296,592
Percent w/privacy-training requirement.....................      x 0.005
                                                            ------------
Number of small businesses impacted........................        1,483
 

    Recordkeeping associated with this proposed rule is minimal; 
there are no required formats or templates for the records, and they 
will be retained by the contractor in most cases. The Government 
only will request a contractor's training records on an exception 
basis, i.e., if the Government has a particular reason to check on a 
contractor's compliance with the training requirement.

    The Regulatory Secretariat will be submitting a copy of the Interim 
Regulatory Flexibility Analysis (IRFA) to the Chief Counsel for 
Advocacy of the Small Business Administration. A copy of the IRFA may 
be obtained from the Regulatory Secretariat. DoD, GSA and NASA invite 
comments from small business concerns and other interested parties on 
the expected impact of this rule on small entities.
    DoD, GSA, and NASA will also consider comments from small entities 
concerning the existing regulations in subparts affected by this rule 
in accordance with 5 U.S.C. 610. Interested parties must submit such 
comments separately and should cite 5 U.S.C. 610 (FAR Case 2010-013) in 
correspondence.

IV. Paperwork Reduction Act

    The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The 
proposed rule contains information collection requirements. 
Accordingly, the Regulatory Secretariat has submitted a request for 
approval of a new information collection requirement concerning 
``Privacy Training'' to the Office of Management and Budget.
    A. Public reporting burden for this collection of information is 
estimated to average one hour per response, including the time for 
reviewing instructions, searching existing data sources, gathering and 
maintaining the data needed, and completing and reviewing the 
collection of information. The recordkeeping requirements are minor, 
and records generally will be retained within the contractor's 
organization. While a contractor is required to identify its employees 
who require initial privacy training and annual privacy training 
thereafter, there is no requirement to collect this information in a 
particular format or provide it to the Government, other than on an 
exception basis, i.e., when there is an indication that the contractor 
is not complying with the training requirements.
    The annual reporting burden is estimated as follows:

Respondents................................................          148
Responses per respondent...................................            1
                                                            ------------
    Total annual responses.................................          148
Preparation hours per response.............................            1
                                                            ------------
    Total response burden hours............................          148
 
 

    :B. Request for Comments Regarding Paperwork Burden.
    Submit comments, including suggestions for reducing this burden, 
not later than December 13, 2011 to: FAR Desk Officer, OMB, Room 10102, 
NEOB, Washington, DC 20503, and a copy to the General Services 
Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275 
First Street, NE., 7th Floor, Washington, DC 20417.
    Public comments are particularly invited on: whether this 
collection of information is necessary for the proper performance of 
functions of the FAR, and will have practical utility; whether our 
estimate of the public burden of this collection of information is 
accurate, and based on valid assumptions and methodology; ways to 
enhance the quality, utility, and clarity of the information to be 
collected; and ways in which we can minimize the burden of the 
collection of information on those who are to respond, through the use 
of appropriate technological collection techniques or other forms of 
information technology.
    Requester may obtain a copy of the supporting statement from the 
General Services Administration, Regulatory Secretariat (MVCB), Attn: 
Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417. 
Please cite OMB Control Number 9000-0182, FAR Case 2010-013, Privacy 
Training, in correspondence.

List of Subjects in 48 CFR Parts 24 and 52

    Government procurement.

    Dated: October 6, 2011.
Laura Auletta,
Acting Director, Office of Governmentwide Acquisition Policy, Office of 
Acquisition Policy.

    Therefore, DoD, GSA, and NASA propose amending 48 CFR parts 24 and 
52 as set forth below:
    1. The authority citation for 48 CFR parts 24 and 52 continues to 
read as follows:

    Authority:  40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 
U.S.C. 2473(c).

PART 24--PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION

    2. Add subpart 24.3 to read as follows:
Subpart 24.3--Privacy Training
Sec.
24.301 Privacy Training.
24.302 Contract clause.

Subpart 24.3--Privacy Training


Sec.  24.301   Privacy training.

    (a) Contractors are responsible for conducting initial privacy 
training, and annual privacy training thereafter, for employees who--
    (1) Require access to a Government system of records;
    (2) Handle personally identifiable information; or
    (3) Design, develop, maintain, or operate a system of records on 
behalf of the Federal Government (see subpart 24.1 and 39.105).
    (b) Agencies shall provide contractors with the privacy training 
materials (in a format deemed appropriate) necessary to satisfy the 
requirement described in paragraph (a) of this section unless, on an 
exception basis, the contracting officer authorizes a contractor to 
provide its own privacy training materials (see 24.302(b)).
    (c) Privacy training shall, at a minimum, address--
    (1) The protection of privacy, in accordance with the Privacy Act 
(5 U.S.C. 552a);

[[Page 63899]]

    (2) The handling and safeguarding of personally identifiable 
information;
    (3) The authorized and official use of a Government system of 
records;
    (4) Restrictions on the use of personally-owned equipment to 
process, access, or store personally identifiable information;
    (5) The prohibition against access by unauthorized users, and 
unauthorized use by authorized users, of personally identifiable 
information or systems of records on behalf of the Federal Government;
    (6) Breach notification procedures (i.e., procedures for notifying 
appropriate individuals when privacy information is lost, stolen, or 
compromised) to minimize risk and to ensure prompt and appropriate 
actions are taken should a breach occur; and
    (7) Any agency-specific privacy training requirements.
    (d) The contractor is responsible for ensuring that employees 
identified in paragraph (a) of this section complete the required 
training and maintain evidence of appropriate training completed. The 
contractor is required, upon request, to provide evidence of completion 
of privacy training for all applicable employees.
    (e) Each contractor employee who requires access to a Government 
system of records, handles personally identifiable information, or 
designs, develops, maintains, or operates a Government system of 
records, shall be granted or allowed to retain such access only if the 
individual--
    (1) Has completed agency-mandated privacy training that, at a 
minimum, addresses the elements in paragraph (c) of this section; and
    (2) Has met all other applicable agency requirements.


Sec.  24.302   Contract clause.

    (a) When contractor employees will have access to a Government 
system of records, handle personally identifiable information, or 
design, develop, maintain, or operate a system of records, the 
contracting officer shall insert the clause at FAR 52.224-XX, Privacy 
Training, in solicitations and contracts.
    (b) When the contracting officer elects to have the contractor 
provide its own privacy training materials, use Alternate I in lieu of 
paragraph (a) of the basic clause.
    (c) When an agency elects to provide privacy training to contractor 
employees, use Alternate II in lieu of paragraph (a) of the basic 
clause.

PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

    3. Add section 52.224-XX to read as follows:


52.224-XX  Privacy Training.

    As prescribed in 24.302(a), insert the following clause:

Privacy Training (Date)

    (a) The Contractor shall conduct initial privacy training, and 
annual privacy training thereafter, using the Government-provided 
privacy training materials, for employees who--
    (1) Require access to a Government system of records;
    (2) Handle personally identifiable information; or
    (3) Design, develop, maintain, or operate a system of records on 
behalf of the Federal Government (see also FAR subpart 24.1 and 
39.105).
    (b) The Contractor shall ensure that its employees, as 
identified in paragraph (a) of this clause, complete the required 
training in a timely manner. In addition, the Contractor shall 
maintain privacy training records, and, upon request, shall provide 
to the Contracting Officer evidence of privacy training completed 
for applicable employees.
    (c) The Contractor shall not grant any employee access to a 
Government system of records or personally identifiable information 
until the employee has completed privacy training, as required by 
this clause, and has met all other applicable agency requirements.
    (d) The substance of this clause, including this paragraph (d), 
shall be included in all subcontracts under this contract, when 
subcontractor employees will (1) have access to a Government system 
of records, (2) handle personally identifiable information, or (3) 
design, develop, maintain, or operate a system of records on behalf 
of the Federal Government.
    (End of clause)
    Alternate I (Date). If the agency elects to have the Contractor 
provide its own privacy training materials, substitute the following 
paragraph (a) for paragraph (a) of the basic clause:
    (a)(1) The Contractor shall conduct initial privacy training, 
and annual privacy training thereafter, using its own privacy 
training materials, for employees who--
    (i) Require access to a Government system of records;
    (ii) Handle personally identifiable information; or
    (iii) Design, develop, maintain or operate a system of records 
on behalf of the Federal Government (see also FAR subpart 24.1 and 
39.105).
    (2) The privacy-training materials shall, at a minimum, 
address--
    (i) The protection of privacy, in accordance with the Privacy 
Act (5 U.S.C. 552a);
    (ii) The handling and safeguarding of personally identifiable 
information;
    (iii) The authorized and official use of a Government system of 
records;
    (iv) Restrictions on the use of personally-owned equipment to 
process, access, or store personally identifiable information;
    (v) The prohibition against access by unauthorized users, and 
unauthorized use by authorized users, of personally identifiable 
information or a system of records on behalf of the Federal 
Government;
    (vi) Breach notification procedures (i.e., procedures for 
notifying appropriate individuals when privacy information is lost, 
stolen, or compromised); and
    (vii) Any agency-specific privacy training requirements 
specified by the Contracting Officer.
    Alternate II (Date). If the agency elects to provide privacy 
training to contractor employees, substitute the following paragraph 
(a) for paragraph (a) of the basic clause:
    (a)(1) The Government shall provide initial privacy training, 
and annual privacy training thereafter, to contractor employees 
who--
    (i) Require access to a Government system of records;
    (ii) Handle personally identifiable information; or
    (iii) Design, develop, maintain, or operate a system of records 
on behalf of the Federal Government (see also subpart 24.1 and 
39.105).
    (2) The Government will conduct privacy training to Contractor 
employees in the same format given its own employees (e.g., lecture, 
computer-based training, Web-based training, video conferencing, 
etc.).

[FR Doc. 2011-26546 Filed 10-13-11; 8:45 am]
BILLING CODE 6820-EP-P