Federal Acquisition Regulation; Privacy Training, 2010-013, 63896-63899 [2011-26546]

Federal Register / Vol. 76, No. 199 / Friday, October 14, 2011 / Proposed Rules
DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 24 and 52

[FAR Case 2010–013; Docket 2010–0013; Sequence 1]

RIN 9000–AM02

Federal Acquisition Regulation; Privacy Training, 2010–013

AGENCY: Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Proposed rule.

SUMMARY: DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to require contractors to complete training that addresses the protection of privacy, in accordance with the Privacy Act of 1974, and the handling and safeguarding of personally identifiable information.

DATES: Interested parties should submit written comments to the Regulatory Secretariat at one of the addresses shown below on or before December 13, 2011 to be considered in the formation of the final rule.

ADDRESSES: Submit comments in response to FAR case 2010–013 by any of the following methods:

• Regulations.gov: http://www.regulations.gov. Submit comments via the Federal eRulemaking portal by inputting “FAR Case 2010–013” under the heading “Enter Keyword or ID” and selecting “Search.” Select the link “Submit a Comment” that corresponds with “FAR Case 2010–013.” Follow the instructions provided at the “Submit a Comment” screen. Please include your name, company name (if any), and “FAR Case 2010–013” on your attached document.

• Fax: (202) 501–4067.

• Mail: General Services Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417.

Instructions: Please submit comments only and cite FAR Case 2010–013, in all correspondence related to this case.
All comments received will be posted without change to http://www.regulations.gov, including any personal and/or business confidential information provided.

FOR FURTHER INFORMATION CONTACT: Mr. Karlos Morgan, Procurement Analyst, at (202) 501–2364 for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat at (202) 501–4755. Please cite FAR Case 2010–013.

SUPPLEMENTARY INFORMATION:

I. Background

DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to add a new subpart 24.3, entitled “Privacy Training,” and related clause to ensure that contractors identify employees who require access to a Government system of records, handle personally identifiable information, or design, develop, maintain, or operate a system of records on behalf of the Federal Government, and who, therefore, are required to complete privacy training initially upon award of the procurement and at least annually thereafter. In addition, contractors are required to keep records indicating that employees have completed the required training and, upon request, provide those records to the Government. This rule does not apply to commercial items.

These requirements are consistent with subsection (e), Agency requirements, and subsection (m), Government contractors, of the Privacy Act of 1974, 5 U.S.C. 552a.
Other applicable authorities that address the responsibility for Federal agencies to ensure that Government and contractor personnel are instructed on compliance requirements with the laws, rules, and guidance pertaining to handling and safeguarding personally identifiable information include the E–Government Act of 2002, the Federal Information Security Management Act (FISMA) of 2002, and Federal guidance from the Office of Management and Budget (OMB), e.g., OMB Memorandum M–07–16, entitled “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” issued May 22, 2007; OMB Memorandum M–10–23, entitled “Guidance for Agency Use of Third-Party Web sites and Applications,” issued June 25, 2010 (this memorandum contains the most current definition of personally identifiable information, and clarifies the definition provided in M–07–16); and OMB Circular No. A–130, entitled “Management of Federal Information Resources,” which address significant requirements for safeguarding and handling personally identifiable information and reporting any theft, loss, or compromise of such information. In addition, FAR subpart 24.1 requires that Federal agencies contracting for the design, development, or operation of a system of records on individuals must extend all Privacy Act safeguards to the contractor and its employees working on the contract.

Minimum requirements for privacy training are proposed for the coverage in order to ensure consistency across the Government. For example, any privacy training must address the protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a), and the handling and safeguarding of personally identifiable information. The proposed FAR text includes seven mandatory elements of the privacy training, including any agency-specific requirements.
Many agencies currently require that designated contractor employees complete agency-developed privacy training, but, in some circumstances, an agency may provide a contractor with the Privacy Act requirements and have the contractor develop the training package. While the use of an agency-developed privacy training package is the most common approach, and the approach embodied in the clause at FAR 52.224–XX, Privacy Training, the proposed FAR language provides an Alternate I to the FAR clause for those cases where the agency prefers to have the contractor create the privacy training package. Additionally, the proposed FAR language provides an Alternate II to the FAR clause for those instances when it’s determined to be in the best interest of the Government for a contractor employee to attend agency-provided privacy training.

Under the proposed FAR rule, a contractor employee who requires access to a Government system of records will be granted or allowed to retain such access only if the individual has (1) completed privacy training and (2) met all other applicable agency requirements.

II. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

III. Regulatory Flexibility Act

The change may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. The Initial Regulatory Flexibility Analysis (IRFA) is summarized as follows:

This proposed rule was initiated to ensure that contractor personnel who handle personally identifiable information; design, develop, maintain, or operate a system of records on behalf of the Government; or require access to a Government-owned system of records are properly trained on the requirements of applicable laws and appropriate safeguards to ensure the security and confidentiality of personally identifiable information. Such training of contractor employees is required by provisions of the Privacy Act (5 U.S.C. 552a), Title III of the E-Government Act of 2002, the Office of Management and Budget (OMB) Memorandum M–07–16, and existing Privacy Act clauses (52.224–1 and 52.224–2). Various other statutes, applicable authorities, and memoranda address the responsibility of Federal agencies to ensure that Government and contractor personnel are instructed on compliance requirements pertaining to the handling and safeguarding of personally identifiable information. The list includes, but is not limited to the following:

• The Federal Information Security Management Act (FISMA) of 2002 (44 U.S.C. 3541);

• OMB Memorandum M–06–15, Safeguarding Personally Identifiable Information; and

• OMB Circular No. A–130, Management of Federal Information Resources.

The proposed rule requires all contractors with contracts that require employees to have access to personally identifiable information to complete training that addresses the statutory requirements for protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a), and the handling and safeguarding of personally identifiable information. This rule requires the contractor to identify its employees who require access, ensure that those employees complete agency-provided privacy training before being granted access and annually thereafter, and maintain records of the training. In a few cases, the content of the training will not be provided by the agency but will be created by the contractor in accordance with Alternate I to the clause at FAR 52.224–XX. Alternate II to the clause at FAR 52.224–XX applies if it is determined to be in the best interest of the Government for a contractor employee to attend agency-provided privacy training. This rule does not apply to commercial items.

Information obtained from the Federal Procurement Data System for Fiscal Year 2009 demonstrates that 98,864 small business concerns were awarded contracts and 197,728 firms were awarded subcontracts. However, only contracts for the types of work identified in the paragraphs above will be subject to the privacy-training requirement. We estimated that approximately one-half of one percent of all small business Government prime contractors and subcontractors will be required to conduct privacy training as follows:

    Small business prime contractors               98,864
    Small business subcontractors               + 197,728
    Total small businesses                        296,592
    Percent w/privacy-training requirement        × 0.005
    Number of small businesses impacted             1,483

Recordkeeping associated with this proposed rule is minimal; there are no required formats or templates for the records, and they will be retained by the contractor in most cases. The Government only will request a contractor’s training records on an exception basis, i.e., if the Government has a particular reason to check on a contractor’s compliance with the training requirement.
The Regulatory Secretariat will be submitting a copy of the Interim Regulatory Flexibility Analysis (IRFA) to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the Regulatory Secretariat. DoD, GSA and NASA invite comments from small business concerns and other interested parties on the expected impact of this rule on small entities.

DoD, GSA, and NASA will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610 (FAR Case 2010–013) in correspondence.

IV. Paperwork Reduction Act

The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The proposed rule contains information collection requirements. Accordingly, the Regulatory Secretariat has submitted a request for approval of a new information collection requirement concerning “Privacy Training” to the Office of Management and Budget.

A. Public reporting burden for this collection of information is estimated to average one hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. The recordkeeping requirements are minor, and records generally will be retained within the contractor’s organization. While a contractor is required to identify its employees who require initial privacy training and annual privacy training thereafter, there is no requirement to collect this information in a particular format or provide it to the Government, other than on an exception basis, i.e., when there is an indication that the contractor is not complying with the training requirements.

The annual reporting burden is estimated as follows:

    Respondents                          148
    Responses per respondent               1
    Total annual responses               148
    Preparation hours per response         1
    Total response burden hours          148

B. Request for Comments Regarding Paperwork Burden.

Submit comments, including suggestions for reducing this burden, not later than December 13, 2011 to: FAR Desk Officer, OMB, Room 10102, NEOB, Washington, DC 20503, and a copy to the General Services Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417.

Public comments are particularly invited on: whether this collection of information is necessary for the proper performance of functions of the FAR, and will have practical utility; whether our estimate of the public burden of this collection of information is accurate, and based on valid assumptions and methodology; ways to enhance the quality, utility, and clarity of the information to be collected; and ways in which we can minimize the burden of the collection of information on those who are to respond, through the use of appropriate technological collection techniques or other forms of information technology.

Requester may obtain a copy of the supporting statement from the General Services Administration, Regulatory Secretariat (MVCB), Attn: Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417. Please cite OMB Control Number 9000–0182, FAR Case 2010–013, Privacy Training, in correspondence.

List of Subjects in 48 CFR Parts 24 and 52

Government procurement.

Dated: October 6, 2011.

Laura Auletta, Acting Director, Office of Governmentwide Acquisition Policy, Office of Acquisition Policy.

Therefore, DoD, GSA, and NASA propose amending 48 CFR parts 24 and 52 as set forth below:

1. The authority citation for 48 CFR parts 24 and 52 continues to read as follows:

Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c).

PART 24—PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION

2. Add subpart 24.3 to read as follows:

Subpart 24.3—Privacy Training

Sec.
24.301 Privacy Training.
24.302 Contract clause.

Subpart 24.3—Privacy Training

§ 24.301 Privacy training.

(a) Contractors are responsible for conducting initial privacy training, and annual privacy training thereafter, for employees who—
(1) Require access to a Government system of records;
(2) Handle personally identifiable information; or
(3) Design, develop, maintain, or operate a system of records on behalf of the Federal Government (see subpart 24.1 and 39.105).
(b) Agencies shall provide contractors with the privacy training materials (in a format deemed appropriate) necessary to satisfy the requirement described in paragraph (a) of this section unless, on an exception basis, the contracting officer authorizes a contractor to provide its own privacy training materials (see 24.302(b)).
(c) Privacy training shall, at a minimum, address—
(1) The protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a);
(2) The handling and safeguarding of personally identifiable information;
(3) The authorized and official use of a Government system of records;
(4) Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information;
(5) The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or systems of records on behalf of the Federal Government;
(6) Breach notification procedures (i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised) to minimize risk and to ensure prompt and appropriate actions are taken should a breach occur; and
(7) Any agency-specific privacy training requirements.
(d) The contractor is responsible for ensuring that employees identified in paragraph (a) of this section complete the required training and maintain evidence of appropriate training completed. The contractor is required, upon request, to provide evidence of completion of privacy training for all applicable employees.
(e) Each contractor employee who requires access to a Government system of records, handles personally identifiable information, or designs, develops, maintains, or operates a Government system of records, shall be granted or allowed to retain such access only if the individual—
(1) Has completed agency-mandated privacy training that, at a minimum, addresses the elements in paragraph (c) of this section; and
(2) Has met all other applicable agency requirements.

§ 24.302 Contract clause.

(a) When contractor employees will have access to a Government system of records, handle personally identifiable information, or design, develop, maintain, or operate a system of records, the contracting officer shall insert the clause at FAR 52.224–XX, Privacy Training, in solicitations and contracts.
(b) When the contracting officer elects to have the contractor provide its own privacy training materials, use Alternate I in lieu of paragraph (a) of the basic clause.
(c) When an agency elects to provide privacy training to contractor employees, use Alternate II in lieu of paragraph (a) of the basic clause.

PART 52—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

3. Add section 52.224–XX to read as follows:

52.224–XX Privacy Training.

As prescribed in 24.302(a), insert the following clause:

Privacy Training (Date)

(a) The Contractor shall conduct initial privacy training, and annual privacy training thereafter, using the Government-provided privacy training materials, for employees who—
(1) Require access to a Government system of records;
(2) Handle personally identifiable information; or
(3) Design, develop, maintain, or operate a system of records on behalf of the Federal Government (see also FAR subpart 24.1 and 39.105).
(b) The Contractor shall ensure that its employees, as identified in paragraph (a) of this clause, complete the required training in a timely manner. In addition, the Contractor shall maintain privacy training records, and, upon request, shall provide to the Contracting Officer evidence of privacy training completed for applicable employees.
(c) The Contractor shall not grant any employee access to a Government system of records or personally identifiable information until the employee has completed privacy training, as required by this clause, and has met all other applicable agency requirements.
(d) The substance of this clause, including this paragraph (d), shall be included in all subcontracts under this contract, when subcontractor employees will (1) have access to a Government system of records, (2) handle personally identifiable information, or (3) design, develop, maintain, or operate a system of records on behalf of the Federal Government.

(End of clause)

Alternate I (Date).
If the agency elects to have the Contractor provide its own privacy training materials, substitute the following paragraph (a) for paragraph (a) of the basic clause:

(a)(1) The Contractor shall conduct initial privacy training, and annual privacy training thereafter, using its own privacy training materials, for employees who—
(i) Require access to a Government system of records;
(ii) Handle personally identifiable information; or
(iii) Design, develop, maintain or operate a system of records on behalf of the Federal Government (see also FAR subpart 24.1 and 39.105).
(2) The privacy-training materials shall, at a minimum, address—
(i) The protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a);
(ii) The handling and safeguarding of personally identifiable information;
(iii) The authorized and official use of a Government system of records;
(iv) Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information;
(v) The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or a system of records on behalf of the Federal Government;
(vi) Breach notification procedures (i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised); and
(vii) Any agency-specific privacy training requirements specified by the Contracting Officer.

Alternate II (Date).
If the agency elects to provide privacy training to contractor employees, substitute the following paragraph (a) for paragraph (a) of the basic clause:

(a)(1) The Government shall provide initial privacy training, and annual privacy training thereafter, to contractor employees who—
(i) Require access to a Government system of records;
(ii) Handle personally identifiable information; or
(iii) Design, develop, maintain, or operate a system of records on behalf of the Federal Government (see also subpart 24.1 and 39.105).
(2) The Government will conduct privacy training to Contractor employees in the same format given its own employees (e.g., lecture, computer-based training, Web-based training, video conferencing, etc.).

[FR Doc. 2011–26546 Filed 10–13–11; 8:45 am]

BILLING CODE 6820–EP–P


[Federal Register Volume 76, Number 199 (Friday, October 14, 2011)]
[Proposed Rules]
[Pages 63896-63899]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-26546]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 24 and 52

[FAR Case 2010-013; Docket 2010-0013; Sequence 1]
RIN 9000-AM02


Federal Acquisition Regulation; Privacy Training, 2010-013

AGENCY: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: DoD, GSA, and NASA are proposing to amend the Federal 
Acquisition Regulation (FAR) to require contractors to complete 
training that addresses the protection of privacy, in accordance with 
the Privacy Act of 1974, and the handling and safeguarding of 
personally identifiable information.

DATES: Interested parties should submit written comments to the 
Regulatory Secretariat at one of the addresses shown below on or before 
December 13, 2011 to be considered in the formation of the final rule.

ADDRESSES: Submit comments in response to FAR case 2010-013 by any of 
the following methods:
     Regulations.gov: http://www.regulations.gov. Submit 
comments via the Federal eRulemaking portal by inputting ``FAR Case 
2010-013'' under the heading ``Enter Keyword or ID'' and selecting ``Search.'' Select 
the link ``Submit a Comment'' that corresponds with ``FAR Case 2010-
013.'' Follow the instructions provided at the ``Submit a Comment'' 
screen. Please include your name, company name (if any), and ``FAR Case 
2010-013'' on your attached document.
     Fax: (202) 501-4067.
     Mail: General Services Administration, Regulatory 
Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th 
Floor, Washington, DC 20417.
    Instructions: Please submit comments only and cite FAR Case 2010-
013, in all correspondence related to this case. All comments received 
will be posted without change to http://www.regulations.gov, including 
any personal and/or business confidential information provided.

FOR FURTHER INFORMATION CONTACT: Mr. Karlos Morgan, Procurement 
Analyst, at (202) 501-2364 for clarification of content. For 
information pertaining to status or publication schedules, contact the 
Regulatory Secretariat at (202) 501-4755. Please cite FAR Case 2010-
013.

SUPPLEMENTARY INFORMATION:

I. Background

    DoD, GSA, and NASA are proposing to amend the Federal Acquisition 
Regulation (FAR) to add a new subpart 24.3, entitled ``Privacy 
Training,'' and related clause to ensure that contractors identify 
employees who require access to a Government system of records, handle 
personally identifiable information, or design, develop, maintain, or 
operate a system of records on behalf of the Federal Government, and 
who, therefore, are required to complete privacy training initially 
upon award of the procurement and at least annually thereafter. In 
addition, contractors are required to keep records indicating that 
employees have completed the required training and, upon request, 
provide those records to the Government. This rule does not apply to 
commercial items.
    These requirements are consistent with subsection (e), Agency 
requirements, and subsection (m), Government contractors, of the 
Privacy Act of 1974, 5 U.S.C. 552a. Other applicable authorities that 
address the responsibility for Federal agencies to ensure that 
Government and contractor personnel are instructed on compliance 
requirements with the laws, rules, and guidance pertaining to handling 
and safeguarding personally identifiable information include the 
E-Government Act of 2002, the Federal Information Security Management Act 
(FISMA) of 2002, and Federal guidance from the Office of Management and 
Budget (OMB), e.g., OMB Memorandum M-07-16, entitled ``Safeguarding 
Against and Responding to the Breach of Personally Identifiable 
Information,'' issued May 22, 2007; OMB Memorandum M-10-23, entitled 
``Guidance for Agency Use of Third-Party Web sites and Applications,'' 
issued June 25, 2010 (this memorandum contains the most current 
definition of personally identifiable information, and clarifies the 
definition provided in M-07-16); and OMB Circular No. A-130, entitled 
``Management of Federal Information Resources,'' which address 
significant requirements for safeguarding and handling personally 
identifiable information and reporting any theft, loss, or compromise 
of such information. In addition, FAR subpart 24.1 requires that 
Federal agencies contracting for the design, development, or operation 
of a system of records on individuals must extend all Privacy Act 
safeguards to the contractor and its employees working on the contract.
    Minimum requirements for privacy training are proposed for the 
coverage in order to ensure consistency across the Government. For 
example, any privacy training must address the protection of privacy, 
in accordance with the Privacy Act (5 U.S.C. 552a), and the handling 
and safeguarding of personally identifiable information. The proposed 
FAR text includes seven mandatory elements of the privacy training, 
including any agency-specific requirements. Many agencies currently 
require that designated contractor employees complete agency-developed 
privacy training, but, in some circumstances, an agency may provide a 
contractor with the Privacy Act requirements and have the contractor 
develop the training package. While the use of an agency-developed 
privacy training package is the most common approach, and the approach 
embodied in the clause at FAR 52.224-XX, Privacy Training, the proposed 
FAR language provides an Alternate I to the FAR clause for those cases 
where the agency prefers to have the contractor create the privacy 
training package. Additionally, the proposed FAR language provides an 
Alternate II to the FAR clause for those instances when it's determined 
to be in the best interest of the Government for a contractor employee 
to attend agency-provided privacy training.
    Under the proposed FAR rule, a contractor employee who requires 
access to a Government system of records will be granted or allowed to 
retain such access only if the individual has (1) completed privacy 
training and (2) met all other applicable agency requirements.

II. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
This is a significant regulatory action and, therefore, was subject to 
review under Section 6(b) of E.O. 12866, Regulatory Planning and 
Review, dated September 30, 1993. This rule is not a major rule under 5 
U.S.C. 804.

III. Regulatory Flexibility Act

    The change may have a significant economic impact on a substantial 
number of small entities within the meaning of the Regulatory 
Flexibility Act, 5 U.S.C. 601, et seq. The Initial Regulatory 
Flexibility Analysis (IRFA) is summarized as follows:

    This proposed rule was initiated to ensure that contractor 
personnel who handle personally identifiable information; design, 
develop, maintain, or operate a system of records on behalf of the 
Government; or require access to a Government-owned system of 
records are properly trained on the requirements of applicable laws 
and appropriate safeguards to ensure the security and 
confidentiality of personally identifiable information.
    Such training of contractor employees is required by provisions 
of the Privacy Act (5 U.S.C. 552a), Title III of the E-Government 
Act of 2002, the Office of Management and Budget (OMB) Memorandum 
M-07-16, and existing Privacy Act clauses (52.224-1 and 52.224-2). 
Various other statutes, applicable authorities, and memoranda 
address the responsibility of Federal agencies to ensure that 
Government and contractor personnel are instructed on compliance 
requirements pertaining to the handling and safeguarding of 
personally identifiable information. The list includes, but is not 
limited to the following:
     The Federal Information Security Management Act (FISMA) 
of 2002 (44 U.S.C. 3541);
     OMB Memorandum M-06-15, Safeguarding Personally 
Identifiable Information; and
     OMB Circular No. A-130, Management of Federal 
Information Resources.
    The proposed rule requires all contractors with contracts that 
require employees to have access to personally identifiable 
information to complete training that addresses the statutory 
requirements for protection of privacy, in accordance with 
the Privacy Act (5 U.S.C. 552a), and the handling and safeguarding 
of personally identifiable information. This rule requires the 
contractor to identify its employees who require access, ensure that 
those employees complete agency-provided privacy training before 
being granted access and annually thereafter, and maintain records 
of the training. In a few cases, the content of the training will 
not be provided by the agency but will be created by the contractor 
in accordance with Alternate I to the clause at FAR 52.224-XX. 
Alternate II to the clause at FAR 52.224-XX applies if it is determined to 
be in the best interest of the Government for a contractor employee 
to attend agency-provided privacy training. This rule does not apply 
to commercial items.
    Information obtained from the Federal Procurement Data System 
for Fiscal Year 2009 demonstrates that 98,864 small business 
concerns were awarded contracts and 197,728 firms were awarded 
subcontracts. However, only contracts for the types of work 
identified in the paragraphs above will be subject to the 
privacy-training requirement. We estimated that approximately one-half of 
one percent of all small business Government prime contractors and 
subcontractors will be required to conduct privacy training as 
follows:

Small business prime contractors...........................       98,864
Small business subcontractors..............................    + 197,728
                                                            ------------
    Total small businesses.................................      296,592
Percent w/privacy-training requirement.....................      x 0.005
                                                            ------------
Number of small businesses impacted........................        1,483
 

    Recordkeeping associated with this proposed rule is minimal; 
there are no required formats or templates for the records, and they 
will be retained by the contractor in most cases. The Government 
only will request a contractor's training records on an exception 
basis, i.e., if the Government has a particular reason to check on a 
contractor's compliance with the training requirement.

    The Regulatory Secretariat will be submitting a copy of the Interim 
Regulatory Flexibility Analysis (IRFA) to the Chief Counsel for 
Advocacy of the Small Business Administration. A copy of the IRFA may 
be obtained from the Regulatory Secretariat. DoD, GSA and NASA invite 
comments from small business concerns and other interested parties on 
the expected impact of this rule on small entities.
    DoD, GSA, and NASA will also consider comments from small entities 
concerning the existing regulations in subparts affected by this rule 
in accordance with 5 U.S.C. 610. Interested parties must submit such 
comments separately and should cite 5 U.S.C. 610 (FAR Case 2010-013) in 
correspondence.

IV. Paperwork Reduction Act

    The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The 
proposed rule contains information collection requirements. 
Accordingly, the Regulatory Secretariat has submitted a request for 
approval of a new information collection requirement concerning 
``Privacy Training'' to the Office of Management and Budget.
    A. Public reporting burden for this collection of information is 
estimated to average one hour per response, including the time for 
reviewing instructions, searching existing data sources, gathering and 
maintaining the data needed, and completing and reviewing the 
collection of information. The recordkeeping requirements are minor, 
and records generally will be retained within the contractor's 
organization. While a contractor is required to identify its employees 
who require initial privacy training and annual privacy training 
thereafter, there is no requirement to collect this information in a 
particular format or provide it to the Government, other than on an 
exception basis, i.e., when there is an indication that the contractor 
is not complying with the training requirements.
    The annual reporting burden is estimated as follows:

Respondents................................................          148
Responses per respondent...................................            1
                                                            ------------
    Total annual responses.................................          148
Preparation hours per response.............................            1
                                                            ------------
    Total response burden hours............................          148
 
 

    B. Request for Comments Regarding Paperwork Burden.
    Submit comments, including suggestions for reducing this burden, 
not later than December 13, 2011 to: FAR Desk Officer, OMB, Room 10102, 
NEOB, Washington, DC 20503, and a copy to the General Services 
Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275 
First Street, NE., 7th Floor, Washington, DC 20417.
    Public comments are particularly invited on: whether this 
collection of information is necessary for the proper performance of 
functions of the FAR, and will have practical utility; whether our 
estimate of the public burden of this collection of information is 
accurate, and based on valid assumptions and methodology; ways to 
enhance the quality, utility, and clarity of the information to be 
collected; and ways in which we can minimize the burden of the 
collection of information on those who are to respond, through the use 
of appropriate technological collection techniques or other forms of 
information technology.
    Requesters may obtain a copy of the supporting statement from the 
General Services Administration, Regulatory Secretariat (MVCB), Attn: 
Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417. 
Please cite OMB Control Number 9000-0182, FAR Case 2010-013, Privacy 
Training, in correspondence.

List of Subjects in 48 CFR Parts 24 and 52

    Government procurement.

    Dated: October 6, 2011.
Laura Auletta,
Acting Director, Office of Governmentwide Acquisition Policy, Office of 
Acquisition Policy.

    Therefore, DoD, GSA, and NASA propose amending 48 CFR parts 24 and 
52 as set forth below:
    1. The authority citation for 48 CFR parts 24 and 52 continues to 
read as follows:

    Authority:  40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 
U.S.C. 2473(c).

PART 24--PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION

    2. Add subpart 24.3 to read as follows:
Subpart 24.3--Privacy Training
Sec.
24.301 Privacy Training.
24.302 Contract clause.

Subpart 24.3--Privacy Training


Sec.  24.301   Privacy training.

    (a) Contractors are responsible for conducting initial privacy 
training, and annual privacy training thereafter, for employees who--
    (1) Require access to a Government system of records;
    (2) Handle personally identifiable information; or
    (3) Design, develop, maintain, or operate a system of records on 
behalf of the Federal Government (see subpart 24.1 and 39.105).
    (b) Agencies shall provide contractors with the privacy training 
materials (in a format deemed appropriate) necessary to satisfy the 
requirement described in paragraph (a) of this section unless, on an 
exception basis, the contracting officer authorizes a contractor to 
provide its own privacy training materials (see 24.302(b)).
    (c) Privacy training shall, at a minimum, address--
    (1) The protection of privacy, in accordance with the Privacy Act 
(5 U.S.C. 552a);
    (2) The handling and safeguarding of personally identifiable 
information;
    (3) The authorized and official use of a Government system of 
records;
    (4) Restrictions on the use of personally-owned equipment to 
process, access, or store personally identifiable information;
    (5) The prohibition against access by unauthorized users, and 
unauthorized use by authorized users, of personally identifiable 
information or systems of records on behalf of the Federal Government;
    (6) Breach notification procedures (i.e., procedures for notifying 
appropriate individuals when privacy information is lost, stolen, or 
compromised) to minimize risk and to ensure prompt and appropriate 
actions are taken should a breach occur; and
    (7) Any agency-specific privacy training requirements.
    (d) The contractor is responsible for ensuring that employees 
identified in paragraph (a) of this section complete the required 
training and maintain evidence of appropriate training completed. The 
contractor is required, upon request, to provide evidence of completion 
of privacy training for all applicable employees.
    (e) Each contractor employee who requires access to a Government 
system of records, handles personally identifiable information, or 
designs, develops, maintains, or operates a Government system of 
records, shall be granted or allowed to retain such access only if the 
individual--
    (1) Has completed agency-mandated privacy training that, at a 
minimum, addresses the elements in paragraph (c) of this section; and
    (2) Has met all other applicable agency requirements.


Sec.  24.302   Contract clause.

    (a) When contractor employees will have access to a Government 
system of records, handle personally identifiable information, or 
design, develop, maintain, or operate a system of records, the 
contracting officer shall insert the clause at FAR 52.224-XX, Privacy 
Training, in solicitations and contracts.
    (b) When the contracting officer elects to have the contractor 
provide its own privacy training materials, use Alternate I in lieu of 
paragraph (a) of the basic clause.
    (c) When an agency elects to provide privacy training to contractor 
employees, use Alternate II in lieu of paragraph (a) of the basic 
clause.

PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

    3. Add section 52.224-XX to read as follows:


52.224-XX  Privacy Training.

    As prescribed in 24.302(a), insert the following clause:

Privacy Training (Date)

    (a) The Contractor shall conduct initial privacy training, and 
annual privacy training thereafter, using the Government-provided 
privacy training materials, for employees who--
    (1) Require access to a Government system of records;
    (2) Handle personally identifiable information; or
    (3) Design, develop, maintain, or operate a system of records on 
behalf of the Federal Government (see also FAR subpart 24.1 and 
39.105).
    (b) The Contractor shall ensure that its employees, as 
identified in paragraph (a) of this clause, complete the required 
training in a timely manner. In addition, the Contractor shall 
maintain privacy training records, and, upon request, shall provide 
to the Contracting Officer evidence of privacy training completed 
for applicable employees.
    (c) The Contractor shall not grant any employee access to a 
Government system of records or personally identifiable information 
until the employee has completed privacy training, as required by 
this clause, and has met all other applicable agency requirements.
    (d) The substance of this clause, including this paragraph (d), 
shall be included in all subcontracts under this contract, when 
subcontractor employees will (1) have access to a Government system 
of records, (2) handle personally identifiable information, or (3) 
design, develop, maintain, or operate a system of records on behalf 
of the Federal Government.
    (End of clause)
    Alternate I (Date). If the agency elects to have the Contractor 
provide its own privacy training materials, substitute the following 
paragraph (a) for paragraph (a) of the basic clause:
    (a)(1) The Contractor shall conduct initial privacy training, 
and annual privacy training thereafter, using its own privacy 
training materials, for employees who--
    (i) Require access to a Government system of records;
    (ii) Handle personally identifiable information; or
    (iii) Design, develop, maintain or operate a system of records 
on behalf of the Federal Government (see also FAR subpart 24.1 and 
39.105).
    (2) The privacy-training materials shall, at a minimum, 
address--
    (i) The protection of privacy, in accordance with the Privacy 
Act (5 U.S.C. 552a);
    (ii) The handling and safeguarding of personally identifiable 
information;
    (iii) The authorized and official use of a Government system of 
records;
    (iv) Restrictions on the use of personally-owned equipment to 
process, access, or store personally identifiable information;
    (v) The prohibition against access by unauthorized users, and 
unauthorized use by authorized users, of personally identifiable 
information or a system of records on behalf of the Federal 
Government;
    (vi) Breach notification procedures (i.e., procedures for 
notifying appropriate individuals when privacy information is lost, 
stolen, or compromised); and
    (vii) Any agency-specific privacy training requirements 
specified by the Contracting Officer.
    Alternate II (Date). If the agency elects to provide privacy 
training to contractor employees, substitute the following paragraph 
(a) for paragraph (a) of the basic clause:
    (a)(1) The Government shall provide initial privacy training, 
and annual privacy training thereafter, to contractor employees 
who--
    (i) Require access to a Government system of records;
    (ii) Handle personally identifiable information; or
    (iii) Design, develop, maintain, or operate a system of records 
on behalf of the Federal Government (see also subpart 24.1 and 
39.105).
    (2) The Government will conduct privacy training to Contractor 
employees in the same format given its own employees (e.g., lecture, 
computer-based training, Web-based training, video conferencing, 
etc.).

[FR Doc. 2011-26546 Filed 10-13-11; 8:45 am]