Federal Acquisition Regulation; Privacy Training, 2010-013, 63896-63899 [2011-26546]
Federal Register / Vol. 76, No. 199 / Friday, October 14, 2011 / Proposed Rules
Diagnostic specimen. Specimens of
human and animal matter (including
tissue, blood, body discharges, fluids,
excretions or similar material), or
environmental samples.
Genomic material. Deoxyribonucleic
acid (DNA) or Ribonucleic acid (RNA)
comprising the genome or organism’s
hereditary information may be single-stranded or double-stranded, and in a
linear, circular or segmented
configuration and may be positive sense
(same polarity as mRNA), negative
sense, or ambisense (mixture of the
two).
Infectious biological agent. A
microorganism (including, but not
limited to, bacteria (including
rickettsiae), viruses, fungi, or protozoa)
or prion, whether naturally occurring,
bioengineered, or artificial, or a
component of such microorganism or
prion that is capable of causing
communicable disease in a human.
Infectious material. Any material
which is known or suspected to contain
a biological agent infectious to humans.
Select agents and toxins. Biological
agents and toxins that could pose a
severe threat to public health and safety
listed in 42 CFR 73.3 and 73.4.
Vector. Any animals (vertebrate or
invertebrate) including arthropods or
any noninfectious self-replicating
system known to transfer or capable of
transferring an infectious biological
agent to a human.
(b) Unless excluded pursuant to
paragraph (f) of this section, a person
may not import into the United States
any infectious biological agent,
infectious material or vector unless:
(1) It is accompanied by a permit
issued by CDC. The possession of a
permit issued by CDC does not satisfy
permitting requirements placed on
materials by the U.S. Department of
Agriculture that may pose hazards to
agriculture or agricultural production in
addition to hazards to human health.
(2) The importer is in compliance
with all permit requirements and
conditions.
(3) The importer has implemented
biosafety measures commensurate with
the hazard posed by the infectious
biological agent, infectious material,
and/or vector to be imported, and the
level of risk given its intended use.
(4) The importer is in compliance
with all applicable laws concerning the
packaging and shipment of infectious
substances.
(c) If noted as a condition of the
issued permit, subsequent transfers of
any infectious biological agent,
infectious material or vector within the
United States will require an additional
permit issued by the CDC.
(d) A permit is valid only for:
(1) The time period and/or term
indicated on the permit, and
(2) Only for so long as the permit
conditions continue to be met.
(e) A permit can be denied, revoked
or suspended if:
(1) The biosafety measures of the
permit holder are not commensurate
with the hazard posed by the infectious
biological agent, infectious materials, or
vector, and the level of risk given its
intended use; or,
(2) The permit holder fails to comply
with all conditions, restrictions and
precautions specified in permit.
(f) A permit issued under this part is
not required for an item if:
(1) It is a biological agent listed in 42
CFR Part 73 as a select agent and its
importation has been authorized in
accordance with 42 CFR 73.16 or 9 CFR
121.16.
(2) It is a diagnostic specimen not
known by the importer to contain, or
suspected by the importer of containing,
an infectious biological agent and the
specimen is accompanied by an
importer certification statement
confirming that the material is not
known to contain or suspected of
containing an infectious biological
agent.
(3) It consists only of nucleic acids
that cannot produce infectious forms of
any infectious biological agent and the
specimen is accompanied by an
importer certification statement
confirming that the material is not
known to contain or suspected of
containing an infectious biological
agent.
(4) It is a product that is cleared,
approved, licensed, or otherwise
authorized under any of the following
laws:
(i) The Federal Food, Drug, and
Cosmetic Act (21 U.S.C. 301 et seq.), or
(ii) Section 351 of the Public Health
Service Act pertaining to biological
products (42 U.S.C. 262), or
(iii) The Virus-Serum-Toxin Act (21
U.S.C. 151–159).
(g) To apply for a permit, an
individual must:
(1) Submit a signed, completed CDC
Form 0.753 (Application for Permit to
Import Biological Agents or Vectors of
Human Disease into the United States)
to the CDC Import Permit Program.
(2) Have in place biosafety measures
that are commensurate with the hazard
posed by the infectious biological agent,
infectious material, and/or vector to be
imported, and the level of risk given its
intended use.
(h) Issuance of a permit may be
contingent upon an inspection of the
importer’s facility by the CDC to
evaluate whether the importer’s
biosafety measures (e.g., physical
structure and features of the facility, and
operational and procedural safeguards)
are commensurate with the hazard
posed by the infectious biological agent,
infectious material, and/or vector, and
the level of risk given its intended use.
(i) Denial, suspension, or revocation
of a permit under this section may be
appealed to the CDC Director. The
appeal must be in writing, state the
factual basis for the appeal, and be
submitted to the CDC Director within 30
calendar days of the denial, suspension,
or revocation of the permit. CDC will
issue a written response to the appeal,
which shall constitute final agency
action.
[FR Doc. 2011–26656 Filed 10–13–11; 8:45 am]
BILLING CODE 4163–18–P
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 24 and 52
[FAR Case 2010–013; Docket 2010–0013; Sequence 1]
RIN 9000–AM02
Federal Acquisition Regulation; Privacy Training, 2010–013
AGENCY: Department of Defense (DoD),
General Services Administration (GSA),
and National Aeronautics and Space
Administration (NASA).
ACTION: Proposed rule.
SUMMARY: DoD, GSA, and NASA are
proposing to amend the Federal
Acquisition Regulation (FAR) to require
contractors to complete training that
addresses the protection of privacy, in
accordance with the Privacy Act of
1974, and the handling and
safeguarding of personally identifiable
information.
DATES: Interested parties should submit
written comments to the Regulatory
Secretariat at one of the addresses
shown below on or before December 13,
2011 to be considered in the formation
of the final rule.
ADDRESSES: Submit comments in
response to FAR case 2010–013 by any
of the following methods:
• Regulations.gov: https://www.regulations.gov.
Submit comments
via the Federal eRulemaking portal by
inputting ‘‘FAR Case 2010–013’’ under
the heading ‘‘Enter Keyword or ID’’ and
selecting ‘‘Search.’’ Select the link
‘‘Submit a Comment’’ that corresponds
with ‘‘FAR Case 2010–013.’’ Follow the
instructions provided at the ‘‘Submit a
Comment’’ screen. Please include your
name, company name (if any), and
‘‘FAR Case 2010–013’’ on your attached
document.
• Fax: (202) 501–4067.
• Mail: General Services
Administration, Regulatory Secretariat
(MVCB), ATTN: Hada Flowers, 1275
First Street, NE., 7th Floor, Washington,
DC 20417.
Instructions: Please submit comments
only and cite FAR Case 2010–013, in all
correspondence related to this case. All
comments received will be posted
without change to https://www.regulations.gov,
including any
personal and/or business confidential
information provided.
FOR FURTHER INFORMATION CONTACT: Mr.
Karlos Morgan, Procurement Analyst, at
(202) 501–2364 for clarification of
content. For information pertaining to
status or publication schedules, contact
the Regulatory Secretariat at (202) 501–4755.
Please cite FAR Case 2010–013.
SUPPLEMENTARY INFORMATION:
I. Background
DoD, GSA, and NASA are proposing
to amend the Federal Acquisition
Regulation (FAR) to add a new subpart
24.3, entitled ‘‘Privacy Training,’’ and
related clause to ensure that contractors
identify employees who require access
to a Government system of records,
handle personally identifiable
information, or design, develop,
maintain, or operate a system of records
on behalf of the Federal Government,
and who, therefore, are required to
complete privacy training initially upon
award of the procurement and at least
annually thereafter. In addition,
contractors are required to keep records
indicating that employees have
completed the required training and,
upon request, provide those records to
the Government. This rule does not
apply to commercial items.
These requirements are consistent
with subsection (e), Agency
requirements, and subsection (m),
Government contractors, of the Privacy
Act of 1974, 5 U.S.C. 552a. Other
applicable authorities that address the
responsibility for Federal agencies to
ensure that Government and contractor
personnel are instructed on compliance
requirements with the laws, rules, and
guidance pertaining to handling and
safeguarding personally identifiable
information include the E–Government
Act of 2002, the Federal Information
Security Management Act (FISMA) of
2002, and Federal guidance from the
Office of Management and Budget
(OMB), e.g., OMB Memorandum M–07–16,
entitled ‘‘Safeguarding Against and
Responding to the Breach of Personally
Identifiable Information,’’ issued May
22, 2007; OMB Memorandum M–10–23,
entitled ‘‘Guidance for Agency Use of
Third-Party Web sites and
Applications,’’ issued June 25, 2010
(this memorandum contains the most
current definition of personally
identifiable information, and clarifies
the definition provided in M–07–16);
and OMB Circular No. A–130, entitled
‘‘Management of Federal Information
Resources,’’ which address significant
requirements for safeguarding and
handling personally identifiable
information and reporting any theft,
loss, or compromise of such
information. In addition, FAR subpart
24.1 requires that Federal agencies
contracting for the design, development,
or operation of a system of records on
individuals must extend all Privacy Act
safeguards to the contractor and its
employees working on the contract.
Minimum requirements for privacy
training are proposed for the coverage in
order to ensure consistency across the
Government. For example, any privacy
training must address the protection of
privacy, in accordance with the Privacy
Act (5 U.S.C. 552a), and the handling
and safeguarding of personally
identifiable information. The proposed
FAR text includes seven mandatory
elements of the privacy training,
including any agency-specific
requirements. Many agencies currently
require that designated contractor
employees complete agency-developed
privacy training, but, in some
circumstances, an agency may provide a
contractor with the Privacy Act
requirements and have the contractor
develop the training package. While the
use of an agency-developed privacy
training package is the most common
approach, and the approach embodied
in the clause at FAR 52.224–XX, Privacy
Training, the proposed FAR language
provides an Alternate I to the FAR
clause for those cases where the agency
prefers to have the contractor create the
privacy training package. Additionally,
the proposed FAR language provides an
Alternate II to the FAR clause for those
instances when it’s determined to be in
the best interest of the Government for
a contractor employee to attend agency-provided privacy training.
Under the proposed FAR rule, a
contractor employee who requires
access to a Government system of
records will be granted or allowed to
retain such access only if the individual
has (1) Completed privacy training and
(2) met all other applicable agency
requirements.
II. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and
13563 direct agencies to assess all costs
and benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, public health and safety
effects, distributive impacts, and
equity). E.O. 13563 emphasizes the
importance of quantifying both costs
and benefits, of reducing costs, of
harmonizing rules, and of promoting
flexibility. This is a significant
regulatory action and, therefore, was
subject to review under Section 6(b) of
E.O. 12866, Regulatory Planning and
Review, dated September 30, 1993. This
rule is not a major rule under 5 U.S.C.
804.
III. Regulatory Flexibility Act
The change may have a significant
economic impact on a substantial
number of small entities within the
meaning of the Regulatory Flexibility
Act 5 U.S.C. 601, et seq. The Initial
Regulatory Flexibility Analysis (IRFA) is
summarized as follows:
This proposed rule was initiated to ensure
that contractor personnel who handle
personally identifiable information; design,
develop, maintain, or operate a system of
records on behalf of the Government; or
require access to a Government-owned
system of records are properly trained on the
requirements of applicable laws and
appropriate safeguards to ensure the security
and confidentiality of personally identifiable
information.
Such training of contractor employees is
required by provisions of the Privacy Act (5
U.S.C. 552a), Title III of the E-Government
Act of 2002, the Office of Management and
Budget (OMB) Memorandum M–07–16, and
existing Privacy Act clauses (52.224–1 and
52.224–2). Various other statutes, applicable
authorities, and memoranda address the
responsibility of Federal agencies to ensure
that Government and contractor personnel
are instructed on compliance requirements
pertaining to the handling and safeguarding
of personally identifiable information. The
list includes, but is not limited to the
following:
• The Federal Information Security
Management Act (FISMA) of 2002 (44 U.S.C.
3541);
• OMB Memorandum M–06–15,
Safeguarding Personally Identifiable
Information; and
• OMB Circular No. A–130, Management
of Federal Information Resources.
The proposed rule requires all contractors
with contracts that require employees to have
access to personally identifiable information
to complete training that addresses the
statutory requirements for protection of
privacy, in accordance with the Privacy Act
(5 U.S.C. 552a), and the handling and
safeguarding of personally identifiable
information. This rule requires the contractor
to identify its employees who require access,
ensure that those employees complete
agency-provided privacy training before
being granted access and annually thereafter,
and maintain records of the training. In a few
cases, the content of the training will not be
provided by the agency but will be created
by the contractor in accordance with
Alternate I to the clause at FAR 52.224–XX.
Alternate II to the clause at FAR 52.224–XX
if it is determined to be in the best interest
of the Government for a contractor employee
to attend agency-provided privacy training.
This rule does not apply to commercial
items.
Information obtained from the Federal
Procurement Data System for Fiscal Year
2009 demonstrates that 98,864 small business
concerns were awarded contracts and
197,728 firms were awarded subcontracts.
However, only contracts for the types of work
identified in the paragraphs above will be
subject to the privacy-training requirement.
We estimated that approximately one-half of
one percent of all small business Government
prime contractors and subcontractors will be
required to conduct privacy training as
follows:
Small business prime contractors ............      98,864
Small business subcontractors ...............   + 197,728
Total small businesses ......................     296,592
Percent w/privacy-training requirement ......     × 0.005
Number of small businesses impacted .........       1,483
Recordkeeping associated with this
proposed rule is minimal; there are no
required formats or templates for the records,
and they will be retained by the contractor
in most cases. The Government only will
request a contractor’s training records on an
exception basis, i.e., if the Government has
a particular reason to check on a contractor’s
compliance with the training requirement.
The Regulatory Secretariat will be
submitting a copy of the Interim
Regulatory Flexibility Analysis (IRFA)
to the Chief Counsel for Advocacy of the
Small Business Administration. A copy
of the IRFA may be obtained from the
Regulatory Secretariat. DoD, GSA and
NASA invite comments from small
business concerns and other interested
parties on the expected impact of this
rule on small entities.
DoD, GSA, and NASA will also
consider comments from small entities
concerning the existing regulations in
subparts affected by this rule in
accordance with 5 U.S.C. 610. Interested
parties must submit such comments
separately and should cite 5 U.S.C. 610
(FAR Case 2010–013) in
correspondence.
IV. Paperwork Reduction Act
The Paperwork Reduction Act (44
U.S.C. chapter 35) applies. The
proposed rule contains information
collection requirements. Accordingly,
the Regulatory Secretariat has submitted
a request for approval of a new
information collection requirement
concerning ‘‘Privacy Training’’ to the
Office of Management and Budget.
A. Public reporting burden for this
collection of information is estimated to
average one hour per response,
including the time for reviewing
instructions, searching existing data
sources, gathering and maintaining the
data needed, and completing and
reviewing the collection of information.
The recordkeeping requirements are
minor, and records generally will be
retained within the contractor’s
organization. While a contractor is
required to identify its employees who
require initial privacy training and
annual privacy training thereafter, there
is no requirement to collect this
information in a particular format or
provide it to the Government, other than
on an exception basis, i.e., when there
is an indication that the contractor is
not complying with the training
requirements.
The annual reporting burden is
estimated as follows:
Respondents .................................  148
Responses per respondent ....................    1
Total annual responses ......................  148
Preparation hours per response ..............    1
Total response burden hours .................  148
B. Request for Comments Regarding
Paperwork Burden.
Submit comments, including
suggestions for reducing this burden,
not later than December 13, 2011 to:
FAR Desk Officer, OMB, Room 10102,
NEOB, Washington, DC 20503, and a
copy to the General Services
Administration, Regulatory Secretariat
(MVCB), ATTN: Hada Flowers, 1275
First Street, NE., 7th Floor, Washington,
DC 20417.
Public comments are particularly
invited on: whether this collection of
information is necessary for the proper
performance of functions of the FAR,
and will have practical utility; whether
our estimate of the public burden of this
collection of information is accurate,
and based on valid assumptions and
methodology; ways to enhance the
quality, utility, and clarity of the
information to be collected; and ways in
which we can minimize the burden of
the collection of information on those
who are to respond, through the use of
appropriate technological collection
techniques or other forms of information
technology.
Requester may obtain a copy of the
supporting statement from the General
Services Administration, Regulatory
Secretariat (MVCB), Attn: Hada Flowers,
1275 First Street, NE., 7th Floor,
Washington, DC 20417. Please cite OMB
Control Number 9000–0182, FAR Case
2010–013, Privacy Training, in
correspondence.
List of Subjects in 48 CFR Parts 24 and 52
Government procurement.
Dated: October 6, 2011.
Laura Auletta,
Acting Director, Office of Governmentwide
Acquisition Policy, Office of Acquisition
Policy.
Therefore, DoD, GSA, and NASA
propose amending 48 CFR parts 24 and
52 as set forth below:
1. The authority citation for 48 CFR
parts 24 and 52 continues to read as
follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C.
chapter 137; and 42 U.S.C. 2473(c).
PART 24—PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION
2. Add subpart 24.3 to read as follows:
Subpart 24.3—Privacy Training
Sec.
24.301 Privacy Training.
24.302 Contract clause.
Subpart 24.3—Privacy Training
§ 24.301 Privacy training.
(a) Contractors are responsible for
conducting initial privacy training, and
annual privacy training thereafter, for
employees who—
(1) Require access to a Government
system of records;
(2) Handle personally identifiable
information; or
(3) Design, develop, maintain, or
operate a system of records on behalf of
the Federal Government (see subpart
24.1 and 39.105).
(b) Agencies shall provide contractors
with the privacy training materials (in a
format deemed appropriate) necessary
to satisfy the requirement described in
paragraph (a) of this section unless, on
an exception basis, the contracting
officer authorizes a contractor to
provide its own privacy training
materials (see 24.302(b)).
(c) Privacy training shall, at a
minimum, address—
(1) The protection of privacy, in
accordance with the Privacy Act (5
U.S.C. 552a);
(2) The handling and safeguarding of
personally identifiable information;
(3) The authorized and official use of
a Government system of records;
(4) Restrictions on the use of
personally-owned equipment to process,
access, or store personally identifiable
information;
(5) The prohibition against access by
unauthorized users, and unauthorized
use by authorized users, of personally
identifiable information or systems of
records on behalf of the Federal
Government;
(6) Breach notification procedures
(i.e., procedures for notifying
appropriate individuals when privacy
information is lost, stolen, or
compromised) to minimize risk and to
ensure prompt and appropriate actions
are taken should a breach occur; and
(7) Any agency-specific privacy
training requirements.
(d) The contractor is responsible for
ensuring that employees identified in
paragraph (a) of this section complete
the required training and maintain
evidence of appropriate training
completed. The contractor is required,
upon request, to provide evidence of
completion of privacy training for all
applicable employees.
(e) Each contractor employee who
requires access to a Government system
of records, handles personally
identifiable information, or designs,
develops, maintains, or operates a
Government system of records, shall be
granted or allowed to retain such access
only if the individual—
(1) Has completed agency-mandated
privacy training that, at a minimum,
addresses the elements in paragraph (c)
of this section; and
(2) Has met all other applicable
agency requirements.
§ 24.302 Contract clause.
(a) When contractor employees will
have access to a Government system of
records, handle personally identifiable
information, or design, develop,
maintain, or operate a system of records,
the contracting officer shall insert the
clause at FAR 52.224–XX, Privacy
Training, in solicitations and contracts.
(b) When the contracting officer elects
to have the contractor provide its own
privacy training materials, use Alternate
I in lieu of paragraph (a) of the basic
clause.
(c) When an agency elects to provide
privacy training to contractor
employees, use Alternate II in lieu of
paragraph (a) of the basic clause.
PART 52—SOLICITATION PROVISIONS AND CONTRACT CLAUSES
3. Add section 52.224–XX to read as
follows:
52.224–XX Privacy Training.
As prescribed in 24.302(a), insert the
following clause:
Privacy Training (Date)
(a) The Contractor shall conduct initial
privacy training, and annual privacy training
thereafter, using the Government-provided
privacy training materials, for employees
who—
(1) Require access to a Government system
of records;
(2) Handle personally identifiable
information; or
(3) Design, develop, maintain, or operate a
system of records on behalf of the Federal
Government (see also FAR subpart 24.1 and
39.105).
(b) The Contractor shall ensure that its
employees, as identified in paragraph (a) of
this clause, complete the required training in
a timely manner. In addition, the Contractor
shall maintain privacy training records, and,
upon request, shall provide to the
Contracting Officer evidence of privacy
training completed for applicable employees.
(c) The Contractor shall not grant any
employee access to a Government system of
records or personally identifiable information
until the employee has completed privacy
training, as required by this clause, and has
met all other applicable agency requirements.
(d) The substance of this clause, including
this paragraph (d), shall be included in all
subcontracts under this contract, when
subcontractor employees will (1) have access
to a Government system of records, (2)
handle personally identifiable information,
or (3) design, develop, maintain, or operate
a system of records on behalf of the Federal
Government.
(End of clause)
Alternate I (Date). If the agency elects to
have the Contractor provide its own privacy
training materials, substitute the following
paragraph (a) for paragraph (a) of the basic
clause:
(a)(1) The Contractor shall conduct initial
privacy training, and annual privacy training
thereafter, using its own privacy training
materials, for employees who—
(i) Require access to a Government system
of records;
(ii) Handle personally identifiable
information; or
(iii) Design, develop, maintain or operate a
system of records on behalf of the Federal
Government (see also FAR subpart 24.1 and
39.105).
(2) The privacy-training materials shall, at
a minimum, address—
(i) The protection of privacy, in accordance
with the Privacy Act (5 U.S.C. 552a);
(ii) The handling and safeguarding of
personally identifiable information;
(iii) The authorized and official use of a
Government system of records;
(iv) Restrictions on the use of personally-owned equipment to process, access, or store
personally identifiable information;
(v) The prohibition against access by
unauthorized users, and unauthorized use by
authorized users, of personally identifiable
information or a system of records on behalf
of the Federal Government;
(vi) Breach notification procedures (i.e.,
procedures for notifying appropriate
individuals when privacy information is lost,
stolen, or compromised); and
(vii) Any agency-specific privacy training
requirements specified by the Contracting
Officer.
Alternate II (Date). If the agency elects to
provide privacy training to contractor
employees, substitute the following
paragraph (a) for paragraph (a) of the basic
clause:
(a)(1) The Government shall provide initial
privacy training, and annual privacy training
thereafter, to contractor employees who—
(i) Require access to a Government system
of records;
(ii) Handle personally identifiable
information; or
(iii) Design, develop, maintain, or operate
a system of records on behalf of the Federal
Government (see also subpart 24.1 and
39.105).
(2) The Government will conduct privacy
training to Contractor employees in the same
format given its own employees (e.g., lecture,
computer-based training, Web-based training,
video conferencing, etc.).
[FR Doc. 2011–26546 Filed 10–13–11; 8:45 am]
BILLING CODE 6820–EP–P
DEPARTMENT OF TRANSPORTATION
Federal Railroad Administration
49 CFR Part 236
[Docket No. FRA–2011–0028, Notice No. 2]
RIN 2130–AC27
Positive Train Control Systems
AGENCY: Federal Railroad
Administration (FRA), Department of
Transportation (DOT).
ACTION: Notice of public hearing and
extension of comment period.
SUMMARY: On August 24, 2011, FRA
published a notice of proposed
rulemaking that would remove
regulatory provisions requiring railroads
to either conduct further analyses or
meet certain risk-based criteria in order
to avoid positive train control (PTC)
system implementation on track
segments that do not transport poison-
or toxic-by-inhalation (PIH) hazardous
materials traffic and are not used for
intercity or commuter rail passenger
transportation as of December 31, 2015.
FRA is announcing a public hearing to
provide interested persons an
opportunity to provide comments on the
proposal and to discuss further
development of the regulation. The Rail
[Federal Register Volume 76, Number 199 (Friday, October 14, 2011)]
[Proposed Rules]
[Pages 63896-63899]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-26546]
coverage in order to ensure consistency across the Government. For
example, any privacy training must address the protection of privacy,
in accordance with the Privacy Act (5 U.S.C. 552a), and the handling
and safeguarding of personally identifiable information. The proposed
FAR text includes seven mandatory elements of the privacy training,
including any agency-specific requirements. Many agencies currently
require that designated contractor employees complete agency-developed
privacy training, but, in some circumstances, an agency may provide a
contractor with the Privacy Act requirements and have the contractor
develop the training package. While the use of an agency-developed
privacy training package is the most common approach, and the approach
embodied in the clause at FAR 52.224-XX, Privacy Training, the proposed
FAR language provides an Alternate I to the FAR clause for those cases
where the agency prefers to have the contractor create the privacy
training package. Additionally, the proposed FAR language provides an
Alternate II to the FAR clause for those instances when it's determined
to be in the best interest of the Government for a contractor employee
to attend agency-provided privacy training.
Under the proposed FAR rule, a contractor employee who requires
access to a Government system of records will be granted or allowed to
retain such access only if the individual has (1) completed privacy
training and (2) met all other applicable agency requirements.
II. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
This is a significant regulatory action and, therefore, was subject to
review under Section 6(b) of E.O. 12866, Regulatory Planning and
Review, dated September 30, 1993. This rule is not a major rule under 5
U.S.C. 804.
III. Regulatory Flexibility Act
The change may have a significant economic impact on a substantial
number of small entities within the meaning of the Regulatory
Flexibility Act 5 U.S.C. 601, et seq. The Initial Regulatory
Flexibility Analysis (IRFA) is summarized as follows:
This proposed rule was initiated to ensure that contractor
personnel who handle personally identifiable information; design,
develop, maintain, or operate a system of records on behalf of the
Government; or require access to a Government-owned system of
records are properly trained on the requirements of applicable laws
and appropriate safeguards to ensure the security and
confidentiality of personally identifiable information.
Such training of contractor employees is required by provisions
of the Privacy Act (5 U.S.C. 552a), Title III of the E-Government
Act of 2002, the Office of Management and Budget (OMB) Memorandum M-
07-16, and existing Privacy Act clauses (52.224-1 and 52.224-2).
Various other statutes, applicable authorities, and memoranda
address the responsibility of Federal agencies to ensure that
Government and contractor personnel are instructed on compliance
requirements pertaining to the handling and safeguarding of
personally identifiable information. The list includes, but is not
limited to the following:
The Federal Information Security Management Act (FISMA)
of 2002 (44 U.S.C. 3541);
OMB Memorandum M-06-15, Safeguarding Personally
Identifiable Information; and
OMB Circular No. A-130, Management of Federal
Information Resources.
The proposed rule requires all contractors with contracts that
require employees to have access to personally identifiable
information to complete training that addresses the
statutory requirements for protection of privacy, in accordance with
the Privacy Act (5 U.S.C. 552a), and the handling and safeguarding
of personally identifiable information. This rule requires the
contractor to identify its employees who require access, ensure that
those employees complete agency-provided privacy training before
being granted access and annually thereafter, and maintain records
of the training. In a few cases, the content of the training will
not be provided by the agency but will be created by the contractor
in accordance with Alternate I to the clause at FAR 52.224-XX.
Alternate II to the clause at FAR 52.224-XX applies if it is determined to
be in the best interest of the Government for a contractor employee
to attend agency-provided privacy training. This rule does not apply
to commercial items.
Information obtained from the Federal Procurement Data System
for Fiscal Year 2009 demonstrates that 98,864 small business
concerns were awarded contracts and 197,728 firms were awarded
subcontracts. However, only contracts for the types of work
identified in the paragraphs above will be subject to the privacy-
training requirement. We estimated that approximately one-half of
one percent of all small business Government prime contractors and
subcontractors will be required to conduct privacy training as
follows:
Small business prime contractors              98,864
Small business subcontractors              + 197,728
                                           ---------
Total small businesses                       296,592
Percent w/privacy-training requirement       x 0.005
                                           ---------
Number of small businesses impacted            1,483
Recordkeeping associated with this proposed rule is minimal;
there are no required formats or templates for the records, and they
will be retained by the contractor in most cases. The Government
only will request a contractor's training records on an exception
basis, i.e., if the Government has a particular reason to check on a
contractor's compliance with the training requirement.
The Regulatory Secretariat will be submitting a copy of the Interim
Regulatory Flexibility Analysis (IRFA) to the Chief Counsel for
Advocacy of the Small Business Administration. A copy of the IRFA may
be obtained from the Regulatory Secretariat. DoD, GSA and NASA invite
comments from small business concerns and other interested parties on
the expected impact of this rule on small entities.
DoD, GSA, and NASA will also consider comments from small entities
concerning the existing regulations in subparts affected by this rule
in accordance with 5 U.S.C. 610. Interested parties must submit such
comments separately and should cite 5 U.S.C. 610 (FAR Case 2010-013) in
correspondence.
IV. Paperwork Reduction Act
The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The
proposed rule contains information collection requirements.
Accordingly, the Regulatory Secretariat has submitted a request for
approval of a new information collection requirement concerning
``Privacy Training'' to the Office of Management and Budget.
A. Public reporting burden for this collection of information is
estimated to average one hour per response, including the time for
reviewing instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the
collection of information. The recordkeeping requirements are minor,
and records generally will be retained within the contractor's
organization. While a contractor is required to identify its employees
who require initial privacy training and annual privacy training
thereafter, there is no requirement to collect this information in a
particular format or provide it to the Government, other than on an
exception basis, i.e., when there is an indication that the contractor
is not complying with the training requirements.
The annual reporting burden is estimated as follows:
Respondents                          148
Responses per respondent               1
                                    ----
Total annual responses               148
Preparation hours per response         1
                                    ----
Total response burden hours          148
B. Request for Comments Regarding Paperwork Burden.
Submit comments, including suggestions for reducing this burden,
not later than December 13, 2011 to: FAR Desk Officer, OMB, Room 10102,
NEOB, Washington, DC 20503, and a copy to the General Services
Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275
First Street, NE., 7th Floor, Washington, DC 20417.
Public comments are particularly invited on: whether this
collection of information is necessary for the proper performance of
functions of the FAR, and will have practical utility; whether our
estimate of the public burden of this collection of information is
accurate, and based on valid assumptions and methodology; ways to
enhance the quality, utility, and clarity of the information to be
collected; and ways in which we can minimize the burden of the
collection of information on those who are to respond, through the use
of appropriate technological collection techniques or other forms of
information technology.
Requesters may obtain a copy of the supporting statement from the
General Services Administration, Regulatory Secretariat (MVCB), Attn:
Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417.
Please cite OMB Control Number 9000-0182, FAR Case 2010-013, Privacy
Training, in correspondence.
List of Subjects in 48 CFR Parts 24 and 52
Government procurement.
Dated: October 6, 2011.
Laura Auletta,
Acting Director, Office of Governmentwide Acquisition Policy, Office of
Acquisition Policy.
Therefore, DoD, GSA, and NASA propose amending 48 CFR parts 24 and
52 as set forth below:
1. The authority citation for 48 CFR parts 24 and 52 continues to
read as follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42
U.S.C. 2473(c).
PART 24--PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION
2. Add subpart 24.3 to read as follows:
Subpart 24.3--Privacy Training
Sec.
24.301 Privacy Training.
24.302 Contract clause.
Subpart 24.3--Privacy Training
Sec. 24.301 Privacy training.
(a) Contractors are responsible for conducting initial privacy
training, and annual privacy training thereafter, for employees who--
(1) Require access to a Government system of records;
(2) Handle personally identifiable information; or
(3) Design, develop, maintain, or operate a system of records on
behalf of the Federal Government (see subpart 24.1 and 39.105).
(b) Agencies shall provide contractors with the privacy training
materials (in a format deemed appropriate) necessary to satisfy the
requirement described in paragraph (a) of this section unless, on an
exception basis, the contracting officer authorizes a contractor to
provide its own privacy training materials (see 24.302(b)).
(c) Privacy training shall, at a minimum, address--
(1) The protection of privacy, in accordance with the Privacy Act
(5 U.S.C. 552a);
(2) The handling and safeguarding of personally identifiable
information;
(3) The authorized and official use of a Government system of
records;
(4) Restrictions on the use of personally-owned equipment to
process, access, or store personally identifiable information;
(5) The prohibition against access by unauthorized users, and
unauthorized use by authorized users, of personally identifiable
information or systems of records on behalf of the Federal Government;
(6) Breach notification procedures (i.e., procedures for notifying
appropriate individuals when privacy information is lost, stolen, or
compromised) to minimize risk and to ensure prompt and appropriate
actions are taken should a breach occur; and
(7) Any agency-specific privacy training requirements.
(d) The contractor is responsible for ensuring that employees
identified in paragraph (a) of this section complete the required
training and maintain evidence of appropriate training completed. The
contractor is required, upon request, to provide evidence of completion
of privacy training for all applicable employees.
(e) Each contractor employee who requires access to a Government
system of records, handles personally identifiable information, or
designs, develops, maintains, or operates a Government system of
records, shall be granted or allowed to retain such access only if the
individual--
(1) Has completed agency-mandated privacy training that, at a
minimum, addresses the elements in paragraph (c) of this section; and
(2) Has met all other applicable agency requirements.
Sec. 24.302 Contract clause.
(a) When contractor employees will have access to a Government
system of records, handle personally identifiable information, or
design, develop, maintain, or operate a system of records, the
contracting officer shall insert the clause at FAR 52.224-XX, Privacy
Training, in solicitations and contracts.
(b) When the contracting officer elects to have the contractor
provide its own privacy training materials, use Alternate I in lieu of
paragraph (a) of the basic clause.
(c) When an agency elects to provide privacy training to contractor
employees, use Alternate II in lieu of paragraph (a) of the basic
clause.
PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
3. Add section 52.224-XX to read as follows:
52.224-XX Privacy Training.
As prescribed in 24.302(a), insert the following clause:
Privacy Training (Date)
(a) The Contractor shall conduct initial privacy training, and
annual privacy training thereafter, using the Government-provided
privacy training materials, for employees who--
(1) Require access to a Government system of records;
(2) Handle personally identifiable information; or
(3) Design, develop, maintain, or operate a system of records on
behalf of the Federal Government (see also FAR subpart 24.1 and
39.105).
(b) The Contractor shall ensure that its employees, as
identified in paragraph (a) of this clause, complete the required
training in a timely manner. In addition, the Contractor shall
maintain privacy training records, and, upon request, shall provide
to the Contracting Officer evidence of privacy training completed
for applicable employees.
(c) The Contractor shall not grant any employee access to a
Government system of records or personally identifiable information
until the employee has completed privacy training, as required by
this clause, and has met all other applicable agency requirements.
(d) The substance of this clause, including this paragraph (d),
shall be included in all subcontracts under this contract, when
subcontractor employees will (1) have access to a Government system
of records, (2) handle personally identifiable information, or (3)
design, develop, maintain, or operate a system of records on behalf
of the Federal Government.
(End of clause)
Alternate I (Date). If the agency elects to have the Contractor
provide its own privacy training materials, substitute the following
paragraph (a) for paragraph (a) of the basic clause:
(a)(1) The Contractor shall conduct initial privacy training,
and annual privacy training thereafter, using its own privacy
training materials, for employees who--
(i) Require access to a Government system of records;
(ii) Handle personally identifiable information; or
(iii) Design, develop, maintain or operate a system of records
on behalf of the Federal Government (see also FAR subpart 24.1 and
39.105).
(2) The privacy-training materials shall, at a minimum,
address--
(i) The protection of privacy, in accordance with the Privacy
Act (5 U.S.C. 552a);
(ii) The handling and safeguarding of personally identifiable
information;
(iii) The authorized and official use of a Government system of
records;
(iv) Restrictions on the use of personally-owned equipment to
process, access, or store personally identifiable information;
(v) The prohibition against access by unauthorized users, and
unauthorized use by authorized users, of personally identifiable
information or a system of records on behalf of the Federal
Government;
(vi) Breach notification procedures (i.e., procedures for
notifying appropriate individuals when privacy information is lost,
stolen, or compromised); and
(vii) Any agency-specific privacy training requirements
specified by the Contracting Officer.
Alternate II (Date). If the agency elects to provide privacy
training to contractor employees, substitute the following paragraph
(a) for paragraph (a) of the basic clause:
(a)(1) The Government shall provide initial privacy training,
and annual privacy training thereafter, to contractor employees
who--
(i) Require access to a Government system of records;
(ii) Handle personally identifiable information; or
(iii) Design, develop, maintain, or operate a system of records
on behalf of the Federal Government (see also subpart 24.1 and
39.105).
(2) The Government will conduct privacy training to Contractor
employees in the same format given its own employees (e.g., lecture,
computer-based training, Web-based training, video conferencing,
etc.).
[FR Doc. 2011-26546 Filed 10-13-11; 8:45 am]