Federal Acquisition Regulation; Privacy Training, 93476-93481 [2016-30213]

93476 Federal Register / Vol. 81, No. 244 / Tuesday, December 20, 2016 / Rules and Regulations

DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Chapter 1

[Docket No. FAR 2016–0051, Sequence No. 8]

Federal Acquisition Regulation; Federal Acquisition Circular 2005–94; Introduction

AGENCY: Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Summary presentation of final rules.

SUMMARY: This document summarizes the Federal Acquisition Regulation (FAR) rules agreed to by the Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) in this Federal Acquisition Circular (FAC) 2005–94. A companion document, the Small Entity Compliance Guide (SECG), follows this FAC. The FAC, including the SECG, is available via the Internet at http://www.regulations.gov.

DATES: For effective dates see the separate documents, which follow.

FOR FURTHER INFORMATION CONTACT: The analyst whose name appears in the table below in relation to the FAR case. Please cite FAC 2005–94 and the specific FAR case number. For information pertaining to status or publication schedules, contact the Regulatory Secretariat Division at 202–501–4755.

SUPPLEMENTARY INFORMATION: Summaries for each FAR rule follow. For the actual revisions and/or amendments made by these rules, refer to the specific item numbers and subjects set forth in the documents following these item summaries.

RULES LISTED IN FAC 2005–94

Item   Subject                     FAR Case   Analyst
I      Privacy Training            2010–013   Gray.
II     Payment of Subcontractors   2014–004   Glover.

FAC 2005–94 amends the FAR as follows:

Item I—Privacy Training (FAR Case 2010–013)

This final rule amends the Federal Acquisition Regulation to clarify the training requirements for contractors whose employees will have access to a system of records on individuals or handle personally identifiable information. These training requirements are consistent with the Privacy Act of 1974, 5 U.S.C. 552a, and OMB Circular A–130, Managing Federal Information as a Strategic Resource. Prime contractors are required to flow down these requirements to all applicable subcontracts.

Item II—Payment of Subcontractors (FAR Case 2014–004)

This final rule amends the Federal Acquisition Regulation (FAR) to implement section 1334 of the Small Business Jobs Act of 2010 and the Small Business Administration’s (SBA) final rule, published July 16, 2013. If a contract requires a subcontracting plan, the prime contractor must notify the contracting officer in writing if the prime contractor pays a reduced payment to a small business subcontractor, or an untimely payment if the payment to a small business subcontractor is more than 90 days past due for supplies or services for which the Government has paid the contractor. The contractor is also to include the reason for the reduction in payment or failure to pay. A contracting officer will then use his or her best judgment in determining whether the reduced or untimely payments were justified. The contracting officer must record the identity of a prime contractor with a history of three or more unjustified reduced or untimely payments to subcontractors within a 12-month period under a single contract, in the Federal Awardee Performance and Integrity Information System (FAPIIS). This regulation will benefit small business subcontractors by encouraging large business prime contractors to pay small business subcontractors in a timely manner and at the agreed upon contractual price.

Dated: December 9, 2016.
William F. Clark,
Director, Office of Government-wide Acquisition Policy, Office of Acquisition Policy, Office of Government-wide Policy.

Federal Acquisition Circular (FAC) 2005–94 is issued under the authority of the Secretary of Defense, the Administrator of General Services, and the Administrator for the National Aeronautics and Space Administration.

Unless otherwise specified, all Federal Acquisition Regulation (FAR) and other directive material contained in FAC 2005–94 is effective December 20, 2016 except for items I and II, which are effective January 19, 2017.

Dated: December 9, 2016.
Claire M. Grady,
Director, Defense Procurement and Acquisition Policy.

Dated: December 8, 2016.
Jeffrey A. Koses,
Senior Procurement Executive/Deputy CAO, Office of Acquisition Policy, U.S. General Services Administration.

Dated: December 8, 2016.
William P. McNally,
Assistant Administrator, Office of Procurement, National Aeronautics and Space Administration.

[FR Doc. 2016–30212 Filed 12–19–16; 8:45 am]
BILLING CODE 6820–EP–P

DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR parts 1, 24, and 52

[FAC 2005–94; FAR Case 2010–013; Item I; Docket No. 2010–0013; Sequence No. 1]

RIN 9000–AM06

Federal Acquisition Regulation; Privacy Training

AGENCY: Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

SUMMARY: DoD, GSA, and NASA are issuing a final rule amending the Federal Acquisition Regulation (FAR) to require that contractors, whose employees have access to a system of records or handle personally identifiable information, complete privacy training.

DATES: Effective: January 19, 2017.

FOR FURTHER INFORMATION CONTACT: Mr. Charles Gray, Procurement Analyst, at 703–795–6328 for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat Division at 202–501–4755. Please cite FAC 2005–94, FAR Case 2010–013.

SUPPLEMENTARY INFORMATION:

I. Background

DoD, GSA, and NASA published a proposed rule in the Federal Register at 76 FR 63896 on October 14, 2011, to provide guidance to contractors regarding the requirement to complete training that addresses the protection of privacy in accordance with the Privacy Act of 1974, 5 U.S.C. 552a, as amended, and the handling and safeguarding of personally identifiable information (PII). The rule ensures that contractors identify employees who handle PII, have access to a system of records, or design, develop, maintain, or operate a system of records. These employees are required to complete initial privacy training and annual privacy training thereafter. A contractor who has employees involved in these activities is also required to maintain records indicating that its employees have completed the requisite training and provide these records to the contracting officer upon request. In addition, the prime contractor is required to flow down these requirements to all applicable subcontracts.

Fifteen respondents submitted comments, including comments regarding the Initial Regulatory Flexibility Analysis (IRFA), and the Paperwork Reduction Act (PRA) analysis.

II. Discussion and Analysis

The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (the Councils) reviewed the public comments in the development of the final rule. A discussion of the comments and the changes made to the rule as a result of those comments is provided as follows (comments pertaining to the IRFA and PRA analysis are addressed in sections V and VI of this preamble):

A. Summary of Significant Changes

The final rule clarifies the responsibilities for contractors awarded contracts involving access to PII and streamlines the options for providing training. These clarifications include—
• Alternate I of the clause is amended to replace the proposed text, which gave the option to agencies to have contractors furnish their own training materials. The final rule no longer contains this option and what was Alternate II in the proposed rule now becomes Alternate I in the final rule; and
• The applicability of the rule to commercial items is clarified.

The final rule also provides a number of clarifications consistent with Office of Management and Budget (OMB) Circular A–130, which was revised on July 28, 2016. These clarifications address the substance of the minimal privacy training requirements, to include—
• A revised definition for PII;
• The requirement for foundational as well as more advanced levels of privacy training;
• The requirement for there to be measures in place to test the knowledge level of the employee; and
• The requirement for role-based privacy training.

B. Analysis of Public Comments

1. Requests To Withdraw the Proposed Rule

Comment: Several respondents suggested that the proposed rule should be withdrawn, given the “considerable burden implications and the fact that the proposed rule does not provide compelling justification.” These respondents stated that withdrawing the rule would “avoid causing confusion and redundancy.” The respondents noted that the requirements of the Privacy Act have been in place for 35 years and stated that the Councils did not explain why the Government believes “that additional protections are now needed.”

Response: There are a number of applicable authorities, beyond the Privacy Act, that address the responsibility for Federal agencies to ensure that Government and contractor personnel are instructed on compliance requirements with the laws, rules, and guidance pertaining to handling and safeguarding PII. This rule establishes minimum requirements consistent with those authorities to ensure consistency across the Government. Further, the increasing portability of data and various instances of loss or potential disclosure of protected information have resulted in greater scrutiny regarding the Government’s information collection practices and information security management.

2. Applicability to Commercial Item Contracts

Comment: Several respondents expressed concern with the applicability to commercial item contracts. The respondents considered that excluding commercial item contracts from the privacy training requirement failed to take into account the Government’s increased use of FAR part 12 purchases; that training on the improper release of Privacy Act information should not exempt FAR part 12 contracts; and, overall, the decision to exempt commercial item contracts would not serve the Government’s best interests.
One respondent had a different perspective on the proposed rule, and complimented the FAR Council for exempting commercial item contracts from the privacy training requirement. However, the respondent noted that this policy was not reflected in the proposed rule’s clause or clause prescription. This respondent also recommended that all subcontracts for commercial items be exempted from the privacy training requirement.

Response: The final rule clarifies that the privacy training requirement applies to contracts and subcontracts for commercial items when they involve access to a system of records. Exempting commercial item contracts and subcontracts would exclude a significant portion of Government contracts that involve the design, development, operation, or maintenance of a system of records and would therefore diminish the effectiveness of the rule.

3. Training

Comment: Respondents had multiple concerns related to the content of the required training, such as whether the training would be best developed by the agency or by the contractor and which contractor employees should be required to take the training. Several respondents questioned the efficacy of having contractor employees who work under more than one agency’s contracts potentially taking multiple courses. Other respondents questioned who would decide if the training would be provided by the agency or by the contractor, e.g., could the contractor decide to forego an agency course in favor of its own course? One respondent recommended that training include instruction on the Privacy Act’s transparency requirements. Another respondent questioned how agencies would be held responsible for providing the training in a timely manner. Other respondents questioned which contractor employees should be required to complete the training, whether subcontractors would be required to take the training, and whether certain professional positions, such as psychologists, should be exempt from the training based on their professional training.

Response: The final rule allows the contractor flexibility to utilize privacy training from any source that meets the minimum content requirements, unless the agency specifies in the contract that only agency-provided training is acceptable (by using the clause with its Alternate I, as specified at FAR 24.302(b)). This guidance on flexibility is also provided directly in the clause at 52.224–3(c)(2). This is intended to minimize or eliminate duplicative or overlapping training. Initial training is required and annual training thereafter. Finally, consistent with the revisions made to OMB Circular A–130, the requirements for privacy training at 24.301(b) and the clause at 52.224–3(c) are clarified to ensure privacy training is role-based, provides foundational as well as more advanced levels of training, and that measures are in place to test the knowledge level of users. At a minimum, privacy training shall cover—
• The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;
• The appropriate handling and safeguarding of PII;
• The authorized and official use of a system of records or any other PII;
• Restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access, or store PII;
• The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII or systems of records; and
• Procedures to be followed in the event of a potential or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of PII.
4. Flowdown

Comment: A respondent noted that, where the prime contractor is covered by the rule, the training requirement will likely flow down to subcontractors and lower tier contractors. Accordingly, the respondent recommended that the mandatory provision at 52.224–3(d) include a provision that exempts from the mandatory flow down any subcontract(s) specific to commercial items.

Response: The requirements of this rule will flow down to all subcontractors involved with the handling and safeguarding of PII. These protections are necessary when the work requires contractor employees and subcontractor employees to have access to systems of records, handling PII, or the design, development, maintenance, or operation of a system of records on behalf of the Federal Government.

5. Definitions

Comment: A respondent recommended including definitions of “restrictions,” as used in FAR 24.301(c)(4) and Alternate I, and “access,” as used in FAR 24.301, 24.302, and the clause at 52.224–3.

Response: These are not unique words. Therefore, the Councils will use the standard dictionary definitions for these terms.

6. Accountability and Audit

Comment: One respondent recommended that, during an audit, the contractor must produce a list of the individuals who completed training, or have a copy of the employee’s training certificate in the employee’s personnel records.

Response: The final rule requires the contractor to maintain privacy training documentation and provide it upon request to the Government agency making the request. This may be requested, when necessary, to ensure effective management and oversight of this annual privacy training requirement.

7. Other Comments

Comment: One respondent recommended that FAR 24.302 be revised to clarify who is responsible for determining whether the Statement of Work involves a system of records.
Another respondent recommended that, if a final rule were promulgated, it would be appropriate to recognize a specific certification.

Response: As with all clause prescriptions, the contracting officer will determine whether the clause applies. In addition, the FAR covers all options for meeting the training requirement.

Comment: Several respondents submitted editorial comments on the proposed rule. One respondent stated that there is no need to create a separate subpart within FAR part 24. In addition, this respondent provided suggestions on the proper format for citations within the FAR. Another respondent recommended additional coverage regarding the Government-provided training method and also recommended a revision to the last sentence in FAR 24.301(b). A third respondent recommended using the term “personally identifiable” in lieu of “privacy.”

Response: The Councils determined that there is a need for a separate subpart 24.3 and have retained it in the final rule. The required training does not encompass solely the Privacy Act; it is only one of the areas listed that must be addressed as part of privacy training. Other areas include—
• The appropriate handling and safeguarding of PII; the authorized and official use of systems of records or any other PII; restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access, or store PII; the prohibition against unauthorized access, handling, or use of PII or systems of records; and
• Procedures to be followed in the event of a suspected or confirmed breach of a system of records or an unauthorized disclosure, access, handling, or use of PII.

This subject matter does not fit within either of the existing subparts of FAR part 24; therefore, a separate subpart 24.3 is needed. The remaining editorial comments have been considered for inclusion in FAR subpart 24.

III. Applicability to Contracts at or Below the Simplified Acquisition Threshold and for Commercial Items, Including Commercially Available Off-the-Shelf Items

This rule is applicable to contracts and subcontracts at or below the simplified acquisition threshold (SAT) and to contracts and subcontracts for commercial items, including contracts and subcontracts for commercially available off-the-shelf (COTS) items. The statutory authority for this rule, the Privacy Act of 1974, 5 U.S.C. 552a, predates the exemptions in 41 U.S.C. 1905, 1906, and 1907, which stipulate that a provision of law enacted after October 13, 1994 shall not be made applicable to contracts or subcontracts, unless the FAR Council or the Administrator of the Office of Federal Procurement Policy makes a written determination that such exemption would not be in the best interests of the Federal Government.

IV. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

V. Regulatory Flexibility Act

DoD, GSA, and NASA have prepared a final regulatory flexibility analysis (FRFA) consistent with the Regulatory Flexibility Act, 5 U.S.C. 601, et seq.
The FRFA is summarized as follows:

The objective of the rule is to ensure that contractor employees complete initial and annual privacy training if the employees have access to a system of records, handle personally identifiable information (PII), or design, develop, maintain, or operate a system of records involving PII on behalf of the Government.

One public comment was received in response to the Initial Regulatory Flexibility Analysis, which was published in the Federal Register at 76 FR 63896 on October 14, 2011:

Comment: The Initial Regulatory Flexibility Analysis (IRFA), which addressed the impact of the rule on small entities, should assess the impact this rule may have on the research community’s funding of sponsored research, as this group is likely to be adversely affected by the proposed rule, in the respondent’s opinion.

Response: Research institutions are included in the Regulatory Flexibility Act’s definition of a small entity and were thus given the same consideration in the IRFA analysis as other small entities. The analysis in this FRFA has been revised to incorporate commercial item contracts. Therefore, the impact on research institutions has been accommodated whether the institution was awarded a negotiated contract or a FAR part 12 commercial item contract. Because the FAR does not address grants or cooperative agreements, the FRFA does not include consideration of such agreements in the analysis. Research institutions, or any other small entities, will not bear any significant impact resulting from this rule, given that the requirements of the Privacy Act, including training on the Act’s requirements, have been in place for over 40 years and this rule just establishes minimum requirements for Privacy Act training, to ensure consistency across the Government.
The rule requires all contractors with contracts that require employees to have access to PII to complete training that addresses the statutory requirements for protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a), and the handling and safeguarding of PII.

In the IRFA, it was estimated that approximately 1,483 small businesses would be impacted. However, because the final rule clarifies its applicability to commercial item contracts, the number of small entities previously estimated to be impacted by this rule has been revised as described in the following paragraphs:

Information obtained from the Federal Procurement Data System (FPDS) for fiscal year (FY) 2015 reveals that approximately 10,607 unique vendors received contracts that most likely entailed the design, development, maintenance or operation of a system of records; required access to a system of records; or handled PII from individuals, on behalf of the Government. The estimated number of subcontractors who likewise will be involved in these activities is 21,214, or double the amount of prime contractors. In all, the total number of contractors and subcontractors (including contracts and subcontracts for commercial items) that may be subject to the requirements of this rule is 31,821. Examination of FY 2015 FPDS data also reveals that approximately 61 percent of these contractors and subcontractors are small business entities. Based on this information, the following analysis was used to determine the number of small businesses that may be impacted by this rule:
• Small businesses that may receive contracts = (10,607 × .61): 6,470
• Small businesses that may receive subcontracts = (21,214 × .61): 12,941
• Total number of small businesses that may be impacted by rule: 19,411

There is minimal recordkeeping associated with this rule.
Contractors will likely maintain employee training records for privacy training similar to how they maintain their employees’ other training records. There are no required formats or templates for documentation, and documentation will be retained by the contractor in most cases. The Government will likely request a firm’s training documentation only when necessary to ensure effective management and oversight.

The final rule addresses several steps to minimize the economic impact on small entities, most notably by clarifying responsibilities and streamlining the options for providing privacy training. This final rule also removes from the clause consideration of agency-specific training elements, while retaining the required minimum training elements. Agency-specific training elements are provided in Alternate I of the clause.

Interested parties may obtain a copy of the FRFA from the Regulatory Secretariat Division. The Regulatory Secretariat Division has submitted a copy of the FRFA to the Chief Counsel for Advocacy of the Small Business Administration.

VI. Paperwork Reduction Act

The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The rule contains information collection requirements. OMB has cleared the information collection requirement under OMB Control Number 9000–0182, entitled Privacy Training, in the amount of 97,670 public burden hours.

Two respondents submitted comments in response to the initial notice published in the preamble of the Federal Register notice published at 76 FR 63896, on October 14, 2011. Both of the respondents submitted similar comments as follows:

Comment: The respondents stated that the public’s Paperwork Reduction Act estimated annual reporting burden was understated. The respondents believed that (a) requiring contractors to conduct their own privacy training and (b) requiring re-training every year created a greater burden on contractors than what was shown in the proposed rule.

Response: The information collection requirement for this rule does not address the burden associated with conducting the initial or subsequent annual privacy training. Rather, it focuses solely on the obligation of Federal contractors to maintain documentation showing that the required privacy training was completed by the employee and, upon request, provide completion documentation to the contracting officer. In this regard, the same philosophy expressed in the preamble for the proposed rule holds true for the final rule as well, i.e., the recordkeeping requirements are considered to be minor and a contracting officer will request documentation only when necessary to ensure effective management and oversight. However, since the analysis used in the proposed rule did not consider contracts involving the acquisition of commercial items, the methodology used to derive the estimated public burden needed to be adjusted to encompass these contracts. In addition, the estimated public burden hours vary from the estimates in the notice published in the Federal Register at 79 FR 68249, on November 14, 2014, in order to reflect the use of FY 2015 data, rather than FY 2014 data.

List of Subjects in 48 CFR parts 1, 24, and 52

Government procurement.

Dated: December 9, 2016.
William Clark,
Director, Office of Government-wide Acquisition Policy, Office of Acquisition Policy, Office of Government-wide Policy.

Therefore, DoD, GSA, and NASA amend 48 CFR parts 1, 24, and 52 as set forth below:

■ 1. The authority citation for 48 CFR parts 1, 24, and 52 continues to read as follows:

Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 51 U.S.C. 20113.

PART 1—FEDERAL ACQUISITION REGULATIONS SYSTEM

1.106 [Amended]

■ 2. Amend section 1.106 in the table following the introductory text, by adding in numerical sequence, FAR segments “24.3” and “52.224–3” and their corresponding OMB Control Number “9000–0182”.

PART 24—PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION

■ 3. Amend section 24.101 by adding in alphabetical order the definition of “personally identifiable information” to read as follows:

24.101 Definitions.

* * * * *

Personally identifiable information means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. (See Office of Management and Budget (OMB) Circular No. A–130, Managing Federal Information as a Strategic Resource).

* * * * *

■ 4. Add subpart 24.3 to read as follows:

Subpart 24.3—Privacy Training

Sec.
24.301 Privacy training.
24.302 Contract clause.

Subpart 24.3—Privacy Training

24.301 Privacy training.

(a) Contractors are responsible for ensuring that initial privacy training, and annual privacy training thereafter, is completed by contractor employees who—
(1) Have access to a system of records;
(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of the agency; or
(3) Design, develop, maintain, or operate a system of records (see FAR subpart 24.1 and 39.105).

(b) Privacy training shall address the key elements necessary for ensuring the safeguarding of personally identifiable information or a system of records. The training shall be role-based, provide foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users. At a minimum, the privacy training shall cover—
(1) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;
(2) The appropriate handling and safeguarding of personally identifiable information;
(3) The authorized and official use of a system of records or any other personally identifiable information;
(4) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access personally identifiable information;
(5) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and
(6) Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information (see Office of Management and Budget guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).

(c) The contractor may provide its own training or use the training of another agency unless the contracting agency specifies that only its agency-provided training is acceptable (see 24.302(b)).

(d) The contractor is required to maintain and, upon request, to provide documentation of completion of privacy training for all applicable employees.

(e) No contractor employee shall be permitted to have or retain access to a system of records, create, collect, use, process, store, maintain, disseminate, disclose, or dispose, or otherwise handle personally identifiable information, or design, develop, maintain, or operate a system of records, unless the employee has completed privacy training that, at a minimum, addresses the elements in paragraph (b) of this section.

24.302 Contract clause.
(a) The contracting officer shall insert the clause at FAR 52.224–3, Privacy Training, in solicitations and contracts when, on behalf of the agency, contractor employees will—
(1) Have access to a system of records;
(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or
(3) Design, develop, maintain, or operate a system of records.

(b) When an agency specifies that only its agency-provided training is acceptable, use the clause with its Alternate I.

PART 52—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

■ 5. Amend section 52.212–5 by—
■ a. Revising the date of the clause;
■ b. Redesignating paragraphs (b)(47) through (60) as paragraphs (b)(48) through (61), respectively;
■ c. Adding a new paragraph (b)(47);
■ d. Redesignating paragraphs (e)(1)(xix) through (xx) as paragraphs (e)(1)(xx) through (xxi), respectively;
■ e. Adding a new paragraph (e)(1)(xix);
■ f. Revising the date of Alternate II;
  ■ 1. Redesignating paragraphs (e)(1)(ii)(S) and (T) as paragraphs (e)(1)(ii)(T) and (U), respectively; and
  ■ 2. Adding a new paragraph (e)(1)(ii)(S).

The revisions and additions read as follows:

52.212–5 Contract Terms and Conditions Required To Implement Statutes or Executive Orders—Commercial Items.

* * * * *

Contract Terms and Conditions Required To Implement Statutes or Executive Orders—Commercial Items (JAN 2017)

* * * * *

(b) * * *
(47)(i) 52.224–3, Privacy Training (JAN 2017) (5 U.S.C. 552a).
(ii) Alternate I (JAN 2017) of 52.224–3.

* * * * *

(e)(1) * * *
(xix)(A) 52.224–3, Privacy Training (JAN 2017) (5 U.S.C. 552a).
(B) Alternate I (JAN 2017) of 52.224–3.

* * * * *

Alternate II (JAN 2017). * * *

* * * * *

(e)(1) * * *
(ii) * * *
(S)(1) 52.224–3, Privacy Training (JAN 2017) (5 U.S.C. 552a).
(2) Alternate I (JAN 2017) of 52.224–3.

* * * * *

■ 6. Amend section 52.213–4 by—
■ a. Revising the date of the clause; and
■ b. Revising the date in paragraph (a)(2)(viii).

The revisions read as follows:

52.213–4 Terms and Conditions—Simplified Acquisitions (Other Than Commercial Items).

* * * * *

Terms and Conditions—Simplified Acquisitions (Other Than Commercial Items) (JAN 2017)

* * * * *

(a) * * *
(2) * * *
(viii) 52.244–6, Subcontracts for Commercial Items (JAN 2017).

* * * * *

■ 7. Add section 52.224–3 to read as follows:

52.224–3 Privacy Training.

As prescribed in 24.302(a), insert the following clause:

Privacy Training (JAN 2017)

(a) Definition. As used in this clause, personally identifiable information means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. (See Office of Management and Budget (OMB) Circular A–130, Managing Federal Information as a Strategic Resource).

(b) The Contractor shall ensure that initial privacy training, and annual privacy training thereafter, is completed by contractor employees who—
(1) Have access to a system of records;
(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of an agency; or
(3) Design, develop, maintain, or operate a system of records (see also FAR subpart 24.1 and 39.105).

(c)(1) Privacy training shall address the key elements necessary for ensuring the safeguarding of personally identifiable information or a system of records. The training shall be role-based, provide foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users. At a minimum, the privacy training shall cover—
(i) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;
(ii) The appropriate handling and safeguarding of personally identifiable information;
(iii) The authorized and official use of a system of records or any other personally identifiable information;
(iv) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise access personally identifiable information;
(v) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and
(vi) The procedures to be followed in the event of a suspected or confirmed breach of a system of records or the unauthorized disclosure, access, handling, or use of personally identifiable information (see OMB guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).
(2) Completion of an agency-developed or agency-conducted training course shall be deemed to satisfy these elements.

(d) The Contractor shall maintain and, upon request, provide documentation of completion of privacy training to the Contracting Officer.

(e) The Contractor shall not allow any employee access to a system of records, or permit any employee to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise handle personally identifiable information, or to design, develop, maintain, or operate a system of records unless the employee has completed privacy training, as required by this clause.
(f) The substance of this clause, including this paragraph (f), shall be included in all subcontracts under this contract, when subcontractor employees will— (1) Have access to a system of records; (2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or (3) Design, develop, maintain, or operate a system of records. (End of clause) Alternate I (JAN 2017). As prescribed in 24.302(b), if the agency specifies that only its agency-provided training is acceptable, substitute the following paragraph (c) for paragraph (c) of the basic clause: (c) The contracting agency will provide initial privacy training, and annual privacy training thereafter, to Contractor employees for the duration of this contract. 8. Amend section 52.244–6 by— a. Revising the date of the clause; ■ b. Redesignating paragraphs (c)(1)(xv) through (xvii) as paragraphs (c)(1)(xvi) through (xviii), respectively; and ■ c. Adding a new paragraph (c)(1)(xv). The revisions and additions read as follows: ■ ■ 52.244–6 Items. * * Subcontracts for Commercial * * * * * * * * (c)(1) * * * (xv)(A) 52.224–3, Privacy Training (JAN 2017) (5 U.S.C. 552a) if flow down is required in accordance with 52.224– 3(f). (B) Alternate I (JAN 2017) of 52.224– 3, if flow down is required in accordance with 52.224–3(f) and the agency specifies that only its agencyprovided training is acceptable). * * * * * [FR Doc. 2016–30213 Filed 12–19–16; 8:45 am] PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 DEPARTMENT OF DEFENSE GENERAL SERVICES ADMINISTRATION NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 48 CFR Parts 1, 19, 42, and 52 [FAC 2005–94; FAR Case 2014–004; Item II; Docket No. 2014–0004; Sequence No. 1] RIN 9000–AM98 Federal Acquisition Regulations; Payment of Subcontractors Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). ACTION: Final rule. 
AGENCY: DoD, GSA, and NASA are issuing a final rule amending the Federal Acquisition Regulation (FAR) to implement a section of the Small Business Jobs Act of 2010. This statute requires contractors to notify the contracting officer, in writing, if the contractor pays a reduced price to a small business subcontractor or if the contractor’s payment to a small business subcontractor is more than 90 days past due. DATES: Effective: January 19, 2017. FOR FURTHER INFORMATION CONTACT: Mr. Curtis E. Glover, Sr., Procurement Analyst, at 202–501–1448 for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat Division at 202–501–4755. Please cite FAC 2005–94, FAR Case 2014–004. SUPPLEMENTARY INFORMATION: SUMMARY: I. Background Subcontracts for Commercial Items (JAN 2017) BILLING CODE 6820–EP–P 93481 DoD, GSA, and NASA are issuing a final rule to implement section 1334 of the Small Business Jobs Act of 2010 (Pub. L. 111–240, 15 U.S.C. 637(d)(12)) and the Small Business Administration (SBA) final rule published in the Federal Register on July 16, 2013 at 78 FR 42391, which require prime contractors to self-report late or reduced payments to their small business subcontractors. The rule also requires contracting officers to record the identity of contractors with a history of late or reduced payments to small business subcontractors in the Federal Awardee Performance and Integrity System (FAPIIS). DoD, GSA, and NASA published a proposed rule in the Federal Register on January 20, 2016 at 81 FR 3087. Seven respondents E:\FR\FM\20DER6.SGM 20DER6


[Federal Register Volume 81, Number 244 (Tuesday, December 20, 2016)]
[Rules and Regulations]
[Pages 93476-93481]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-30213]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR parts 1, 24, and 52

[FAC 2005-94; FAR Case 2010-013; Item I; Docket No. 2010-0013; Sequence 
No. 1]
RIN 9000-AM06


Federal Acquisition Regulation; Privacy Training

AGENCY: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DoD, GSA, and NASA are issuing a final rule amending the 
Federal Acquisition Regulation (FAR) to require that contractors, whose

[[Page 93477]]

employees have access to a system of records or handle personally 
identifiable information, complete privacy training.

DATES: Effective: January 19, 2017.

FOR FURTHER INFORMATION CONTACT: Mr. Charles Gray, Procurement Analyst, 
at 703-795-6328 for clarification of content. For information 
pertaining to status or publication schedules, contact the Regulatory 
Secretariat Division at 202-501-4755. Please cite FAC 2005-94, FAR Case 
2010-013.

SUPPLEMENTARY INFORMATION:

I. Background

    DoD, GSA, and NASA published a proposed rule in the Federal 
Register at 76 FR 63896 on October 14, 2011, to provide guidance to 
contractors regarding the requirement to complete training that 
addresses the protection of privacy in accordance with the Privacy Act 
of 1974, 5 U.S.C. 552a, as amended, and the handling and safeguarding 
of personally identifiable information (PII). The rule ensures that 
contractors identify employees who handle PII, have access to a system 
of records, or design, develop, maintain, or operate a system of 
records. These employees are required to complete initial privacy 
training and annual privacy training thereafter. A contractor who has 
employees involved in these activities is also required to maintain 
records indicating that its employees have completed the requisite 
training and provide these records to the contracting officer upon 
request. In addition, the prime contractor is required to flow-down 
these requirements to all applicable subcontracts.
    Fifteen respondents submitted comments, including comments 
regarding the Initial Regulatory Flexibility Analysis (IRFA), and the 
Paperwork Reduction Act (PRA) analysis.

II. Discussion and Analysis

    The Civilian Agency Acquisition Council and the Defense Acquisition 
Regulations Council (the Councils) reviewed the public comments in the 
development of the final rule. A discussion of the comments and the 
changes made to the rule as a result of those comments is provided as 
follows (comments pertaining to the IRFA and PRA analysis are addressed 
in sections V and VI of this preamble):

A. Summary of Significant Changes

    The final rule clarifies the responsibilities for contractors 
awarded contracts involving access to PII and streamlines the options 
for providing training. These clarifications include--
    • Alternate I of the clause is amended to replace the proposed 
text, which gave the option to agencies to have contractors furnish 
their own training materials. The final rule no longer contains this 
option and what was Alternate II in the proposed rule now becomes 
Alternate I in the final rule; and
    • The applicability of the rule to commercial items is clarified.
    The final rule also provides a number of clarifications consistent 
with Office of Management and Budget (OMB) Circular A-130, which was 
revised on July 28, 2016. These clarifications address the substance of 
the minimal privacy training requirements, to include--
    • A revised definition for PII;
    • The requirement for foundational as well as more advanced levels 
of privacy training;
    • The requirement for there to be measures in place to test the 
knowledge level of the employee; and
    • The requirement for role-based privacy training.

B. Analysis of Public Comments

1. Requests To Withdraw the Proposed Rule
    Comment: Several respondents suggested that the proposed rule 
should be withdrawn, given the ``considerable burden implications and 
the fact that the proposed rule does not provide compelling 
justification.'' These respondents stated that withdrawing the rule 
would ``avoid causing confusion and redundancy.'' The respondents noted 
that the requirements of the Privacy Act have been in place for 35 
years and stated that the Councils did not explain why the Government 
believes ``that additional protections are now needed.''
    Response: There are a number of applicable authorities, beyond the 
Privacy Act, that address the responsibility for Federal agencies to 
ensure that Government and contractor personnel are instructed on 
compliance requirements with the laws, rules, and guidance pertaining 
to handling and safeguarding PII. This rule establishes minimum 
requirements consistent with those authorities to ensure consistency 
across the Government.
    Further, the increasing portability of data and various instances 
of loss or potential disclosure of protected information have resulted 
in greater scrutiny regarding the Government's information collection 
practices and information security management.
2. Applicability to Commercial Item Contracts
    Comment: Several respondents expressed concern with the 
applicability to commercial item contracts. The respondents considered 
that excluding commercial item contracts from the privacy training 
requirement failed to take into account the Government's increased use 
of FAR part 12 purchases; that training on the improper release of 
Privacy Act information should not exempt FAR part 12 contracts; and, 
overall, the decision to exempt commercial item contracts would not 
serve the Government's best interests. One respondent had a different 
perspective on the proposed rule, and complimented the FAR Council for 
exempting commercial item contracts from the privacy training 
requirement. However, the respondent noted that this policy was not 
reflected in the proposed rule's clause or clause prescription. This 
respondent also recommended that all subcontracts for commercial items 
be exempted from the privacy training requirement.
    Response: The final rule clarifies that the privacy training 
requirement applies to contracts and subcontracts for commercial items 
when they involve access to a system of records. Exempting commercial 
item contracts and subcontracts would exclude a significant portion of 
Government contracts that involve the design, development, operation, 
or maintenance of a system of records and would therefore diminish the 
effectiveness of the rule.
3. Training
    Comment: Respondents had multiple concerns related to the content 
of the required training, such as whether the training would be best 
developed by the agency or by the contractor and which contractor 
employees should be required to take the training. Several respondents 
questioned the efficacy of having contractor employees who work under 
more than one agency's contracts potentially taking multiple courses. 
Other respondents questioned who would decide if the training would be 
provided by the agency or by the contractor, e.g., could the contractor 
decide to forego an agency course in favor of its own course? One 
respondent recommended that training include instruction on the Privacy 
Act's transparency requirements. Another respondent questioned how 
agencies would be held responsible for providing the training in a 
timely manner. Other respondents questioned which

[[Page 93478]]

contractor employees should be required to complete the training, 
whether subcontractors would be required to take the training, and 
whether certain professional positions, such as psychologists, should 
be exempt from the training based on their professional training.
    Response: The final rule allows the contractor flexibility to 
utilize privacy training from any source that meets the minimum content 
requirements, unless the agency specifies in the contract that only 
agency-provided training is acceptable (by using the clause with its 
Alternate I, as specified at FAR 24.302(b)). This guidance on 
flexibility is also provided directly in the clause at 52.224-3(c)(2). 
This is intended to minimize or eliminate duplicative or overlapping 
training. Initial training is required and annual training thereafter.
    Finally, consistent with the revisions made to OMB Circular A-130, 
the requirements for privacy training at 24.301(b) and the clause at 
52.224-3(c) are clarified to ensure privacy training is role-based, 
provides foundational as well as more advanced levels of training, and 
that measures are in place to test the knowledge level of users. At a 
minimum, privacy training shall cover--
    • The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), 
including penalties for violations of the Act;
    • The appropriate handling and safeguarding of PII;
    • The authorized and official use of a system of records or any 
other PII;
    • Restrictions on the use of unauthorized equipment to create, 
collect, use, process, store, maintain, disseminate, disclose, dispose, 
or otherwise access or store PII;
    • The prohibition against the unauthorized use of a system of 
records or unauthorized disclosure, access, handling, or use of PII or 
systems of records; and
    • Procedures to be followed in the event of a potential or 
confirmed breach of a system of records or unauthorized disclosure, 
access, handling, or use of PII.
4. Flowdown
    Comment: A respondent noted that, where the prime contractor is 
covered by the rule, the training requirement will likely flow down to 
subcontractors and lower tier contractors. Accordingly, the respondent 
recommended that the mandatory provision at 52.224-3(d) include a 
provision that exempts from the mandatory flow down any subcontract(s) 
specific to commercial items.
    Response: The requirements of this rule will flow down to all 
subcontractors involved with the handling and safeguarding of PII. 
These protections are necessary when the work requires contractor 
employees and subcontractor employees to have access to systems of 
records, handle PII, or design, develop, maintain, or operate a system 
of records on behalf of the Federal Government.
5. Definitions
    Comment: A respondent recommended including definitions of 
``restrictions,'' as used in FAR 24.301(c)(4) and Alternate I, and 
``access,'' as used in FAR 24.301, 24.302, and the clause at 52.224-3.
    Response: These are not unique words. Therefore, the Councils will 
use the standard dictionary definitions for these terms.
6. Accountability and Audit
    Comment: One respondent recommended that, during an audit, the 
contractor must produce a list of the individuals who completed 
training, or have a copy of the employee's training certificate in the 
employee's personnel records.
    Response: The final rule requires the contractor to maintain 
privacy training documentation and provide it upon request to the 
Government agency making the request. This may be requested, when 
necessary, to ensure effective management and oversight of this annual 
privacy training requirement.
7. Other Comments
    Comment: One respondent recommended that FAR 24.302 be revised to 
clarify who is responsible for determining whether the Statement of 
Work involves a system of records. Another respondent recommended that, 
if a final rule were promulgated, it would be appropriate to recognize 
a specific certification.
    Response: As with all clause prescriptions, the contracting officer 
will determine whether the clause applies. In addition, the FAR covers 
all options for meeting the training requirement.
    Comment: Several respondents submitted editorial comments on the 
proposed rule. One respondent stated that there is no need to create a 
separate subpart within FAR part 24. In addition, this respondent 
provided suggestions on the proper format for citations within the FAR. 
Another respondent recommended additional coverage regarding the 
Government-provided training method and also recommended a revision to 
the last sentence in FAR 24.301(b). A third respondent recommended 
using the term ``personally identifiable'' in lieu of ``privacy.''
    Response: The Councils determined that there is a need for a 
separate subpart 24.3 and have retained it in the final rule. The 
required training does not encompass solely the Privacy Act; the Act is 
only one of the areas listed that must be addressed as part of privacy 
training.
    Other areas include--
    • The appropriate handling and safeguarding of PII; the 
authorized and official use of systems of records or any other PII; 
restrictions on the use of unauthorized equipment to create, collect, 
use, process, store, maintain, disseminate, disclose, dispose, or 
otherwise access or store PII; the prohibition against unauthorized 
access, handling, or use of PII or systems of records; and
    • Procedures to be followed in the event of a suspected or 
confirmed breach of a system of records or an unauthorized disclosure, 
access, handling, or use of PII.
    This subject matter does not fit within either of the existing 
subparts of FAR part 24; therefore, a separate subpart 24.3 is needed.
    The remaining editorial comments have been considered for inclusion 
in FAR subpart 24.

III. Applicability to Contracts at or Below the Simplified Acquisition 
Threshold and for Commercial Items, Including Commercially Available 
Off-the-Shelf Items

    This rule is applicable to contracts and subcontracts at or below 
the simplified acquisition threshold (SAT) and to contracts and 
subcontracts for commercial items, including contracts and subcontracts 
for commercially available off-the-shelf (COTS) items. The statutory 
authority for this rule, the Privacy Act of 1974, 5 U.S.C. 552a, 
predates the exemptions in 41 U.S.C. 1905, 1906, and 1907, which 
stipulate that a provision of law enacted after October 13, 1994 shall 
not be made applicable to contracts or subcontracts, unless the FAR 
Council or the Administrator of the Office of Federal Procurement 
Policy makes a written determination that such exemption would not be 
in the best interests of the Federal Government.

IV. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory

[[Page 93479]]

approaches that maximize net benefits (including potential economic, 
environmental, public health and safety effects, distributive impacts, 
and equity). E.O. 13563 emphasizes the importance of quantifying both 
costs and benefits, of reducing costs, of harmonizing rules, and of 
promoting flexibility. This is a significant regulatory action and, 
therefore, was subject to review under Section 6(b) of E.O. 12866, 
Regulatory Planning and Review, dated September 30, 1993. This rule is 
not a major rule under 5 U.S.C. 804.

V. Regulatory Flexibility Act

    DoD, GSA, and NASA have prepared a final regulatory flexibility 
analysis (FRFA) consistent with the Regulatory Flexibility Act, 5 
U.S.C. 601, et seq. The FRFA is summarized as follows:

    The objective of the rule is to ensure that contractor employees 
complete initial and annual privacy training if the employees have 
access to a system of records, handle personally identifiable 
information (PII), or design, develop, maintain, or operate a system 
of records involving PII on behalf of the Government.
    One public comment was received in response to the Initial 
Regulatory Flexibility Analysis, which was published in the Federal 
Register at 76 FR 63896 on October 14, 2011:
    Comment: The Initial Regulatory Flexibility Analysis (IRFA), 
which addressed the impact of the rule on small entities, should 
assess the impact this rule may have on the research community's 
funding of sponsored research, as this group is likely to be 
adversely affected by the proposed rule, in the respondent's 
opinion.
    Response: Research institutions are included in the Regulatory 
Flexibility Act's definition of a small entity and were thus given 
the same consideration in the IRFA analysis as other small entities. 
The analysis in this FRFA has been revised to incorporate commercial 
item contracts. Therefore, the impact on research institutions has 
been accommodated whether the institution was awarded a negotiated 
contract or a FAR part 12 commercial item contract. Because the FAR 
does not address grants or cooperative agreements, the FRFA does not 
include consideration of such agreements in the analysis. Research 
institutions, or any other small entities, will not bear any 
significant impact resulting from this rule, given that the 
requirements of the Privacy Act, including training on the Act's 
requirements, have been in place for over 40 years and this rule 
just establishes minimum requirements for Privacy Act training, to 
ensure consistency across the Government.
    The rule requires all contractors with contracts that require 
employees to have access to PII to complete training that addresses 
the statutory requirements for protection of privacy, in accordance 
with the Privacy Act (5 U.S.C. 552a), and the handling and 
safeguarding of PII.
    In the IRFA, it was estimated that approximately 1,483 small 
businesses would be impacted. However, because the final rule 
clarifies its applicability to commercial item contracts, the number 
of small entities previously estimated to be impacted by this rule 
has been revised as described in the following paragraphs:
    Information obtained from the Federal Procurement Data System 
(FPDS) for fiscal year (FY) 2015 reveals that approximately 10,607 
unique vendors received contracts that most likely entailed the 
design, development, maintenance or operation of a system of 
records; required access to a system of records; or handled PII from 
individuals, on behalf of the Government. The estimated number of 
subcontractors who likewise will be involved in these activities is 
21,214, or double the number of prime contractors. In all, the total 
number of contractors and subcontractors (including contracts and 
subcontracts for commercial items) that may be subject to the 
requirements of this rule is 31,821. Examination of FY 2015 FPDS 
data also reveals that approximately 61 percent of these contractors 
and subcontractors are small business entities. Based on this 
information, the following analysis was used to determine the number 
of small businesses that may be impacted by this rule:

    Small businesses that may receive contracts = (10,607 x .61): 6,470
    Small businesses that may receive subcontracts = (21,214 x .61): 12,941
    Total number of small businesses that may be impacted by rule: 19,411

    There is minimal recordkeeping associated with this rule. 
Contractors will likely maintain employee training records for 
privacy training similar to how they maintain their employees' other 
training records. There are no required formats or templates for 
documentation, and documentation will be retained by the contractor 
in most cases. The Government will likely request a firm's training 
documentation only when necessary to ensure effective management and 
oversight.
    The final rule addresses several steps to minimize the economic 
impact on small entities, most notably by clarifying 
responsibilities and streamlining the options for providing privacy 
training. This final rule also removes from the clause consideration 
of agency-specific training elements, while retaining the required 
minimum training elements. Agency-specific training elements are 
provided in Alternate I of the clause.

    Interested parties may obtain a copy of the FRFA from the 
Regulatory Secretariat Division. The Regulatory Secretariat Division 
has submitted a copy of the FRFA to the Chief Counsel for Advocacy of 
the Small Business Administration.

VI. Paperwork Reduction Act

    The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The 
rule contains information collection requirements. OMB has cleared the 
information collection requirement under OMB Control Number 9000-0182, 
entitled Privacy Training, in the amount of 97,670 public burden hours.
    Two respondents submitted comments in response to the initial 
Paperwork Reduction Act notice in the preamble of the proposed rule 
published at 76 FR 63896, on October 14, 2011. Both respondents 
submitted similar comments, as follows:
    Comment: The respondents stated that the public's Paperwork 
Reduction Act estimated annual reporting burden was understated. The 
respondents believed that (a) requiring contractors to conduct their 
own privacy training and (b) requiring re-training every year created a 
greater burden on contractors than what was shown in the proposed rule.
    Response: The information collection requirement for this rule does 
not address the burden associated with conducting the initial or 
subsequent annual privacy training. Rather, it focuses solely on the 
obligation of Federal contractors to maintain documentation showing 
that the required privacy training was completed by the employee and, 
upon request, provide completion documentation to the contracting 
officer. In this regard, the same philosophy expressed in the preamble 
for the proposed rule holds true for the final rule as well, i.e., the 
recordkeeping requirements are considered to be minor and a contracting 
officer will request documentation only when necessary to ensure 
effective management and oversight.
    However, since the analysis used in the proposed rule did not 
consider contracts involving the acquisition of commercial items, the 
methodology used to derive the estimated public burden needed to be 
adjusted to encompass these contracts. In addition, the estimated 
public burden hours vary from the estimates in the notice published in 
the Federal Register at 79 FR 68249, on November 14, 2014, in order to 
reflect the use of FY 2015 data, rather than FY 2014 data.

List of Subjects in 48 CFR parts 1, 24, and 52

    Government procurement.

    Dated: December 9, 2016.
William Clark,
Director, Office of Government-wide Acquisition Policy, Office of 
Acquisition Policy, Office of Government-wide Policy.
    Therefore, DoD, GSA, and NASA amend 48 CFR parts 1, 24, and 52 as 
set forth below:

1. The authority citation for 48 CFR parts 1, 24, and 52 continues to 
read as follows:


[[Page 93480]]


    Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 51 
U.S.C. 20113.

PART 1--FEDERAL ACQUISITION REGULATIONS SYSTEM


1.106  [Amended]

2. Amend section 1.106 in the table following the introductory text, by 
adding in numerical sequence, FAR segments ``24.3'' and ``52.224-3'' 
and their corresponding OMB Control Number ``9000-0182''.

PART 24--PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION

3. Amend section 24.101 by adding in alphabetical order the definition 
of ``personally identifiable information'' to read as follows:


24.101  Definitions.

* * * * *
    Personally identifiable information means information that can be 
used to distinguish or trace an individual's identity, either alone or 
when combined with other information that is linked or linkable to a 
specific individual. (See Office of Management and Budget (OMB) 
Circular No. A-130, Managing Federal Information as a Strategic 
Resource).
* * * * *

4. Add subpart 24.3 to read as follows:
Subpart 24.3--Privacy Training
Sec.
24.301 Privacy training.
24.302 Contract clause.

Subpart 24.3--Privacy Training


24.301  Privacy training.

    (a) Contractors are responsible for ensuring that initial privacy 
training, and annual privacy training thereafter, is completed by 
contractor employees who--
    (1) Have access to a system of records;
    (2) Create, collect, use, process, store, maintain, disseminate, 
disclose, dispose, or otherwise handle personally identifiable 
information on behalf of the agency; or
    (3) Design, develop, maintain, or operate a system of records (see 
FAR subpart 24.1 and 39.105).
    (b) Privacy training shall address the key elements necessary for 
ensuring the safeguarding of personally identifiable information or a 
system of records. The training shall be role-based, provide 
foundational as well as more advanced levels of training, and have 
measures in place to test the knowledge level of users. At a minimum, 
the privacy training shall cover--
    (1) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), 
including penalties for violations of the Act;
    (2) The appropriate handling and safeguarding of personally 
identifiable information;
    (3) The authorized and official use of a system of records or any 
other personally identifiable information;
    (4) The restriction on the use of unauthorized equipment to create, 
collect, use, process, store, maintain, disseminate, disclose, dispose, 
or otherwise access personally identifiable information;
    (5) The prohibition against the unauthorized use of a system of 
records or unauthorized disclosure, access, handling, or use of 
personally identifiable information; and
    (6) Procedures to be followed in the event of a suspected or 
confirmed breach of a system of records or unauthorized disclosure, 
access, handling, or use of personally identifiable information (see 
Office of Management and Budget guidance for Preparing for and 
Responding to a Breach of Personally Identifiable Information).
    (c) The contractor may provide its own training or use the training 
of another agency unless the contracting agency specifies that only its 
agency-provided training is acceptable (see 24.302(b)).
    (d) The contractor is required to maintain and, upon request, to 
provide documentation of completion of privacy training for all 
applicable employees.
    (e) No contractor employee shall be permitted to have or retain 
access to a system of records, create, collect, use, process, store, 
maintain, disseminate, disclose, or dispose, or otherwise handle 
personally identifiable information, or design, develop, maintain, or 
operate a system of records, unless the employee has completed privacy 
training that, at a minimum, addresses the elements in paragraph (b) of 
this section.


24.302   Contract clause.

    (a) The contracting officer shall insert the clause at FAR 52.224-3, 
Privacy Training, in solicitations and contracts when, on behalf of 
the agency, contractor employees will--
    (1) Have access to a system of records;
    (2) Create, collect, use, process, store, maintain, disseminate, 
disclose, dispose, or otherwise handle personally identifiable 
information; or
    (3) Design, develop, maintain, or operate a system of records.
    (b) When an agency specifies that only its agency-provided training 
is acceptable, use the clause with its Alternate I.

PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

■ 5. Amend section 52.212-5 by--
■ a. Revising the date of the clause;
■ b. Redesignating paragraphs (b)(47) through (60) as paragraphs (b)(48) 
through (61), respectively;
■ c. Adding a new paragraph (b)(47);
■ d. Redesignating paragraphs (e)(1)(xix) through (xx) as paragraphs 
(e)(1)(xx) through (xxi), respectively;
■ e. Adding a new paragraph (e)(1)(xix);
■ f. Revising the date of Alternate II;
■ g. Redesignating paragraphs (e)(1)(ii)(S) and (T) as paragraphs 
(e)(1)(ii)(T) and (U), respectively; and
■ h. Adding a new paragraph (e)(1)(ii)(S).
    The revisions and additions read as follows:


52.212-5  Contract Terms and Conditions Required To Implement Statutes 
or Executive Orders--Commercial Items.

* * * * *

Contract Terms and Conditions Required To Implement Statutes or 
Executive Orders--Commercial Items (JAN 2017)

* * * * *
    (b) * * *
    (47)(i) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a).
    (ii) Alternate I (JAN 2017) of 52.224-3.
* * * * *
    (e)(1) * * *
    (xix)(A) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a).
    (B) Alternate I (JAN 2017) of 52.224-3.
* * * * *
    Alternate II (JAN 2017).
* * * * *
    (e)(1) * * *
    (ii) * * *
    (S)(1) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a).
    (2) Alternate I (JAN 2017) of 52.224-3.
* * * * *

■ 6. Amend section 52.213-4 by--
■ a. Revising the date of the clause; and
■ b. Revising the date in paragraph (a)(2)(viii).
    The revisions read as follows:


52.213-4  Terms and Conditions--Simplified Acquisitions (Other Than 
Commercial Items).

* * * * *

Terms and Conditions--Simplified Acquisitions (Other Than Commercial 
Items) (JAN 2017)

* * * * *
    (a) * * *

[[Page 93481]]

    (2) * * *
    (viii) 52.244-6, Subcontracts for Commercial Items (JAN 2017).
* * * * *

■ 7. Add section 52.224-3 to read as follows:


52.224-3  Privacy Training.

    As prescribed in 24.302(a), insert the following clause:

Privacy Training (JAN 2017)

    (a) Definition. As used in this clause, personally identifiable 
information means information that can be used to distinguish or 
trace an individual's identity, either alone or when combined with 
other information that is linked or linkable to a specific 
individual. (See Office of Management and Budget (OMB) Circular A-130, 
Managing Federal Information as a Strategic Resource).
    (b) The Contractor shall ensure that initial privacy training, 
and annual privacy training thereafter, is completed by contractor 
employees who--
    (1) Have access to a system of records;
    (2) Create, collect, use, process, store, maintain, disseminate, 
disclose, dispose, or otherwise handle personally identifiable 
information on behalf of an agency; or
    (3) Design, develop, maintain, or operate a system of records 
(see also FAR subpart 24.1 and 39.105).
    (c)(1) Privacy training shall address the key elements necessary 
for ensuring the safeguarding of personally identifiable information 
or a system of records. The training shall be role-based, provide 
foundational as well as more advanced levels of training, and have 
measures in place to test the knowledge level of users. At a 
minimum, the privacy training shall cover--
    (i) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), 
including penalties for violations of the Act;
    (ii) The appropriate handling and safeguarding of personally 
identifiable information;
    (iii) The authorized and official use of a system of records or 
any other personally identifiable information;
    (iv) The restriction on the use of unauthorized equipment to 
create, collect, use, process, store, maintain, disseminate, 
disclose, dispose or otherwise access personally identifiable 
information;
    (v) The prohibition against the unauthorized use of a system of 
records or unauthorized disclosure, access, handling, or use of 
personally identifiable information; and
    (vi) The procedures to be followed in the event of a suspected 
or confirmed breach of a system of records or the unauthorized 
disclosure, access, handling, or use of personally identifiable 
information (see OMB guidance for Preparing for and Responding to a 
Breach of Personally Identifiable Information).
    (2) Completion of an agency-developed or agency-conducted 
training course shall be deemed to satisfy these elements.
    (d) The Contractor shall maintain and, upon request, provide 
documentation of completion of privacy training to the Contracting 
Officer.
    (e) The Contractor shall not allow any employee access to a 
system of records, or permit any employee to create, collect, use, 
process, store, maintain, disseminate, disclose, dispose or 
otherwise handle personally identifiable information, or to design, 
develop, maintain, or operate a system of records unless the 
employee has completed privacy training, as required by this clause.
    (f) The substance of this clause, including this paragraph (f), 
shall be included in all subcontracts under this contract, when 
subcontractor employees will--
    (1) Have access to a system of records;
    (2) Create, collect, use, process, store, maintain, disseminate, 
disclose, dispose, or otherwise handle personally identifiable 
information; or
    (3) Design, develop, maintain, or operate a system of records.


(End of clause)

    Alternate I (JAN 2017). As prescribed in 24.302(b), if the agency 
specifies that only its agency-provided training is acceptable, 
substitute the following paragraph (c) for paragraph (c) of the basic 
clause:

    (c) The contracting agency will provide initial privacy 
training, and annual privacy training thereafter, to Contractor 
employees for the duration of this contract.


■ 8. Amend section 52.244-6 by--
■ a. Revising the date of the clause;
■ b. Redesignating paragraphs (c)(1)(xv) through (xvii) as paragraphs 
(c)(1)(xvi) through (xviii), respectively; and
■ c. Adding a new paragraph (c)(1)(xv).
    The revisions and additions read as follows:


52.244-6  Subcontracts for Commercial Items.

* * * * *

Subcontracts for Commercial Items (JAN 2017)

* * * * *
    (c)(1) * * *
    (xv)(A) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a) if 
flow down is required in accordance with 52.224-3(f).
    (B) Alternate I (JAN 2017) of 52.224-3, if flow down is required in 
accordance with 52.224-3(f) and the agency specifies that only its 
agency-provided training is acceptable.
* * * * *
[FR Doc. 2016-30213 Filed 12-19-16; 8:45 am]
BILLING CODE 6820-EP-P