Acquisition Regulation and Grants Regulation: Contractor and Grantee Counterterrorism Vetting, 54369-54372 [2024-14127]

Agencies

• DEPARTMENT OF STATE

[Federal Register Volume 89, Number 126 (Monday, July 1, 2024)]
[Proposed Rules]
[Pages 54369-54372]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-14127]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================


Federal Register / Vol. 89, No. 126 / Monday, July 1, 2024 / Proposed 
Rules

[[Page 54369]]



DEPARTMENT OF STATE

2 CFR Part 602

48 CFR Parts 604, 652

[Public Notice: 11513]
RIN 1400-AF09


Acquisition Regulation and Grants Regulation: Contractor and 
Grantee Counterterrorism Vetting

AGENCY: Department of State.

ACTION: Advance Notice of Proposed Rulemaking; request for comment.

-----------------------------------------------------------------------

SUMMARY: The Department of State has identified namecheck vetting as a 
critical tool that can be used, where appropriate, to mitigate the risk 
that U.S. government activities could inadvertently benefit terrorist 
groups, their members, or their supporters, and is crafting rules that 
will address the Department's namecheck vetting process, including 
setting out the requirements for including vetting provisions in 
Department of State solicitations and awards for both grants and 
contracts to allow for namecheck vetting of key individuals of 
implementing partners and sub-contractors or sub-grantees, 
beneficiaries of programs, or other identified categories of 
individuals, when deemed appropriate by the relevant Department 
official.

DATES: The Department of State will accept comments until July 31, 
2024.

ADDRESSES: Persons with access to the internet may view this rule and 
submit comments by going to www.regulations.gov and searching for 
docket number DOS-2024-0008.
     Inspection of public comments: All comments received 
before the close of the comment period will be available for public 
inspection, including any personally identifiable or confidential 
business or financial information that is included in a comment. The 
Department of State will post all comments received before the close of 
the comment period at www.regulations.gov. For a summary of this 
rulemaking, please go to www.regulations.gov/DOS-2024-0008.

FOR FURTHER INFORMATION CONTACT: Annura Murtadha, Vetting Chief, 
[email protected], (202) 663-3871 (Fax).

SUPPLEMENTARY INFORMATION: Because security screening precautions have 
slowed the delivery and dependability of surface mail and hand delivery 
to the Department of State in Washington, DC, the Department recommends 
sending all comments to the Federal eRulemaking Portal. The email 
address and fax number listed above are provided in the event that 
submission to the Federal eRulemaking Portal is not convenient (all 
comments must be in writing to be reviewed). You may submit comments by 
electronic mail, avoiding the use of any special characters and any 
form of encryption.
    The purpose of this ANPRM is to gather data for the Department to 
amend 48 CFR chapter 6 and 2 CFR chapter VI, to add new pre-award and 
award terms for contracts and grants. The pre-award provisions will 
delineate the namecheck vetting process and the applicant's 
responsibilities for submitting information on individuals who will be 
subject to namecheck vetting, prior to award. The award provisions will 
delineate the post-award namecheck vetting process and the recipient's 
responsibilities with respect to namecheck vetting during the award 
period.
    This regulatory action will boost national security by helping the 
Department to mitigate the risk that agency funds and other resources 
do not inadvertently benefit terrorist groups, their members, or their 
supporters.

Background

    Authority for vetting is inherent in the Department of State's 
(``the Department'' or ``State'') authority to carry out the necessary 
administrative steps to implement foreign assistance and other 
Department of State programs and activities. The Office of Risk 
Analysis and Management (RAM) is the sole organization designated 
within the Department to conduct counterterrorism name-check vetting. 
In addition, section 7034(e) of the Department of State, Foreign 
Operations, and Related Programs Appropriations Act, 2024 (Div. F, Pub. 
L. 118-47) and similar provisions in prior year acts specifically 
contemplates the implementation of counterterrorism name-check vetting 
(described in the provision as ``partner vetting'') and establishes 
requirements for the expansion of the vetting program, which the 
Department addresses as appropriate.\1\ Section 7034(e) also provides 
that the Secretary may restrict the award of, terminate, or cancel 
contracts, grants, or cooperative agreements or require an awardee to 
restrict the award of, terminate, or cancel a sub-award based on 
information in connection with a partner vetting program. With respect 
to foreign assistance programs, section 635(a) of the Foreign 
Assistance Act of 1961 (FAA) provides that assistance may be provided 
on such terms as may be determined to be best suited to the achievement 
of the purposes of the FAA.
---------------------------------------------------------------------------

    \1\ ``(e) Partner Vetting.--Prior to initiating a partner 
vetting program, providing a direct vetting option, or making a 
significant change to the scope of an existing partner vetting 
program, the Secretary of State and USAID Administrator, as 
appropriate, shall consult with the Committees on Appropriations: 
Provided, That the Secretary and the Administrator shall provide a 
direct vetting option for prime awardees in any partner vetting 
program initiated or significantly modified after the date of 
enactment of this Act, unless the Secretary Administrator, as 
applicable, informs the Committees on Appropriations on a case-by-
case basis that a direct vetting option is not feasible for such 
program. Provided further, That the Secretary and the Administrator 
may restrict the award of, terminate, or cancel contracts, grants, 
or cooperative agreements or require an awardee to restrict the 
award of, terminate, or cancel a sub-award based on information in 
connection with a partner vetting program.''
---------------------------------------------------------------------------

    Consistent with U.S. law and Department policy, the Department 
makes every reasonable effort to guard against the risk that U.S. 
government activities could inadvertently benefit terrorist groups, 
their members, or supporters. Prior to furnishing assistance or 
providing funding, the Department first assesses the risk that funds, 
goods, services, or other resources to be provided could inadvertently 
benefit terrorist groups, their members, or their supporters, including 
people or organizations who are not formally designated as terrorists 
by the U.S. government but who may nevertheless be linked to terrorist 
activities.
    Where such risk is identified by a State Department Program Office, 
one way to mitigate it is through name-check vetting.

[[Page 54370]]

    The Department of State has been conducting name-check vetting for 
programs in certain select countries since 2012. Through a five-year 
joint pilot with the U.S. Agency for International Development (USAID) 
that concluded in 2017, 688 contracts and grants were subject to name-
checking vetting, with 1,593 key individuals from 410 organizations 
being vetted. The Department of State's RAM vetting program is designed 
to gather information about key individuals employed at organizations 
seeking U.S. funding, as well as subcontractors or subgrantees, 
beneficiaries of programs, or other identified categories of 
individuals that receive some benefit from an award. That information 
is then vetted against public sources of information and information 
contained in non-public relevant U.S. government databases for ties to 
terrorist groups, their members, or their supporters.

The Joint State-USAID Pilot Program

    The Department conducted a joint pilot program with the USAID 
starting in 2012. The joint State-USAID pilot was initially authorized 
under section 7034(o) of the Department of State, Foreign Operations, 
and Related Programs Appropriations Act, 2010 (Div. F, Pub. L. 111-
117), and required consultations between the Department and USAID and 
the Committees on Appropriations prior to implementation.
    The joint State-USAID pilot program included both agencies' 
programming in five countries--Guatemala, Ukraine, Lebanon, Kenya, and 
the Philippines. It was later expanded to include Afghanistan. These 
countries were chosen to reflect geographic diversity and a range of 
terrorist threat levels in contexts where comparable programs were 
being implemented by both agencies. During the pilot's early 
implementation, the Department and USAID received individuals' personal 
information through OMB-approved forms made available to the public via 
an online portal. The relevant individuals were vetted, and derogatory 
information identified was provided to the program office. The program 
office would then decide on whether to proceed in light of that 
information.
    Throughout the joint pilot, the Department and USAID also sought 
feedback from nongovernmental stakeholders. Some key areas of concern 
noted during consultations included standardization of vetting 
procedures, data privacy, and exemptions. To reduce concerns about 
effort duplication, State and USAID created a steering group to 
coordinate and standardize processes and data collection. In addition, 
to reduce the burden placed on implementers, both agencies instituted 
online portals for submitting individuals' information, rather than 
using paper forms.
    These online portals provided a secure platform and more 
streamlined means of submitting information and included instructions 
in multiple languages. Further, the agencies exercised best practices 
to protect submitted personal information throughout the joint pilot to 
ensure participants' privacy and minimize risk to those operating in 
more repressive contexts. Access to information submitted to the 
Department was limited within the Department to only those with a 
``need-to-know,'' such as the analysts charged with conducting the 
vetting. Records were retained and disposed according to a standardized 
records schedule consistent with National Archives and Records 
Administration guidance.
    The Department also implemented structures to ensure those without 
required documentation can still participate in programming after their 
case is reviewed on an ad hoc basis.
    A report was provided to Congress in 2017 at the conclusion of the 
pilot, consistent with section 7034(e)(1) of the Department of State, 
Foreign Operations, and Related Program Appropriations Act, 2017 (Div. 
J, Pub. L. 115-31).
    Following completion of the pilot program, the Department of 
State's name-check vetting program has continued to operate consistent 
with U.S. government and Department guidance, including the 
Department's Foreign Affairs Manual (FAM).\2\ The vetting program 
continues to be managed by the Office of Risk Analysis and Management 
(RAM) within the Department and continues to adapt to address feedback 
received, evolving needs of implementers, and dynamic global security 
challenges.
---------------------------------------------------------------------------

    \2\ 14 FAM 247.
---------------------------------------------------------------------------

    After the Department completed the joint pilot program with USAID, 
the number of countries under the RAM vetting program increased due to 
evolving circumstances in countries where Department programs are 
implemented. Programs in eight countries are currently subject to 
counterterrorism name-check vetting based on program offices' 
assessments of the risk that program resources will inadvertently 
provide a benefit to terrorist groups, their members, or their 
supporters. Additional countries could be added if the implementing 
program office, through its risk assessment process, assesses it is 
necessary to mitigate risk of foreign assistance or Department programs 
or activities inadvertently benefitting terrorist organizations or 
their supporters, subject to consultation with the Appropriations 
Committees, consistent with requirements in the annual appropriations 
acts for any significant expansion of the RAM vetting program. With 
respect to programs within each of these countries, the Department 
conducts a program-specific analysis and determines whether vetting is 
the appropriate risk-mitigation method for a particular award. 
Government-to-government assistance, and contributions to Public 
International Organizations, nonproliferation programs, other U.S. 
Government agencies, or the National Endowment for Democracy are not 
subject to vetting under this program.

Pre-Award Vetting and Source Selection

    The Department applies name-check vetting to acquisitions and 
foreign assistance in countries, as needed, where the risk has been 
determined to necessitate the practice.
    Offerors (potential recipients of contract or grant funds) applying 
or competing for State Department funding are made aware of the 
security screening requirement prior to application; when an 
acquisition, grant, contract, or cooperative agreement is subject to 
name-check vetting, a provision in the solicitation will notify 
offerors of the vetting requirements and procedures.
    Vetting for contracts and grants is conducted prior to award, often 
when the Department establishes the competitive range (see 48 CFR 
15.306(c)).\3\ For indefinite contracts--those that provide an 
indefinite quantity of supplies or services during a fixed period--
vetting will take place before the basic contract is awarded, in 
anticipation of potential orders. For all other contracts, including 
those that qualify as simplified acquisitions or sealed bids, the 
Contracting Officer determines the appropriate timing to require 
offerors to submit individuals for vetting.
---------------------------------------------------------------------------

    \3\ Competitive Range refers to those offerors whose proposals 
meet a minimum threshold and have a reasonable chance of being 
selected for award.
---------------------------------------------------------------------------

    When the Department decides to move forward with vetting an 
offeror, the offeror will be instructed to submit the completed Risk 
Assessment Information Form, DS-4184 (all DS-4184 form submissions are 
made through the internet-based RAM Portal). The information collection 
tool (DS-4184) identifies the biographic

[[Page 54371]]

information required for the key individuals of the offeror, required 
subcontractors, and, if applicable, beneficiaries. (Note--no biometric 
information, such as fingerprints, are collected.) Offerors are 
informed that key individuals include principal officers of the 
organization's governing body (e.g., chairman, vice chairman, treasurer 
and secretary of the board of directors or board of trustees), the 
principal officer and deputy principal officer of the organization 
(e.g., executive director, deputy director, president, vice president), 
or the program manager for the U.S. government-financed program, and 
any other person with significant responsibilities for administration 
of the U.S. government-financed activities or resources.
    U.S. persons' (U.S. citizens and lawful permanent residents) 
information submitted through the RAM Portal is subject to the Privacy 
Act of 1974, as well as other authorities and guidance pertaining to 
information security, disclosure, and disposition. While non-U.S. 
persons' information is not protected under the Privacy Act, the 
Department aims to provide robust privacy protections for individuals 
regardless of the citizenship status of the record holder. The 
Department takes the responsibility to protect personal information 
seriously, particularly in contexts where there is increased risk for 
participants. The Portal that the Form is submitted through is housed 
within Department of State servers and access is strictly controlled. 
The vetting office's systems are also subject to auditing under the 
Federal Information Security Modernization Act (FISMA), which requires 
specific infrastructure for the provision of information security.
    Once all information is submitted through the RAM Portal, the 
vetting official \4\ uses multiple commercial and investigative 
databases, public search engines, and both unclassified and classified 
systems operated by the Department and other U.S. government agencies 
to complete the name-check vetting. The RAM vetting official is also 
responsible for responding to questions from offerors about information 
to be included on the Form.
---------------------------------------------------------------------------

    \4\ Namecheck vetting officials are U.S. citizen employees of 
the Department in the RAM office not involved in the source 
selection process and operate under agency guidance at 14 FAM 247.
---------------------------------------------------------------------------

    Upon completion of the vetting, the RAM vetting official conveys 
the vetting results of each vetted offeror to the relevant Department 
program office. The RAM vetting office will only identify and provide 
to the program office derogatory information with a potential nexus to 
terrorism activities or violations of United States policy (i.e. human 
rights violations or sanctioned individuals/entities); other 
potentially unfavorable information (e.g., disorderly conduct, speeding 
tickets, or a criminal conviction for operating a motor vehicle while 
intoxicated) would not be provided to the program office. A name-match 
alone would not typically be considered sufficient evidence that a key 
individual has derogatory information. The program office makes the 
ultimate decision regarding whether to move forward with an offeror, 
and vetting is only one factor among many that go into making this 
decision.
    The Department's counterterrorism vetting program was designed to 
avoid adding a significant amount of time to the contracting and grant 
process. The process was also designed to avoid delays in an award, and 
the typical vetting case takes, on average, fewer than 14 days. Source 
selection proceeds separately from vetting, meaning that the name-check 
process for vetting occurs concurrently to other review processes. 
Generally, the Department finds there is no back-and-forth between the 
offeror and the RAM vetting office after the offeror completes and 
submits the DS-4184 except in limited circumstances when the RAM 
vetting office must re-contact the offeror to request missing 
information. In circumstances when derogatory information is identified 
and the program office informs the offeror that they are ineligible for 
the award, the offeror is entitled to request a redetermination of the 
decision and to provide additional documentation or explanation that 
may be used to make a revised determination. However, due to the 
sensitive nature of much derogatory information, the Department does 
not generally share such information with offerors if vetting is the 
cause of the Department's decision to not move forward with an offeror.
    During the 5-year period of the pilot program, 4.6% of offerors had 
key individuals found to have derogatory information, and 2.98% were 
ultimately deemed to be ineligible to participate in the award.
    Offerors who change any key individuals for any reason must submit 
their revised DS-4184 through the RAM Portal as soon as possible to 
allow for vetting of individuals not previously vetted. Name-check 
vetting may also be required for subcontractors and subgrantees. In 
most circumstances, only those subcontracts and subgrants for which 
consent is required in accordance with FAR clause 52.244-2 will be 
subject to name-check vetting. The contracting officer will not consent 
to a subcontract or subgrant until the subcontractor and subgrantee's 
key individuals have completed vetting. When the Department considers 
it appropriate, additional subcontracts for certain classes of items 
(supplies and services) that are considered higher risk may also be 
subject to vetting, even if Contracting Officer consent is not 
required. These classes of items will be identified in the 
solicitation, and the offeror will be responsible for ensuring that 
subcontracts at any tier are vetted through the RAM process before 
placing the subcontracts. In practice, this typically requires the 
prime contractor to include all known subcontractors when responding to 
the Department's solicitations. During this pre-award stage, offerors 
may either collect the necessary key individual information from 
subcontractors and subgrantees and directly submit it through the RAM 
Portal, or the subcontractors and subgrantees may submit it directly 
through the RAM Portal.

Post-Award Vetting

    Per 14 FAM 247, all grantees and contractors (including subgrantees 
and subcontractors) subject to initial vetting must resubmit 
individuals for vetting annually or when they replace key individuals 
with individuals who have not been previously vetted for that contract 
or grant. Previously vetted offerors and their key individuals are also 
subject to vetting when responding to solicitations for new grants or 
contracts for which the Department deems vetting an appropriate risk 
mitigation measure.. However, because vetting is valid for one year, 
individuals submitted on multiple awards within a given year will only 
be vetted one time if the same personal information is submitted. 
Additionally, when vetting is determined to be appropriate for a given 
award as identified in the initial solicitation, the Department can 
require vetting at any time post-award at the Department's discretion, 
including for the final beneficiaries of the award.

Questions for the Public

    The Department of State welcomes public comment on the discussion 
of existing RAM vetting processes as described above, but the 
Department would particularly benefit from commenters addressing one or 
more of the following questions with detailed explanations of the 
reasoning, data, or experiences informing their perspective.

[[Page 54372]]

Costs Associated With Name-Check Vetting

    Under OMB Control NO. 1405-0204, the Department of State has 
historically estimated that it takes, on average, 90 minutes for a 
respondent (i.e., an offeror) to fully complete the DS-4184 and to 
submit it through the RAM Portal. The Department estimates the average 
offeror submits information on five key individuals (and notes that 
this has ranged between one and 50 individuals), and the 90 minute 
estimate is inclusive of all the time it takes to learn the relevant 
instructions and information requirements, gather all necessary 
information and documentation from key individuals (including 
subcontractors and subgrantees), and compile that information into the 
RAM Portal and submit it to the Department.
    1. Is our time estimate accurate for your organization? If not, 
please provide us an estimate of the time that your organization 
expends submitting a completed DS-4184 through the RAM Portal. This 
estimate may include some or all of the following factors, and 
commenters are encouraged to provide a specific breakdown of each 
element of the time commitment:
    I. The time spent learning the requirements for RAM Vetting, 
including reading relevant instructions, understanding which 
individuals qualify as reportable key individuals, and learning how to 
navigate the RAM Portal.
    II. The time spent explaining vetting requirements to all key 
individuals.
    III. The time each key individual of your organization, as well as 
subcontractors and subgrantees, or final beneficiaries expends 
gathering the necessary information and documentation to be responsive 
to the information collected on the DS-4184.
    IV. Any travel time directly associated with developing the 
information necessary to be responsive to the DS-4184.
    2. Are there additional time or financial costs that are routinely 
incurred while responding to or submitting the DS-4184 that we have not 
previously captured?
    3. On average, how many individuals does your organization include 
per submission for vetting? Please consider submissions of key 
individuals, subcontractors and subgrantees, and final beneficiaries 
who are required to submit vetting information in your estimate.
    4. Have vetting requirements resulted in prospective grantee or 
contractor organizations choosing to not participate or drop out of the 
application process because of:
    I. Concerns regarding the cost, capacity, or ability to develop or 
gather the necessary identity documentation or biographic information 
about their key individuals or other vetted parties?
    II. Other reasons associated with difficulty or inability to comply 
with vetting requirements? Please provide those reasons.
    5. What financial costs, if any, has your organization incurred 
associated with maintaining appropriate information technology or 
physical filing systems for protecting the biographic information that 
must be collected prior to completing the DS-4184?

Current RAM Vetting Procedures

    As described in the background section, the entire RAM vetting 
process takes, on average, fewer than 14 days, typically does not 
require significant back-and-forth between the offeror and the 
Department of State, and occurs concurrently to other review processes 
the program office is conducting.
    1. In your organization's experience or in your understanding of 
other organizations' experiences:
    I. How frequently does RAM vetting require contacting the 
Department of State prior to submission of the DS-4184 in the RAM 
Portal to seek clarification regarding information that needs to be 
submitted or other challenges with navigating the RAM portal?
    II. How frequently does RAM vetting involve the Department 
following-up with your organization after initial submission to request 
additional information or documentation? How much additional time is 
typically involved in responding to and submitting any follow-up 
requests for additional information?
    III. Has your organization ever requested reconsideration of an 
initial determination of ineligibility? Was your organization able to 
provide the necessary explanation or additional documentation to 
successfully revise the Department's original determination of 
ineligibility?
    2. How might the Department structure the reconsideration or 
appeals process to provide offerors adequate opportunity to rebut an 
initial determination of ineligibility due to derogatory information? 
What type of feedback from the Department would help allow the offeror 
to provide more effective documentation or explanation when requesting 
a reconsideration?

Seth E. Green,
Deputy Assistant Secretary, Logistics Management, U.S. Department of 
State.
[FR Doc. 2024-14127 Filed 6-28-24; 8:45 am]
BILLING CODE 4710-24-P