82 FR 6425 - Homeland Security Acquisition Regulation (HSAR); Privacy Training (HSAR Case 2015-003)
DEPARTMENT OF HOMELAND SECURITY Federal Register Volume 82, Issue 12 (January 19, 2017)
Federal Register Volume 82, Issue 12 (January 19, 2017)
| Page Range | 6425-6429 | |
| FR Document | 2017-00752 |
[Federal Register Volume 82, Number 12 (Thursday, January 19, 2017)] [Proposed Rules] [Pages 6425-6429] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2017-00752] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF HOMELAND SECURITY 48 CFR Parts 3001, 3002, 3024, and 3052 [Docket No. DHS-2017-0008] RIN 1601-AA79 Homeland Security Acquisition Regulation (HSAR); Privacy Training (HSAR Case 2015-003) AGENCY: Office of the Chief Procurement Officer, Department of Homeland Security (DHS). ACTION: Proposed rule. ----------------------------------------------------------------------- SUMMARY: DHS is proposing to amend the Homeland Security Acquisition Regulation (HSAR) to add a new subpart, update an existing clause, and add a new contract clause to require contractors to complete training that addresses the protection of privacy, in accordance with the Privacy Act of 1974, and the handling and safeguarding of Personally Identifiable Information and Sensitive Personally Identifiable Information. DATES: Interested parties should submit written comments to one of the addresses shown below on or before March 20, 2017, to be considered in the formation of the final rule. ADDRESSES: Submit comments identified by HSAR Case 2015-003, Privacy Training, using any of the following methods:Regulations.gov: http://www.regulations.gov. Submit comments via the Federal eRulemaking portal by entering ``HSAR Case 2015-003'' under the heading ``Enter Keyword or ID'' and selecting ``Search.'' Select the link ``Submit a Comment'' that corresponds with ``HSAR Case 2015-003.'' Follow the instructions provided at the ``Submit a Comment'' screen. Please include your name, company name (if any), and ``HSAR Case 2015-003'' on your attached document. Fax: (202) 447-0520 Mail: Department of Homeland Security, Office of the Chief Procurement Officer, Acquisition Policy and Legislation, ATTN: Ms. Candace Lightfoot, 245 Murray Drive, Bldg. 410 (RDS), Washington, DC 20528. Comments received generally will be posted without change to http://www.regulations.gov, including any personal information provided. To confirm receipt of your comment(s), please check http://www.regulations.gov, approximately two to three days after submission to verify posting (except allow 30 days for posting of comments submitted by mail). FOR FURTHER INFORMATION CONTACT: Ms. Candace Lightfoot, Procurement Analyst, DHS, Office of the Chief Procurement Officer, Acquisition Policy and Legislation at (202) 447-0882 or email [email protected]. When using email, include HSAR Case 2015-003 in the ``Subject'' line. SUPPLEMENTARY INFORMATION: I. Background DHS contracts currently require contractor and subcontractor employees to complete privacy training before accessing a Government system of records; handling Personally Identifiable Information (PII) or Sensitive PII (SPII); or designing, developing, maintaining, or operating a Government system of records. This training is completed upon award of the procurement and at least annually thereafter. DHS is proposing to (1) include Privacy training requirements in the HSAR and (2) make the training more easily accessible by hosting it on a public Web site. This approach ensures all applicable DHS contractors and subcontractors are subject to the same requirements while removing the need for Government intervention to provide access to the Privacy training. This proposed rule standardizes the Privacy training requirement across all DHS contracts by amending the HSAR to: (1) Add the terms ``personally identifiable information'' and ``sensitive personally identifiable information'' at HSAR 3002.1, Definitions. The definition of ``personally identifiable information'' is taken from OMB Circular A-130 Managing Information as a Strategic Resource,\1\ published July 27, 2016. The definition of ``sensitive personally identifiable information'' is derived from the DHS lexicon, Privacy Incident Handling Guidance, and the Handbook for Safeguarding Sensitive Personally Identifiable Information. These definitions are necessary because these terms appear in proposed HSAR 3024.70, Privacy Training and HSAR 3052.224-7X, Privacy Training. --------------------------------------------------------------------------- \1\ OMB Circular A-130 Managing Information as a Strategic Resource is accessible at https://www.whitehouse.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf. --------------------------------------------------------------------------- (2) Add a new subpart at HSAR 3024.70, Privacy Training addressing the requirements for privacy training. HSAR 3024.7001, Scope identifies the applicability of the subpart to contracts and subcontracts. HSAR 3024.7002, Definitions defines the term ``handling.'' The definition of ``handling'' was developed based upon a review of definitions for the term developed by other Federal agencies. HSAR 3024.7003, Policy identifies when contractors and subcontracts are required to complete the DHS privacy training. This subsection also requires the submission of training completion certificates for all contractor and subcontractor employees as a record of compliance. HSAR 3024.7004, Contract Clause, identifies when Contracting Officers must insert HSAR 3052.224-7X Privacy Training in solicitations and contracts. DHS welcomes respondents to offer their views on the following questions in particular: A. What burden, if any, is associated with the requirement to complete DHS-developed privacy training? B. What value, if any, is associated with providing industry the flexibility to develop its own privacy training given a unique set of Government requirements? (3) Amend sub paragraph (b) of the HSAR 3052.212-70, Contract Terms and Conditions Applicable to DHS Acquisition of Commercial Items to add HSAR 3052.224-7X, Privacy Training. This change is necessary because HSAR 3052.224-7X is applicable to the acquisition of commercial items; and (4) Add a new subsection at HSAR 3052.224-7X, Privacy Training to provide the text of the proposed clause. The proposed clause requires contractor and subcontractor employees to complete privacy training before accessing a Government system of records; handling Personally Identifiable Information (PII) or Sensitive PII (SPII); or designing, developing, maintaining, or operating a Government system of records. The training shall be completed within thirty (30) days of contract award and on an annual basis thereafter. The contractor shall maintain copies of training certificates for all contractor and subcontractor employees as a record of compliance and provide copies of the training certificates to the contracting officer. Subsequent training certificates to satisfy the annual privacy training requirement shall be submitted via email notification not later than October 31st of each year. The contractor shall attach training certificates to the email [[Page 6426]] notification and the email notification shall state that the required training has been completed for all contractor and subcontractor employees. These proposed revisions to the HSAR are necessary to ensure contractors and subcontractors properly handle PII and SPII. This includes PII and SPII contained in a system of records consistent with subsection (e) Agency requirements, and subsection (m) Government contractors, of the Privacy Act of 1974, Section 552a of title 5, United States Code (5 U.S.C. 552a). Other applicable authorities that address the responsibility for Federal agencies to ensure appropriate handling and safeguarding of PII include the following Office of Management and Budget (OMB) memoranda and policies: OMB Memorandum M-07-16, ``Safeguarding Against and Responding to the Breach of Personally Identifiable Information'' issued May 22, 2007; OMB Memorandum M-10-23, ``Guidance for Agency Use of Third-Party Web sites and Applications'' issued June 25, 2010 (this memorandum contains the most current definition of PII, and clarifies the definition provided in M-07-16); OMB Circular No. A-130 ``Managing Information as a Strategic Resource,'' which identifies significant requirements for safeguarding and handling PII and reporting any theft, loss, or compromise of such information. DHS has also developed internal guidance that addresses the handling and protection of PII, including the DHS Privacy Incident Handling Guidance and the DHS Handbook for Safeguarding Sensitive Personally Identifiable Information. The DHS Privacy Incident Handling Guidance informs DHS and its components, employees, senior officials, and contractors of their obligation to protect PII, and establishes policies and procedures defining how they must respond to the potential loss or compromise of PII. The DHS Handbook for Safeguarding Sensitive Personally Identifiable Information sets minimum standards for how DHS personnel and contractors should handle SPII in paper and electronic form during their work activities. This proposed rule is part of a broader initiative within DHS to (1) ensure contractors understand their responsibilities with regard to safeguarding controlled unclassified information (CUI); (2) contractor and subcontractor employees complete information technology (IT) security awareness training before access is provided to DHS information systems and information resources or contractor-owned and/ or operated information systems and information resources where CUI is collected, processed, stored or transmitted on behalf of the agency; (3) contractor and subcontractor employees sign the DHS RoB before access is provided to DHS information systems, information resources, or contractor-owned and/or operated information systems and information resources where CUI is collected, processed, stored or transmitted on behalf of the agency; and (4) contractor and subcontractor employees complete privacy training before accessing a Government system of records; handling personally identifiable information (PII) and/or sensitive PII information; or designing, developing, maintaining, or operating a system of records on behalf of the Government. II. Executive Orders 12866 and 13563 Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804. DHS has included a discussion of the estimated costs and benefits of this rule in the Paperwork Reduction Act supporting statement, which can be found in the docket for this rulemaking. III. Regulatory Flexibility Act DHS expects this proposed rule may have an impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., because the proposed rule requires contractor and subcontractor employees to be properly trained on the requirements, applicable laws, and appropriate safeguards designed to ensure the security and confidentiality of PII before access a Government system of records; handle PII or SPII; or design, develop, maintain, or operate a system of records on behalf of the Government. Although the Privacy Act of 1974 has been in place for over 40 years, the rapidly changing information security landscape requires the Federal government to strengthen its contracts to ensure that contractor and subcontractor employees comply with the Act and are aware of their responsibilities for safeguarding PII and SPII. Therefore, an Initial Regulatory Flexibility Analysis (IRFA) has been prepared consistent with 5 U.S.C. 603, and is summarized as follows: 1. Description of the Reasons Why Action by the Agency Is Being Taken DHS is proposing to amend the HSAR to require all contractor and subcontractor employees that will have access to a Government system of records; handle PII or SPII; or design, develop, maintain, or operate a system of records on behalf of the Government, complete training that addresses the requirements for the protection of privacy and the handling and safeguarding of PII and SPII. The purpose of this proposed rule is to require contractors to identify its employees who require access, ensure that those employees complete privacy training before being granted access and annually thereafter, provide the Government evidence of the completed training, and maintain evidence of completed training in accordance with the records retention requirements of the contract. 2. Succinct Statement of the Objectives of, and Legal Basis for, the Rule The objective of this rule is to require contractor and subcontractor employees to complete Privacy training before accessing a Government system of records; handling PII and/or SPII; or designing, developing, maintaining, or operating a Government system of records. This proposed rule requires contractors to identify who will be responsible for completing privacy training, and to emphasize and create awareness of the critical importance of privacy training in an effort to reduce the occurrences of privacy incidents. The training imposed by this proposed rule is required by the provisions of the Privacy Act (5 U.S.C. 552a), Title III of the E- Government Act of 2002 and the Federal Information Security Modernization Act (FISMA) of 2014. This proposed rule requires contractors to identify its employees and subcontractor employees who require access to PII and SPII, ensure that those employees complete privacy training before being granted access to such information and annually thereafter, provide the Government evidence of the completed training, and maintain evidence of completed training. [[Page 6427]] 3. Description of and, Where Feasible, Estimate of the Number of Small Entities To Which the Rule Will Apply This proposed rule will apply to contractor and subcontractor employees who require access to a Government system of records; handle PII or Sensitive PII; or design, develop, maintain, or operate a system of records on behalf of the Government. The estimated number of small entities to which the rule will apply is 6,628 respondents of which 4,162 are projected to be small businesses. This estimate is based on a review and analysis of internal DHS contract data and Fiscal Year (FY) 2014 data reported to the Federal Procurement Data System (FPDS). It is anticipated that this rule will be primarily applicable to procurement actions with a Product and Service Code (PSC) of ``D'' Automatic Data Processing and Telecommunication and ``R'' Professional, Administrative and Management Support. PSCs will be adjusted as additional data becomes available through HSAR clause implementation to validate future burden projections. 4. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Rule, Including an Estimate of the Classes of Small Entities Which Will Be Subject to the Requirement and the Type of Professional Skills Necessary The projected reporting and recordkeeping associated with this proposed rule is kept to the minimum necessary to meet the overall objectives. DHS minimized the burden associated with this proposed rule by developing the training and making it publicly accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. DHS has also minimized burden by providing automatically generated certificates at the conclusion of the training. Training shall be completed within thirty (30) days of contract award and on an annual basis thereafter. Initial training certificates for each contractor and subcontractor employee shall be provided to the Government not later than thirty (30) days after contract award. Subsequent training certificates to satisfy the annual privacy training requirement shall be submitted via email notification not later than October 31st of each year. The contractor shall attach training certificates to the email notification and the email notification shall state that the required training has been completed for all contractor and subcontractor employees and include copies of the training certificates. 5. Identification, to the Extent Practicable, of All Relevant Federal Rules Which May Duplicate, Overlap, or Conflict With the Rule There are no rules that duplicate, overlap or conflict with this rule. 6. Description of Any Significant Alternatives to the Rule Which Accomplish the Stated Objectives of Applicable Statutes and Which Minimize Any Significant Economic Impact of the Rule on Small Entities There are no practical alternatives that will accomplish the objectives of the proposed rule. DHS will be submitting a copy of the IRFA to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the point of contact specified herein. DHS invites comments from small business concerns and other interested parties on the expected impact of this rule on small entities. DHS will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610 (HSAR Case 2015-003), in correspondence. IV. Paperwork Reduction Act The Paperwork Reduction Act (44 U.S.C. chapter 35) applies because this proposed rule contains information collection requirements. Accordingly, DHS will be submitting a request for approval of a new information collection requirement concerning this rule to the Office of Management and Budget under 44 U.S.C. 3501, et seq. A. Public reporting burden for this collection of information is estimated to be approximately 30 minutes (.50 hours) per response to comply with the requirements, including time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. The total annual projected number of responses per respondent is estimated at four (4). The estimated annual total burden hours are as follows: Title: Homeland Security Acquisition Regulation: Privacy Training. Type of Request: New Collection. Number of Respondents: 6,628. Responses per Respondent: 4. Annual Responses: 26,512. Average Burden per Response: Approximately 0.50. Annual Burden Hours: 13,256. Needs and Uses: DHS needs the information required by 3052.224-7X, Privacy Training to properly track contractor compliance with the training requirements identified in the clause. Affected Public: Businesses or other for-profit institutions. Respondent's Obligation: Required to obtain or retain benefits. Frequency: Upon award of procurement and annually thereafter. B. Request for Comments Regarding Paperwork Burden. You may submit comments identified by DHS docket number [DHS-2017- 0008], including suggestions for reducing this burden, not later than March 20, 2017 using any one of the following methods: (1) Via the internet at Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. (2) Via email to the Department of Homeland Security, Office of the Chief Procurement Officer, at [email protected]. Public comments are particularly invited on: Whether this collection of information is necessary for the proper performance of functions of the HSAR, and will have practical utility; whether our estimate of the public burden of this collection of information is accurate, and based on valid assumptions and methodology; ways to enhance the quality, utility, and clarity of the information to be collected; and ways in which we can minimize the burden of the collection of information on those who are to respond, through the use of appropriate technological collection techniques or other forms of information technology. Requesters may obtain a copy of the supporting statement from the Department of Homeland Security, Office of the Chief Procurement Officer, Acquisition Policy and Legislation, via email to [email protected]. Please cite OMB Control No. 1600-0022 Privacy Training and Information Security Training, in the ``Subject'' line. List of Subjects in 48 CFR Parts 3001, 3002, 3024 and 3052 Government procurement. Therefore, DHS proposes to amend 48 CFR parts 3001, 3002, 3024 and 3052 to read as follows: 0 1. The authority citation for 48 CFR parts 3001, 3002, 3024, and 3052 is revised to read as follows: Authority: 5 U.S.C. 301-302, 41 U.S.C. 1707, 41 U.S.C. 1702, 41 U.S.C. 1303(a)(2), 48 CFR part 1, subpart 1.3, and DHS Delegation Number 0702. [[Page 6428]] PART 3001--FEDERAL ACQUISITION REGULATIONS SYSTEM Subpart 3001.1--Purpose, Authority, Issuance 0 2. Amend section 3001.106 by revising paragraph (a) to add a new OMB Control Number as follows: 3001.106 OMB Approval under the Paperwork Reduction Act. (a) * * * OMB Control No. 1600-0022 (Privacy Training) * * * * * PART 3002--DEFINITIONS OF WORDS AND TERMS 0 3. Amend section 3002.101 by adding, in alphabetical order, the definitions: for ``Personally Identifiable Information (PII),'' and ``Sensitive Personally Identifiable Information (SPII)'' to read as follows: * * * * * ``Personally Identifiable Information (PII)'' means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. * * * * * ``Sensitive Personally Identifiable Information (SPII)'' is a subset of PII, which if lost, compromised or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Some forms of PII are sensitive as stand-alone elements. (1) Examples of stand-alone SPII include: Social Security numbers (SSN), driver's license or state identification number, Alien Registration Numbers (A-number), financial account number, and biometric identifiers such as fingerprint, voiceprint, or iris scan. (2) Additional examples of SPII include any groupings of information that contain an individual's name or other unique identifier plus one or more of the following elements: (i) Truncated SSN (such as last 4 digits) (ii) Date of birth (month, day, and year) (iii) Citizenship or immigration status (iv) Ethnic or religious affiliation (v) Sexual orientation (vi) Criminal history (vii) Medical information (viii) System authentication information such as mother's maiden name, account passwords or personal identification numbers (PIN) (3) Other PII may be SPII depending on its context, such as a list of employees and their performance ratings or an unlisted home address or phone number. In contrast, a business card or public telephone directory of agency employees contains PII but is not SPII. PART 3024--PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION 0 4. Amend part 3024 by adding subpart 3024.70: Subpart 3024.70--Privacy Training 3024.7001 Scope. 3024.7002 Definitions. 3024.7003 Policy. 3024.7004 Contract Clause. 3024.7001 Scope. This section applies to contracts and subcontracts where contractor and subcontractor employees require access to a Government system of records; handle Personally Identifiable Information (PII) or Sensitive PII (SPII); or design, develop, maintain, or operate a Government system of records. 3024.7002 Definitions. As used in this subpart-- ``Handling'' means any use of Personally Identifiable Information (PII) or Sensitive PII (SPII), including but not limited to marking, safeguarding, transporting, disseminating, re-using, storing, capturing, and disposing of the information. 3024.7003 Policy. (a) Contractors are responsible for ensuring that contractor and subcontractor employees complete DHS privacy training initially upon award of the procurement, and at least annually thereafter, before contractor and subcontractor employees-- (1) Access to a Government system of records; (2) Handle PII or SPII; or (3) Design, develop, maintain, or operate a system of records on behalf of the Government. (b) The contractor shall ensure employees identified in paragraph (a) of this section complete the required training, maintain evidence that the training has been completed and provide copies of the training completion certificates to the Contracting Officer and/or Contracting Officer's Representative for inclusion in the contract file. (c) Each contractor and subcontractor employee who requires access to a Government system of records; handles PII or SPII; or designs, develops, maintains, or operates a Government system of records, shall be granted access or allowed to retain such access only if the individual has completed Department of Homeland Security privacy training requirements. 3024.7004 Contract Clause. Contracting officers shall insert the clause at (HSAR) 48 CFR 3052.224-7X, Privacy Training, in solicitations and contracts when contractor and subcontractor employees may have access to a Government system of records; handle PII or SPII; or design, develop, maintain, or operate a system of records on behalf of the Government. PART 3052--SOLICITATION PROVISIONS AND CONTRACT CLAUSES 0 5. Amend paragraph (b) of section 3052.212-70 to add 3052.224-7X Privacy Training as follows: 3052.212-70 Contract terms and conditions applicable to DHS acquisition of commercial items. Contract Terms and Conditions Applicable to DHS Acquisition of Commercial Items (DATE) * * * * * (b) * * * ___3052.224-7X Privacy Training 0 6. Amend part 3052 by adding section 3052.224-7X Privacy Training, to read as follows: 3052.224-7X Privacy training. As prescribed in (HSAR) 48 CFR 3024.7004 contract clause, insert the following clause: Privacy Training (DATE) (a) The Contractor shall ensure that all Contractor and subcontractor employees complete the Department of Homeland Security (DHS) training titled, Privacy at DHS: Protecting Personally Identifiable Information accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors, before such employees-- (1) Access a Government system of records; (2) Handle personally identifiable information or sensitive personally identifiable information; or (3) Design, develop, maintain, or operate a system of records on behalf of the Government. (b) Training shall be completed within thirty (30) days of contract award and be completed on an annual basis thereafter not later than October 31st of each year. Any new Contractor or subcontractor employees assigned to the contract shall complete the training before accessing the information identified in paragraph (a) of this clause. The Contractor shall maintain copies of the training certificates for all Contractor and subcontractor employees as a record of compliance. Initial training certificates for each Contractor and subcontractor employee [[Page 6429]] shall be provided to the Contracting Officer and/or Contracting Officer's Representative (COR) via email notification not later than thirty (30) days after contract award or assignment to the contract. Subsequent training certificates to satisfy the annual training requirement shall be submitted to the Contracting Officer and/or COR via email notification not later than October 31st of each year. The Contractor shall attach training certificates to the email notification and the email notification shall list all Contractor and subcontractor employees required to complete the training and state the required Privacy training has been completed for all Contractor and subcontractor employees. (c) The Contractor shall insert the substance of this clause in all subcontracts and require subcontractors to include this clause in all lower-tier subcontracts. (End of clause) Soraya Correa, Chief Procurement Officer, Department of Homeland Security. [FR Doc. 2017-00752 Filed 1-18-17; 8:45 am] BILLING CODE 9110-9B-P
![Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules 6425
Dated: January 9, 2017. Comments received generally will be 3024.70, Privacy Training and HSAR
Sylvia M. Burwell, posted without change to http:// 3052.224–7X, Privacy Training.
Secretary, Department of Health and Human www.regulations.gov, including any (2) Add a new subpart at HSAR
Services. personal information provided. To 3024.70, Privacy Training addressing
[FR Doc. 2017–00700 Filed 1–18–17; 8:45 am] confirm receipt of your comment(s), the requirements for privacy training.
BILLING CODE 4165–15–P please check http:// HSAR 3024.7001, Scope identifies the
www.regulations.gov, approximately applicability of the subpart to contracts
two to three days after submission to and subcontracts. HSAR 3024.7002,
verify posting (except allow 30 days for Definitions defines the term ‘‘handling.’’
DEPARTMENT OF HOMELAND posting of comments submitted by The definition of ‘‘handling’’ was
SECURITY mail). developed based upon a review of
48 CFR Parts 3001, 3002, 3024, and FOR FURTHER INFORMATION CONTACT: Ms.
definitions for the term developed by
Candace Lightfoot, Procurement other Federal agencies. HSAR
3052
Analyst, DHS, Office of the Chief 3024.7003, Policy identifies when
[Docket No. DHS–2017–0008] Procurement Officer, Acquisition Policy contractors and subcontracts are
and Legislation at (202) 447–0882 or required to complete the DHS privacy
RIN 1601–AA79 training. This subsection also requires
email HSAR@hq.dhs.gov. When using
email, include HSAR Case 2015–003 in the submission of training completion
Homeland Security Acquisition
the ‘‘Subject’’ line. certificates for all contractor and
Regulation (HSAR); Privacy Training
subcontractor employees as a record of
(HSAR Case 2015–003) SUPPLEMENTARY INFORMATION:
compliance. HSAR 3024.7004, Contract
AGENCY: Office of the Chief Procurement I. Background Clause, identifies when Contracting
Officer, Department of Homeland DHS contracts currently require Officers must insert HSAR 3052.224–7X
Security (DHS). contractor and subcontractor employees Privacy Training in solicitations and
ACTION: Proposed rule. to complete privacy training before contracts. DHS welcomes respondents
accessing a Government system of to offer their views on the following
SUMMARY: DHS is proposing to amend records; handling Personally questions in particular:
the Homeland Security Acquisition A. What burden, if any, is associated
Identifiable Information (PII) or
Regulation (HSAR) to add a new with the requirement to complete DHS-
Sensitive PII (SPII); or designing,
subpart, update an existing clause, and developed privacy training?
developing, maintaining, or operating a B. What value, if any, is associated
add a new contract clause to require Government system of records. This
contractors to complete training that with providing industry the flexibility
training is completed upon award of the to develop its own privacy training
addresses the protection of privacy, in procurement and at least annually
accordance with the Privacy Act of given a unique set of Government
thereafter. requirements?
1974, and the handling and DHS is proposing to (1) include
safeguarding of Personally Identifiable (3) Amend sub paragraph (b) of the
Privacy training requirements in the HSAR 3052.212–70, Contract Terms and
Information and Sensitive Personally HSAR and (2) make the training more Conditions Applicable to DHS
Identifiable Information. easily accessible by hosting it on a Acquisition of Commercial Items to add
DATES: Interested parties should submit public Web site. This approach ensures HSAR 3052.224–7X, Privacy Training.
written comments to one of the all applicable DHS contractors and This change is necessary because HSAR
addresses shown below on or before subcontractors are subject to the same 3052.224–7X is applicable to the
March 20, 2017, to be considered in the requirements while removing the need acquisition of commercial items; and
formation of the final rule. for Government intervention to provide (4) Add a new subsection at HSAR
ADDRESSES: Submit comments access to the Privacy training. 3052.224–7X, Privacy Training to
identified by HSAR Case 2015–003, This proposed rule standardizes the provide the text of the proposed clause.
Privacy Training, using any of the Privacy training requirement across all The proposed clause requires contractor
following methods: DHS contracts by amending the HSAR and subcontractor employees to
• Regulations.gov: http:// to: complete privacy training before
www.regulations.gov. (1) Add the terms ‘‘personally accessing a Government system of
Submit comments via the Federal identifiable information’’ and ‘‘sensitive records; handling Personally
eRulemaking portal by entering ‘‘HSAR personally identifiable information’’ at Identifiable Information (PII) or
Case 2015–003’’ under the heading HSAR 3002.1, Definitions. The Sensitive PII (SPII); or designing,
‘‘Enter Keyword or ID’’ and selecting definition of ‘‘personally identifiable developing, maintaining, or operating a
‘‘Search.’’ Select the link ‘‘Submit a information’’ is taken from OMB Government system of records. The
Comment’’ that corresponds with Circular A–130 Managing Information training shall be completed within
‘‘HSAR Case 2015–003.’’ Follow the as a Strategic Resource,1 published July thirty (30) days of contract award and
instructions provided at the ‘‘Submit a 27, 2016. The definition of ‘‘sensitive on an annual basis thereafter. The
Comment’’ screen. Please include your personally identifiable information’’ is contractor shall maintain copies of
name, company name (if any), and derived from the DHS lexicon, Privacy training certificates for all contractor
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS
‘‘HSAR Case 2015–003’’ on your Incident Handling Guidance, and the and subcontractor employees as a record
attached document. Handbook for Safeguarding Sensitive of compliance and provide copies of the
• Fax: (202) 447–0520 Personally Identifiable Information. training certificates to the contracting
• Mail: Department of Homeland These definitions are necessary because officer. Subsequent training certificates
Security, Office of the Chief these terms appear in proposed HSAR to satisfy the annual privacy training
Procurement Officer, Acquisition Policy 1 OMB Circular A–130 Managing Information as
requirement shall be submitted via
and Legislation, ATTN: Ms. Candace a Strategic Resource is accessible at https://
email notification not later than October
Lightfoot, 245 Murray Drive, Bldg. 410 www.whitehouse.gov/sites/default/files/omb/assets/ 31st of each year. The contractor shall
(RDS), Washington, DC 20528. OMB/circulars/a130/a130revised.pdf. attach training certificates to the email
VerDate Sep<11>2014 20:40 Jan 18, 2017 Jkt 241001 PO 00000 Frm 00087 Fmt 4702 Sfmt 4702 E:\FR\FM\19JAP1.SGM 19JAP1](https://thefederalregister.org/doc/82_FR_6437/page/1.svg)
![Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules 6427
3. Description of and, Where Feasible, employees and include copies of the Annual Burden Hours: 13,256.
Estimate of the Number of Small training certificates. Needs and Uses: DHS needs the
Entities To Which the Rule Will Apply information required by 3052.224–7X,
5. Identification, to the Extent
Privacy Training to properly track
This proposed rule will apply to Practicable, of All Relevant Federal
contractor compliance with the training
contractor and subcontractor employees Rules Which May Duplicate, Overlap, or
requirements identified in the clause.
who require access to a Government Conflict With the Rule
Affected Public: Businesses or other
system of records; handle PII or There are no rules that duplicate, for-profit institutions.
Sensitive PII; or design, develop, overlap or conflict with this rule. Respondent’s Obligation: Required to
maintain, or operate a system of records obtain or retain benefits.
on behalf of the Government. The 6. Description of Any Significant
Alternatives to the Rule Which Frequency: Upon award of
estimated number of small entities to procurement and annually thereafter.
which the rule will apply is 6,628 Accomplish the Stated Objectives of
Applicable Statutes and Which B. Request for Comments Regarding
respondents of which 4,162 are Paperwork Burden.
projected to be small businesses. Minimize Any Significant Economic
Impact of the Rule on Small Entities You may submit comments identified
This estimate is based on a review by DHS docket number [DHS–2017–
and analysis of internal DHS contract There are no practical alternatives 0008], including suggestions for
data and Fiscal Year (FY) 2014 data that will accomplish the objectives of reducing this burden, not later than
reported to the Federal Procurement the proposed rule. March 20, 2017 using any one of the
Data System (FPDS). It is anticipated DHS will be submitting a copy of the following methods:
that this rule will be primarily IRFA to the Chief Counsel for Advocacy (1) Via the internet at Federal
applicable to procurement actions with of the Small Business Administration. A eRulemaking Portal: http://
a Product and Service Code (PSC) of copy of the IRFA may be obtained from www.regulations.gov. Follow the
‘‘D’’ Automatic Data Processing and the point of contact specified herein. instructions for submitting comments.
Telecommunication and ‘‘R’’ DHS invites comments from small (2) Via email to the Department of
Professional, Administrative and business concerns and other interested Homeland Security, Office of the Chief
Management Support. PSCs will be parties on the expected impact of this Procurement Officer, at HSAR@
adjusted as additional data becomes rule on small entities. hq.dhs.gov.
available through HSAR clause DHS will also consider comments Public comments are particularly
implementation to validate future from small entities concerning the invited on: Whether this collection of
burden projections. existing regulations in subparts affected information is necessary for the proper
by this rule in accordance with 5 U.S.C. performance of functions of the HSAR,
4. Description of Projected Reporting, 610. Interested parties must submit such and will have practical utility; whether
Recordkeeping, and Other Compliance comments separately and should cite 5 our estimate of the public burden of this
Requirements of the Rule, Including an U.S.C. 610 (HSAR Case 2015–003), in collection of information is accurate,
Estimate of the Classes of Small Entities correspondence. and based on valid assumptions and
Which Will Be Subject to the methodology; ways to enhance the
Requirement and the Type of IV. Paperwork Reduction Act
quality, utility, and clarity of the
Professional Skills Necessary The Paperwork Reduction Act (44 information to be collected; and ways in
U.S.C. chapter 35) applies because this which we can minimize the burden of
The projected reporting and proposed rule contains information
recordkeeping associated with this the collection of information on those
collection requirements. Accordingly, who are to respond, through the use of
proposed rule is kept to the minimum DHS will be submitting a request for
necessary to meet the overall objectives. appropriate technological collection
approval of a new information techniques or other forms of information
DHS minimized the burden associated collection requirement concerning this
with this proposed rule by developing technology.
rule to the Office of Management and Requesters may obtain a copy of the
the training and making it publicly Budget under 44 U.S.C. 3501, et seq.
accessible at http://www.dhs.gov/dhs- supporting statement from the
A. Public reporting burden for this
security-and-training-requirements- Department of Homeland Security,
collection of information is estimated to
contractors. DHS has also minimized Office of the Chief Procurement Officer,
be approximately 30 minutes (.50 hours)
burden by providing automatically Acquisition Policy and Legislation, via
per response to comply with the
generated certificates at the conclusion email to HSAR@hq.dhs.gov. Please cite
requirements, including time for
of the training. Training shall be OMB Control No. 1600–0022 Privacy
reviewing instructions, searching
completed within thirty (30) days of Training and Information Security
existing data sources, gathering and
contract award and on an annual basis Training, in the ‘‘Subject’’ line.
maintaining the data needed, and
thereafter. Initial training certificates for completing and reviewing the collection List of Subjects in 48 CFR Parts 3001,
each contractor and subcontractor of information. The total annual 3002, 3024 and 3052
employee shall be provided to the projected number of responses per
Government not later than thirty (30) Government procurement.
respondent is estimated at four (4). The
days after contract award. Subsequent Therefore, DHS proposes to amend 48
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS
estimated annual total burden hours are
training certificates to satisfy the annual as follows: CFR parts 3001, 3002, 3024 and 3052 to
privacy training requirement shall be Title: Homeland Security Acquisition read as follows:
submitted via email notification not Regulation: Privacy Training. ■ 1. The authority citation for 48 CFR
later than October 31st of each year. The Type of Request: New Collection. parts 3001, 3002, 3024, and 3052 is
contractor shall attach training Number of Respondents: 6,628. revised to read as follows:
certificates to the email notification and Responses per Respondent: 4. Authority: 5 U.S.C. 301–302, 41 U.S.C.
the email notification shall state that the Annual Responses: 26,512. 1707, 41 U.S.C. 1702, 41 U.S.C. 1303(a)(2), 48
required training has been completed Average Burden per Response: CFR part 1, subpart 1.3, and DHS Delegation
for all contractor and subcontractor Approximately 0.50. Number 0702.
VerDate Sep<11>2014 20:40 Jan 18, 2017 Jkt 241001 PO 00000 Frm 00089 Fmt 4702 Sfmt 4702 E:\FR\FM\19JAP1.SGM 19JAP1](https://thefederalregister.org/doc/82_FR_6437/page/3.svg)
![Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules 6429
shall be provided to the Contracting Officer Case 2015–001’’ under the heading post-incident activities and requires
and/or Contracting Officer’s Representative ‘‘Enter Keyword or ID’’ and selecting certification of sanitization of
(COR) via email notification not later than ‘‘Search.’’ Select the link ‘‘Submit a Government and Government-Activity
thirty (30) days after contract award or
Comment’’ that corresponds with related files and information.
assignment to the contract. Subsequent
training certificates to satisfy the annual ‘‘HSAR Case 2015–001.’’ Follow the Additionally, the proposed rule requires
training requirement shall be submitted to instructions provided at the ‘‘Submit a that contractors have in place
the Contracting Officer and/or COR via email Comment’’ screen. Please include your procedures and the capability to notify
notification not later than October 31st of name, company name (if any), and and provide credit monitoring services
each year. The Contractor shall attach ‘‘HSAR Case 2015–001’’ on your to any individual whose Personally
training certificates to the email notification attached document. Identifiable Information (PII) or
and the email notification shall list all • Fax: (202) 447–0520 Sensitive PII (SPII) was under the
Contractor and subcontractor employees
required to complete the training and state • Mail: Department of Homeland control of the contractor or resided in
the required Privacy training has been Security, Office of the Chief the information system at the time of the
completed for all Contractor and Procurement Officer, Acquisition Policy incident.
subcontractor employees. and Legislation, ATTN: Ms. Shaundra This rule addresses the safeguarding
(c) The Contractor shall insert the Duggans, 245 Murray Drive, Bldg. 410 requirements specified in the Federal
substance of this clause in all subcontracts (RDS), Washington, DC 20528. Information Security Modernization Act
and require subcontractors to include this Comments received generally will be (FISMA) of 2014 (44 U.S.C. 3551, et
clause in all lower-tier subcontracts. seq.), Office of Management and Budget
posted without change to http://
(End of clause) www.regulations.gov, including any (OMB) Circular A–130, Managing
personal information provided. To Information as a Strategic Resource,1
Soraya Correa, relevant National Institutes of Standards
confirm receipt of your comment(s),
Chief Procurement Officer, Department of please check www.regulations.gov, and Technology (NIST) guidance,
Homeland Security. Executive Order 13556, Controlled
approximately two to three days after
[FR Doc. 2017–00752 Filed 1–18–17; 8:45 am]
submission to verify posting (except Unclassified Information 2 and its
BILLING CODE 9110–9B–P allow 30 days for posting of comments implementing regulation at 32 CFR part
submitted by mail). 2002,3 and the following OMB
Memoranda: M–07–16, Safeguarding
DEPARTMENT OF HOMELAND FOR FURTHER INFORMATION CONTACT: Ms.
Against and Responding to the Breach
SECURITY Shaundra Duggans, Procurement
of Personally Identifiable Information;
Analyst, DHS, Office of the Chief
M–14–03, Enhancing the Security of
48 CFR Parts 3001, 3002, 3004, and Procurement Officer, Acquisition Policy
Federal Information and Information
3052 and Legislation at (202) 447–0056 or
Systems; and Reporting Instructions for
email HSAR@hq.dhs.gov. When using
[Docket No. DHS–2017–0006] the Federal Information Security
email, include HSAR Case 2015–001 in
Management Act and Agency Privacy
RIN 1601–AA76 the ‘‘Subject’’ line.
Management as identified in various
SUPPLEMENTARY INFORMATION: OMB Memoranda.4 Ongoing efforts by
Homeland Security Acquisition
Regulation (HSAR); Safeguarding of I. Background OMB and DHS with regard to
Controlled Unclassified Information implementation of FISMA, such as the
The purpose of this proposed rule is issuance of Binding Operational
(HSAR Case 2015–001) to implement adequate security and Directives, and DHS implementation of
AGENCY: Office of the Chief Procurement privacy measures to safeguard the CUI program, may require future
Officer, Department of Homeland Controlled Unclassified Information HSAR revisions in this area. DHS
Security (DHS). (CUI) and facilitate improved incident intends to harmonize the HSAR to be
ACTION: Proposed rule. reporting to DHS. This proposed rule consistent with the requirements of
does not apply to classified information. these ongoing efforts.
SUMMARY: DHS is proposing to amend These measures are necessary because
the Homeland Security Acquisition of the urgent need to protect CUI and II. Discussion and Analysis
Regulation (HSAR) to modify a subpart, respond appropriately when DHS This proposed rule is part of a broader
remove an existing clause and reserve contractors experience incidents with initiative within DHS to (1) ensure
the clause number, update an existing DHS information. Recent high-profile contractors understand their
clause, and add a new contract clause to breaches of Federal information further responsibilities with regard to
address requirements for the demonstrate the need to ensure that safeguarding controlled unclassified
safeguarding of Controlled Unclassified information security protections are information (CUI); (2) contractor and
Information (CUI). clearly, effectively, and consistently subcontractor employees complete
DATES: Comments on the proposed rule addressed in contracts. This proposed
should be submitted in writing to one of rule strengthens and expands existing 1 OMB Circular A–130 Managing Information as
the addresses shown below on or before HSAR language to ensure adequate a Strategic Resource is accessible at https://
www.whitehouse.gov/sites/default/files/omb/assets/
March 20, 2017, to be considered in the security for CUI that is accessed by OMB/circulars/a130/a130revised.pdf.
formation of the final rule. contractors; collected or maintained by
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS
2 Executive Order 13556 Controlled Unclassified
ADDRESSES: Submit comments contractors on behalf of an agency; and/ Information is accessible at https://www.gpo.gov/
or for Federal information systems that fdsys/pkg/FR-2010-11-09/pdf/2010-28360.pdf.
identified by HSAR Case 2015–001, 3 32 CFR part 2002 is accessible at https://
Safeguarding of Controlled Unclassified collect, process, store or transmit such www.gpo.gov/fdsys/pkg/FR-2016-09-14/pdf/2016-
Information, using any of the following information. The proposed rule 21665.pdf.
methods: identifies CUI handling requirements as 4 These memoranda include M–03–19, M–04–25,
• Regulations.gov: http:// well as incident reporting requirements, M–05–15, M–06–20, M–07–19, M–08–212, M–09–
29, M–10–15, M–11–33, M–12–20, M–14–04, M–
www.regulations.gov. including timelines and required data 15–01, M–16–03, and M–16–04. These memoranda
Submit comments via the Federal elements. The proposed rule also can be accessed at: https://www.whitehouse.gov/
eRulemaking portal by entering ‘‘HSAR includes inspection provisions and omb/memoranda_default.
VerDate Sep<11>2014 20:40 Jan 18, 2017 Jkt 241001 PO 00000 Frm 00091 Fmt 4702 Sfmt 4702 E:\FR\FM\19JAP1.SGM 19JAP1](https://thefederalregister.org/doc/82_FR_6437/page/5.svg)
Document Created: 2018-02-01 15:16:16
Document Modified: 2018-02-01 15:16:16
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Proposed Rules | |
| Action | Proposed rule. | |
| Dates | Interested parties should submit written comments to one of the | |
| Contact | Ms. Candace Lightfoot, Procurement Analyst, DHS, Office of the Chief Procurement Officer, Acquisition Policy and Legislation at (202) 447-0882 or email [email protected] When using email, include HSAR Case 2015-003 in the ``Subject'' line. | |
| FR Citation | 82 FR 6425 | |
| RIN Number | 1601-AA79 | |
| CFR Citation | 48
CFR
3001 48 CFR 3002 48 CFR 3024 48 CFR 3052 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR