82 FR 6425 - Homeland Security Acquisition Regulation (HSAR); Privacy Training (HSAR Case 2015-003)

DEPARTMENT OF HOMELAND SECURITY

Federal Register Volume 82, Issue 12 (January 19, 2017)

Page Range: 6425-6429
FR Document: 2017-00752

DHS is proposing to amend the Homeland Security Acquisition Regulation (HSAR) to add a new subpart, update an existing clause, and add a new contract clause to require contractors to complete training that addresses the protection of privacy, in accordance with the Privacy Act of 1974, and the handling and safeguarding of Personally Identifiable Information and Sensitive Personally Identifiable Information.

[Federal Register Volume 82, Number 12 (Thursday, January 19, 2017)]
[Proposed Rules]
[Pages 6425-6429]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2017-00752]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

48 CFR Parts 3001, 3002, 3024, and 3052

[Docket No. DHS-2017-0008]
RIN 1601-AA79


Homeland Security Acquisition Regulation (HSAR); Privacy Training 
(HSAR Case 2015-003)

AGENCY: Office of the Chief Procurement Officer, Department of Homeland 
Security (DHS).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: DHS is proposing to amend the Homeland Security Acquisition 
Regulation (HSAR) to add a new subpart, update an existing clause, and 
add a new contract clause to require contractors to complete training 
that addresses the protection of privacy, in accordance with the 
Privacy Act of 1974, and the handling and safeguarding of Personally 
Identifiable Information and Sensitive Personally Identifiable 
Information.

DATES: Interested parties should submit written comments to one of the 
addresses shown below on or before March 20, 2017, to be considered in 
the formation of the final rule.

ADDRESSES: Submit comments identified by HSAR Case 2015-003, Privacy 
Training, using any of the following methods:
     Regulations.gov: http://www.regulations.gov.
    Submit comments via the Federal eRulemaking portal by entering 
``HSAR Case 2015-003'' under the heading ``Enter Keyword or ID'' and 
selecting ``Search.'' Select the link ``Submit a Comment'' that 
corresponds with ``HSAR Case 2015-003.'' Follow the instructions 
provided at the ``Submit a Comment'' screen. Please include your name, 
company name (if any), and ``HSAR Case 2015-003'' on your attached 
document.
     Fax: (202) 447-0520
     Mail: Department of Homeland Security, Office of the Chief 
Procurement Officer, Acquisition Policy and Legislation, ATTN: Ms. 
Candace Lightfoot, 245 Murray Drive, Bldg. 410 (RDS), Washington, DC 
20528.
    Comments received generally will be posted without change to http://www.regulations.gov, including any personal information provided. To 
confirm receipt of your comment(s), please check http://www.regulations.gov, approximately two to three days after submission 
to verify posting (except allow 30 days for posting of comments 
submitted by mail).

FOR FURTHER INFORMATION CONTACT: Ms. Candace Lightfoot, Procurement 
Analyst, DHS, Office of the Chief Procurement Officer, Acquisition 
Policy and Legislation at (202) 447-0882 or email HSAR@hq.dhs.gov. When 
using email, include HSAR Case 2015-003 in the ``Subject'' line.

SUPPLEMENTARY INFORMATION:

I. Background

    DHS contracts currently require contractor and subcontractor 
employees to complete privacy training before accessing a Government 
system of records; handling Personally Identifiable Information (PII) 
or Sensitive PII (SPII); or designing, developing, maintaining, or 
operating a Government system of records. This training is completed 
upon award of the procurement and at least annually thereafter.
    DHS is proposing to (1) include Privacy training requirements in 
the HSAR and (2) make the training more easily accessible by hosting it 
on a public Web site. This approach ensures all applicable DHS 
contractors and subcontractors are subject to the same requirements 
while removing the need for Government intervention to provide access 
to the Privacy training.
    This proposed rule standardizes the Privacy training requirement 
across all DHS contracts by amending the HSAR to:
    (1) Add the terms ``personally identifiable information'' and 
``sensitive personally identifiable information'' at HSAR 3002.1, 
Definitions. The definition of ``personally identifiable information'' 
is taken from OMB Circular A-130 Managing Information as a Strategic 
Resource,\1\ published July 27, 2016. The definition of ``sensitive 
personally identifiable information'' is derived from the DHS lexicon, 
Privacy Incident Handling Guidance, and the Handbook for Safeguarding 
Sensitive Personally Identifiable Information. These definitions are 
necessary because these terms appear in proposed HSAR 3024.70, Privacy 
Training and HSAR 3052.224-7X, Privacy Training.
---------------------------------------------------------------------------

    \1\ OMB Circular A-130 Managing Information as a Strategic 
Resource is accessible at https://www.whitehouse.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf.
---------------------------------------------------------------------------

    (2) Add a new subpart at HSAR 3024.70, Privacy Training addressing 
the requirements for privacy training. HSAR 3024.7001, Scope identifies 
the applicability of the subpart to contracts and subcontracts. HSAR 
3024.7002, Definitions defines the term ``handling.'' The definition of 
``handling'' was developed based upon a review of definitions for the 
term developed by other Federal agencies. HSAR 3024.7003, Policy 
identifies when contractors and subcontractors are required to complete 
the DHS privacy training. This subsection also requires the submission 
of training completion certificates for all contractor and 
subcontractor employees as a record of compliance. HSAR 3024.7004, 
Contract Clause, identifies when Contracting Officers must insert HSAR 
3052.224-7X Privacy Training in solicitations and contracts. DHS 
welcomes respondents to offer their views on the following questions in 
particular:
    A. What burden, if any, is associated with the requirement to 
complete DHS-developed privacy training?
    B. What value, if any, is associated with providing industry the 
flexibility to develop its own privacy training given a unique set of 
Government requirements?
    (3) Amend subparagraph (b) of the HSAR 3052.212-70, Contract Terms 
and Conditions Applicable to DHS Acquisition of Commercial Items to add 
HSAR 3052.224-7X, Privacy Training. This change is necessary because 
HSAR 3052.224-7X is applicable to the acquisition of commercial items; 
and
    (4) Add a new subsection at HSAR 3052.224-7X, Privacy Training to 
provide the text of the proposed clause. The proposed clause requires 
contractor and subcontractor employees to complete privacy training 
before accessing a Government system of records; handling Personally 
Identifiable Information (PII) or Sensitive PII (SPII); or designing, 
developing, maintaining, or operating a Government system of records. 
The training shall be completed within thirty (30) days of contract 
award and on an annual basis thereafter. The contractor shall maintain 
copies of training certificates for all contractor and subcontractor 
employees as a record of compliance and provide copies of the training 
certificates to the contracting officer. Subsequent training 
certificates to satisfy the annual privacy training requirement shall 
be submitted via email notification not later than October 31st of each 
year. The contractor shall attach training certificates to the email

[[Page 6426]]

notification and the email notification shall state that the required 
training has been completed for all contractor and subcontractor 
employees.
    These proposed revisions to the HSAR are necessary to ensure 
contractors and subcontractors properly handle PII and SPII. This 
includes PII and SPII contained in a system of records consistent with 
subsection (e) Agency requirements, and subsection (m) Government 
contractors, of the Privacy Act of 1974, Section 552a of title 5, 
United States Code (5 U.S.C. 552a).
    Other applicable authorities that address the responsibility for 
Federal agencies to ensure appropriate handling and safeguarding of PII 
include the following Office of Management and Budget (OMB) memoranda 
and policies: OMB Memorandum M-07-16, ``Safeguarding Against and 
Responding to the Breach of Personally Identifiable Information'' 
issued May 22, 2007; OMB Memorandum M-10-23, ``Guidance for Agency Use 
of Third-Party Web sites and Applications'' issued June 25, 2010 (this 
memorandum contains the most current definition of PII, and clarifies 
the definition provided in M-07-16); OMB Circular No. A-130 ``Managing 
Information as a Strategic Resource,'' which identifies significant 
requirements for safeguarding and handling PII and reporting any theft, 
loss, or compromise of such information. DHS has also developed 
internal guidance that addresses the handling and protection of PII, 
including the DHS Privacy Incident Handling Guidance and the DHS 
Handbook for Safeguarding Sensitive Personally Identifiable 
Information. The DHS Privacy Incident Handling Guidance informs DHS and 
its components, employees, senior officials, and contractors of their 
obligation to protect PII, and establishes policies and procedures 
defining how they must respond to the potential loss or compromise of 
PII. The DHS Handbook for Safeguarding Sensitive Personally 
Identifiable Information sets minimum standards for how DHS personnel 
and contractors should handle SPII in paper and electronic form during 
their work activities.
    This proposed rule is part of a broader initiative within DHS to 
(1) ensure contractors understand their responsibilities with regard to 
safeguarding controlled unclassified information (CUI); (2) contractor 
and subcontractor employees complete information technology (IT) 
security awareness training before access is provided to DHS 
information systems and information resources or contractor-owned and/
or operated information systems and information resources where CUI is 
collected, processed, stored or transmitted on behalf of the agency; 
(3) contractor and subcontractor employees sign the DHS RoB before 
access is provided to DHS information systems, information resources, 
or contractor-owned and/or operated information systems and information 
resources where CUI is collected, processed, stored or transmitted on 
behalf of the agency; and (4) contractor and subcontractor employees 
complete privacy training before accessing a Government system of 
records; handling personally identifiable information (PII) and/or 
sensitive PII information; or designing, developing, maintaining, or 
operating a system of records on behalf of the Government.

II. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
This is a significant regulatory action and, therefore, was subject to 
review under section 6(b) of E.O. 12866, Regulatory Planning and 
Review, dated September 30, 1993. This rule is not a major rule under 5 
U.S.C. 804. DHS has included a discussion of the estimated costs and 
benefits of this rule in the Paperwork Reduction Act supporting 
statement, which can be found in the docket for this rulemaking.

III. Regulatory Flexibility Act

    DHS expects this proposed rule may have an impact on a substantial 
number of small entities within the meaning of the Regulatory 
Flexibility Act, 5 U.S.C. 601, et seq., because the proposed rule 
requires contractor and subcontractor employees to be properly trained 
on the requirements, applicable laws, and appropriate safeguards 
designed to ensure the security and confidentiality of PII before 
accessing a Government system of records; handling PII or SPII; or 
designing, developing, maintaining, or operating a system of records on 
behalf of the Government. Although the Privacy Act of 1974 has been in place for over 
40 years, the rapidly changing information security landscape requires 
the Federal government to strengthen its contracts to ensure that 
contractor and subcontractor employees comply with the Act and are 
aware of their responsibilities for safeguarding PII and SPII. 
Therefore, an Initial Regulatory Flexibility Analysis (IRFA) has been 
prepared consistent with 5 U.S.C. 603, and is summarized as follows:

1. Description of the Reasons Why Action by the Agency Is Being Taken

    DHS is proposing to amend the HSAR to require all contractor and 
subcontractor employees that will have access to a Government system of 
records; handle PII or SPII; or design, develop, maintain, or operate a 
system of records on behalf of the Government, complete training that 
addresses the requirements for the protection of privacy and the 
handling and safeguarding of PII and SPII. The purpose of this proposed 
rule is to require contractors to identify their employees who require 
access, ensure that those employees complete privacy training before 
being granted access and annually thereafter, provide the Government 
evidence of the completed training, and maintain evidence of completed 
training in accordance with the records retention requirements of the 
contract.

2. Succinct Statement of the Objectives of, and Legal Basis for, the 
Rule

    The objective of this rule is to require contractor and 
subcontractor employees to complete Privacy training before accessing a 
Government system of records; handling PII and/or SPII; or designing, 
developing, maintaining, or operating a Government system of records. 
This proposed rule requires contractors to identify who will be 
responsible for completing privacy training, and to emphasize and 
create awareness of the critical importance of privacy training in an 
effort to reduce the occurrences of privacy incidents.
    The training imposed by this proposed rule is required by the 
provisions of the Privacy Act (5 U.S.C. 552a), Title III of the E-
Government Act of 2002 and the Federal Information Security 
Modernization Act (FISMA) of 2014. This proposed rule requires 
contractors to identify their employees and subcontractor employees who 
require access to PII and SPII, ensure that those employees complete 
privacy training before being granted access to such information and 
annually thereafter, provide the Government evidence of the completed 
training, and maintain evidence of completed training.

[[Page 6427]]

3. Description of and, Where Feasible, Estimate of the Number of Small 
Entities To Which the Rule Will Apply

    This proposed rule will apply to contractor and subcontractor 
employees who require access to a Government system of records; handle 
PII or Sensitive PII; or design, develop, maintain, or operate a system 
of records on behalf of the Government. The estimated number of small 
entities to which the rule will apply is 6,628 respondents of which 
4,162 are projected to be small businesses.
    This estimate is based on a review and analysis of internal DHS 
contract data and Fiscal Year (FY) 2014 data reported to the Federal 
Procurement Data System (FPDS). It is anticipated that this rule will 
be primarily applicable to procurement actions with a Product and 
Service Code (PSC) of ``D'' Automatic Data Processing and 
Telecommunication and ``R'' Professional, Administrative and Management 
Support. PSCs will be adjusted as additional data becomes available 
through HSAR clause implementation to validate future burden 
projections.

4. Description of Projected Reporting, Recordkeeping, and Other 
Compliance Requirements of the Rule, Including an Estimate of the 
Classes of Small Entities Which Will Be Subject to the Requirement and 
the Type of Professional Skills Necessary

    The projected reporting and recordkeeping associated with this 
proposed rule is kept to the minimum necessary to meet the overall 
objectives. DHS minimized the burden associated with this proposed rule 
by developing the training and making it publicly accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. DHS has 
also minimized burden by providing automatically generated certificates 
at the conclusion of the training. Training shall be completed within 
thirty (30) days of contract award and on an annual basis thereafter. 
Initial training certificates for each contractor and subcontractor 
employee shall be provided to the Government not later than thirty (30) 
days after contract award. Subsequent training certificates to satisfy 
the annual privacy training requirement shall be submitted via email 
notification not later than October 31st of each year. The contractor 
shall attach training certificates to the email notification and the 
email notification shall state that the required training has been 
completed for all contractor and subcontractor employees and include 
copies of the training certificates.

5. Identification, to the Extent Practicable, of All Relevant Federal 
Rules Which May Duplicate, Overlap, or Conflict With the Rule

    There are no rules that duplicate, overlap or conflict with this 
rule.

6. Description of Any Significant Alternatives to the Rule Which 
Accomplish the Stated Objectives of Applicable Statutes and Which 
Minimize Any Significant Economic Impact of the Rule on Small Entities

    There are no practical alternatives that will accomplish the 
objectives of the proposed rule.
    DHS will be submitting a copy of the IRFA to the Chief Counsel for 
Advocacy of the Small Business Administration. A copy of the IRFA may 
be obtained from the point of contact specified herein. DHS invites 
comments from small business concerns and other interested parties on 
the expected impact of this rule on small entities.
    DHS will also consider comments from small entities concerning the 
existing regulations in subparts affected by this rule in accordance 
with 5 U.S.C. 610. Interested parties must submit such comments 
separately and should cite 5 U.S.C. 610 (HSAR Case 2015-003), in 
correspondence.

IV. Paperwork Reduction Act

    The Paperwork Reduction Act (44 U.S.C. chapter 35) applies because 
this proposed rule contains information collection requirements. 
Accordingly, DHS will be submitting a request for approval of a new 
information collection requirement concerning this rule to the Office 
of Management and Budget under 44 U.S.C. 3501, et seq.
    A. Public reporting burden for this collection of information is 
estimated to be approximately 30 minutes (0.50 hours) per response to 
comply with the requirements, including time for reviewing 
instructions, searching existing data sources, gathering and 
maintaining the data needed, and completing and reviewing the 
collection of information. The total annual projected number of 
responses per respondent is estimated at four (4). The estimated annual 
total burden hours are as follows:
    Title: Homeland Security Acquisition Regulation: Privacy Training.
    Type of Request: New Collection.
    Number of Respondents: 6,628.
    Responses per Respondent: 4.
    Annual Responses: 26,512.
    Average Burden per Response: Approximately 0.50 hours.
    Annual Burden Hours: 13,256.
    Needs and Uses: DHS needs the information required by 3052.224-7X, 
Privacy Training to properly track contractor compliance with the 
training requirements identified in the clause.
    Affected Public: Businesses or other for-profit institutions.
    Respondent's Obligation: Required to obtain or retain benefits.
    Frequency: Upon award of procurement and annually thereafter.
    B. Request for Comments Regarding Paperwork Burden.
    You may submit comments identified by DHS docket number [DHS-2017-
0008], including suggestions for reducing this burden, not later than 
March 20, 2017 using any one of the following methods:
    (1) Via the internet at Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
    (2) Via email to the Department of Homeland Security, Office of the 
Chief Procurement Officer, at HSAR@hq.dhs.gov.
    Public comments are particularly invited on: Whether this 
collection of information is necessary for the proper performance of 
functions of the HSAR, and will have practical utility; whether our 
estimate of the public burden of this collection of information is 
accurate, and based on valid assumptions and methodology; ways to 
enhance the quality, utility, and clarity of the information to be 
collected; and ways in which we can minimize the burden of the 
collection of information on those who are to respond, through the use 
of appropriate technological collection techniques or other forms of 
information technology.
    Requesters may obtain a copy of the supporting statement from the 
Department of Homeland Security, Office of the Chief Procurement 
Officer, Acquisition Policy and Legislation, via email to 
HSAR@hq.dhs.gov. Please cite OMB Control No. 1600-0022 Privacy Training 
and Information Security Training, in the ``Subject'' line.

List of Subjects in 48 CFR Parts 3001, 3002, 3024 and 3052

    Government procurement.

    Therefore, DHS proposes to amend 48 CFR parts 3001, 3002, 3024 and 
3052 to read as follows:

■
1. The authority citation for 48 CFR parts 3001, 3002, 3024, and 3052 
is revised to read as follows:

    Authority:  5 U.S.C. 301-302, 41 U.S.C. 1707, 41 U.S.C. 1702, 41 
U.S.C. 1303(a)(2), 48 CFR part 1, subpart 1.3, and DHS Delegation 
Number 0702.

[[Page 6428]]

PART 3001--FEDERAL ACQUISITION REGULATIONS SYSTEM

Subpart 3001.1--Purpose, Authority, Issuance

■
2. Amend section 3001.106 by revising paragraph (a) to add a new OMB 
Control Number as follows:


3001.106   OMB Approval under the Paperwork Reduction Act.

    (a) * * *

OMB Control No. 1600-0022 (Privacy Training)
* * * * *

PART 3002--DEFINITIONS OF WORDS AND TERMS

■
3. Amend section 3002.101 by adding, in alphabetical order, the 
definitions: for ``Personally Identifiable Information (PII),'' and 
``Sensitive Personally Identifiable Information (SPII)'' to read as 
follows:
* * * * *
    ``Personally Identifiable Information (PII)'' means information 
that can be used to distinguish or trace an individual's identity, 
either alone or when combined with other information that is linked or 
linkable to a specific individual.
* * * * *
    ``Sensitive Personally Identifiable Information (SPII)'' is a 
subset of PII, which if lost, compromised or disclosed without 
authorization, could result in substantial harm, embarrassment, 
inconvenience, or unfairness to an individual. Some forms of PII are 
sensitive as stand-alone elements.
    (1) Examples of stand-alone SPII include: Social Security numbers 
(SSN), driver's license or state identification number, Alien 
Registration Numbers (A-number), financial account number, and 
biometric identifiers such as fingerprint, voiceprint, or iris scan.
    (2) Additional examples of SPII include any groupings of 
information that contain an individual's name or other unique 
identifier plus one or more of the following elements:
    (i) Truncated SSN (such as last 4 digits)
    (ii) Date of birth (month, day, and year)
    (iii) Citizenship or immigration status
    (iv) Ethnic or religious affiliation
    (v) Sexual orientation
    (vi) Criminal history
    (vii) Medical information
    (viii) System authentication information such as mother's maiden 
name, account passwords or personal identification numbers (PIN)
    (3) Other PII may be SPII depending on its context, such as a list 
of employees and their performance ratings or an unlisted home address 
or phone number. In contrast, a business card or public telephone 
directory of agency employees contains PII but is not SPII.

PART 3024--PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION

■
4. Amend part 3024 by adding subpart 3024.70:

Subpart 3024.70--Privacy Training

3024.7001 Scope.
3024.7002 Definitions.
3024.7003 Policy.
3024.7004 Contract Clause.


3024.7001   Scope.

    This section applies to contracts and subcontracts where contractor 
and subcontractor employees require access to a Government system of 
records; handle Personally Identifiable Information (PII) or Sensitive 
PII (SPII); or design, develop, maintain, or operate a Government 
system of records.


3024.7002   Definitions.

As used in this subpart--
    ``Handling'' means any use of Personally Identifiable Information 
(PII) or Sensitive PII (SPII), including but not limited to marking, 
safeguarding, transporting, disseminating, re-using, storing, 
capturing, and disposing of the information.


3024.7003   Policy.

    (a) Contractors are responsible for ensuring that contractor and 
subcontractor employees complete DHS privacy training initially upon 
award of the procurement, and at least annually thereafter, before 
contractor and subcontractor employees--
    (1) Access a Government system of records;
    (2) Handle PII or SPII; or
    (3) Design, develop, maintain, or operate a system of records on 
behalf of the Government.
    (b) The contractor shall ensure employees identified in paragraph 
(a) of this section complete the required training, maintain evidence 
that the training has been completed and provide copies of the training 
completion certificates to the Contracting Officer and/or Contracting 
Officer's Representative for inclusion in the contract file.
    (c) Each contractor and subcontractor employee who requires access 
to a Government system of records; handles PII or SPII; or designs, 
develops, maintains, or operates a Government system of records, shall 
be granted access or allowed to retain such access only if the 
individual has completed Department of Homeland Security privacy 
training requirements.


3024.7004   Contract Clause.

    Contracting officers shall insert the clause at (HSAR) 48 CFR 
3052.224-7X, Privacy Training, in solicitations and contracts when 
contractor and subcontractor employees may have access to a Government 
system of records; handle PII or SPII; or design, develop, maintain, or 
operate a system of records on behalf of the Government.

PART 3052--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

■
5. Amend paragraph (b) of section 3052.212-70 to add 3052.224-7X 
Privacy Training as follows:


3052.212-70   Contract terms and conditions applicable to DHS 
acquisition of commercial items.

Contract Terms and Conditions Applicable to DHS Acquisition of 
Commercial Items (DATE)

* * * * *
    (b) * * *

    ___3052.224-7X Privacy Training

■
6. Amend part 3052 by adding section 3052.224-7X Privacy Training, to 
read as follows:


3052.224-7X   Privacy training.

    As prescribed in (HSAR) 48 CFR 3024.7004 contract clause, insert 
the following clause:

Privacy Training (DATE)

    (a) The Contractor shall ensure that all Contractor and 
subcontractor employees complete the Department of Homeland Security 
(DHS) training titled, Privacy at DHS: Protecting Personally 
Identifiable Information accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors, before such 
employees--
    (1) Access a Government system of records;
    (2) Handle personally identifiable information or sensitive 
personally identifiable information; or
    (3) Design, develop, maintain, or operate a system of records on 
behalf of the Government.
    (b) Training shall be completed within thirty (30) days of 
contract award and be completed on an annual basis thereafter not 
later than October 31st of each year. Any new Contractor or 
subcontractor employees assigned to the contract shall complete the 
training before accessing the information identified in paragraph 
(a) of this clause. The Contractor shall maintain copies of the 
training certificates for all Contractor and subcontractor employees 
as a record of compliance. Initial training certificates for each 
Contractor and subcontractor employee

[[Page 6429]]

shall be provided to the Contracting Officer and/or Contracting 
Officer's Representative (COR) via email notification not later than 
thirty (30) days after contract award or assignment to the contract. 
Subsequent training certificates to satisfy the annual training 
requirement shall be submitted to the Contracting Officer and/or COR 
via email notification not later than October 31st of each year. The 
Contractor shall attach training certificates to the email 
notification and the email notification shall list all Contractor 
and subcontractor employees required to complete the training and 
state the required Privacy training has been completed for all 
Contractor and subcontractor employees.
    (c) The Contractor shall insert the substance of this clause in 
all subcontracts and require subcontractors to include this clause 
in all lower-tier subcontracts.


(End of clause)

Soraya Correa,
Chief Procurement Officer, Department of Homeland Security.
[FR Doc. 2017-00752 Filed 1-18-17; 8:45 am]
 BILLING CODE 9110-9B-P
                                                      Homeland Security Acquisition
                                                                                                              the ‘‘Subject’’ line.                                  certificates for all contractor and
                                                      Regulation (HSAR); Privacy Training
                                                                                                                                                                     subcontractor employees as a record of
                                                      (HSAR Case 2015–003)                                    SUPPLEMENTARY INFORMATION:
                                                                                                                                                                     compliance. HSAR 3024.7004, Contract
                                                      AGENCY:  Office of the Chief Procurement                I. Background                                          Clause, identifies when Contracting
                                                      Officer, Department of Homeland                            DHS contracts currently require                     Officers must insert HSAR 3052.224–7X
                                                      Security (DHS).                                         contractor and subcontractor employees                 Privacy Training in solicitations and
                                                      ACTION: Proposed rule.                                  to complete privacy training before                    contracts. DHS welcomes respondents
                                                                                                              accessing a Government system of                       to offer their views on the following
                                                      SUMMARY:    DHS is proposing to amend                   records; handling Personally                           questions in particular:
                                                      the Homeland Security Acquisition                                                                                 A. What burden, if any, is associated
                                                                                                              Identifiable Information (PII) or
                                                      Regulation (HSAR) to add a new                                                                                 with the requirement to complete DHS-
                                                                                                              Sensitive PII (SPII); or designing,
                                                      subpart, update an existing clause, and                                                                        developed privacy training?
                                                                                                              developing, maintaining, or operating a                   B. What value, if any, is associated
                                                      add a new contract clause to require                    Government system of records. This
                                                      contractors to complete training that                                                                          with providing industry the flexibility
                                                                                                              training is completed upon award of the                to develop its own privacy training
                                                      addresses the protection of privacy, in                 procurement and at least annually
                                                      accordance with the Privacy Act of                                                                             given a unique set of Government
                                                                                                              thereafter.                                            requirements?
                                                      1974, and the handling and                                 DHS is proposing to (1) include
                                                      safeguarding of Personally Identifiable                                                                           (3) Amend sub paragraph (b) of the
                                                                                                              Privacy training requirements in the                   HSAR 3052.212–70, Contract Terms and
                                                      Information and Sensitive Personally                    HSAR and (2) make the training more                    Conditions Applicable to DHS
                                                      Identifiable Information.                               easily accessible by hosting it on a                   Acquisition of Commercial Items to add
                                                      DATES: Interested parties should submit                 public Web site. This approach ensures                 HSAR 3052.224–7X, Privacy Training.
                                                      written comments to one of the                          all applicable DHS contractors and                     This change is necessary because HSAR
                                                      addresses shown below on or before                      subcontractors are subject to the same                 3052.224–7X is applicable to the
                                                      March 20, 2017, to be considered in the                 requirements while removing the need                   acquisition of commercial items; and
                                                      formation of the final rule.                            for Government intervention to provide                    (4) Add a new subsection at HSAR
                                                      ADDRESSES: Submit comments                              access to the Privacy training.                        3052.224–7X, Privacy Training to
                                                      identified by HSAR Case 2015–003,                          This proposed rule standardizes the                 provide the text of the proposed clause.
                                                      Privacy Training, using any of the                      Privacy training requirement across all                The proposed clause requires contractor
                                                      following methods:                                      DHS contracts by amending the HSAR                     and subcontractor employees to
                                                         • Regulations.gov: http://                           to:                                                    complete privacy training before
                                                      www.regulations.gov.                                       (1) Add the terms ‘‘personally                      accessing a Government system of
                                                         Submit comments via the Federal                      identifiable information’’ and ‘‘sensitive             records; handling Personally
                                                      eRulemaking portal by entering ‘‘HSAR                   personally identifiable information’’ at               Identifiable Information (PII) or
                                                      Case 2015–003’’ under the heading                       HSAR 3002.1, Definitions. The                          Sensitive PII (SPII); or designing,
                                                      ‘‘Enter Keyword or ID’’ and selecting                   definition of ‘‘personally identifiable                developing, maintaining, or operating a
                                                      ‘‘Search.’’ Select the link ‘‘Submit a                  information’’ is taken from OMB                        Government system of records. The
                                                      Comment’’ that corresponds with                         Circular A–130 Managing Information                    training shall be completed within
                                                      ‘‘HSAR Case 2015–003.’’ Follow the                      as a Strategic Resource,1 published July               thirty (30) days of contract award and
                                                      instructions provided at the ‘‘Submit a                 27, 2016. The definition of ‘‘sensitive                on an annual basis thereafter. The
                                                      Comment’’ screen. Please include your                   personally identifiable information’’ is               contractor shall maintain copies of
                                                      name, company name (if any), and                        derived from the DHS lexicon, Privacy                  training certificates for all contractor
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS




                                                      ‘‘HSAR Case 2015–003’’ on your                          Incident Handling Guidance, and the                    and subcontractor employees as a record
                                                      attached document.                                      Handbook for Safeguarding Sensitive                    of compliance and provide copies of the
                                                         • Fax: (202) 447–0520                                Personally Identifiable Information.                   training certificates to the contracting
                                                         • Mail: Department of Homeland                       These definitions are necessary because                officer. Subsequent training certificates
                                                      Security, Office of the Chief                           these terms appear in proposed HSAR                    to satisfy the annual privacy training
                                                      Procurement Officer, Acquisition Policy                   1 OMB Circular A–130 Managing Information as
                                                                                                                                                                     requirement shall be submitted via
                                                      and Legislation, ATTN: Ms. Candace                      a Strategic Resource is accessible at https://
                                                                                                                                                                     email notification not later than October
                                                      Lightfoot, 245 Murray Drive, Bldg. 410                  www.whitehouse.gov/sites/default/files/omb/assets/     31st of each year. The contractor shall
                                                      (RDS), Washington, DC 20528.                            OMB/circulars/a130/a130revised.pdf.                    attach training certificates to the email


                                                 VerDate Sep<11>2014   20:40 Jan 18, 2017   Jkt 241001   PO 00000   Frm 00087   Fmt 4702   Sfmt 4702   E:\FR\FM\19JAP1.SGM   19JAP1


                                                      6426                   Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules

                                                      notification and the email notification                 owned and/or operated information                      subcontractor employees comply with
                                                      shall state that the required training has              systems and information resources                      the Act and are aware of their
                                                      been completed for all contractor and                   where CUI is collected, processed,                     responsibilities for safeguarding PII and
                                                      subcontractor employees.                                stored or transmitted on behalf of the                 SPII. Therefore, an Initial Regulatory
                                                         These proposed revisions to the                      agency; (3) contractor and subcontractor               Flexibility Analysis (IRFA) has been
                                                      HSAR are necessary to ensure                            employees sign the DHS RoB before                      prepared consistent with 5 U.S.C. 603,
                                                      contractors and subcontractors properly                 access is provided to DHS information                  and is summarized as follows:
                                                      handle PII and SPII. This includes PII                  systems, information resources, or
                                                      and SPII contained in a system of                       contractor-owned and/or operated                       1. Description of the Reasons Why
                                                      records consistent with subsection (e)                  information systems and information                    Action by the Agency Is Being Taken
                                                      Agency requirements, and subsection                     resources where CUI is collected,
                                                      (m) Government contractors, of the                      processed, stored or transmitted on                       DHS is proposing to amend the HSAR
                                                      Privacy Act of 1974, Section 552a of                    behalf of the agency; and (4) contractor               to require all contractor and
                                                      title 5, United States Code (5 U.S.C.                   and subcontractor employees complete                   subcontractor employees that will have
                                                      552a).                                                  privacy training before accessing a                    access to a Government system of
                                                         Other applicable authorities that                    Government system of records; handling                 records; handle PII or SPII; or design,
                                                      address the responsibility for Federal                  personally identifiable information (PII)              develop, maintain, or operate a system
                                                      agencies to ensure appropriate handling                 and/or sensitive PII information; or                   of records on behalf of the Government,
                                                      and safeguarding of PII include the                     designing, developing, maintaining, or                 complete training that addresses the
                                                      following Office of Management and                      operating a system of records on behalf                requirements for the protection of
                                                      Budget (OMB) memoranda and policies:                    of the Government.                                     privacy and the handling and
                                                      OMB Memorandum M–07–16,                                                                                        safeguarding of PII and SPII. The
                                                      ‘‘Safeguarding Against and Responding                   II. Executive Orders 12866 and 13563
                                                                                                                                                                     purpose of this proposed rule is to
                                                      to the Breach of Personally Identifiable                   Executive Orders (E.O.s) 12866 and                  require contractors to identify its
                                                      Information’’ issued May 22, 2007; OMB                  13563 direct agencies to assess all costs              employees who require access, ensure
                                                      Memorandum M–10–23, ‘‘Guidance for                      and benefits of available regulatory                   that those employees complete privacy
                                                      Agency Use of Third-Party Web sites                     alternatives and, if regulation is                     training before being granted access and
                                                      and Applications’’ issued June 25, 2010                 necessary, to select regulatory                        annually thereafter, provide the
                                                      (this memorandum contains the most                      approaches that maximize net benefits                  Government evidence of the completed
                                                      current definition of PII, and clarifies                (including potential economic,                         training, and maintain evidence of
                                                      the definition provided in M–07–16);                    environmental, public health and safety                completed training in accordance with
                                                      OMB Circular No. A–130 ‘‘Managing                       effects, distributive impacts, and                     the records retention requirements of
                                                      Information as a Strategic Resource,’’                  equity). E.O. 13563 emphasizes the
                                                                                                                                                                     the contract.
                                                      which identifies significant                            importance of quantifying both costs
                                                      requirements for safeguarding and                       and benefits, of reducing costs, of                    2. Succinct Statement of the Objectives
                                                      handling PII and reporting any theft,                   harmonizing rules, and of promoting                    of, and Legal Basis for, the Rule
                                                      loss, or compromise of such                             flexibility. This is a significant
                                                      information. DHS has also developed                     regulatory action and, therefore, was                     The objective of this rule is to require
                                                      internal guidance that addresses the                    subject to review under section 6(b) of                contractor and subcontractor employees
                                                      handling and protection of PII,                         E.O. 12866, Regulatory Planning and                    to complete Privacy training before
                                                      including the DHS Privacy Incident                      Review, dated September 30, 1993. This                 accessing a Government system of
                                                      Handling Guidance and the DHS                           rule is not a major rule under 5 U.S.C.                records; handling PII and/or SPII; or
                                                      Handbook for Safeguarding Sensitive                     804. DHS has included a discussion of                  designing, developing, maintaining, or
                                                      Personally Identifiable Information. The                the estimated costs and benefits of this               operating a Government system of
                                                      DHS Privacy Incident Handling                           rule in the Paperwork Reduction Act                    records. This proposed rule requires
                                                      Guidance informs DHS and its                            supporting statement, which can be                     contractors to identify who will be
                                                      components, employees, senior officials,                found in the docket for this rulemaking.               responsible for completing privacy
                                                      and contractors of their obligation to                                                                         training, and to emphasize and create
                                                                                                              III. Regulatory Flexibility Act
                                                      protect PII, and establishes policies and                                                                      awareness of the critical importance of
                                                      procedures defining how they must                          DHS expects this proposed rule may                  privacy training in an effort to reduce
                                                      respond to the potential loss or                        have an impact on a substantial number                 the occurrences of privacy incidents.
                                                      compromise of PII. The DHS Handbook                     of small entities within the meaning of
                                                                                                              the Regulatory Flexibility Act, 5 U.S.C.                  The training imposed by this
                                                      for Safeguarding Sensitive Personally
                                                      Identifiable Information sets minimum                   601, et seq., because the proposed rule                proposed rule is required by the
                                                      standards for how DHS personnel and                     requires contractor and subcontractor                  provisions of the Privacy Act (5 U.S.C.
                                                      contractors should handle SPII in paper                 employees to be properly trained on the                552a), Title III of the E-Government Act
                                                      and electronic form during their work                   requirements, applicable laws, and                     of 2002 and the Federal Information
                                                      activities.                                             appropriate safeguards designed to                     Security Modernization Act (FISMA) of
                                                         This proposed rule is part of a broader              ensure the security and confidentiality                2014. This proposed rule requires
                                                      initiative within DHS to (1) ensure                     of PII before access a Government                      contractors to identify its employees
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS




                                                      contractors understand their                            system of records; handle PII or SPII; or              and subcontractor employees who
                                                      responsibilities with regard to                         design, develop, maintain, or operate a                require access to PII and SPII, ensure
                                                      safeguarding controlled unclassified                    system of records on behalf of the                     that those employees complete privacy
                                                      information (CUI); (2) contractor and                   Government. Although the Privacy Act                   training before being granted access to
                                                      subcontractor employees complete                        of 1974 has been in place for over 40                  such information and annually
                                                      information technology (IT) security                    years, the rapidly changing information                thereafter, provide the Government
                                                      awareness training before access is                     security landscape requires the Federal                evidence of the completed training, and
                                                      provided to DHS information systems                     government to strengthen its contracts                 maintain evidence of completed
                                                      and information resources or contractor-                to ensure that contractor and                          training.


                                                 VerDate Sep<11>2014   20:40 Jan 18, 2017   Jkt 241001   PO 00000   Frm 00088   Fmt 4702   Sfmt 4702   E:\FR\FM\19JAP1.SGM   19JAP1


                                                                             Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules                                               6427

                                                      3. Description of and, Where Feasible,                  employees and include copies of the                      Annual Burden Hours: 13,256.
                                                      Estimate of the Number of Small                         training certificates.                                   Needs and Uses: DHS needs the
                                                      Entities To Which the Rule Will Apply                                                                          information required by 3052.224–7X,
                                                                                                              5. Identification, to the Extent
                                                                                                                                                                     Privacy Training to properly track
                                                         This proposed rule will apply to                     Practicable, of All Relevant Federal
                                                                                                                                                                     contractor compliance with the training
                                                      contractor and subcontractor employees                  Rules Which May Duplicate, Overlap, or
who require access to a Government system of records; handle PII or Sensitive PII; or design, develop, maintain, or operate a system of records on behalf of the Government. The estimated number of small entities to which the rule will apply is 6,628 respondents of which 4,162 are projected to be small businesses.

This estimate is based on a review and analysis of internal DHS contract data and Fiscal Year (FY) 2014 data reported to the Federal Procurement Data System (FPDS). It is anticipated that this rule will be primarily applicable to procurement actions with a Product and Service Code (PSC) of “D” Automatic Data Processing and Telecommunication and “R” Professional, Administrative and Management Support. PSCs will be adjusted as additional data becomes available through HSAR clause implementation to validate future burden projections.

4. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Rule, Including an Estimate of the Classes of Small Entities Which Will Be Subject to the Requirement and the Type of Professional Skills Necessary

The projected reporting and recordkeeping associated with this proposed rule is kept to the minimum necessary to meet the overall objectives. DHS minimized the burden associated with this proposed rule by developing the training and making it publicly accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. DHS has also minimized burden by providing automatically generated certificates at the conclusion of the training. Training shall be completed within thirty (30) days of contract award and on an annual basis thereafter. Initial training certificates for each contractor and subcontractor employee shall be provided to the Government not later than thirty (30) days after contract award. Subsequent training certificates to satisfy the annual privacy training requirement shall be submitted via email notification not later than October 31st of each year. The contractor shall attach training certificates to the email notification and the email notification shall state that the required training has been completed for all contractor and subcontractor employees.

Conflict With the Rule

There are no rules that duplicate, overlap or conflict with this rule.

6. Description of Any Significant Alternatives to the Rule Which Accomplish the Stated Objectives of Applicable Statutes and Which Minimize Any Significant Economic Impact of the Rule on Small Entities

There are no practical alternatives that will accomplish the objectives of the proposed rule.

DHS will be submitting a copy of the IRFA to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the point of contact specified herein. DHS invites comments from small business concerns and other interested parties on the expected impact of this rule on small entities.

DHS will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610 (HSAR Case 2015–003), in correspondence.

IV. Paperwork Reduction Act

The Paperwork Reduction Act (44 U.S.C. chapter 35) applies because this proposed rule contains information collection requirements. Accordingly, DHS will be submitting a request for approval of a new information collection requirement concerning this rule to the Office of Management and Budget under 44 U.S.C. 3501, et seq.

A. Public reporting burden for this collection of information is estimated to be approximately 30 minutes (.50 hours) per response to comply with the requirements, including time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. The total annual projected number of responses per respondent is estimated at four (4). The estimated annual total burden hours are as follows:

Title: Homeland Security Acquisition Regulation: Privacy Training.
Type of Request: New Collection.
Number of Respondents: 6,628.
Responses per Respondent: 4.
Annual Responses: 26,512.
Average Burden per Response: Approximately 0.50.

requirements identified in the clause.

Affected Public: Businesses or other for-profit institutions.
Respondent’s Obligation: Required to obtain or retain benefits.
Frequency: Upon award of procurement and annually thereafter.

B. Request for Comments Regarding Paperwork Burden.

You may submit comments identified by DHS docket number [DHS–2017–0008], including suggestions for reducing this burden, not later than March 20, 2017 using any one of the following methods:

(1) Via the internet at Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.

(2) Via email to the Department of Homeland Security, Office of the Chief Procurement Officer, at HSAR@hq.dhs.gov.

Public comments are particularly invited on: Whether this collection of information is necessary for the proper performance of functions of the HSAR, and will have practical utility; whether our estimate of the public burden of this collection of information is accurate, and based on valid assumptions and methodology; ways to enhance the quality, utility, and clarity of the information to be collected; and ways in which we can minimize the burden of the collection of information on those who are to respond, through the use of appropriate technological collection techniques or other forms of information technology.

Requesters may obtain a copy of the supporting statement from the Department of Homeland Security, Office of the Chief Procurement Officer, Acquisition Policy and Legislation, via email to HSAR@hq.dhs.gov. Please cite OMB Control No. 1600–0022 Privacy Training and Information Security Training, in the “Subject” line.

List of Subjects in 48 CFR Parts 3001, 3002, 3024 and 3052

Government procurement.

Therefore, DHS proposes to amend 48 CFR parts 3001, 3002, 3024 and 3052 to read as follows:

■ 1. The authority citation for 48 CFR parts 3001, 3002, 3024, and 3052 is revised to read as follows:

Authority: 5 U.S.C. 301–302, 41 U.S.C. 1707, 41 U.S.C. 1702, 41 U.S.C. 1303(a)(2), 48 CFR part 1, subpart 1.3, and DHS Delegation Number 0702.


PART 3001—FEDERAL ACQUISITION REGULATIONS SYSTEM

Subpart 3001.1—Purpose, Authority, Issuance

■ 2. Amend section 3001.106 by revising paragraph (a) to add a new OMB Control Number as follows:

3001.106 OMB Approval under the Paperwork Reduction Act.

(a) * * *

OMB Control No. 1600–0022 (Privacy Training)

* * * * *

PART 3002—DEFINITIONS OF WORDS AND TERMS

■ 3. Amend section 3002.101 by adding, in alphabetical order, the definitions: for “Personally Identifiable Information (PII),” and “Sensitive Personally Identifiable Information (SPII)” to read as follows:

* * * * *

“Personally Identifiable Information (PII)” means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

* * * * *

“Sensitive Personally Identifiable Information (SPII)” is a subset of PII, which if lost, compromised or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Some forms of PII are sensitive as stand-alone elements.

(1) Examples of stand-alone SPII include: Social Security numbers (SSN), driver’s license or state identification number, Alien Registration Numbers (A-number), financial account number, and biometric identifiers such as fingerprint, voiceprint, or iris scan.

(2) Additional examples of SPII include any groupings of information that contain an individual’s name or other unique identifier plus one or more of the following elements:

(i) Truncated SSN (such as last 4 digits)
(ii) Date of birth (month, day, and year)
(iii) Citizenship or immigration status
(iv) Ethnic or religious affiliation
(v) Sexual orientation
(vi) Criminal history
(vii) Medical information
(viii) System authentication information such as mother’s maiden name, account passwords or personal identification numbers (PIN)

(3) Other PII may be SPII depending on its context, such as a list of employees and their performance ratings or an unlisted home address or phone number. In contrast, a business card or public telephone directory of agency employees contains PII but is not SPII.

PART 3024—PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION

■ 4. Amend part 3024 by adding subpart 3024.70:

Subpart 3024.70—Privacy Training

3024.7001 Scope.
3024.7002 Definitions.
3024.7003 Policy.
3024.7004 Contract Clause.

3024.7001 Scope.

This section applies to contracts and subcontracts where contractor and subcontractor employees require access to a Government system of records; handle Personally Identifiable Information (PII) or Sensitive PII (SPII); or design, develop, maintain, or operate a Government system of records.

3024.7002 Definitions.

As used in this subpart—

“Handling” means any use of Personally Identifiable Information (PII) or Sensitive PII (SPII), including but not limited to marking, safeguarding, transporting, disseminating, re-using, storing, capturing, and disposing of the information.

3024.7003 Policy.

(a) Contractors are responsible for ensuring that contractor and subcontractor employees complete DHS privacy training initially upon award of the procurement, and at least annually thereafter, before contractor and subcontractor employees—

(1) Access to a Government system of records;
(2) Handle PII or SPII; or
(3) Design, develop, maintain, or operate a system of records on behalf of the Government.

(b) The contractor shall ensure employees identified in paragraph (a) of this section complete the required training, maintain evidence that the training has been completed and provide copies of the training completion certificates to the Contracting Officer and/or Contracting Officer’s Representative for inclusion in the contract file.

(c) Each contractor and subcontractor employee who requires access to a Government system of records; handles PII or SPII; or designs, develops, maintains, or operates a Government system of records, shall be granted access or allowed to retain such access only if the individual has completed Department of Homeland Security privacy training requirements.

3024.7004 Contract Clause.

Contracting officers shall insert the clause at (HSAR) 48 CFR 3052.224–7X, Privacy Training, in solicitations and contracts when contractor and subcontractor employees may have access to a Government system of records; handle PII or SPII; or design, develop, maintain, or operate a system of records on behalf of the Government.

PART 3052—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

■ 5. Amend paragraph (b) of section 3052.212–70 to add 3052.224–7X Privacy Training as follows:

3052.212–70 Contract terms and conditions applicable to DHS acquisition of commercial items.

Contract Terms and Conditions Applicable to DHS Acquisition of Commercial Items (DATE)

* * * * *

(b) * * *

___ 3052.224–7X Privacy Training

■ 6. Amend part 3052 by adding section 3052.224–7X Privacy Training, to read as follows:

3052.224–7X Privacy training.

As prescribed in (HSAR) 48 CFR 3024.7004 contract clause, insert the following clause:

Privacy Training (DATE)

(a) The Contractor shall ensure that all Contractor and subcontractor employees complete the Department of Homeland Security (DHS) training titled, Privacy at DHS: Protecting Personally Identifiable Information accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors, before such employees—

(1) Access a Government system of records;
(2) Handle personally identifiable information or sensitive personally identifiable information; or
(3) Design, develop, maintain, or operate a system of records on behalf of the Government.

(b) Training shall be completed within thirty (30) days of contract award and be completed on an annual basis thereafter not later than October 31st of each year. Any new Contractor or subcontractor employees assigned to the contract shall complete the training before accessing the information identified in paragraph (a) of this clause. The Contractor shall maintain copies of the training certificates for all Contractor and subcontractor employees as a record of compliance. Initial training certificates for each Contractor and subcontractor employee


shall be provided to the Contracting Officer and/or Contracting Officer’s Representative (COR) via email notification not later than thirty (30) days after contract award or assignment to the contract. Subsequent training certificates to satisfy the annual training requirement shall be submitted to the Contracting Officer and/or COR via email notification not later than October 31st of each year. The Contractor shall attach training certificates to the email notification and the email notification shall list all Contractor and subcontractor employees required to complete the training and state the required Privacy training has been completed for all Contractor and subcontractor employees.

(c) The Contractor shall insert the substance of this clause in all subcontracts and require subcontractors to include this

Case 2015–001” under the heading “Enter Keyword or ID” and selecting “Search.” Select the link “Submit a Comment” that corresponds with “HSAR Case 2015–001.” Follow the instructions provided at the “Submit a Comment” screen. Please include your name, company name (if any), and “HSAR Case 2015–001” on your attached document.

• Fax: (202) 447–0520

• Mail: Department of Homeland Security, Office of the Chief Procurement Officer, Acquisition Policy and Legislation, ATTN: Ms. Shaundra Duggans, 245 Murray Drive, Bldg. 410 (RDS), Washington, DC 20528.

Comments received generally will be

post-incident activities and requires certification of sanitization of Government and Government-Activity related files and information. Additionally, the proposed rule requires that contractors have in place procedures and the capability to notify and provide credit monitoring services to any individual whose Personally Identifiable Information (PII) or Sensitive PII (SPII) was under the control of the contractor or resided in the information system at the time of the incident.

This rule addresses the safeguarding requirements specified in the Federal Information Security Modernization Act (FISMA) of 2014 (44 U.S.C. 3551, et
                                                      clause in all lower-tier subcontracts.                                                                         seq.), Office of Management and Budget
                                                                                                              posted without change to http://
                                                      (End of clause)                                         www.regulations.gov, including any                     (OMB) Circular A–130, Managing
                                                                                                              personal information provided. To                      Information as a Strategic Resource,1
                                                      Soraya Correa,                                                                                                 relevant National Institutes of Standards
                                                                                                              confirm receipt of your comment(s),
                                                      Chief Procurement Officer, Department of                please check www.regulations.gov,                      and Technology (NIST) guidance,
                                                      Homeland Security.                                                                                             Executive Order 13556, Controlled
                                                                                                              approximately two to three days after
                                                      [FR Doc. 2017–00752 Filed 1–18–17; 8:45 am]
                                                                                                              submission to verify posting (except                   Unclassified Information 2 and its
                                                      BILLING CODE 9110–9B–P                                  allow 30 days for posting of comments                  implementing regulation at 32 CFR part
                                                                                                              submitted by mail).                                    2002,3 and the following OMB
                                                                                                                                                                     Memoranda: M–07–16, Safeguarding
                                                      DEPARTMENT OF HOMELAND                                  FOR FURTHER INFORMATION CONTACT: Ms.
                                                                                                                                                                     Against and Responding to the Breach
                                                      SECURITY                                                Shaundra Duggans, Procurement
                                                                                                                                                                     of Personally Identifiable Information;
                                                                                                              Analyst, DHS, Office of the Chief
                                                                                                                                                                     M–14–03, Enhancing the Security of
                                                      48 CFR Parts 3001, 3002, 3004, and                      Procurement Officer, Acquisition Policy
                                                                                                                                                                     Federal Information and Information
                                                      3052                                                    and Legislation at (202) 447–0056 or
                                                                                                                                                                     Systems; and Reporting Instructions for
                                                                                                              email HSAR@hq.dhs.gov. When using
                                                      [Docket No. DHS–2017–0006]                                                                                     the Federal Information Security
                                                                                                              email, include HSAR Case 2015–001 in
                                                                                                                                                                     Management Act and Agency Privacy
                                                      RIN 1601–AA76                                           the ‘‘Subject’’ line.
                                                                                                                                                                     Management as identified in various
                                                                                                              SUPPLEMENTARY INFORMATION:                             OMB Memoranda.4 Ongoing efforts by
                                                      Homeland Security Acquisition
                                                      Regulation (HSAR); Safeguarding of                      I. Background                                          OMB and DHS with regard to
                                                      Controlled Unclassified Information                                                                            implementation of FISMA, such as the
                                                                                                                The purpose of this proposed rule is                 issuance of Binding Operational
                                                      (HSAR Case 2015–001)                                    to implement adequate security and                     Directives, and DHS implementation of
                                                      AGENCY:  Office of the Chief Procurement                privacy measures to safeguard                          the CUI program, may require future
                                                      Officer, Department of Homeland                         Controlled Unclassified Information                    HSAR revisions in this area. DHS
                                                      Security (DHS).                                         (CUI) and facilitate improved incident                 intends to harmonize the HSAR to be
                                                      ACTION: Proposed rule.                                  reporting to DHS. This proposed rule                   consistent with the requirements of
                                                                                                              does not apply to classified information.              these ongoing efforts.
                                                      SUMMARY:   DHS is proposing to amend                    These measures are necessary because
                                                      the Homeland Security Acquisition                       of the urgent need to protect CUI and                  II. Discussion and Analysis
                                                      Regulation (HSAR) to modify a subpart,                  respond appropriately when DHS                            This proposed rule is part of a broader
                                                      remove an existing clause and reserve                   contractors experience incidents with                  initiative within DHS to (1) ensure
                                                      the clause number, update an existing                   DHS information. Recent high-profile                   contractors understand their
                                                      clause, and add a new contract clause to                breaches of Federal information further                responsibilities with regard to
                                                      address requirements for the                            demonstrate the need to ensure that                    safeguarding controlled unclassified
                                                      safeguarding of Controlled Unclassified                 information security protections are                   information (CUI); (2) contractor and
                                                      Information (CUI).                                      clearly, effectively, and consistently                 subcontractor employees complete
                                                      DATES: Comments on the proposed rule                    addressed in contracts. This proposed
                                                      should be submitted in writing to one of                rule strengthens and expands existing                    1 OMB Circular A–130 Managing Information as

                                                      the addresses shown below on or before                  HSAR language to ensure adequate                       a Strategic Resource is accessible at https://
                                                                                                                                                                     www.whitehouse.gov/sites/default/files/omb/assets/
                                                      March 20, 2017, to be considered in the                 security for CUI that is accessed by                   OMB/circulars/a130/a130revised.pdf.
                                                      formation of the final rule.                            contractors; collected or maintained by
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS




                                                                                                                                                                       2 Executive Order 13556 Controlled Unclassified

                                                      ADDRESSES: Submit comments                              contractors on behalf of an agency; and/               Information is accessible at https://www.gpo.gov/
                                                                                                              or for Federal information systems that                fdsys/pkg/FR-2010-11-09/pdf/2010-28360.pdf.
                                                      identified by HSAR Case 2015–001,                                                                                3 32 CFR part 2002 is accessible at https://
                                                      Safeguarding of Controlled Unclassified                 collect, process, store or transmit such               www.gpo.gov/fdsys/pkg/FR-2016-09-14/pdf/2016-
                                                      Information, using any of the following                 information. The proposed rule                         21665.pdf.
                                                      methods:                                                identifies CUI handling requirements as                  4 These memoranda include M–03–19, M–04–25,

                                                        • Regulations.gov: http://                            well as incident reporting requirements,               M–05–15, M–06–20, M–07–19, M–08–212, M–09–
                                                                                                                                                                     29, M–10–15, M–11–33, M–12–20, M–14–04, M–
                                                      www.regulations.gov.                                    including timelines and required data                  15–01, M–16–03, and M–16–04. These memoranda
                                                        Submit comments via the Federal                       elements. The proposed rule also                       can be accessed at: https://www.whitehouse.gov/
                                                      eRulemaking portal by entering ‘‘HSAR                   includes inspection provisions and                     omb/memoranda_default.



                                                 VerDate Sep<11>2014   20:40 Jan 18, 2017   Jkt 241001   PO 00000   Frm 00091   Fmt 4702   Sfmt 4702   E:\FR\FM\19JAP1.SGM   19JAP1



Document Created: 2018-02-01 15:16:16
Document Modified: 2018-02-01 15:16:16
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Proposed Rules
Action: Proposed rule.
Dates: Interested parties should submit written comments to one of the
Contact: Ms. Candace Lightfoot, Procurement Analyst, DHS, Office of the Chief Procurement Officer, Acquisition Policy and Legislation at (202) 447-0882 or email [email protected] When using email, include HSAR Case 2015-003 in the "Subject" line.
FR Citation: 82 FR 6425
RIN Number: 1601-AA79
CFR Citation: 48 CFR 3001; 48 CFR 3002; 48 CFR 3024; 48 CFR 3052
