[Federal Register Volume 71, Number 1 (Tuesday, January 3, 2006)]
[Rules and Regulations]
[Pages 208-211]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 05-24547]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 2, 4, 7, and 52
[FAC 2005-07; FAR Case 2005-015; Item II]
RIN 9000-AK35
Federal Acquisition Regulation; Common Identification Standard
for Contractors
AGENCIES: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Interim rule with request for comments.
-----------------------------------------------------------------------
SUMMARY: The Civilian Agency Acquisition Council and the Defense
Acquisition Regulations Council (Councils) have agreed on an interim
rule amending the Federal Acquisition Regulation (FAR) to address the
contractor personal identification requirements in Homeland Security
Presidential Directive (HSPD-12), ``Policy for a Common Identification
Standard for Federal Employees and Contractors,'' and Federal
Information Processing Standards Publication (FIPS PUB) Number 201,
``Personal Identity Verification (PIV) of Federal Employees and
Contractors.''
DATES: Effective Date: January 3, 2006.
Comment Date: Interested parties should submit written comments to
the FAR Secretariat on or before March 6, 2006 to be considered in the
formulation of a final rule.
Applicability Date: This rule applies to solicitations and
contracts issued or awarded on or after October 27, 2005. Contracts
awarded before that date requiring contractors to have access to a
Federally controlled facility or a Federal
[[Page 209]]
information system must be modified by October 27, 2007, pursuant to
FAR subpart 4.13 in accordance with agency implementation of FIPS PUB
201 and OMB guidance M-05-24.
ADDRESSES: Submit comments identified by FAC 2005-07, FAR case 2005-
015, by any of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Agency Web Site: http://www.acqnet.gov/far/ProposedRules/proposed.htm. Click on the FAR case number to submit comments.
E-mail: [email protected]. Include FAC 2005-07, FAR
case 2005-015 in the subject line of the message.
Fax: 202-501-4067.
Mail: General Services Administration, Regulatory
Secretariat (VIR), 1800 F Street, NW, Room 4035, ATTN: Laurieann
Duarte, Washington, DC 20405.
Instructions: Please submit comments only and cite FAC 2005-07, FAR
case 2005-015, in all correspondence related to this case. All comments
received will be posted without change to http://www.acqnet.gov/far/ProposedRules/proposed.htm, including any personal and/or business
confidential information provided.
FOR FURTHER INFORMATION CONTACT: For clarification of content, contact
Mr. Michael Jackson, Procurement Analyst, at (202) 208-4949. Please
cite FAC 2005-07, FAR case 2005-015. For information pertaining to
status or publication schedules, contact the FAR Secretariat at (202)
501-4755.
SUPPLEMENTARY INFORMATION:
A. Background
Increasingly, contractors are required to have physical access to
federally-controlled facilities and information systems in the
performance of Government contracts. On August 27, 2004, in response to
the general threat of unauthorized access to physical facilities and
information systems, the President issued Homeland Security
Presidential Directive (HSPD-12). The primary objectives of HSPD-12 are
to establish a process to enhance security, increase Government
efficiency, reduce identity fraud, and protect personal privacy by
establishing a mandatory, Governmentwide standard for secure and
reliable forms of identification issued by the Federal Government to
its employees and contractors. In accordance with HSPD-12, the
Secretary of Commerce issued on February 25, 2005, Federal Information
Processing Standards Publication (FIPS PUB) 201, Personal Identity
Verification of Federal Employees and Contractors, to establish a
Governmentwide standard for secure and reliable forms of identification
for Federal and contractor employees. FIPS PUB 201 is available at
http://www.csrc.nist.gov/publications/fips/fips201/FIPS-201-022505.pdf.
The associated Office of Management and Budget (OMB) guidance, M-05-24,
dated August 5, 2005, can be found at http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf.
In accordance with requirements in HSPD-12, by October 27, 2005,
agencies must--
(a) Adopt and accredit a registration process consistent with the
identity proofing, registration and accreditation requirements in
section 2.2 of FIPS PUB 201 and associated guidance issued by the
National Institute for Standards and Technology. This registration
process applies to all new identity credentials issued to contractors;
(b) Begin the required identity proofing requirements for all
current contractors that do not have a successfully adjudicated
investigation (i.e., completed National Agency Check with Written
Inquires (NACI) or other Office of Personnel Management or National
Security community investigation) on record. (By October 27, 2007,
identity proofing should be verified and completed for all current
contractors);
(c) Complete and receive notification of results of the FBI
National Criminal History Check prior to credential issuance;
(d) Include language implementing the Standard in applicable
solicitations and contracts that require contractors to have access to
a federally-controlled facility or access to a Federal information
system; and
(e) Complete the applicable privacy requirements listed in section
2.4 of FIPS PUB 201 and the OMB guidance M-05-24.
The rule amends the FAR by--
Adding the definitions ``Federal information system'' and
``Federally-controlled facilities'' at FAR 2.101;
Adding Subpart 4.13, Personal Identity Verification of
Contractor Personnel, to implement FIPS PUB 201 and the associated OMB
guidance;
Modifying the security considerations in FAR 7.105(b)(17)
to require the acquisition plan to address the agency's personal
identity verification requirements for contractors when applicable;
Adding FAR clause 52.204-9, Personal Identity Verification
of Contractor Personnel, to require the contractor to comply with the
personal identity verification process for all affected employees in
accordance with agency procedures identified in the contract.
This is not a significant regulatory action and, therefore, was not
subject to review under Section 6(b) of Executive Order 12866,
Regulatory Planning and Review, dated September 30, 1993. This rule is
not a major rule under 5 U.S.C. 804.
B. Regulatory Flexibility Act
The changes may have a significant economic impact on a substantial
number of small entities within the meaning of the Regulatory
Flexibility Act, 5 U.S.C. 601 et seq., because all entities that hold
contracts or wish to hold contracts that require their personnel to
have access to Federally controlled facilities or information systems
will be required to employ on Government contracts only employees who
meet the standards for being credentialed and expend resources
necessary to help employees fill out the forms for credentialing. An
Initial Regulatory Flexibility Analysis (IRFA) has been prepared. The
analysis is summarized as follows:
INITIAL REGULATORY FLEXIBILITY ANALYSIS
FAR Case 2005-015
Common Identification Standard for Contractors
This Initial Regulatory Flexibility Analysis (IRFA) has been
prepared consistent with 5 U.S.C. 603.
1. Description of the reasons why the action is being taken.
This proposed rule implements Homeland Security Presidential
Directive (HSPD-12), ``Policy for a Common Identification Standard
for Federal Employees and Contractors.'' This directive requires
agencies to adopt a Governmentwide standard for secure and reliable
forms of identification issued by the Federal Government to its
employees and contractors. As required by the Directive, the
Department of Commerce issued Federal Information Processing
Standard Publication (FIPS PUB) 201. Consequently, the FAR must be
revised to require solicitations and contracts include requirements
that contractors who have access to federally-controlled facilities
and information systems comply with the agency's personal identify
verification process. Failure to take action would expose the
Government to unacceptable risk of harm to employees and assets.
2. Succinct statement of the objectives of, and legal basis for,
the rule.
This rule is being promulgated to ensure that Federal agencies
consistently apply the requirements of HSPD-12 to Federal contracts.
Consistency in an identification standard is cost effective and will
improve the security of Government employees and assets.
[[Page 210]]
FIPS PUB 201 states that the Personal Identity Verification
(PIV) Registrar shall initiate a National Agency Check with
Inquiries (NACI) on the applicant as required by Executive Order
10450. Any unfavorable results of the investigation shall be
adjudicated to determine the suitability of the applicant for
obtaining a PIV credential. When all of the requirements have been
completed, the PIV Registrar notifies the sponsor and the designated
PIV issuer that the applicant has been approved for the issuance of
a PIV credential. Conversely, if any of the required steps are
unsuccessful, the PIV Registrar shall send appropriate notifications
to the same authorities.
3. Description of and, where feasible, estimate of the number of
small entities to which the rule will apply.
This rule will apply to any contractor whose employees will have
access to Federal facilities or information systems. A precise
estimate of the number of small entities that fall within the rule
is not currently feasible because it would include both contractors
who perform in Government-owned space as well as those who perform
in Government-leased space (including employees of the lessor and
its contractors.)
4. Description of projected reporting, recordkeeping, and other
compliance requirements of the rule, including an estimate of the
classes of small entities which will be subject to the requirement
and the type of professional skills necessary for preparation of the
report or record.
The rule does not directly require reporting, recordkeeping or
other compliance requirements within the meaning of the Paperwork
Reduction Act (PRA). The rule does require that any entity,
including small businesses that will be performing a contract that
requires its employees to have access to Federal facilities or
information systems, submit information on their employees. Such
information will include a personnel history for each employee
having access to a Federal facility or information system for a
period exceeding 6 months. Although the forms involved are similar
to a standard application for employment that is used by many
companies, it is envisioned that some employers, especially those
using non-skilled or semi-skilled laborers, will need to help their
employees complete the form. It is estimated that each applicant
will spend approximately 30 minutes completing the form.
5. Identification, to the extent practicable, of all relevant
Federal rules which may duplicate, overlap, or conflict with the
rule.
The Councils are unaware of any duplicative, overlapping or
conflicting Federal rule. To the extent that there may be a
duplicative, overlapping or conflicting Federal rule, the purpose of
this rule is to establish a Federal standard that would eliminate
such duplication, overlap or conflict.
6. Description of any significant alternatives to the rule which
accomplish the stated objectives of applicable statutes and which
minimize any significant economic impact of the rule on small
entities.
There are no practical alternatives that will accomplish the
objectives of HSPD-12.
The FAR Secretariat has submitted a copy of the IRFA to the Chief
Counsel for Advocacy of the Small Business Administration. Interested
parties may obtain a copy from the FAR Secretariat. The Councils will
consider comments from small entities concerning the affected FAR Parts
2, 4, 7, and 52 in accordance with 5 U.S.C. 610. Interested parties
must submit such comments separately and should cite 5 U.S.C 601, et
seq. (FAC 2005-07, FAR case 2005-015), in correspondence.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply because the changes to
the FAR do not impose information collection requirements that require
the approval of the Office of Management and Budget under 44 U.S.C.
3501, et seq.Further, the OMB guidance, M-05-24, advises to collect
information using only forms approved by OMB under the Paperwork
Reduction Act (PRA) of 1995 (44 U.S.C. ch. 35), where applicable.
Departments and agencies are encouraged to use Standard Form 85, Office
of Personnel Management Questionnaire for Non-Sensitive Positions (OMB
No. 3206-0005), or the Standard Form 85P, Office of Personnel
Management Questionnaire for Positions of Public Trust (OMB No. 3206-
0005), when collecting information.
D. Determination to Issue an Interim Rule
A determination has been made under the authority of the Secretary
of Defense (DOD), the Administrator of General Services Administration
(GSA), and the Administrator of the National Aeronautics and Space
Administration (NASA) that urgent and compelling reasons exist to
promulgate this interim rule without opportunity for public comment.
This action is necessary to implement HSPD-12 which directs agencies to
require the use of identification by Federal employees and contractors
that meets the Standard in gaining physical access to federally-
controlled facilities and access to federally-controlled information
systems no later than October 27, 2005. The issuance of this interim
rule will not be the first time the public has seen and had a chance to
comment on FIPS PUB 201 and HSPD-12. The Department of Commerce,
National Institute of Standards and Technology, issued a draft of FIPS
PUB 201 on November 23, 2004, with comments due by December 23, 2004.
Also, OMB issued a notice of Draft Agency Implementation Guidance for
HSPD-12 on April 8, 2005, with comments due by May 9, 2005. HSPD-12
requires the development and agency implementation of a mandatory
Governmentwide standard for secure and reliable forms of identification
for both Federal employees and contractors. However, pursuant to Public
Law 98-577 and FAR 1.501, the Councils will consider public comments
received in response to this interim rule in the formation of the final
rule.
List of Subjects in 48 CFR Parts 2, 4, 7, and 52
Government procurement.
Dated: December 22, 2005.
Gerald Zaffos,
Director, Contract Policy Division.
0
Therefore, DoD, GSA, and NASA amend 48 CFR parts 2, 4, 7, and 52 as set
forth below:
0
1. The authority citation for 48 CFR parts 2, 4, 7, and 52 continues to
read as follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42
U.S.C. 2473(c).
PART 2--DEFINITIONS OF WORDS AND TERMS
0
2. Amend section 2.101 in paragraph (b)(2) by adding, in alphabetical
order, the definitions ``Federal information system'' and ``Federally-
controlled facilities'' to read as follows:
2.101 Definitions.
* * * * *
(b) * * *
(2) * * *
Federal information system means an information system (44 U.S.C.
3502(8)) used or operated by a Federal agency, or a contractor or other
organization on behalf of the agency.
Federally-controlled facilities means--
(1)(i) Federally-owned buildings or leased space, whether for
single or multi-tenant occupancy, and its grounds and approaches, all
or any portion of which is under the jurisdiction, custody or control
of a department or agency;
(ii) Federally-controlled commercial space shared with non-
government tenants. For example, if a department or agency leased the
10\th\ floor of a commercial building, the Directive applies to the
10\th\ floor only; and
(iii) Government-owned, contractor-operated facilities, including
laboratories engaged in national defense research and production
activities.
[[Page 211]]
(2) The term does not apply to educational institutions that
conduct activities on behalf of departments or agencies or at which
Federal employees are hosted unless specifically designated as such by
the sponsoring department or agency.
* * * * *
PART 4--ADMINISTRATIVE MATTERS
0
3. Add Subpart 4.13, consisting of sections 4.1300 and 4.1301, to read
as follows:
Subpart 4.13--Personal Identity Verification of Contractor
Personnel
Sec.
4.1300 Policy.
4.1301 Contract clause.
4.1300 Policy.
(a) Agencies must follow Federal Information Processing Standards
Publication (FIPS PUB) Number 201, ``Personal Identity Verification of
Federal Employees and Contractors,'' and the associated Office of
Management and Budget (OMB) implementation guidance for personal
identity verification for all affected contractor and subcontractor
personnel when contract performance requires contractors to have
physical access to a federally-controlled facility or access to a
Federal information system.
(b) Agencies must include their implementation of FIPS PUB 201 and
OMB guidance M-05-24, dated August 5, 2005, in solicitations and
contracts that require the contractor to have physical access to a
federally-controlled facility or access to a Federal information
system.
(c) Agencies shall designate an official responsible for verifying
contractor employee personal identity.
4.1301 Contract clause.
The contracting officer shall insert the clause at 52.204-9,
Personal Identity Verification of Contractor Personnel, in
solicitations and contracts when contract performance requires
contractors to have physical access to a federally-controlled facility
or access to a Federal information system.
PART 7--ACQUISITION PLANNING
0
4. Amend section 7.105 by revising paragraph (b)(17) to read as
follows:
7.105 Contents of written acquisition plans.
* * * * *
(b) * * *
(17) Security considerations. For acquisitions dealing with
classified matters, discuss how adequate security will be established,
maintained, and monitored (see Subpart 4.4). For information technology
acquisitions, discuss how agency information security requirements will
be met. For acquisitions requiring contractor physical access to a
federally-controlled facility or access to a Federal information
system, discuss how agency requirements for personal identity
verification of contractors will be met (see Subpart 4.13).
* * * * *
PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
5. Add section 52.204-9 to read as follows:
52.204-9 Personal Identity Verification of Contractor Personnel.
As prescribed in 4.1301, insert the following clause:
PERSONAL IDENTITY VERIFICATION OF CONTRACTOR PERSONNEL (JAN 2006)
(a) The Contractor shall comply with agency personal identity
verification procedures identified in the contract that implement
Homeland Security Presidential Directive-12 (HSPD-12), Office of
Management and Budget (OMB) guidance M-05-24, and Federal
Information Processing Standards Publication (FIPS PUB) Number 201.
(b) The Contractor shall insert this clause in all subcontracts
when the subcontractor is required to have physical access to a
federally-controlled facility or access to a Federal information
system.
(End of clause)
[FR Doc. 05-24547 Filed 12-30-05; 8:45 am]
BILLING CODE 6820-EP-S