Federal Acquisition Regulation (FAR): Common indentification standard for contractors,

[Federal Register: January 3, 2006 (Volume 71, Number 1)]

[Rules and Regulations]

[Page 208-211]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr03ja06-13]

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 2, 4, 7, and 52

[FAC 2005-07; FAR Case 2005-015; Item II]

RIN 9000-AK35

Federal Acquisition Regulation; Common Identification Standard for Contractors

AGENCIES: Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Interim rule with request for comments.

SUMMARY: The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) have agreed on an interim rule amending the Federal Acquisition Regulation (FAR) to address the contractor personal identification requirements in Homeland Security Presidential Directive (HSPD-12), ``Policy for a Common Identification Standard for Federal Employees and Contractors,'' and Federal Information Processing Standards Publication (FIPS PUB) Number 201, ``Personal Identity Verification (PIV) of Federal Employees and Contractors.''

DATES: Effective Date: January 3, 2006.

Comment Date: Interested parties should submit written comments to the FAR Secretariat on or before March 6, 2006 to be considered in the formulation of a final rule.

Applicability Date: This rule applies to solicitations and contracts issued or awarded on or after October 27, 2005. Contracts awarded before that date requiring contractors to have access to a Federally controlled facility or a Federal

[[Page 209]]

information system must be modified by October 27, 2007, pursuant to FAR subpart 4.13 in accordance with agency implementation of FIPS PUB 201 and OMB guidance M-05-24.

ADDRESSES: Submit comments identified by FAC 2005-07, FAR case 2005- 015, by any of the following methods:

Federal eRulemaking Portal: http://www.regulations.gov.

Follow the instructions for submitting comments.

Agency Web Site: http://www.acqnet.gov/far/ProposedRules/proposed.htm. Click on the FAR case number to submit comments. E-mail: farcase.2005-015@gsa.gov. Include FAC 2005-07, FAR FAR case 2005-015 in the subject line of the message.

Fax: 202-501-4067.

Mail: General Services Administration, Regulatory Secretariat (VIR), 1800 F Street, NW, Room 4035, ATTN: Laurieann Duarte, Washington, DC 20405.

Instructions: Please submit comments only and cite FAC 2005-07, FAR case 2005-015, in all correspondence related to this case. All comments received will be posted without change to http://www.acqnet.gov/far/ProposedRules/proposed.htm , including any personal and/or business

confidential information provided.

FOR FURTHER INFORMATION CONTACT: For clarification of content, contact Mr. Michael Jackson, Procurement Analyst, at (202) 208-4949. Please cite FAC 2005-07, FAR case 2005-015. For information pertaining to status or publication schedules, contact the FAR Secretariat at (202) 501-4755.

SUPPLEMENTARY INFORMATION:

1. Background

   Increasingly, contractors are required to have physical access to federally-controlled facilities and information systems in the performance of Government contracts. On August 27, 2004, in response to the general threat of unauthorized access to physical facilities and information systems, the President issued Homeland Security Presidential Directive (HSPD-12). The primary objectives of HSPD-12 are to establish a process to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Governmentwide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors. In accordance with HSPD-12, the Secretary of Commerce issued on February 25, 2005, Federal Information Processing Standards Publication (FIPS PUB) 201, Personal Identity Verification of Federal Employees and Contractors, to establish a Governmentwide standard for secure and reliable forms of identification for Federal and contractor employees. FIPS PUB 201 is available at http://www.csrc.nist.gov/publications/fips/fips201/FIPS-201-022505.pdf.

   The associated Office of Management and Budget (OMB) guidance, M-05-24, dated August 5, 2005, can be found at http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf .

   In accordance with requirements in HSPD-12, by October 27, 2005, agencies must--

   (a) Adopt and accredit a registration process consistent with the identity proofing, registration and accreditation requirements in section 2.2 of FIPS PUB 201 and associated guidance issued by the National Institute for Standards and Technology. This registration process applies to all new identity credentials issued to contractors;

   (b) Begin the required identity proofing requirements for all current contractors that do not have a successfully adjudicated investigation (i.e., completed National Agency Check with Written Inquires (NACI) or other Office of Personnel Management or National Security community investigation) on record. (By October 27, 2007, identity proofing should be verified and completed for all current contractors);

   (c) Complete and receive notification of results of the FBI National Criminal History Check prior to credential issuance;

   (d) Include language implementing the Standard in applicable solicitations and contracts that require contractors to have access to a federally-controlled facility or access to a Federal information system; and

   (e) Complete the applicable privacy requirements listed in section 2.4 of FIPS PUB 201 and the OMB guidance M-05-24.

   The rule amends the FAR by--

   Adding the definitions ``Federal information system'' and ``Federally-controlled facilities'' at FAR 2.101;

   Adding Subpart 4.13, Personal Identity Verification of Contractor Personnel, to implement FIPS PUB 201 and the associated OMB guidance;

   Modifying the security considerations in FAR 7.105(b)(17) to require the acquisition plan to address the agency's personal identity verification requirements for contractors when applicable;

   Adding FAR clause 52.204-9, Personal Identity Verification of Contractor Personnel, to require the contractor to comply with the personal identity verification process for all affected employees in accordance with agency procedures identified in the contract.

   This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

2. Regulatory Flexibility Act

   The changes may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601 et seq., because all entities that hold contracts or wish to hold contracts that require their personnel to have access to Federally controlled facilities or information systems will be required to employ on Government contracts only employees who meet the standards for being credentialed and expend resources necessary to help employees fill out the forms for credentialing. An Initial Regulatory Flexibility Analysis (IRFA) has been prepared. The analysis is summarized as follows:

   INITIAL REGULATORY FLEXIBILITY ANALYSIS

   FAR Case 2005-015

   Common Identification Standard for Contractors

   This Initial Regulatory Flexibility Analysis (IRFA) has been prepared consistent with 5 U.S.C. 603.

   1. Description of the reasons why the action is being taken.

      This proposed rule implements Homeland Security Presidential Directive (HSPD-12), ``Policy for a Common Identification Standard for Federal Employees and Contractors.'' This directive requires agencies to adopt a Governmentwide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors. As required by the Directive, the Department of Commerce issued Federal Information Processing Standard Publication (FIPS PUB) 201. Consequently, the FAR must be revised to require solicitations and contracts include requirements that contractors who have access to federally-controlled facilities and information systems comply with the agency's personal identify verification process. Failure to take action would expose the Government to unacceptable risk of harm to employees and assets.

   2. Succinct statement of the objectives of, and legal basis for, the rule.

      This rule is being promulgated to ensure that Federal agencies consistently apply the requirements of HSPD-12 to Federal contracts. Consistency in an identification standard is cost effective and will improve the security of Government employees and assets.

      [[Page 210]]

      FIPS PUB 201 states that the Personal Identity Verification (PIV) Registrar shall initiate a National Agency Check with Inquiries (NACI) on the applicant as required by Executive Order 10450. Any unfavorable results of the investigation shall be adjudicated to determine the suitability of the applicant for obtaining a PIV credential. When all of the requirements have been completed, the PIV Registrar notifies the sponsor and the designated PIV issuer that the applicant has been approved for the issuance of a PIV credential. Conversely, if any of the required steps are unsuccessful, the PIV Registrar shall send appropriate notifications to the same authorities.

   3. Description of and, where feasible, estimate of the number of small entities to which the rule will apply.

      This rule will apply to any contractor whose employees will have access to Federal facilities or information systems. A precise estimate of the number of small entities that fall within the rule is not currently feasible because it would include both contractors who perform in Government-owned space as well as those who perform in Government-leased space (including employees of the lessor and its contractors.)

   4. Description of projected reporting, recordkeeping, and other compliance requirements of the rule, including an estimate of the classes of small entities which will be subject to the requirement and the type of professional skills necessary for preparation of the report or record.

      The rule does not directly require reporting, recordkeeping or other compliance requirements within the meaning of the Paperwork Reduction Act (PRA). The rule does require that any entity, including small businesses that will be performing a contract that requires its employees to have access to Federal facilities or information systems, submit information on their employees. Such information will include a personnel history for each employee having access to a Federal facility or information system for a period exceeding 6 months. Although the forms involved are similar to a standard application for employment that is used by many companies, it is envisioned that some employers, especially those using non-skilled or semi-skilled laborers, will need to help their employees complete the form. It is estimated that each applicant will spend approximately 30 minutes completing the form.

   5. Identification, to the extent practicable, of all relevant Federal rules which may duplicate, overlap, or conflict with the rule.

      The Councils are unaware of any duplicative, overlapping or conflicting Federal rule. To the extent that there may be a duplicative, overlapping or conflicting Federal rule, the purpose of this rule is to establish a Federal standard that would eliminate such duplication, overlap or conflict.

   6. Description of any significant alternatives to the rule which accomplish the stated objectives of applicable statutes and which minimize any significant economic impact of the rule on small entities.

      There are no practical alternatives that will accomplish the objectives of HSPD-12.

      The FAR Secretariat has submitted a copy of the IRFA to the Chief Counsel for Advocacy of the Small Business Administration. Interested parties may obtain a copy from the FAR Secretariat. The Councils will consider comments from small entities concerning the affected FAR Parts 2, 4, 7, and 52 in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C 601, et seq. (FAC 2005-07, FAR case 2005-015), in correspondence.

3. Paperwork Reduction Act

   The Paperwork Reduction Act does not apply because the changes to the FAR do not impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq.Further, the OMB guidance, M-05-24, advises to collect information using only forms approved by OMB under the Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. ch. 35), where applicable. Departments and agencies are encouraged to use Standard Form 85, Office of Personnel Management Questionnaire for Non-Sensitive Positions (OMB No. 3206-0005), or the Standard Form 85P, Office of Personnel Management Questionnaire for Positions of Public Trust (OMB No. 3206- 0005), when collecting information.

4. Determination to Issue an Interim Rule

   A determination has been made under the authority of the Secretary of Defense (DOD), the Administrator of General Services Administration (GSA), and the Administrator of the National Aeronautics and Space Administration (NASA) that urgent and compelling reasons exist to promulgate this interim rule without opportunity for public comment. This action is necessary to implement HSPD-12 which directs agencies to require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to federally- controlled facilities and access to federally-controlled information systems no later than October 27, 2005. The issuance of this interim rule will not be the first time the public has seen and had a chance to comment on FIPS PUB 201 and HSPD-12. The Department of Commerce, National Institute of Standards and Technology, issued a draft of FIPS PUB 201 on November 23, 2004, with comments due by December 23, 2004. Also, OMB issued a notice of Draft Agency Implementation Guidance for HSPD-12 on April 8, 2005, with comments due by May 9, 2005. HSPD-12 requires the development and agency implementation of a mandatory Governmentwide standard for secure and reliable forms of identification for both Federal employees and contractors. However, pursuant to Public Law 98-577 and FAR 1.501, the Councils will consider public comments received in response to this interim rule in the formation of the final rule.

   List of Subjects in 48 CFR Parts 2, 4, 7, and 52

   Government procurement.

   Dated: December 22, 2005. Gerald Zaffos, Director, Contract Policy Division.

   0 Therefore, DoD, GSA, and NASA amend 48 CFR parts 2, 4, 7, and 52 as set forth below: 0 1. The authority citation for 48 CFR parts 2, 4, 7, and 52 continues to read as follows:

   Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c).

   PART 2--DEFINITIONS OF WORDS AND TERMS

   0 2. Amend section 2.101 in paragraph (b)(2) by adding, in alphabetical order, the definitions ``Federal information system'' and ``Federally- controlled facilities'' to read as follows:

   2.101 Definitions.

   * * * * *

   (b) * * *

   (2) * * *

   Federal information system means an information system (44 U.S.C. 3502(8)) used or operated by a Federal agency, or a contractor or other organization on behalf of the agency.

   Federally-controlled facilities means--

   (1)(i) Federally-owned buildings or leased space, whether for single or multi-tenant occupancy, and its grounds and approaches, all or any portion of which is under the jurisdiction, custody or control of a department or agency;

   (ii) Federally-controlled commercial space shared with non- government tenants. For example, if a department or agency leased the 10\th\ floor of a commercial building, the Directive applies to the 10\th\ floor only; and

   (iii) Government-owned, contractor-operated facilities, including laboratories engaged in national defense research and production activities.

   [[Page 211]]

   (2) The term does not apply to educational institutions that conduct activities on behalf of departments or agencies or at which Federal employees are hosted unless specifically designated as such by the sponsoring department or agency. * * * * *

   PART 4--ADMINISTRATIVE MATTERS

   0 3. Add Subpart 4.13, consisting of sections 4.1300 and 4.1301, to read as follows:

   Subpart 4.13--Personal Identity Verification of Contractor Personnel

   Sec. 4.1300 Policy. 4.1301 Contract clause.

   4.1300 Policy.

   (a) Agencies must follow Federal Information Processing Standards Publication (FIPS PUB) Number 201, ``Personal Identity Verification of Federal Employees and Contractors,'' and the associated Office of Management and Budget (OMB) implementation guidance for personal identity verification for all affected contractor and subcontractor personnel when contract performance requires contractors to have physical access to a federally-controlled facility or access to a Federal information system.

   (b) Agencies must include their implementation of FIPS PUB 201 and OMB guidance M-05-24, dated August 5, 2005, in solicitations and contracts that require the contractor to have physical access to a federally-controlled facility or access to a Federal information system.

   (c) Agencies shall designate an official responsible for verifying contractor employee personal identity.

   4.1301 Contract clause.

   The contracting officer shall insert the clause at 52.204-9, Personal Identity Verification of Contractor Personnel, in solicitations and contracts when contract performance requires contractors to have physical access to a federally-controlled facility or access to a Federal information system.

   PART 7--ACQUISITION PLANNING

   0 4. Amend section 7.105 by revising paragraph (b)(17) to read as follows:

   7.105 Contents of written acquisition plans.

   * * * * *

   (b) * * *

   (17) Security considerations. For acquisitions dealing with classified matters, discuss how adequate security will be established, maintained, and monitored (see Subpart 4.4). For information technology acquisitions, discuss how agency information security requirements will be met. For acquisitions requiring contractor physical access to a federally-controlled facility or access to a Federal information system, discuss how agency requirements for personal identity verification of contractors will be met (see Subpart 4.13). * * * * *

   PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

   0 5. Add section 52.204-9 to read as follows:

   52.204-9 Personal Identity Verification of Contractor Personnel.

   As prescribed in 4.1301, insert the following clause:

   PERSONAL IDENTITY VERIFICATION OF CONTRACTOR PERSONNEL (JAN 2006)

   (a) The Contractor shall comply with agency personal identity verification procedures identified in the contract that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24, and Federal Information Processing Standards Publication (FIPS PUB) Number 201.

   (b) The Contractor shall insert this clause in all subcontracts when the subcontractor is required to have physical access to a federally-controlled facility or access to a Federal information system.

   (End of clause)

   [FR Doc. 05-24547 Filed 12-30-05; 8:45 am]

   BILLING CODE 6820-EP-S