Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).
The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) have agreed to convert the interim rule published in the Federal Register at 71 FR 208 on January 3, 2006, to a final rule with changes. This final rule is amending the Federal Acquisition Regulation (FAR) to add the contractor personal identification requirements identified in the Homeland Security Presidential Directive (HSPD) 12, “Policy for a Common Identification Standard for Federal Employees and Contractors,” and Federal Information Processing Standards (FIPS) Number 201, “Personal Identity Verification (PIV) of Federal Employees and Contractors,” as amended.
Effective Date: November 22, 2006.
Applicability Date: This rule applies to solicitations and contracts issued or awarded on or after November 22, 2006. Contracts awarded before October 27, 2005 requiring contractors to have routine physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system must be modified to ensure that credentials are issued by October 27, 2007, pursuant to FAR Subpart 4.13 in accordance with agency implementation of FIPS PUB 201 and OMB guidance M-05-24, as amended.Start Further Info
FOR FURTHER INFORMATION CONTACT:
For clarification of content, contact Mr. Michael Jackson, Procurement Analyst, at (202) 208-4949. Please cite FAC 2005-14, FAR case 2005-015. For information pertaining to status or publication schedules, contact the FAR Secretariat at (202) 501-4755.End Further Info End Preamble Start Supplemental Information
This final rule amends the Federal Acquisition Regulation to require contracting officers to incorporate the requirement for contractors to comply with agency verification procedures that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24, and Federal Information Processing Standards Publication (FIPS PUB) Number 201 when applicable to the work to be performed under the contract.
DoD, GSA, and NASA published an interim rule in the Federal Register at 71 FR 208 on January 3, 2006. The 60-day comment period for the interim rule ended March 6, 2006. Five respondents provided comments. Most comments pointed out areas of concern and language that required clarification. The substantive comments are discussed below.
Comment: One respondent requested the Government clarify/elaborate on the requirements to have subcontractors properly cleared.
Response: Implementation of Homeland Security Presidential Directive (HSPD) 12 required by OMB memorandum M-05-24, Policy for a Common Identification Standard for Federal Employees and Contractors, follows the Federal Information Processing Standard Publication (FIPS PUB) 201 when individuals under contract with a Federal department or agency, requiring routine access to Federally-controlled facilities and/or Federally-controlled information systems, require identity credentials consistent with existing agency security policies. The need to have contactors meet the requirements of FIPS PUB 201, including background investigations, applies equally to contractors and subcontractors to the extent that subcontractors require routine access to Federally-controlled facilities and/or Federally-controlled information systems. As such, the Councils have revised the final rule to add the term “routine” to clarify that personal identity verification does not apply to all contractors and/or subcontractors.
Comment: One respondent stated there is an overlap with Department of Defense Instruction (DoDI) 3020.41 (October 3, 2005) paragraph 188.8.131.52 which states “contingency contractor personnel shall be issued a standard Geneva Convention Card...U.S. citizens and selected other CDF will be issued a DoD Uniformed Services Identification and Privilege Card...”, and points out that FAC 2005-07 requires agencies to adopt and accredit a registration process consistent with the identity proofing, registrations and accreditation requirements in section 2.2 of FIPS [PUB] 201. The respondent asks will the requirement in DoDI 3020.41 satisfy the requirements of FAC 2005-07 for providing a personal identity card for contingency contractors? The respondent also asks does FAC 2005-07 duplicate or supplement the requirement in DoDI 3020.41 or does it depend on the contingency status of the contractor?
Response: Those contingency contractor personnel who receive a common access card (CAC), including those who receive a CAC based on the eligibility for a Geneva Conventions card, must comply with the identity proofing and vetting requirements of FIPS PUB 201, as the CAC represents DoD's implementation of the Personal Identity Verification (PIV) for Federal Start Printed Page 67772Employees and Contractors standard. Policy change is currently in staffing to modify and update existing documents to comply with the heightened requirements. The current DoDI 3020.41 does not satisfy FIPS PUB 201 requirements; pending publication of the policy changes, FIPS PUB 201 must be considered additive to the requirements of DoDI 3020.1.
Comment: One respondent highlights that the FIPS PUB 201 will be implemented in two phases, that the documents referenced in the interim rule are lengthy and a small business may not have the capability to download them, and that SBA may need to assist small businesses and/or provide training to make them competent in this arena. The respondent also stated that added administrative time is required for businesses and Federal agencies to incorporate the required contract modifications. The respondent also recommends that the standards required by parts 1 and 2 of the OMB memorandum (M-05-24) be outlined in the FAR clause at 52.204-9, and that the clause be added to solicitations and contracts in full text versus incorporation by reference.
Response: The rule permits modifications to be executed according to agency procedures for FIPS PUB 201 implementation. The Councils consider the October 2007 date to be in full compliance with FIPS PUB 201 and allow adequate time for agencies to establish a completion date to modify contracts thereby lessening any administrative burden. Agencies will establish their own procedures for complying with FIPS PUB 201, therefore the Councils do not want to give the appearance that the outline encompasses all facets of identity verification by including an outline in the clause. Because agency policy will implement FIPS PUB 201, agency resources should be available to assist small businesses with questions or concerns regarding their procedures. Adding the clause in solicitations and contracts by reference is the proper prescription, and the full text of clause 52.204-9 is available using the Internet. Nonetheless, a small business can receive clarification or a copy of the clause by contacting the contracting officer.
Comment: One respondent commented that the interim rule is a significant regulatory action and suggested that the budgetary and administrative impact is so significant it should be a “major rule” that is subject to congressional review pursuant to 5 U.S.C. 801 et seq. and to the regulatory planning and review process under Executive Order 12866.
Response: The budgetary and administrative resources to implement HSPD-12 are provided by the Government. The Councils have appropriately complied with the determination made by OMB's Office of Information and Regulatory Affairs that this rule is not significant, nor economically significant, nor a major rule.
Comment: One respondent commented that the HSPD-12 requires agencies to “complete and receive notification of results of the FBI National Criminal History check prior to credential issuance.” Both requirements will significantly increase the demands placed on Government investigative services far beyond their current budgetary and manpower capabilities. The respondent provided an overview of the backlog OPM is currently experiencing. The respondent indicates that hundreds of thousands more investigations will be required by HSPD-12 for government personnel, contractors, and subcontractors, and questions how the Government will handle the influx of contractor personnel. The respondent also stated the rule will cause an artificial increase in the number of investigations to ensure that personnel that may become critical to the contract performance are not excluded only because they do not have a government-issued I.D.
Response: Attachment A to the OMB Memo M-05-24 dated August 5, 2005, states that agencies should receive notification of results of the National Agency Checks before issuing a credential. However, the memo provides that the identity credential can be issued based on the FBI National Criminal History Check (fingerprint check) if the results are not received in 5 days. Because of this provision, the Councils have concluded that flexibilities exist to allow credentialing which may mitigate the impact of an increase in demand placed on investigative services. OPM is responsible for the investigative services and has procedures in place to handle the associated workload.
Comment: One respondent expressed that a concern for industry is the potential impact of this rule on the performance of contracts by contractors and subcontractors, because the rule is silent on the consequences of Government investigative services not being completed in a timely fashion. The respondent questions if an agency is allowed beyond October 27, 2005 to continue to provide access to “federally-controlled facilities” and/or “federal information systems” for contractors and subcontractors who are not yet adjudicated. Additional concern was expressed that a contractor or subcontractor would be barred from performing on a contract because the Government is unable to provide a final identity verification and successful criminal background check.
Response: In reference to the OMB Memo M-05-24, agencies are instructed to initiate National Agency Checks by October 27, 2005. Full completion will occur over a specified time period. The guidance includes instruction for distinguishing adjudicated individuals from those that have not yet been adjudicated; it does not prohibit access. Each agency will follow its own implementation policy for access authorization when a final identity verification and successful criminal background check are pending. Therefore, the Councils do not anticipate that contractors or subcontractors will be barred from performing their contractual obligations.
Comment: Two respondents question the course of action for contractors and subcontractors, including small and disadvantaged businesses, needing to obtain identity verification for their employees. It appears that the agency will be responsible for ensuring all contractor and subcontractor employees are able to complete the process, but such a sequence would indicate that verification occurs after award and employers who do not currently have adjudicated personnel would be required to delay performance on the contract until such time as a sufficient number of personnel can be adjudicated.
Response: As stated in the response above, implementation of HSPD-12 does not prohibit access to a Federally-controlled facility and/or Federally-controlled information system pending a final identity verification and successful criminal background check. Contractors must comply with agency procedures for access authorization when a final adjudication has not been issued. There is no intent to delay contract performance until a sufficient number of personnel can be adjudicated.
Comment: One respondent stated the prospect of investigative delays would drive businesses that can offer the Government successful commercial solutions from the marketplace because the delays would impact performance, and suggests a solution is to start verifying identity before contract award. However, this option would exacerbate the problem of workload delays that Start Printed Page 67773already plague the Government investigative services.
Response: The Councils have been informed by OPM that the full extent to which HSPD-12 will create investigative delays is unknown. It is anticipated that cases received by OPM because of HSPD-12 implementation, that would not otherwise have been received, will be almost exclusively for uncleared contractors. While the true size of this population is unknown, what is known is that a large number of agencies have been investigating uncleared contractors on a regular basis and the workload increase will be significantly smaller than if no activity had ever occurred. National Agency Check with Inquiries (NACI), the minimum investigation required for HSPD-12 compliance and personal identity verification (PIV) issuance, are not labor intensive. Once the case is data-entered, it is processed by automated systems. NACIs do not, other than in rare cases, require the use of field investigators. Further, PIV credentials can be issued upon favorable completion of the fingerprint portion of the NACI, which in most cases will be accomplished in a matter of days. The option of allowing contractors to begin the investigative process before contract award would create a far greater burden on the process. OPM is the authority on handling workload for investigative services, and has procedures to support implementation of HSPD-12.
Comment: One respondent stated it supports the need for secure and reliable forms of identification, but it is not clear that the Government has sufficiently anticipated the full scale of the impact on investigative services, historical delays, nor the potential impact on contractors and subcontractor and Government contracting as a whole on the Government's ability to verify the personnel for every contractor and subcontractor requiring access to “federal information systems” and/or “federally-controlled facilities.”
Response: As stated in the above response, the Councils have been informed by OPM that the full extent to which HSPD-12 will create investigative delays is unknown, however, it is anticipated that cases received by OPM because of HSPD-12 implementation, that would not otherwise have been received, will almost exclusively be for uncleared contractors. OPM is responsible for handling investigative requests regarding HSPD-12 and has existing procedures to manage this type of workload.
Comment: One respondent stated the Councils must require as part of the rule that agencies submit information to the Government investigative services. Citing the November 9, 2005 testimony of Linda Springer, Director of the Office of Personnel Management, to the Senate Subcommittee on Oversight of Government Management, the Federal Workforce and the District of Columbia, this information will at least provide the bases for adequate, reasonable and accurate annual estimates of the personnel and costs demands they will place upon the process.
Response: In her November 9, 2005 testimony, Ms. Springer indicated that “OPM will assist agencies in improving their workload forecasting by collecting quarterly data comparing agencies' annual workload projections with actual requests,” and that OPM will continue to work toward reducing the time it takes to complete the process for investigative cases. The Councils support OPM's role in managing resources to perform investigations and OPM's procedures for gathering information for investigative services, and do not believe it is necessary to add further implementation requirements to this rule.
Comment: One respondent states the FAR interim rule sets a mechanism for requiring contractors to comply with HSPD-12 that differs from the OMB guidance. Because DOE has implemented the appropriate mechanism to assure contractors comply with HSPD-12, implementation of the FAR rule will cause hardship to the Department. The FAR policy requires agencies to follow HSPD-12 and its associated guidance. The policy states “agencies must follow FIPS 201 and OMB guidance for personal identity verification for all affected contractor and subcontractor personnel...” This policy language indicates that the FAR interim rule is intended to further the requirements of FIPS 201 and OMB guidance. This language clearly implies that for contractors which are not affected by HSPD-12, contracting officers do not have to include this clause.
Response: The Councils did not intend to overstate requirements to implement FIPS PUB 201 and the OMB guidance and agree that contracting officers do not have to include the clause if contract performance does not require compliance with HSPD-12. The final rule clarifies that HSPD-12 applies when contractors and subcontractors require routine physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system.
Comment: One respondent recommends that the FAR Interim Rule be modified for consistency with established HSPD-12 guidance, because the FAR requirement is not consistent with the recently amended FIPS PUB 201 and the OMB memorandum M-05-24. In particular, promulgation of the final rule as written could result in substantial confusion among the Federal agency employees and contractors who are assigned to implement HSPD-12 at large Federal agencies. The respondent listed items in the FAR interim rule which are different from the OMB memo including the definition of Federally-controlled facilities; the use of “Federal Information System” instead of “Federally Controlled Information System”; the omission of “facilities under a management and operation contract”; the exception for “education institution”; and the expansion of the definition of “Federally owned buildings and leased space” to include property interests controlled by any department or agency.
Response: The Councils have reviewed updated FIPS PUB 201 guidance and have revised the definitions in the final rule for Federally-controlled facilities and Federally-controlled information systems to be consistent with the OMB Memo M-05-24, dated August 5, 2005.
This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.
B. Regulatory Flexibility Act
The changes may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., because all entities that hold contracts or wish to hold contracts that require their personnel to have access to Federally-controlled facilities or information systems will be required to employ on Government contracts only employees who meet the standards for being credentialed and expend resources necessary to help employees fill out the forms for credentialing. The Councils prepared a Final Regulatory Flexibility Analysis (FRFA), and it is summarized as follows:
1. Statement of need for, and objectives of, the rule.
This rule amends the Federal Acquisition Regulation to implement the Homeland Security Presidential Directive (HSPD) 12, “Policy for a Common Identification Standard for Federal Employees and Contractors,” dated August 27, 2004. HSPD 12 requires the development and agency implementation of a mandatory Start Printed Page 67774Governmentwide standard for secure and reliable forms of identification for Federal employees and contractors, including contractor employees.
2. Summary of significant issues raised by the public comments in response to the Initial Regulatory Flexibility Analysis (IRFA), a summary of the assessment of the agency of such issues, and a statement of any changes made in the interim rule as a result of such comments.
An interim rule was published in the Federal Register at 71 FR 208 on January 3, 2006. The Councils considered all of the comments in finalizing the rule. An Initial Regulatory Flexibility Analysis was performed. One respondent highlights that the FIPS PUB 201 will be implemented in two phases, that the documents referenced in the interim rule are lengthy and a small business may not have the capability to download them, and that SBA may need to assist small businesses and/or provide training to make them competent in this arena. The respondent also stated that added administrative time is required for businesses and Federal agencies to incorporate the required contract modifications. The councils consider the October 2007 date to be in full compliance with FIPS PUB 201 and allow adequate time for agencies to establish a completion date to modify contracts thereby lessening any administrative burden. Because agency policy will implement FIPS PUB 201, agency resources should be available to assist small businesses with questions or concerns regarding their procedures.
3. Description of, and an estimate of the number of, small entities to which the rule will apply or an explanation of why no such estimate is available.
This rule will apply to all large and small businesses that seek awards when contract performance requires contractors and/or subcontractors to have routine physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system. A precise estimate of the number of small entities that fall within the rule is not currently feasible because it would include both contractors who perform in Government-owned space as well as those who perform in Government-leased space (including employees of the lessor and its contractors).
The Councils did not receive any comments on this issue from small business concerns or other interested parties in response to the Initial Regulatory Flexibility Analysis.
4. Description of the projected reporting, recordkeeping, and other compliance requirements of the rule, including an estimate of the classes of small entities which will be subject to the requirement and the type of professional skills necessary for preparation of the report or record.
The rule does not directly require reporting, recordkeeping or other compliance requirements within the meaning of the Paperwork Reduction Act (PRA). The rule does require that any entity, including small businesses that will be performing a contract that requires its employees to have access to Federal facilities or information systems, submit information on their employees. Such information will include a personnel history for each employee having access to a Federal facility or information system for a period exceeding 6 months. Although the forms involved are similar to a standard application for employment that is used by many companies, it is envisioned that some employers, especially those using non-skilled or semi-skilled laborers, will need to help their employees complete the form. It is estimated that each applicant will spend approximately 30 minutes completing the form.
Five respondents provided public comments in response to the interim rule. The public expressed concern that downloading large documents may be problematic for small business concerns, there will be a significant increase workload for OPM resources who provide investigative services that may cause a delay and prohibit a contractor's ability to start performance while awaiting adjudication, and the interim rule overstated the credentialing requirements by referencing all contractors and subcontractors. The responses to public comments in the final rule preamble address these comments.
Agencies must adopt the technical standards for an approved identity proofing and registration process established by Federal Information Processing Standard Publication (FIPS PUB) 201, and establish their own implementation policy. The real implementation of this directive will occur at the agency level. Agencies should be prepared to assist contractors with questions or concerns about the agency policy.
5. Description of steps the agency has taken to minimize significant economic impact on small entities consistent with the stated objectives of applicable statutes, including a statement of the factual, policy, and legal reasons for selecting the alternative adopted in the final rule and why each of the other significant alternatives to the rule considered by the agency was rejected.
There are no known significant alternatives that will accomplish the objectives of the rule. No alternatives were proposed during the public comment period.
The FAR Secretariat has submitted a copy of the FRFA to the Chief Counsel for Advocacy of the Small Business Administration. Interested parties may obtain a copy from the FAR Secretariat. The Councils will consider comments from small entities concerning the affected FAR Parts 2, 4, 7, and 52 in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 601, et seq. (FAC 2005-14, FAR Case 2005-015), in correspondence.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply because the changes to the FAR do not impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq.Start List of Subjects
List of Subjects in 48 CFR Parts 2, 4, 7, and 52End List of Subjects Start Signature
Dated: November 15, 2006.
Ralph De Stefano,
Director, Contract Policy Division.
Interim Rule Adopted as Final with ChangesStart Amendment Part
Accordingly, DoD, GSA, and NASA adopt the interim rule amendingEnd Amendment Part Start Amendment Part
1. The authority citation forEnd Amendment Part Start Part
PART 2—DEFINITIONS OF WORDS AND TERMSEnd Part Start Amendment Part
2. Amend section 2.101 in paragraph (b)(2) by removing the definition “Federal information system”; revising the definition “Federally-controlled facilities”; and adding the definition “Federally-controlled information system” to read as follows:End Amendment Part
(b) * * *
(2) * * *
Federally-controlled facilities means—
(1) Federally-owned buildings or leased space, whether for single or multi-tenant occupancy, and its grounds and approaches, all or any portion of which is under the jurisdiction, custody or control of a department or agency;
(2) Federally-controlled commercial space shared with non-government tenants. For example, if a department or agency leased the 10th floor of a commercial building, the Directive applies to the 10th floor only;
(3) Government-owned, contractor-operated facilities, including laboratories engaged in national defense research and production activities; and
(4) Facilities under a management and operating contract, such as for the operation, maintenance, or support of a Government-owned or Government-controlled research, development, special production, or testing establishment.
Federally-controlled information system means an information system (44 U.S.C. 3502(8) used or operated by a Federal agency, or a contractor or other Start Printed Page 67775organization on behalf of the agency (44 U.S.C. 3544(a)(1)(A)).Start Part
PART 4—ADMINISTRATIVE MATTERSEnd Part Start Amendment Part
3. Revise section 4.1300 in paragraphs (a) and (b) and section 4.1301 to read as follows:End Amendment Part
(a) Agencies must follow Federal Information Processing Standards Publication (FIPS PUB) Number 201, “Personal Identity Verification of Federal Employees and Contractors,” as amended, and the associated Office of Management and Budget (OMB) implementation guidance as amended, for personal identity verification for all affected contractor and subcontractor personnel when contract performance requires contractors to have routine physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system.
(b) Agencies must include their implementation of FIPS PUB 201 as amended, and OMB guidance M-05-24, dated August 5, 2005, as amended, in solicitations and contracts that require the contractor to have routine physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system.
The contracting officer shall insert the clause at 52.204-9, Personal Identity Verification of Contractor Personnel, in solicitations and contracts when contract performance requires contractors to have routine physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system. The clause shall not be used when contractors require only intermittent access to Federally-controlled facilities.Start Part
PART 7—ACQUISITION PLANNINGEnd Part Start Amendment Part
4. Amend section 7.105 by revising the last sentence in paragraph (b)(17) to read as follows:End Amendment Part
(b) * * *
(17) Security considerations. * * * For acquisitions requiring routine contractor physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system, discuss how agency requirements for personal identity verification of contractors will be met (see Subpart 4.13).Start Part
PART 52—SOLICITATION PROVISIONS AND CONTRACT CLAUSESEnd Part Start Amendment Part
5. Amend section 52.204-9 by revising the date of the clause to read “(NOV 2006)”; and revising paragraphs (a) and (b) to read as follows:End Amendment Part
(a) The Contractor shall comply with agency personal identity verification procedures identified in the contract that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24, as amended, and Federal Information Processing Standards Publication (FIPS PUB) Number 201, as amended.
(b) The Contractor shall insert this clause in all subcontracts when the subcontractor is required to have routine physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system.
(End of clause)End Supplemental Information
[FR Doc. 06-9308 Filed 11-21-06; 8:45 am]
BILLING CODE 6820-EP-S