Rules for Handling PII by DON Contractor Support Personnel
By DON Privacy Team - Published August 29, 2018
The DON has a continuing affirmative responsibility to safeguard PII and to prevent its loss, theft, or compromise. All DON personnel, including support contractors and business partners, must ensure their actions do not contribute to, or result in, a compromise. Contractor employees who work onsite at a government facility must take the same DON Annual Privacy Training required of DON civilians and military personnel. This training can be found on the Navy eLearning and Total Workforce Management Services (TWMS) websites.
Contractors should become familiar with, and adhere to, Secretary of the Navy Instruction (SECNAVINST) 5211.5 series, "DON Privacy Program." Additionally, the following privacy regulations apply to contractors.
Privacy Act of 1974:
Section 552a(m), Government Contractors
(1) When an agency provides a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section to be applied to such system. For purposes of subsection (i) of this section any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of this section, shall be considered to be an employee of an agency.
(2) A consumer reporting agency to which a record is disclosed under section 3711(e) of title 31 shall not be considered a contractor for the purposes of this section.
Agencies shall ensure that contract terms necessary for the agency to respond to a breach are included in contracts when a contractor collects or maintains Federal information on behalf of the agency or uses or operates an information system on behalf of the agency. To the extent that a cooperative agreement or other such instrument requires another organization or entity to perform such functions on behalf of the agency, the agency must similarly ensure that such cooperative agreements and instruments include the following terms.
Thus, at a minimum, contracts should include terms that:
- Require the contractor to cooperate with and exchange information with agency officials, as determined necessary by the agency, in order to effectively report and manage a suspected or confirmed breach.
- Require contractors and subcontractors (at any tier) to properly encrypt PII in accordance with OMB Circular A-130 and other applicable policies and to comply with any agency-specific policies for protecting PII;
- Require regular training for contractors and subcontractors (at any tier) on how to identify and report a breach;
- Require contractors and subcontractors (at any tier) to report a suspected or confirmed breach in any medium or form, including paper, oral, and electronic, as soon as possible and without unreasonable delay, consistent with the agency's incident management policy and US-CERT notification guidelines;
- Require contractors and subcontractors (at any tier) to maintain capabilities to determine what Federal information was or could have been accessed and by whom, construct a timeline of user activity, determine methods and techniques used to access Federal information, and identify the initial attack vector;
- Allow for an inspection, investigation, forensic analysis, and any other action necessary to ensure compliance with this Memorandum, the agency's breach response plan, and to assist with responding to a breach;
- Identify roles and responsibilities, in accordance with this Memorandum and the agency's breach response plan; and,
- Explain that a report of a breach shall not, by itself, be interpreted as evidence that the contractor or its subcontractor (at any tier) failed to provide adequate safeguards for PII.
- An agency may also require the contractor to notify any individuals potentially affected by a breach, as explained in this Memorandum. In those instances, the agency may require the contractor to take countermeasures to mitigate the risk of harm to potentially affected individuals or to protect PII on behalf of the agency, including operating call centers and providing resources for potentially affected individuals.
There are many IT systems that are contractor owned or operated that process, store, or transmit Federal contract information. In these cases, contracts between a commercial vendor and the DON must contain the following FAR privacy clauses:
Federal Acquisition Regulation (FAR) Clauses
- 52.224-1 Privacy Act Notification
The Contractor will be required to design, develop, or operate a system of records on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties.
- 52.224-2 Privacy Act
(a) The Contractor agrees to
(1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies
(i) The systems of records; and
(ii) The design, development, or operation work that the contractor is to perform;
(2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the design, development, or operation of a system of records on individuals that is subject to the Act; and
(3) Include this clause, including this subparagraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records.
(b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Contractor and any employee of the Contractor is considered to be an employee of the agency.
(c) For systems of records:
(1) Operation of a system of records, as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.
(2) Record, as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph.
(3) System of records on individuals, as used in this clause means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
- 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
Definition: Covered contractor information system means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.
(b) Safeguarding requirements and procedures.
(1) The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:
(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
(iv) Control information posted or processed on publicly accessible information systems.
(v) Identify information system users, processes acting on behalf of users, or devices.
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Identify, report, and correct information and information system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.
(xiv) Update malicious code protection mechanisms when new releases are available.
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
(2) Other requirements. This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556.
(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.
- 52.224-3 Privacy Training
(a) Definition. As used in this clause, personally identifiable information means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. (See Office of Management and Budget (OMB) Circular A–130, Managing Federal Information as a Strategic Resource).
(b) The Contractor shall ensure that initial privacy training, and annual privacy training thereafter, is completed by contractor employees who—
(1) Have access to a system of records;
(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of an agency; or
(3) Design, develop, maintain, or operate a system of records (see also FAR subpart 24.1 and 39.105).
(c)(1) Privacy training shall address the key elements necessary for ensuring the safeguarding of personally identifiable information or a system of records. The training shall be role-based, provide foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users. At a minimum, the privacy training shall cover—
(i) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;
(ii) The appropriate handling and safeguarding of personally identifiable information;
(iii) The authorized and official use of a system of records or any other personally identifiable information;
(iv) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise access personally identifiable information;
(v) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and
(vi) The procedures to be followed in the event of a suspected or confirmed breach of a system of records or the unauthorized disclosure, access, handling, or use of personally identifiable information (see OMB guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).
(2) Completion of an agency-developed or agency-conducted training course shall be deemed to satisfy these elements.
(d) The Contractor shall maintain and, upon request, provide documentation of completion of privacy training to the Contracting Officer.
(e) The Contractor shall not allow any employee access to a system of records, or permit any employee to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise handle personally identifiable information, or to design, develop, maintain, or operate a system of records unless the employee has completed privacy training, as required by this clause.
(f) The substance of this clause, including this paragraph (f), shall be included in all subcontracts under this contract, when subcontractor employees will—
(1) Have access to a system of records;
(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or
(3) Design, develop, maintain, or operate a system of records.
Alternate I (JAN 2017). As prescribed in 24.302(b), if the agency specifies that only its agency-provided training is acceptable, substitute the following paragraph (c) for paragraph (c) of the basic clause:
(c) The contracting agency will provide initial privacy training, and annual privacy training thereafter, to Contractor employees for the duration of this contract.
- 39.105 Privacy
Agencies shall ensure that contracts for information technology address protection of privacy in accordance with the Privacy Act (5 U.S.C. 552a) and [FAR] Part 24. In addition, each agency shall ensure that contracts for the design, development, or operation of a system of records using commercial information technology services or information technology support services include the following:
(a) Agency rules of conduct that the contractor and the contractor's employees shall be required to follow.
(b) A list of the anticipated threats and hazards that the contractor must guard against.
(c) A description of the safeguards that the contractor must specifically provide.
(d) Requirements for a program of Government inspection during performance of the contract that will ensure the continued efficacy and efficiency of safeguards and the discovery and countering of new threats and hazards.
Defense Federal Acquisition Regulation Supplement (DFARS) Clauses
- 204.73 Safeguarding Covered Defense Information and Cyber Incident Reporting
This subpart applies to Department of Defense contracts and subcontracts requiring contractors and subcontractors to safeguard covered defense information including PII that resides in or transits through covered contractor information systems by applying specified network security requirements. It also requires reporting of cyber incidents. The subpart does not abrogate any other requirements regarding contractor physical, personnel, information, technical, or general administrative security operations governing the protection of unclassified information, nor does it affect requirements of the National Industrial Security Program. The subpart includes requirements for a solicitation provision and contract clauses.
- 239.76 Cloud Computing
This subpart prescribes policies and procedures for Department of Defense acquisition of cloud computing services. It includes requirements for the protection of government data and government-related data including PII. This subpart also includes requirements for a solicitation provision and a contract clause.
Steve Daughety is the DON privacy lead. He can be reached at email@example.com.