HSPD-12 Contractual Implementation Guidance
- Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors;
- Office of Management and Budget (OMB) Memorandum M-05-24, dated August 5, 2005, Implementation of Homeland Security Presidential Directive (HSPD) 12 --Policy for a Common Identification Standard for Federal Employees and Contractors (http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf);
- Federal Information Processing Standards 201-1 (FIPS 201-1) (http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf);
- HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook, dated February 1, 2005 (http://www.hhs.gov/policies/hhsar/subpart307-71.html);
- HHSAR 307.7106, Statement of Work (SOW); HHSAR 307.7108 in new coverage as of February 1, 2007; (http://www.hhs.gov/policies/hhsar/);
- Federal Acquisition Regulation (FAR) 37.602, Performance Work Statement (PWS) (http://acquisition.gov/far/current/html/Subpart%2037_6.html#wp1074648);
- FAR Subpart 4.13, Personal Identity Verification of Contractor Personnel, http://acquisition.gov/far/current/html/Subpart%204_13.html#wp1074125;
- FAR 52.204-9, Personal Identity Verification of Contractor Personnel [clause], http://acquisition.gov/far/current/html/52_200_206.html#wp1139617;
- HHS IRM Information Security Program Policy http://www.hhs.gov/read/irmpolicy/121504.html.
Background: HSPD-12 and OMB’s implementing memorandum (M-05-24) direct a consistent and systematic approach to investigations, identification, and admittance of contractors to Government facilities, Information Technology (IT) systems, and sensitive data.
Analysis and Discussion: In accordance with OMB Memorandum M-05-24, by October 27, 2007, HHS must have verified and/or completed background investigations for contractors who require access to sensitive information, access to HHS IT systems, regular or prolonged access to HHS-controlled facilities, or any combination of these three. In order to support full program implementation by October 27, 2007, HHS must begin contractual implementation as soon as possible. Unlike most other guidance affecting HHS contracts, HSPD-12 applies retroactively, requiring modifications to some of HHS’ current contracts.
For new actions, requirements for contractor access to Government buildings, IT systems, and/or sensitive data should be specified as are all other requirements—during acquisition planning in a Request for Contract/Acquisition Plan (RFC/AP) and a statement of work (SOW) or performance work statement (PWS). For existing actions, the SOW/PWS and any appropriate acquisition planning documents should be revised to reflect new requirements for contractor access to Government buildings, IT systems, and/or sensitive data.
Personnel responsible for defining and documenting service requirements, i.e., Project Officers, must consult with local Building Security, IT Security, and Personnel Security about access and identification requirements. Based on these discussions, Project Officers must document all access and identification requirements in their RFCs/APs and SOWs/PWSs. Considering the potential costs (which program offices may be required to pay) and delays associated with investigations, minimizing the number of investigations is sensible; but failure to identify access requirements may further delay investigations and, ultimately, contract performance. If an RFC/AP or SOW/PWS for a service does not address access, identification, and sensitivity issues, Contracting Officers should ask Project Officers to do so. If, as October 27, 2007 approaches, Project Officers have not initiated modifications to current contracts to address access, identification, and sensitivity issues; Contracting Officers should remind them of the approaching deadline.
Adding investigation, access, and sensitivity provisions to new or existing contracts will be the most common way to comply with the acquisition-related aspects of HSPD-12, but there are alternatives. A Project Officer could adjust a SOW/PWS to reduce sensitivity or access requirements. Selected personnel could move offsite, eliminating the need for investigations. Alternately, a Contracting Officer might, with contractor concurrence, shorten a period of performance to complete performance on a contract before October 27, 2007, when access restrictions apply.
Interim Acquisition Guidance:
(1) For new actions, in addition to the acquisition planning requirements under HHSAR Part 307, Project Officers must address contractor security, access, identification, and sensitivity. After consultation with Building Security, IT Security, and Personnel Security, the Project Officer must state whether potential contractors will require access to HHS information technology, access to sensitive data, regular or prolonged access to HHS-controlled facilities, or any combination of these three. If access requirements apply, the Project Officer must specify the sensitivity level(s) of the position(s) in the acquisition planning documents.
(2) For existing and new actions, while developing or modifying a SOW or PWS in accordance with HHSAR 307.7106 (after February 1, 2007, HHSAR 307.7108 will apply) and FAR 37.602, Project Officers must address contractor access requirements. After determining that an effort involves access to HHS IT systems, access to sensitive data, regular or prolonged access to HHS-controlled facilities, or any combination of these three, the Project Officer must add a Security section substantially like the following to the SOW/PWS in new solicitations and in current and new contracts. This new Security section must specify access requirements, sensitivity level(s), and references to relevant Federal and Departmental guidance and OpDiv procedures.
C.X.1 To perform the work specified herein, contractor personnel will require access to sensitive data, regular access to HHS-controlled facilities and/or access to HHS information systems. The Government has determined the position sensitivity under this effort to be __________.
C.X.2 To gain access to the sensitive data, HHS-controlled facilities, and/or HHS information systems, the contractor shall comply with Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, and with the personal identity verification and investigation procedures contained in:
C.X.2.1 HHS Information Security Program Policy http://www.hhs.gov/read/irmpolicy/121504.html
C.X.2.2 HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook, dated February 1, 2005 (http://www.hhs.gov/policies/hhsar/subpart307-71.html).
C.X.2.3 [Insert references to local procedural guidelines, if any and if accessible to the public. If they are not readily accessible, attach a copy to the solicitation and contract and reference it here.]
C.X.2.4 HHS HSPD-12 Implementation Policy (draft)
C.X.3 The minimum Government investigation for a non-sensitive position is a National Agency Check and Inquiries (with fingerprinting), which consists of searches of records covering specific areas of a person’s background during the past five years. Those inquiries are sent to current and past employers, schools attended, references, and local law enforcement authorities. More restricted positions, above non-sensitive, require more extensive documentation and investigation.
C.X.4 Contractors should ensure that the employees whose names they submit have a reasonable chance for access approval. Delays associated with rejections and consequent reinvestigations may not be excusable. 
C.X.5 Typically, the Government investigates personnel at no cost to the contractor, but the expense of multiple investigations for the same position is difficult to justify. Consequently, multiple investigations for the same position may, at the Contracting Officer’s discretion, justify reduction(s) in the contract price of no more than the cost of the extra investigation(s).
C.X.6 Language similar to this Security section shall be included in any subcontracts which require subcontractor personnel to have access to an information system, access to sensitive data, regular or prolonged access to an HHS-controlled facility, or any combination of these three.
C.X.7 Inquiries, including requests for forms and assistance, should be directed to the Contracting Officer or his designee, listed in Section G of the contract.
C.X.8 Within seven (7) calendar days after final acceptance of the work specified herein, the contractor shall return all identification badges to the Contracting Officer or his designee.
 OMB recommends six months as the minimum period justifying investigation. Other factors, such as access to sensitive data or critical IT systems, may justify it.
 Effective February 1, 2007, interim HHSAR coverage will subsume “RFC” into an enhanced and standardized Acquisition Plan.
 HSPD-12 requirements apply only to services, including services incidental to supply contracts, which require contractors to have access to federal IT systems, access to sensitive information, regular or prolonged access to federally-controlled facilities, or any combination of these three.
 HSPD-12 requirements apply to contracts whose periods of performance begin after or extend past October 27, 2007.
 The following sentence may be substituted when multiple sensitivity levels apply. “The Government estimates that this effort will entail multiple levels of sensitivity, ranging from _________ to __________; but sensitivity levels cannot be ascertained definitively until after contract award.”
 Investigations may delay performance, regardless of the outcome of the investigation. The facts surrounding individual cases will determine whether a delay is excusable.