Skip Navigation
  • Text Size: A A A
  • Print
  • Email
  • Facebook
  • Tweet
  • Share
  • Print
  • Email
  • Facebook
  • Tweet
  • Share

Part 304--Administrative Matters

HHS Acquisition Regulation (HHSAR)

Subpart 304.13--Personal Identity Verification

304.1300 Policy.

(a) Definitions. The following definitions apply to this subpart:    

(1) Access: “Physical” entry to and/or exit from a facility/area of a facility (such as a building or room in a building) or “logical” entry into an information system, such as a researcher up-loading data/information through a secure website or a contractor accessing an HHS-controlled information system from its own facility. It does not include access to a public web site, whether by an HHS contractor or member of the public, because such web sites do not require permission to access. In the case of sensitive data/information that exists in hard copy, “access” means providing a contractor the right to view or use written/typed data or information for the purpose described in a contract.  

(2) Long-term: Greater than 6 months in duration.

(3) Routine: On a regular, non-intermittent basis, which is at least once per week during the contract or order period of performance.

(4) Sensitive data/information: As defined by the Computer Security Act of 1987, any data/information, “the loss, misuse, or unauthorized access to or modification of which, could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of the Title 5 of USC (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an act of Congress to be kept secret in the interest of national defense or foreign policy.” Examples include individuals’ social security numbers; other personal identification information, such as individuals’ health, medical, or psychological information; proprietary research data; and confidential legal data. 

(5) Short-term: Six (6) months or less in duration.

(b) Homeland Security Presidential Directive (HSPD-12), entitled, “Policy for a Common Identification Standard for Federal Employees and Contractors,” was issued on August 27, 2004, to enhance security and reduce identity fraud related to contractor physical access to federally-controlled facilities and/or logical access to federally-controlled information systems.

(1) The HSPD-12 requirements related to routine, long-term physical access to HHS-controlled facilities and logical access to HHS-controlled information systems, including contractor personnel background checks/investigations (termed herein as “more stringent” access procedures), apply to all solicitations and new contracts or orders for services, including services incidental to supply contracts/orders, regardless of dollar amount, where the contractor will require such access (FAR 4.1303). In addition, HHS has determined that, when a contractor has routine, long-term access to sensitive data/information, whether it exists in an HHS-controlled information system or in hard copy, that data/information must also be protected and controlled in accordance with HSPD-12’s more stringent access procedures – see 304.1300(e).

(2) When a contractor’s access to HHS-controlled facilities, information systems, and/or sensitive data/information is of routine but short-term duration, an OPDIV shall use the applicable guidance cited in OMB memorandum M-05-24 related to “short-term” access to determine appropriate protections and limit/control contractor access – see 304.1300(f). However, if the Project Officer determines greater access controls are necessary, an OPDIV may protect and control facilities, information systems, and/or sensitive data information in accordance with HSPD-12’s more stringent access procedures.

(3) When a contractor’s access to HHS-controlled facilities, information systems, and/or sensitive data/information is not routine, regardless of duration, HHS has determined that OPDIVs shall use the applicable guidance cited in OMB memorandum M-05-24 related to “occasional visitors” to determine appropriate protections and limit/control contractor access – see 304.1300(g)

(4) Summary table of contractor access circumstances and HSPD-12 requirements.

 

Type of Access

HSPD-12 Access Procedures Required

HSPD-12 Security Notice Required in Solicitation/Contract SOW/PWS?

[see 304.1300(e)]

Routine, long-term, physical access to HHS-controlled facilitiesMore stringent access procedures applyYES
Routine, long-term logical access to an HHS-controlled information system that does not contain sensitive HHS data/informationMore stringent access procedures applyYES
Routine, long-term access to sensitive HHS data/information, whether it exists in an HHS-controlled information system (logical access) or in hard copyMore stringent access procedures applyYES
Routine, short-term access to HHS-controlled facilities, information systems, and/or sensitive HHS data/informationIf greater access controls are deemed necessary, more stringent access procedures applyYES
If greater access controls are not deemed necessary, applicable guidance cited in OMB memorandum M-05-24 related to “short-term” access to determine appropriate protections and limit/control contractor access

NO, but contractor staff must be provided with the OPDIV documentation on the rules of behavior and consequences for violation [see 304.1300(f)].

 

Non-routine access, regardless of duration, to HHS-controlled facilities, information systems, and/or sensitive HHS data/ informationApplicable guidance cited in OMB memorandum M-05-24 related to “occasional visitors” to determine appropriate protections and limit/control contractor accessNO, but contractor staff must be provided with the OPDIV “occasional visitor” policy and procedures [see 304.1300(g)].

 Back to top

(c) As part of the acquisition planning process, the Project Officer shall determine whether, based on the nature of the requirement, contractor personnel may require access to HHS-controlled facilities and/or information systems, including sensitive data/information, in order to perform the contract/order Statement of Work (SOW)/ Performance Work Statement (PWS). If contractor access is required, the Project Officer must assess, based on information available at that point in the process, the type, frequency, and duration of such access. Following that determination, the Project Officer shall consult with OPDIV and/or local building and IT security officials/staff, and officials/staff involved with personnel security, including the designated personnel security representative, to determine appropriate security requirements and, as necessary, adjust project requirements to minimize security and access issues. The Project Officer shall comply with HSPD-12 and the following implementing guidance in making these judgments and determinations:

(1) OMB memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, dated August 5, 2005.

(2) National Institutes of Standards and Technology Federal Information Processing Standard Publication (FIPS PUB) 201), dated February 25, 2005, which can be accessed at: http://csrc.nist.gov/publications/.

(3) FAR (FAR 4.13 and 52.204-9).

(4) Any HHS and OPDIV implementation thereof.

(d) If, as part of the acquisition planning process, the Project Officer determines that contractor access will not be required, the Project Officer should so state in the AP (or other acquisition request document) – see 307.7101. If an AP does not address access issues or indicates contractor access is not required, and it appears an acquisition may involve access requirements, the Contracting Officer shall request that the Project Officer address or reconsider the initial access determination. The Project Officer’s determination shall be final.

(e) If HSPD-12’s more stringent access procedures are expected to apply, because access will be routine and of long-term duration, or is routine and of short-term duration, but greater access controls are deemed necessary, the Project Officer shall include the following “HHS-Controlled Facilities and Information Systems Security” notice in a separate, clearly designated “Security” section of the SOW/PWS. (NOTE: The Contracting Officer is responsible for tailoring the language in the solicitation and contract/order in accordance with the instructions provided below.)

“XXX Security.

HHS-Controlled Facilities and Information Systems Security

(a) To perform the work specified herein, Contractor personnel are expected to have routine (1) physical access to an HHS-controlled facility; (2) logical access to an HHS-controlled information system; (3) access to sensitive HHS data or information, whether in an HHS-controlled information system or in hard copy; or (4) any combination of circumstances (1) through (3).

(b) To gain routine physical access to an HHS facility, logical access to an HHS-controlled information system, and/or access to sensitive data or information, the Contractor and its employees shall comply with Homeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors; Office of Management and Budget memorandum (M-05-24); and Federal Information Processing Standards Publication (FIPS PUB) Number 201; and with the personal identity verification and investigation procedures contained in the following documents:

(1) HHS Information Security Program Policy.

(2) HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook, dated February 1, 2005.

(3) HHS HSPD-12 Policy Document, v. 2.0.

(4) (NOTE: Based upon information provided by the Project Officer, the Contracting Officer shall insert references to OPDIV and/or local procedural guideline(s), if any; indicate if they are readily accessible to the public; and, if so, specify where they may be found. If they are not readily accessible, the Contracting Officer shall attach a copy to the solicitation and contract and reference the guideline(s) here.)

(c) This contract/order will entail the following position sensitivity level(s):      

(NOTE: At the time of solicitation, based upon information provided by the Project Officer, the Contracting Officer shall specify all known levels. If the position sensitivity levels are not known at that time, the Contracting Officer shall insert the words “To Be Determined at the Time of Award.” However, the Contracting Officer must include the definitive position sensitivity levels in the awarded contract/order.)

(d) The personnel investigation procedures for Contractor personnel require that the Contractor prepare and submit background check/investigation forms based on the type of investigation required. The minimum Government investigation for a non-sensitive position is a National Agency Check and Inquiries (NACI) with fingerprinting. More restricted positions – i.e., those above non-sensitive, require more extensive documentation and investigation.

(NOTE: The Contracting Officer shall include the following sentence in each solicitation as the concluding sentence in paragraph (d)): “As part of its proposal, and if the anticipated position sensitivity levels are specified in paragraph (c) above, the Offeror shall notify the Contracting Officer of (1) its proposed personnel who will be subject to a background check/investigation and (2) whether any of its proposed personnel who will work under the contract have previously been the subject of national agency checks or background investigations.”)

 (The Contracting Officer shall include the following sentence in each contract/order as the concluding sentence in paragraph (d) in lieu of the solicitation language: “The Contractor shall notify the Contracting Officer in advance when any new personnel, who are subject to a background check/investigation, will work under the contract and if they have previously been the subject of national agency checks or background investigations.”)

(e) Investigations are expensive and may delay performance, regardless of the outcome of the investigation. Delays associated with rejections and consequent re-investigations may not be excusable in accordance with the FAR clause, Excusable Delays – see a.

(NOTE: The Contracting Officer shall include the following sentence in each solicitation as the concluding sentence in paragraph (e): “Accordingly, if position sensitivity levels are specified in paragraph (c), the Offeror shall ensure that the employees it proposes for work under this contract have a reasonable chance for approval.”

The Contracting Officer shall include the following sentence in each contract/order as the concluding sentence in paragraph (e) in lieu of the solicitation language: “Accordingly, the Contractor shall ensure that any additional employees whose names it submits for work under this contract have a reasonable chance for approval.”)

(f) Typically, the Government investigates personnel at no cost to the Contractor. However, multiple investigations for the same position may, at the Contracting Officer’s discretion, justify reduction(s) in the contract price of no more than the cost of the additional investigation(s).

(g) The Contractor shall include language similar to this “HHS-Controlled Facilities and Information Systems Security” language in all subcontracts that require subcontractor personnel to have the same frequency and duration of (1) physical access to an HHS-controlled facility; (2) logical access to an HHS-controlled information system; (3) access to sensitive HHS data/information, whether in an HHS-controlled information system or in hard copy; or (4) any combination of circumstances (1) through (3).

(h) The Contractor shall direct inquiries, including requests for forms and assistance, to the Contracting Officer or designee.

(i) Within 7 calendar days after the Government’s final acceptance of the work under this contract, or upon termination of the contract, the Contractor shall return all identification badges to the Contracting Officer or designee.”

Back to top

(End of notice)

(f) When a contractor’s access to HHS-controlled facilities, information systems, and/or sensitive data/information is of routine, but short-term duration, and greater access controls are not deemed necessary, the Contracting Officer and Project Officer shall use the applicable guidance cited inOMB memorandum M-05-24, dated August 5, 2005, specifically Attachment A, “HSPD-12 Implementation Guidance for Federal Departments and Agencies,” to ensure that—

(1) Adequate OPDIV access controls are applied, and a contractor is granted only limited/controlled access to facilities, systems, and/or sensitive data/information, consistent with the requirements of the acquisition;

(2) Contractor staff are provided with clear OPDIV documentation on the rules of behavior and consequences of their violation before being granted access to facilities, systems, and/or sensitive data/information;

(3) Contractor security violations are documented and reported to the appropriate OPDIV authority within 24 hours of their occurrence; and

(4) Identity credentials issued to contractor staff are visually and electronically distinguishable from credentials issued to individuals to whom the more stringent HSPD-12 access procedures apply. 

However, as indicated in 304.1300(e), if the Project Officer determines greater access controls are necessary, an OPDIV may protect and control facilities, information systems, and/or sensitive data information in accordance with HSPD-12’s more stringent access procedures.

(g) When a contractor’s access to HHS-controlled facilities, information systems, and/or sensitive data/information is not routine, regardless of duration, the Contracting Officer and Project Officer shall use the applicable guidance cited in OMB memorandum M-05-24, dated August 5, 2005, specifically Attachment A, “HSPD-12 Implementation Guidance for Federal Departments and Agencies,” related to “occasional visitors” to determine appropriate protections and limit/control contractor access to ensure that—

(1) Adequate OPDIV access controls are applied, and the contractor is granted only limited/controlled access to facilities, systems, and/or sensitive data/information, consistent with the requirements of the acquisition; and

(2) OPDIV visitor policies, including contractor personnel identity badging requirements, are enforced and are provided to the contractor.


Go to:

Back to top


Content created by OGAPA-DA