On October 14, 2011, just one week after the release of the “WikiLeaks Order,” the Department of Defense (DoD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) proposed a rule that would require certain contractors to complete training that addresses the protection of privacy and the handling and safeguarding of personally identifiable information (PII). Specifically, the rule would require contractors who access government records, handle PII, or design, develop, maintain, or operate a system of government records on behalf of the government to undergo training upon award of a contract and at least annually thereafter. Further, according to the rule, contractors would have recordkeeping requirements for documents indicating that employees have completed the mandatory training and would be required to produce those records upon government request.
In addition, the proposed Federal Acquisition Regulation (FAR) text provides that the required privacy training must, at a minimum, address seven mandatory elements. Those elements include training on privacy protection in accordance with the Privacy Act of 1974, restrictions on the use of personally owned equipment that implicates PII, breach notification procedures, and other “agency-specific” training requirements. The proposed FAR text also provides alternative language for instances where an agency would prefer that the contractor create the privacy training package, as opposed to attending an agency-developed privacy training. Additional alternative language is proposed for instances where the government determines it is in its best interest for the agency itself to conduct the training. Moreover, the clause requires that it be flowed down to any subcontractors who: (1) have access to government records; (2) handle PII; or (3) design, develop, maintain, or operate a system of records on behalf of the government.
The proposed rule is a part of a broader effort to enhance cyber security. It follows the “WikiLeaks Order,” an executive order issued October 7, 2011, and formally titled “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information,” which directs governmental change to ensure that classified information is shared responsibly and safeguarded on computer networks in a manner consistent with appropriate protections for privacy and civil liberties. The order expressly states that agencies bear “the primary responsibility for meeting these twin goals.” The proposed rule also comes shortly after the DoD requested the extension of a pilot program through November 2011, which helps protect the networks of its prime defense contractors by sharing intelligence about threats to their data with these contractors.
Contractors interested in sharing their views on the proposed rule have the opportunity to comment. Written comments are due by December 13, 2011.