5124.103 Procedures.
(b)(i) The contracting officer shall reference the following documents in solicitations and contracts that require the design, development, or operation of a system of records:
(A) DoD Directive 5400.11.
(B) DoD Regulation 5400.11-R.
(C) Regulations for community-specific protected information, as applicable, e.g. DoD Regulation 6025.18-R (DoD Health Information Privacy Regulation).
(ii) The contracting officer will ensure that work statements that require the design, development, or operation of a system of records include procedures to follow in the event of a PII breach.
(iii) The contracting officer should ensure that Government surveillance plans for contracts that require the design, development, or operation of a system of records include monitoring of the contractor’s adherence to Privacy Act/PII regulations. The assessing official should document contractor-caused breaches or other incidents related to PII in past performance reports. (See 5142.1503-90(b).) Such incidents include instances in which the contractor did not adhere to Privacy Act/PII contractual requirements.