Subpart 504.13 - Personal Identity Verification of Contractor Personnel

504.1301 Policy.

Contracting officers must follow the procedures contained in CIO P2181.1 - GSA HSPD-12 Personal Identity Verification and Credentialing Handbook, which may be obtained from the CIO Office of Enterprise Solutions, to ensure compliance with Homeland Security Presidential Directive-12 (HSPD-12) “Policy for a Common Identification Standard for Federal Employees and Contractors,” Office of Management and Budget Memorandum M-05-24, and Department of Commerce FIPS PUB 201.

504.1303 Contract clause.

Insert the clause at 552.204-9, Personal Identity Verification Requirements, in solicitations and contracts when it is determined that contractor employees will require access to federally controlled facilities or information systems to perform contract requirements.

504.1370 GSA Credentials and Access Management Procedures.

(a) General.

The CIO P 2181.1 - GSA HSPD-12 Personal Identity Verification (PIV) and Credentialing Handbook includes guidance for–

(1)Managing contract employee credentials;

(2) Ensuring contract employee credentials are returned to the GSA Office of Mission Assurance (OMA) when a contractor employee receives an unfavorable suitability determination, leaves the contract or when a contract ends; and

(3) Disabling access to information technology when a contractor employee leaves the contract or when a contract ends.

(b)Delegating Responsibilities.

(1) Contracting officers must manage PIV cards, also referred to as “GSA Access Cards”, provided to contractor employees. Contracting officers may delegate this authority to a contracting officer’s representative.

(2) If delegated, the contracting officer must ensure any contracting officer's representative delegation letter includes language for credentials and access management responsibilities.

(3) The Government contracting official who requests PIV cards on behalf of a contractor employee is also referred to as a “requesting official” pursuant to CIO P 2181.1.

(4) Standard delegation language can be found on GSA's Acquisition Portal at https://insite.gsa.gov/acquisitionportal.

(c) Required Verifications. There are multiple types of verifications to ensure only contractor employees who require PIV cards have them.

(1) Automated verification.

(i) Contractors and authorized Government contracting officials are automatically notified prior to the end date of the contract period of performance listed in the Office of Mission Assurance (OMA) system GSA Credentialing and Identity Management System (GCIMS). PIV cards will be automatically inactivated 30 days after the period of performance.

(ii) If the contractor requires a PIV card beyond 30 days after the contract period of performance, the authorized Government contracting official must submit a contractor information worksheet (CIW) (GSA Form 850) to update GCIMS, including appropriate justification.

(iii) When a contractor is made inactive in GCIMS, GCIMS will send an email to contractors and authorized Government contracting officials notifying everyone that the contractor PIV card needs to be returned. If the contractor does not comply with the terms of the automated notification, the authorized Government contracting official shall take the actions listed in paragraph (d).

(iv) The contracting officer shall include documentation in the contract file, as necessary.

(2) Manual verification.

(i) Authorized Government contracting officials are required to conduct a PIV card review annually or prior to exercising an option (see 517.207(c)), whichever comes first, to verify the contract information in GCIMS is correct (e.g. contract number, contract period of performance, contractor point of contact).

(ii) Authorized Government contracting officials shall send a letter to contractors to determine the need for continued access of individual employees and for return of PIV cards, requesting a response within no more than 15 business days.

(iii) Authorized Government contracting officials are required to submit a contractor information worksheet (CIW) (GSA Form 850) to update GCIMS, as necessary.

(iv) The contracting officer shall include documentation in the contract file, as necessary.

(d) The authorized Government contracting official shall take the following actions when a contractor fails to return PIV cards.

(1) Withhold Final Payment. COs may delay final payment under a contract if the contractor fails to comply with the PIV card requirements in accordance with paragraph (c) of FAR 52.204-9.

(2) Contractor Performance Assessment Rating System (CPARS). The Contracting Officer shall include within CPARS evaluations instances where a contractor fails to return a PIV card or other Government Furnished Equipment (GFE). This information shall be noted within the narrative of the CPARS "Regulatory Compliance" contractor performance evaluation factor (see subpart 542.15).

(3) Suspension/Debarment Referral Considerations. For willful non-compliance, the CO shall refer the contractor to the Suspension and Debarment Official (SDO). The SDO will review the complaint and decide whether or not action should be taken against the contractor.

(4) Termination Considerations. If the contractor shows a pattern of willful non-compliance regarding PIV card requirements during the performance of the contract (e.g., annual review of PIV cards), the CO may terminate the contract.

(e) The CIO P 2181.1 - GSA HSPD-12 Personal Identity Verification and Credentialing Handbook, as well as additional resources for implementing the credentials and access management requirements, can be found on the Acquisition Portal at: https://insite.gsa.gov/hspd12inprocurement.