Supporting Statement for
Paperwork Reduction Act Submission
Department of Transportation Acquisition Regulation (TAR)
Part 1239 Clause 1252.239-75
OMB Approval No. 2105-XXXX
Explain the circumstances that make the collection of information necessary. Identify legal or administrative requirements that necessitate the collection of information.
As a result of proposed rule, RIN 2105-AE26: Streamline and Update the Department of Transportation Acquisition Regulation posted to the Federal Register, 86FR69452, on December 7, 2021, TAR Case 2020-001, this is a request from the Department of Transportation (DOT) for OMB approval of a new Information Collection (IC). Under Public Law 113-283, Federal Information Security Modernization Act of 2014, each agency of the Federal Government must provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
In order for DOT to comply with Public Law 113-283, Federal Information Security Modernization Act of 2014, DOT developed clause 1252.239-75, DOT Protection of Information About Individuals, PII, and Privacy Risk Management Requirements, and contains the following information collection requirements from the public:
Notification / reporting non-compliance with DOT data protection standards with respect to Personally Identifiable Information (PII)
Notification of new or unanticipated threats or hazards, or if existing safeguards have ceased to function
Execution and submittal of confidentiality agreements (protection of PII)
Notification and secure return of PII to Government when any part of PII, in any form, the Contractor obtains from or behalf of DOT ceases to be required by Contractor or upon termination of contract, within ten (10) business days; or, at DOT’s written request to destroy, un-install and /or remove all copies of such PII and provide certification that PII has been returned, or remove or destroyed; and subcontractor certification of return of all records within 30 days of subcontractor’s completion of services
Breach reporting; and subcontractor breach reporting
Notification of subcontractor access to PII
Clause 1252.239-75, DOT Protection of Information About Individuals, PII, and Privacy Risk Management Requirements, requires any contractor under a DOT contract that creates, maintains, acquires, discloses, uses, or has access to PII in furtherance of the contract, shall comply with all applicable Federal law, guidance, and standards and DOT policies pertaining to its protection. The clause requires contractors to comply with the Privacy Act of 1974, 5 U.S.C. 552a, DOT implementing regulations (49 CFR Part 10), and DOT policies issued under the Act in the design, development, and/or operation of any system of records on individuals to accomplish a DOT function when the contract specifically identifies the work that the contractor is to perform. It imposes certain information collection requirements, reporting, and submissions as outlined in paragraph 1 above. The required information collection requirements are to be used by DOT to assess the contractor’s compliance with specific Federal and DOT IT security requirements and is necessary to ensure DOT information and information systems are adequately protected.
Information collection requirement responses, plans and other required submittals can be submitted via electronic submission.
The information collections required by the clause are based on specific requirements for DOT to ensure contractor compliance with Federal and DOT security requirements. Each contract awarded require specific information collections and other contract submissions cannot be used. Submissions are specific to individual contracts. Therefore, there will be no duplication.
If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.
Small businesses will be affected in the same way as large businesses in order to comply with statutes and other Federal requirements which require security of information technology, information and information systems.
Failure to collect the information could expose vulnerabilities in DOT information technology and protection of information and information systems.
DOT does not expect that any contractor/subcontractor would submit a response more often quarterly, but the information collection requirements do pertain to each event where access to DOT personally identifiable information (PII) is accessed or used, or if there is a breach, or if a noncompliance or out of standard event is discovered.
Note: this section will be updated when the proposed rule 1239 is published in the Federal Register and at the end of public comment period. OSPE will address comments received related to this IC, if any.
There were no efforts to consult with persons outside the agency beyond the publication of this proposed rule in the Federal Register.
No payments or gifts have been provided.
This information is disclosed only to the extent consistent with prudent business practices and current regulations.
The request for information does not include any questions of a sensitive nature.
The number of respondents, frequency of responses, annual hour burden, and explanation for each form is reported as follows:
Total Burden Hours: 622
Average Number of Respondents: 311
Average Annual Responses: 622
No. of respondents |
x No. of responses per respondent |
x No. of minutes |
÷ by 60
|
Number of Burden Hours |
311 |
2 |
60 |
622 |
Note: DOT has estimated the number of respondents based on identified NAICS reflecting previous contract awards averaged over the last three fiscal years—FY 2017, FY 2018, and FY 2019 where the clause may be required. DOT estimates that in the future for a typical contract performance period only 15% of the total average of contract awards represents the potential pool of number of respondents who might deal with PII and are required to submit an information collection requirement (ICR) response as shown below.
NAICS: (As shown below) (Respondents)
Contract Award Actions (Average 3 FY)
518210 196
541199 12
541513 357
541618 60
541990 932
541110 335
561499 22
561621 158
2072
Basis for estimated number of respondents: Number of NAICS contract actions = 2072 x 15% estimated number of annual respondents might submit a ICRs under this clause = 311.
If this request for approval covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burdens in Item 13 of OMB 83-1.
No other form is required by the TAR for use in this collection.
Provide estimates of annual cost to respondents for the hour burdens for collections of information. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 14.
Total estimated annual cost to all respondents: $20,588.20 (622 hours at $33.10 per hour).
Rate of $33.10 per hour including benefits is based on the average GS-10, Step 1, on the OPM Salary Table, 2021-GS plus OMB Civilian Position Fringe Benefits rate of 36.25% (per OMB Memorandum M-08-13, March 11, 2008).
There are no capital or start-up costs associated with the information collection.
14. Provide estimates of annual cost to the Federal Government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operation expenses (such as equipment, overhead, printing, and support staff), and any other expense that would not have been incurred without this collection of information. Agencies also may aggregate cost estimates from Items 12, 13, and 14 in a single table.
TAR clause 1252.239-75, DOT Protection of Information About Individuals, PII, and Privacy Risk Management Requirements.
This is a new information collection.
There are no plans to publish any data received from this information collection.
DOT will display the expiration date for OMB approval of the information collection.
There are no exceptions.
Statistical methods will not be employed.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Modified | 0000-00-00 |
File Created | 2022-02-04 |