Overview
FAR 4.1301 establishes the requirement for federal agencies to implement standardized Personal Identity Verification (PIV) procedures for contractor personnel who require routine physical access to federal facilities or logical access to federal information systems. It ensures that contractor identity credentials are issued, managed, and recovered in accordance with FIPS PUB 201 and OMB guidance.
Key Rules
- Mandatory Compliance: Agencies must follow FIPS PUB 201 and OMB M-05-24 for all contractor and subcontractor personnel requiring routine access to federally-controlled facilities or information systems.
- Solicitation Requirements: Agencies are required to include PIV implementation instructions in all relevant solicitations and contracts.
- Verification Authority: Agencies must designate a specific official responsible for the verification of contractor employee identities.
- Accountability and Return of Credentials: Contractors must account for and return all PIV cards or badges when:
- The credentials are no longer needed for performance.
- The specific employee’s employment is terminated.
- The contract is completed or terminated.
- Enforcement Mechanism: The Contracting Officer has the explicit authority to delay final payment if the contractor fails to return all government-provided identification.
Practical Implications
- Contract Closeout Risk: Contractors face direct financial risk at the end of a project; if a single subcontractor fails to return a security badge, the government can legally withhold the entire final payment.
- Operational Oversight: Prime contractors must implement robust internal tracking systems to manage the lifecycle of government-issued credentials for their employees and subcontractors to ensure security compliance and timely payment.