Navigate

AR-3

AR-3: Privacy Requirements for Contractors and Service Providers

The organization:

AR-3a.: Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and

AR-3b.: Includes privacy requirements in contracts and other acquisition-related documents.

Supplemental

Contractors and service providers include, but are not limited to, information providers, information processors, and other organizations providing information system development, information technology services, and other outsourced applications. Organizations consult with legal counsel, the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), and contracting officers about applicable laws, directives, policies, or regulations that may impact implementation of this control.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

Related Controls

The controls below (if any) were marked by NIST as being related to AR-3.

Control	Description
AR-1	The organization: AR-1a.: Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems; AR-1b.: Monitors federal privacy laws and policy for changes that affect the privacy program; AR-1c.: Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program; AR-1d.: Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures; AR-1e.: Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and AR-1f.: Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially].
AR-5	The organization: AR-5a.: Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures; AR-5b.: Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and AR-5c.: Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually].
SA-4	The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: SA-4a.: Security functional requirements; SA-4b.: Security strength requirements; SA-4c.: Security assurance requirements; SA-4d.: Security-related documentation requirements; SA-4e.: Requirements for protecting security-related documentation; SA-4f.: Description of the information system development environment and environment in which the system is intended to operate; and SA-4g.: Acceptance criteria.

Enhancements

The controls below (if any) add on to the requirements of AR-3.

Control	Description
No controls

Related CCIs

The CCIs below are tied to AR-3.

CCI	Definition
CCI-003426	The organization establishes privacy roles for contractors.
CCI-003427	The organization establishes privacy responsibilities for contractors.
CCI-003428	The organization establishes access requirements for contractors.
CCI-003429	The organization establishes privacy roles for service providers.
CCI-003430	The organization establishes privacy responsibilities for service providers.
CCI-003431	The organization establishes access requirements for service providers.
CCI-003432	The organization includes privacy requirements in contracts.
CCI-003433	The organization includes privacy requirements in other acquisition-related documents.