AR-3a.: Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and
AR-3b.: Includes privacy requirements in contracts and other acquisition-related documents.
Contractors and service providers include, but are not limited to, information providers, information processors, and other organizations providing information system development, information technology services, and other outsourced applications. Organizations consult with legal counsel, the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), and contracting officers about applicable laws, directives, policies, or regulations that may impact implementation of this control.