AGENCY:

Department of State.

ACTION:

Advance Notice of Proposed Rulemaking; request for comment.

SUMMARY:

The Department of State has identified namecheck vetting as a critical tool that can be used, where appropriate, to mitigate the risk that U.S. government activities could inadvertently benefit terrorist groups, their members, or their supporters, and is crafting rules that will address the Department's namecheck vetting process, including setting out the requirements for including vetting provisions in Department of State solicitations and awards for both grants and contracts to allow for namecheck vetting of key individuals of implementing partners and sub-contractors or sub-grantees, beneficiaries of programs, or other identified categories of individuals, when deemed appropriate by the relevant Department official.

DATES:

The Department of State will accept comments until July 31, 2024.

ADDRESSES:

Persons with access to the internet may view this rule and submit comments by going to www.regulations.gov and searching for docket number DOS-2024-0008.

• Inspection of public comments: All comments received before the close of the comment period will be available for public inspection, including any personally identifiable or confidential business or financial information that is included in a comment. The Department of State will post all comments received before the close of the comment period at www.regulations.gov. For a summary of this rulemaking, please go to www.regulations.gov/​DOS-2024-0008.

FOR FURTHER INFORMATION CONTACT:

Annura Murtadha, Vetting Chief, MurtadhaAN@state.gov, (202) 663-3871 (Fax).

SUPPLEMENTARY INFORMATION:

Because security screening precautions have slowed the delivery and dependability of surface mail and hand delivery to the Department of State in Washington, DC, the Department recommends sending all comments to the Federal eRulemaking Portal. The email address and fax number listed above are provided in the event that submission to the Federal eRulemaking Portal is not convenient (all comments must be in writing to be reviewed). You may submit comments by electronic mail, avoiding the use of any special characters and any form of encryption.

The purpose of this ANPRM is to gather data for the Department to amend 48 CFR chapter 6 and 2 CFR chapter VI, to add new pre-award and award terms for contracts and grants. The pre-award provisions will delineate the namecheck vetting process and the applicant's responsibilities for submitting information on individuals who will be subject to namecheck vetting, prior to award. The award provisions will delineate the post-award namecheck vetting process and the recipient's responsibilities with respect to namecheck vetting during the award period.

This regulatory action will boost national security by helping the Department to mitigate the risk that agency funds and other resources do not inadvertently benefit terrorist groups, their members, or their supporters.

Background

Authority for vetting is inherent in the Department of State's (“the Department” or “State”) authority to carry out the necessary administrative steps to implement foreign assistance and other Department of State programs and activities. The Office of Risk Analysis and Management (RAM) is the sole organization designated within the Department to conduct counterterrorism name-check vetting. In addition, section 7034(e) of the Department of State, Foreign Operations, and Related Programs Appropriations Act, 2024 (Div. F, Pub. L. 118-47) and similar provisions in prior year acts specifically contemplates the implementation of counterterrorism name-check vetting (described in the provision as “partner vetting”) and establishes requirements for the expansion of the vetting program, which the Department addresses as appropriate.^[1] Section 7034(e) also provides that the Secretary may restrict the award of, terminate, or cancel contracts, grants, or cooperative agreements or require an awardee to restrict the award of, terminate, or cancel a sub-award based on information in connection with a partner vetting program. With respect to foreign assistance programs, section 635(a) of the Foreign Assistance Act of 1961 (FAA) provides that assistance may be provided on such terms as may be determined to be best suited to the achievement of the purposes of the FAA.

Consistent with U.S. law and Department policy, the Department makes every reasonable effort to guard against the risk that U.S. government activities could inadvertently benefit terrorist groups, their members, or supporters. Prior to furnishing assistance or providing funding, the Department first assesses the risk that funds, goods, services, or other resources to be provided could inadvertently benefit terrorist groups, their members, or their supporters, including people or organizations who are not formally designated as terrorists by the U.S. government but who may nevertheless be linked to terrorist activities.

Where such risk is identified by a State Department Program Office, one way to mitigate it is through name-check vetting. Start Printed Page 54370

The Department of State has been conducting name-check vetting for programs in certain select countries since 2012. Through a five-year joint pilot with the U.S. Agency for International Development (USAID) that concluded in 2017, 688 contracts and grants were subject to name-checking vetting, with 1,593 key individuals from 410 organizations being vetted. The Department of State's RAM vetting program is designed to gather information about key individuals employed at organizations seeking U.S. funding, as well as subcontractors or subgrantees, beneficiaries of programs, or other identified categories of individuals that receive some benefit from an award. That information is then vetted against public sources of information and information contained in non-public relevant U.S. government databases for ties to terrorist groups, their members, or their supporters.

The Joint State-USAID Pilot Program

The Department conducted a joint pilot program with the USAID starting in 2012. The joint State-USAID pilot was initially authorized under section 7034(o) of the Department of State, Foreign Operations, and Related Programs Appropriations Act, 2010 (Div. F, Pub. L. 111-117), and required consultations between the Department and USAID and the Committees on Appropriations prior to implementation.

The joint State-USAID pilot program included both agencies' programming in five countries—Guatemala, Ukraine, Lebanon, Kenya, and the Philippines. It was later expanded to include Afghanistan. These countries were chosen to reflect geographic diversity and a range of terrorist threat levels in contexts where comparable programs were being implemented by both agencies. During the pilot's early implementation, the Department and USAID received individuals' personal information through OMB-approved forms made available to the public via an online portal. The relevant individuals were vetted, and derogatory information identified was provided to the program office. The program office would then decide on whether to proceed in light of that information.

Throughout the joint pilot, the Department and USAID also sought feedback from nongovernmental stakeholders. Some key areas of concern noted during consultations included standardization of vetting procedures, data privacy, and exemptions. To reduce concerns about effort duplication, State and USAID created a steering group to coordinate and standardize processes and data collection. In addition, to reduce the burden placed on implementers, both agencies instituted online portals for submitting individuals' information, rather than using paper forms.

These online portals provided a secure platform and more streamlined means of submitting information and included instructions in multiple languages. Further, the agencies exercised best practices to protect submitted personal information throughout the joint pilot to ensure participants' privacy and minimize risk to those operating in more repressive contexts. Access to information submitted to the Department was limited within the Department to only those with a “need-to-know,” such as the analysts charged with conducting the vetting. Records were retained and disposed according to a standardized records schedule consistent with National Archives and Records Administration guidance.

The Department also implemented structures to ensure those without required documentation can still participate in programming after their case is reviewed on an ad hoc basis.

A report was provided to Congress in 2017 at the conclusion of the pilot, consistent with section 7034(e)(1) of the Department of State, Foreign Operations, and Related Program Appropriations Act, 2017 (Div. J, Pub. L. 115-31).

Following completion of the pilot program, the Department of State's name-check vetting program has continued to operate consistent with U.S. government and Department guidance, including the Department's Foreign Affairs Manual (FAM).^[2] The vetting program continues to be managed by the Office of Risk Analysis and Management (RAM) within the Department and continues to adapt to address feedback received, evolving needs of implementers, and dynamic global security challenges.

After the Department completed the joint pilot program with USAID, the number of countries under the RAM vetting program increased due to evolving circumstances in countries where Department programs are implemented. Programs in eight countries are currently subject to counterterrorism name-check vetting based on program offices' assessments of the risk that program resources will inadvertently provide a benefit to terrorist groups, their members, or their supporters. Additional countries could be added if the implementing program office, through its risk assessment process, assesses it is necessary to mitigate risk of foreign assistance or Department programs or activities inadvertently benefitting terrorist organizations or their supporters, subject to consultation with the Appropriations Committees, consistent with requirements in the annual appropriations acts for any significant expansion of the RAM vetting program. With respect to programs within each of these countries, the Department conducts a program-specific analysis and determines whether vetting is the appropriate risk-mitigation method for a particular award. Government-to-government assistance, and contributions to Public International Organizations, nonproliferation programs, other U.S. Government agencies, or the National Endowment for Democracy are not subject to vetting under this program.

Pre-Award Vetting and Source Selection

The Department applies name-check vetting to acquisitions and foreign assistance in countries, as needed, where the risk has been determined to necessitate the practice.

Offerors (potential recipients of contract or grant funds) applying or competing for State Department funding are made aware of the security screening requirement prior to application; when an acquisition, grant, contract, or cooperative agreement is subject to name-check vetting, a provision in the solicitation will notify offerors of the vetting requirements and procedures.

Vetting for contracts and grants is conducted prior to award, often when the Department establishes the competitive range (see 48 CFR 15.306(c)).^[3] For indefinite contracts—those that provide an indefinite quantity of supplies or services during a fixed period—vetting will take place before the basic contract is awarded, in anticipation of potential orders. For all other contracts, including those that qualify as simplified acquisitions or sealed bids, the Contracting Officer determines the appropriate timing to require offerors to submit individuals for vetting.

When the Department decides to move forward with vetting an offeror, the offeror will be instructed to submit the completed Risk Assessment Information Form, DS-4184 (all DS-4184 form submissions are made through the internet-based RAM Portal). The information collection tool (DS-4184) identifies the biographic Start Printed Page 54371 information required for the key individuals of the offeror, required subcontractors, and, if applicable, beneficiaries. (Note—no biometric information, such as fingerprints, are collected.) Offerors are informed that key individuals include principal officers of the organization's governing body ( e.g., chairman, vice chairman, treasurer and secretary of the board of directors or board of trustees), the principal officer and deputy principal officer of the organization ( e.g., executive director, deputy director, president, vice president), or the program manager for the U.S. government-financed program, and any other person with significant responsibilities for administration of the U.S. government-financed activities or resources.

U.S. persons' (U.S. citizens and lawful permanent residents) information submitted through the RAM Portal is subject to the Privacy Act of 1974, as well as other authorities and guidance pertaining to information security, disclosure, and disposition. While non-U.S. persons' information is not protected under the Privacy Act, the Department aims to provide robust privacy protections for individuals regardless of the citizenship status of the record holder. The Department takes the responsibility to protect personal information seriously, particularly in contexts where there is increased risk for participants. The Portal that the Form is submitted through is housed within Department of State servers and access is strictly controlled. The vetting office's systems are also subject to auditing under the Federal Information Security Modernization Act (FISMA), which requires specific infrastructure for the provision of information security.

Once all information is submitted through the RAM Portal, the vetting official ^[4] uses multiple commercial and investigative databases, public search engines, and both unclassified and classified systems operated by the Department and other U.S. government agencies to complete the name-check vetting. The RAM vetting official is also responsible for responding to questions from offerors about information to be included on the Form.

Upon completion of the vetting, the RAM vetting official conveys the vetting results of each vetted offeror to the relevant Department program office. The RAM vetting office will only identify and provide to the program office derogatory information with a potential nexus to terrorism activities or violations of United States policy ( i.e. human rights violations or sanctioned individuals/entities); other potentially unfavorable information ( e.g., disorderly conduct, speeding tickets, or a criminal conviction for operating a motor vehicle while intoxicated) would not be provided to the program office. A name-match alone would not typically be considered sufficient evidence that a key individual has derogatory information. The program office makes the ultimate decision regarding whether to move forward with an offeror, and vetting is only one factor among many that go into making this decision.

The Department's counterterrorism vetting program was designed to avoid adding a significant amount of time to the contracting and grant process. The process was also designed to avoid delays in an award, and the typical vetting case takes, on average, fewer than 14 days. Source selection proceeds separately from vetting, meaning that the name-check process for vetting occurs concurrently to other review processes. Generally, the Department finds there is no back-and-forth between the offeror and the RAM vetting office after the offeror completes and submits the DS-4184 except in limited circumstances when the RAM vetting office must re-contact the offeror to request missing information. In circumstances when derogatory information is identified and the program office informs the offeror that they are ineligible for the award, the offeror is entitled to request a redetermination of the decision and to provide additional documentation or explanation that may be used to make a revised determination. However, due to the sensitive nature of much derogatory information, the Department does not generally share such information with offerors if vetting is the cause of the Department's decision to not move forward with an offeror.

During the 5-year period of the pilot program, 4.6% of offerors had key individuals found to have derogatory information, and 2.98% were ultimately deemed to be ineligible to participate in the award.

Offerors who change any key individuals for any reason must submit their revised DS-4184 through the RAM Portal as soon as possible to allow for vetting of individuals not previously vetted. Name-check vetting may also be required for subcontractors and subgrantees. In most circumstances, only those subcontracts and subgrants for which consent is required in accordance with FAR clause 52.244-2 will be subject to name-check vetting. The contracting officer will not consent to a subcontract or subgrant until the subcontractor and subgrantee's key individuals have completed vetting. When the Department considers it appropriate, additional subcontracts for certain classes of items (supplies and services) that are considered higher risk may also be subject to vetting, even if Contracting Officer consent is not required. These classes of items will be identified in the solicitation, and the offeror will be responsible for ensuring that subcontracts at any tier are vetted through the RAM process before placing the subcontracts. In practice, this typically requires the prime contractor to include all known subcontractors when responding to the Department's solicitations. During this pre-award stage, offerors may either collect the necessary key individual information from subcontractors and subgrantees and directly submit it through the RAM Portal, or the subcontractors and subgrantees may submit it directly through the RAM Portal.

Post-Award Vetting

Per 14 FAM 247, all grantees and contractors (including subgrantees and subcontractors) subject to initial vetting must resubmit individuals for vetting annually or when they replace key individuals with individuals who have not been previously vetted for that contract or grant. Previously vetted offerors and their key individuals are also subject to vetting when responding to solicitations for new grants or contracts for which the Department deems vetting an appropriate risk mitigation measure.. However, because vetting is valid for one year, individuals submitted on multiple awards within a given year will only be vetted one time if the same personal information is submitted. Additionally, when vetting is determined to be appropriate for a given award as identified in the initial solicitation, the Department can require vetting at any time post-award at the Department's discretion, including for the final beneficiaries of the award.

Questions for the Public

The Department of State welcomes public comment on the discussion of existing RAM vetting processes as described above, but the Department would particularly benefit from commenters addressing one or more of the following questions with detailed explanations of the reasoning, data, or experiences informing their perspective. Start Printed Page 54372

Costs Associated With Name-Check Vetting

Under OMB Control NO. 1405-0204, the Department of State has historically estimated that it takes, on average, 90 minutes for a respondent ( i.e., an offeror) to fully complete the DS-4184 and to submit it through the RAM Portal. The Department estimates the average offeror submits information on five key individuals (and notes that this has ranged between one and 50 individuals), and the 90 minute estimate is inclusive of all the time it takes to learn the relevant instructions and information requirements, gather all necessary information and documentation from key individuals (including subcontractors and subgrantees), and compile that information into the RAM Portal and submit it to the Department.

1. Is our time estimate accurate for your organization? If not, please provide us an estimate of the time that your organization expends submitting a completed DS-4184 through the RAM Portal. This estimate may include some or all of the following factors, and commenters are encouraged to provide a specific breakdown of each element of the time commitment:

I. The time spent learning the requirements for RAM Vetting, including reading relevant instructions, understanding which individuals qualify as reportable key individuals, and learning how to navigate the RAM Portal.

II. The time spent explaining vetting requirements to all key individuals.

III. The time each key individual of your organization, as well as subcontractors and subgrantees, or final beneficiaries expends gathering the necessary information and documentation to be responsive to the information collected on the DS-4184.

IV. Any travel time directly associated with developing the information necessary to be responsive to the DS-4184.

2. Are there additional time or financial costs that are routinely incurred while responding to or submitting the DS-4184 that we have not previously captured?

3. On average, how many individuals does your organization include per submission for vetting? Please consider submissions of key individuals, subcontractors and subgrantees, and final beneficiaries who are required to submit vetting information in your estimate.

4. Have vetting requirements resulted in prospective grantee or contractor organizations choosing to not participate or drop out of the application process because of:

I. Concerns regarding the cost, capacity, or ability to develop or gather the necessary identity documentation or biographic information about their key individuals or other vetted parties?

II. Other reasons associated with difficulty or inability to comply with vetting requirements? Please provide those reasons.

5. What financial costs, if any, has your organization incurred associated with maintaining appropriate information technology or physical filing systems for protecting the biographic information that must be collected prior to completing the DS-4184?

Current RAM Vetting Procedures

As described in the background section, the entire RAM vetting process takes, on average, fewer than 14 days, typically does not require significant back-and-forth between the offeror and the Department of State, and occurs concurrently to other review processes the program office is conducting.

1. In your organization's experience or in your understanding of other organizations' experiences:

I. How frequently does RAM vetting require contacting the Department of State prior to submission of the DS-4184 in the RAM Portal to seek clarification regarding information that needs to be submitted or other challenges with navigating the RAM portal?

II. How frequently does RAM vetting involve the Department following-up with your organization after initial submission to request additional information or documentation? How much additional time is typically involved in responding to and submitting any follow-up requests for additional information?

III. Has your organization ever requested reconsideration of an initial determination of ineligibility? Was your organization able to provide the necessary explanation or additional documentation to successfully revise the Department's original determination of ineligibility?

2. How might the Department structure the reconsideration or appeals process to provide offerors adequate opportunity to rebut an initial determination of ineligibility due to derogatory information? What type of feedback from the Department would help allow the offeror to provide more effective documentation or explanation when requesting a reconsideration?

Footnotes