48 CFR § 824.103 - 824.103 Procedures.

---
identifier: "/us/cfr/t48/s824.103"
source: "ecfr"
legal_status: "authoritative_unofficial"
title: "48 CFR § 824.103 - 824.103   Procedures."
title_number: 48
title_name: "Federal Acquisition Regulations System"
section_number: "824.103"
section_name: "824.103   Procedures."
chapter_number: 8
chapter_name: "DEPARTMENT OF VETERANS AFFAIRS"
subchapter_number: "D"
subchapter_name: "SOCIOECONOMIC PROGRAMS"
part_number: "824"
part_name: "PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION"
positive_law: false
currency: "2026-04-05"
last_updated: "2026-04-05"
format_version: "1.1.0"
generator: "[email protected]"
authority: "5 U.S.C. 552a; 38 U.S.C. 5723-5724, 5725(a)-(c); 40 U.S.C. 121(c); 41 U.S.C. 1121(c), 1702; 38 CFR 1.550 through 1.562 and 1.575 through 1.584; and 48 CFR 1.301 through 1.304."
regulatory_source: "73 FR 2717, Jan. 15, 2008, unless otherwise noted."
cfr_part: "824"
---

# 824.103 Procedures.

(c) The contracting officer shall reference the following documents in solicitations and contracts that require the design, development, or operation of a system of records—

(1) VA Handbook 6500.6, Contract Security;

(2) VA Handbook 6508.1, Procedures for Privacy Threshold Analysis and Privacy Impact Assessment;

(3) VA Handbook 6510, VA Identity and Access Management—

(i) The contracting officer will ensure that statements of work or performance work statements that require the design, development, or operation of a system of records include procedures to follow in the event of a Personally Identifiable Information (PII) breach; and

(ii) The contracting officer shall ensure that Government surveillance plans for contracts that require the design, development, or operation of a system of records include monitoring of the contractor's adherence to Privacy Act/PII regulations. The assessing official should document contractor-caused breaches or other incidents related to PII in past performance reports. Such incidents include instances in which the contractor did not adhere to Privacy Act/PII contractual requirements.

[84 FR 45681, Aug. 30, 2019]