Download: docx | pdf

U.S. Department of Labor

Office of Federal Contract Compliance Programs

Affirmative Action Program Verification Interface

OMB Control No. 1250-New

1. Justification

The U.S. Department of Labor’s (DOL) Office of Federal Contract Compliance Programs (OFCCP) is requesting Office of Management and Budget (OMB) approval of a new information collection request (ICR). Following approval of this request, OFCCP will execute the Government Accountability Office (GAO) 2016 Equal Employment Opportunity: Strengthening Oversight Could Improve Federal Contractor Nondiscrimination Compliance report’s recommendation to collect and monitor Affirmative Action Programs (AAPs) from covered¹ federal contractors and subcontractors² on a regular basis. This will be done through a new online platform referred to as the Affirmative Action Program Verification Interface (AAP-VI).

Contractors within OFCCP’s jurisdiction that meet certain contract dollar and employee thresholds have an obligation to develop and maintain AAPs. However, OFCCP does not have a method to regularly collect the AAPs that these contractors are required to develop and maintain outside of compliance evaluations and complaint investigations. According to the 2016 GAO report, OFCCP historically “conducts evaluations for about 2 percent of federal contractor establishments annually” through its compliance evaluations and complaint investigations.³

To address this low percentage, the 2016 GAO report recommended OFCCP “develop a mechanism to monitor AAPs from covered federal contractors on a regular basis. Such a mechanism could include electronically collecting AAPs and contractor certification of annual updates.”⁴ In response to the 2016 GAO report’s open recommendation, OFCCP developed AAP-VI, a data management capability that also supports the agency’s new compliance management system (CMS). OFCCP designed AAP-VI to increase contractor compliance by creating an annual certification process and to optimize the compliance review process by creating a tool for scheduled contractors to upload their AAPs electronically for OFCCP’s review.

In addition to being responsive to the GAO report, AAP-VI supports the President’s Management Agenda (PMA) and the Administration’s mandate for all government entities to transition to electronic business processes and recordkeeping. Specifically, it supports two of the PMA’s three drivers: Modern Information Technology (IT) and Data, Accountability, and Transparency. AAP-VI is one part of OFCCP’s plan to transition its compliance evaluation processes and recordkeeping to a fully electronic mode.

For several years, OFCCP has encouraged contractors to submit AAPs and other information electronically. Contractors typically maintain the information that OFCCP requests in an electronic format. AAP-VI is a logical extension to this best practice. OFCCP designed AAP-VI to work in coordination with its new CMS, integrating case files in the cloud to streamline operations and to enhance internal communication and collaboration nationwide. During a compliance evaluation, CMS allows users to execute case actions, edit templates, and enter case data to process cases more quickly. When a contractor uploads its AAP using AAP-VI, it will be available to OFCCP staff conducting the compliance evaluation in CMS. Internal access to AAP-VI is not offered agency-wide and is limited to fewer than 10 agency staff, who are directly assigned to administer and support the interface. This streamlined document management process increases government efficiency and further transitions OFCCP to electronic business processes and recordkeeping.

Contractors currently have the option to submit information to OFCCP via email or using a delivery, courier, or postal service. Unlike AAP-VI, OFCCP does not have control nor can it guarantee the security of a sender’s email server or hand-delivery services. Any third-party email hosting provider can gain read-and-write access to data sent via their servers. Thus, enabling a direct connection between the contractor and AAP-VI vastly decreases the chances of data breach compared to email submissions.

OFCCP designed AAP-VI to be in compliance with the Federal Information Security Modernization Act of 2002 and the strict access controls and standards established by the National Institute of Standards and Technology (NIST).  In its publication NIST SP 800-53, NIST details the security protocols and standards with which all federal agencies must comply. External access to AAP-VI is controlled via a multi-layered process.  The first process requires the use of two-factor authentication via Login.gov, before initial entry to AAP-VI is granted.  Login.gov encrypts the sensitive personal information of each user separately using a unique value generated from each user’s password. This encryption method works like a safe deposit box in a bank vault. Only the user has the key, can open the box to reveal the contents, knows the password, and can decrypt their information. The second layer requires the user to enter company-specific information of which only the company representative, OFCCP, and the Equal Employment Opportunity Commission know. 

AAP-VI’s web portal is built on a Drupal platform. Drupal is fast becoming the go-to content management system for government agencies due to its built-in security modules, including the following:

 

• Security Kit that deals with any issue or attack concerning HTML injection;

• Login Security that denies full access to the content; 

• Password Policy that requires passwords to be more complicated; 

• Website Captcha and Secure Login that enable safe login procedures and prevent user data theft; and

• XSS Protection module that protects the website from XSS attacks.

 

As previously mentioned, though OFCCP staff conducting the compliance evaluation would be able to access uploaded AAPs in CMS, internal access to AAP-VI is not offered agency-wide and is limited to fewer than 10 agency staff.  Internal agency staff are required to use their Personal Identification Verification card in order to access the interface.  Any data is secured using approved and compliant cryptographic mechanisms and algorithms to secure data transmitted, processed, and stored by the interface, according to NIST Federal Information Processing Standards which are verified by the Office of the Chief Information Officer.

1. Legal and Administrative Requirements

OFCCP administers and enforces the three equal employment opportunity laws listed below, which prohibit employment discrimination and set affirmative action requirements for contractors that meet OFCCP’s jurisdictional thresholds.⁵

• Executive Order 11246, as amended (EO 11246)

• Section 503 of the Rehabilitation Act of 1973, as amended (Section 503)

• Vietnam Era Veterans’ Readjustment Assistance Act of 1974, as amended (VEVRAA)

Executive Order 11246

EO 11246 prohibits contractors from discriminating against applicants and employees based on race, color, religion, sex, sexual orientation, gender identity, and national origin and requires contractors to take affirmative action to ensure that equal opportunity is provided in all aspects of their employment. Additionally, it prohibits contractors from taking adverse employment actions against applicants and employees for inquiring about, discussing, or disclosing information about their pay or the pay of their co-workers, subject to certain limitations. EO 11246 applies to contractors (including federally assisted construction contractors) holding a government contract in excess of $10,000, or government contracts that have, or can reasonably expect to have, an aggregate total value exceeding $10,000 in a 12-month period. EO 11246 also applies to government bills of lading, depositories of federal funds in any amount, and to financial institutions that are issuing and paying agents for U.S. savings bonds and notes in any amount.

Furthermore, EO 11246 section 202(6) stipulates that contractors will furnish all information and reports required by EO 11246 for the Secretary of Labor and will permit access to books, records, and accounts by the contracting agency and the Secretary of Labor for purposes of investigation to ascertain compliance with EO 11246 and its regulations.

41 CFR Part 60-1 – Obligations of Contractors and Subcontractors

This part prescribes the nondiscrimination and general affirmative action requirements under EO 11246 and contains recordkeeping, reporting, and third-party disclosure requirements.

41 CFR Part 60-2 – Affirmative Action Programs

This part prescribes the scope, application, purpose, and contents of AAPs under EO 11246.

Section 60-2.1 requires the development and maintenance of an AAP under EO 11246. This section requires each non-construction contractor with 50 or more employees to develop an AAP for each of its establishments if the contractor meets any of the following criteria:

• has a contract of $50,000 or more;

• has government bills of lading which in any 12-month period total or can reasonably be expected to total $50,000 or more;

• serves as a depository of government funds in any amount; or

• is a financial institution that is an issuing and paying agent for U.S. savings bonds and savings notes in any amount.

Contractors are required to develop AAPs within 120 days from the commencement of a contract and must update the AAPs annually.

Sections 60-2.10 and 60-2.32 provide that contractors must maintain and make available to OFCCP documentation of their compliance with the Executive Order, specifically including contractors’ AAPs.

VEVRAA

VEVRAA prohibits contractors from discriminating against protected veterans, namely, disabled veterans, recently separated veterans, active duty wartime or campaign badge veterans, and Armed Forces service medal veterans. VEVRAA also requires contractors to take affirmative action to employ, and advance in employment, qualified protected veterans. Its requirements apply to contractors with a government contract of $150,000 or more.⁶

41 CFR Part 60-300 – Affirmative Action and Nondiscrimination Obligations of Federal Contractors and Subcontractors Regarding Disabled Veterans, Recently Separated Veterans, Active Duty Wartime or Campaign Badge Veterans, and Armed Forces Service Medal Veterans

This part establishes the nondiscrimination and affirmative action requirements under VEVRAA.

Section 60-300.40 requires each contractor with 50 or more employees and a contract of $150,000 or more to develop a VEVRAA AAP for each establishment within 120 days of the commencement of a contract.⁷ This section also requires contractors to review and update their AAP annually and to submit their AAP to OFCCP upon request.⁸

Section 60-300.44 identifies the required elements of an AAP.

Section 503

Section 503 prohibits contractors from discriminating against applicants and employees based on disability and requires contractors to take affirmative action to employ, and advance in employment, qualified individuals with disabilities. Section 503 applies to contractors with a government contract in excess of $15,000.⁹

41 CFR Part 60-741 – Affirmative Action and Nondiscrimination Obligations of Federal Contractors and Subcontractors Regarding Individuals with Disabilities

This part establishes the affirmative action and nondiscrimination obligations under Section 503.

Section 60-741.40 requires each contractor with 50 or more employees and a contract of $50,000 or more to develop a Section 503 AAP for each establishment within 120 days of the commencement of a contract.¹⁰ This section also requires contractors to review and update their AAP annually and to submit their AAP to OFCCP upon request.¹¹

Section 60-741.44 identifies the required elements of an AAP.

Platform Interface

AAP-VI will consist of five user interface sections. There are two paths for a contractor to access AAP-VI. For the first path, OFCCP will send an email invitation to every known federal contractor establishment within its jurisdiction that meets its AAP submission thresholds. The contractor will follow instructions in the email (and described generally below) to gain access. For the second path, the agency will post a notice on its website about the annual certification and the AAP submission requirements for scheduled contractors. The notice will contain AAP-VI registration instructions for contractors and subcontractors, in the event that OFCCP does not have a correct email address.

The term “user” in this section refers to the designated employee at each federal contractor’s headquarters or establishment who are tasked with AAP compliance. OFCCP will allow contractors to determine how many users to authorize internally to access AAP-VI based on their unique company structure. The five user interface sections include the following:

1. Login.gov;

2. Contractor Verification;

3. Account Profile;

4. Annual Certification; and

5. AAP Upload.

Login.gov

Each user will first be prompted to log in or create an account using Login.gov. The user will be granted access to enter the AAP-VI system once Login.gov has validated the user through its two-factor authentication process.

Contractor Verification

Once inside AAP-VI, users will only be able to access the information that OFCCP pre-populated from EEO-1 filings about the contractor’s establishment(s) by providing information unique to the contractor (e.g., EEO-1 Filing Headquarters Number and Employer Identification Number (EIN)). AAP-VI validates that the user is authorized by the contractor by checking that the unique contractor identifying information provided by the user matches the information that OFCCP has for that contractor.

Account Profile

Once verified, users can confirm that the populated contractor information is correct. The contractor information generally includes EEO-1 information on Establishment Name, Parent Name, Unit Number, Headquarter Number, Establishment Address, Establishment Status, EIN, DUNS, NAICS, Employee Count, and contact information (Name, Title, Phone, Email). Upon confirmation of this information, users will be shown a list of the contractor establishments.

Annual Certification

On an annual basis, each user will use AAP-VI to select one of the below responses to fulfill its annual certification requirement.

1. Entity has developed and maintained affirmative action programs at each establishment, as applicable, and/or for each functional or business unit. See 41 CFR Chapter 60.

2. Entity has been party to a qualifying federal contract or subcontract for 120 days or more and has not developed and maintained affirmative action programs at each establishment, as applicable. See 41 CFR Chapter 60.

3. Entity became a covered federal contractor or subcontractor within the past 120 days and therefore has not yet developed applicable affirmative action programs. See 41 CFR Chapter 60.

Existing contractors will have 90 days to comply with the certification requirement once it takes effect. The effective date will be 90 days after OMB approves this collection. New contractors and existing contractors who become subject to AAP requirements after the effective date will have 90 days to certify compliance after they have developed their AAP(s).¹²

During the 90-day period, OFCCP will provide compliance assistance to contractors upon request. Contractors will not be cited for violations or otherwise targeted for enforcement because they seek assistance complying with the AAP-VI certification requirement.

After the initial certification year, OFCCP will set a date by which all existing contractors must renew their annual certification.

AAP Upload

If OFCCP schedules a contractor for a compliance evaluation, a user for that contractor will select the scheduled establishment(s), functional business unit, or corporate headquarters and upload the applicable AAP(s) to the portal.

2. Use of Collected Material

OFCCP will use the material collected in this ICR to evaluate AAPs submitted by scheduled contractors under its jurisdiction and to verify that contractors are annually certifying their compliance with federal contracting obligations.

3. Use of Information Technology

In general, under OFCCP’s regulations, each covered contractor develops its own methods for collecting and maintaining information. Contractors have the option to use methods that best suit their needs as long as they can provide OFCCP with the information needed as a part of the AAP.

OFCCP will require scheduled contractors to submit their AAPs electronically using AAP-VI. Pursuant to the Government Paperwork Elimination Act (GPEA), government agencies must provide the option of using and accepting electronic documents and signatures, and electronic recordkeeping, where practicable.¹³ OFCCP fulfills the GPEA requirements by facilitating electronic transmission of contractors’ documentation. As noted above OFCCP believes that AAP-VI provides a more secure means of AAP transmittal than email.

4. Describe Efforts to Identify Duplication

This collection represents a partial duplication. The General Services Administration (GSA) collects and maintains responses to questions similar to those in the “Annual Certification” section above from all entities holding federal contracts, regarding whether the contractor has properly developed and maintained AAPs at its establishments.¹⁴ OFCCP contacted GSA to initiate the process of sharing the certification data that GSA collects using the System for Award Management (SAM), but the two agencies were not able to come to an agreement on sharing this data. Therefore, OFCCP will collect the data through AAP-VI, as described in this ICR.

To eliminate duplication of effort, DOL recommends that GSA remove its affirmative action compliance question from the SAM portal. In the spirit of inter-governmental cooperation, DOL would share an AAP verification data file with GSA.

Additionally, the current SAM system does not allow for comprehensive and informative reports. Even though GSA is upgrading its platform, the new platform will lack the capability to produce a comprehensive report that assists OFCCP in its compliance oversight. This ICR would allow OFCCP, the agency responsible for ensuring compliance with federal contractor AAP requirements, to run a comprehensive and informative report identifying the AAP status of covered federal contractors.

5. Impact on Small Business

OFCCP minimizes the information collection and recordkeeping burden on a significant number of small businesses, as listed below.

• Contractors with fewer than 50 employees are exempt from the AAP requirement, and would have no additional burden under this information collection.

• The portal will require minimal resources from contractors, and OFCCP will ensure that it is easy to use and accessible for small contractors.

6. Consequences of Less Frequent Collection

The 2016 GAO report indicated that OFCCP historically conducted compliance evaluations and collected AAPs annually for about two percent of all contractors in its jurisdiction.¹⁵ Due to this limitation, GAO stated that OFCCP is unable to determine the extent to which all contractors are complying with equal employment opportunity requirements. Instead, the report pointed out that OFCCP relies on contractors to comply with equal employment opportunity requirements, and some contractors may not be completing certain required activities.¹⁶

Without the data collection being proposed in this ICR, OFCCP will continue to lack the ability and resources to ensure AAP compliance by all contractors.

7. Special Circumstances

This collection is consistent with the guidelines in 5 CFR 1320.6.

8. Consultation Outside the Agency

Overview

On September 14, 2020, OFCCP published a 60-day notice in the Federal Register (85 FR 56635) soliciting comments from the public concerning its proposal to obtain approval from OMB to implement AAP-VI. OFCCP specifically requested comments which:

• Evaluate the proposed frequency and level of information collection;

• Evaluate whether the proposed collection of information is necessary for the enforcement and compliance assistance functions of the agency that support the agency's compliance mission, including whether the information will have practical utility;

• Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;

• Enhance the quality, utility, and clarity of the information to be collected;

• Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses; and

• Provide feedback on alternative options to the proposed collection.

OFCCP reviewed each of the 16 comments it received during the 60-day period. Comments were submitted by federal contractor consultants, attorneys, employer associations, and individuals.¹⁷

OFCCP received a mix of comments, some in support of the proposed information collection, some opposed, and others requesting clarification on certain items in the ICR. Respondents provided a range of opinions on the options presented for annual certification and AAP upload, and were unified in their desire to minimize the burden placed on contractors. The commenters expressed the need for AAP-VI to have proper data security measures to ensure the safe upload of contractors’ AAPs. They also requested more detail about the information OFCCP seeks to collect and the Login.gov verification process. Some comments raised concerns that OFCCP underestimated the burden associated with the proposed collection and, in one instance, stated that the agency would exceed its regulatory authority by collecting the information.

OFCCP carefully considered all of the comments and determined to proceed with a required annual certification for all federal contractors and subcontractors combined with a requirement for contractors to upload their AAPs using the portal if OFCCP schedules them for a compliance evaluation. The agency separately addresses comments for all of the issues in detail, below.

Annual Certification and AAP Upload

Some commenters supported the proposal for annual certification and AAP upload for scheduled contractors, and applauded OFCCP for developing a secure method for contractors to provide AAP documents during a compliance evaluation. They stated that the interface does not increase the burden for contractors and will improve security. (The agency also received comments questioning the system’s security measures and burden estimates, which are addressed below.)

One commenter requested that OFCCP accept the information in a variety of different formats (including pdf and zip files), to account for differences in the way contractors might prepare and present their AAPs to the agency. As mentioned in the proposal, the interface will accept the information provided by contractors in several formats (e.g., .pdf, Microsoft Word, Microsoft Excel).

One comment recommended that the use of the interface for AAP upload be voluntary, to allow contractors to submit their AAPs using existing methods (e.g., email) – at least within the first few years of AAP-VI implementation. OFCCP has determined that AAP-VI provides the most efficient, effective, and secure method for ensuring compliance with contractors’ basic affirmative action obligations. Therefore, using the portal to submit AAPs for contractors scheduled for compliance evaluations will be mandatory based on the agency’s authority to collect required data and the regulatory requirement for contractors to maintain and make their AAPs available to OFCCP. See 41 CFR 60-2.10, 60-2.32, 60-300.40(c) and (d), and 60-741.40(b)(3) and (c). However, OFCCP will need to update the collection instruments (i.e., Scheduling Letters) approved under OMB Control Number 1250-0003 to clarify the method of AAP submission for compliance evaluations. Therefore, the requirement to submit AAPs through the portal during compliance evaluations will not be implemented until the letters have been updated and approved by OMB. This provides OFCCP more time to prepare contractors to use the portal for AAP submissions.

Some commenters opposing the ICR stated that annual certifications should only occur during an evaluation. OFCCP disagrees with maintaining the status quo. Currently, the only time the contractors certify their AAP requirements to OFCCP is during an evaluation. The underlying purpose of AAP-VI is to ensure that all contractors are fulfilling their AAP obligations on an annual basis, one of the recommendations presented in the 2016 GAO report.¹⁸ As stated above, OFCCP can only schedule a fraction of the number of contractors for evaluations each year; AAP-VI would be less burden than OFCCP conducting more compliance evaluations on an annual basis, and it allows contractors to self-certify their AAP compliance. Another comment stated that AAP-VI would be yet another step in the already complicated process of creating an AAP, and would have a negligible benefit on the workforce, as most contractors would still not be scheduled for compliance evaluations. OFCCP also disagrees with this comment. Contractors are already required to answer a similar certification question for GSA about whether they have properly developed and maintained AAPs at their establishments. Reporting the same information to OFCCP takes a minimal amount of additional time. AAP-VI is a simple mechanism by which contractors can annually certify their compliance with the equal employment opportunity (EEO) laws that OFCCP enforces by selecting one of the three options provided above. Also, developing and maintaining an AAP is a crucial component of EEO compliance because AAPs help contractors identify problem areas and plan steps to correct those problems, related to the contractor’s affirmative efforts to recruit, hire, promote, and retain qualified workers regardless of race, color, religion, sex, sexual orientation, gender identity, national origin, disability or status as a protected veteran.

OFCCP specifically asked commenters to provide feedback on three alternate certification and AAP upload options provided by the agency. Below are each of the alternate options, a summary of comments for each option, and OFCCP’s responses to the comments.

Option 1: All contractors would be required to certify annually. Contractors who are scheduled for a compliance evaluation will submit their AAPs as they currently do, via email or a delivery service. One commenter supported this option, stating that since AAPs are required annually, a certification requirement should be made on a similar timeline. OFCCP agrees that there is benefit to annual certification for reasons stated herein. However, the agency decided that AAP-VI provides a more efficient and safer method of AAP submission than email or hand delivery.

Option 2: All contractors would be required to certify and upload their AAPs on an annual basis. None of the commenters supported this option, which they considered too burdensome to maintain compliance. One commenter also stated that it would be more difficult for larger contractors to meet the deadline for submission, as they claimed that some AAPs would still be in the process of being created or updated. Commenters thought that providing AAPs outside of an evaluation would provide no value, increase security risk, and might result in out-of-date documentation being stored in the system. Ultimately, after considering the comments for this option, OFCCP determined not to pursue it. The agency reassures commenters that electronic submission via the interface provides a secure environment for their data with the safeguards described herein.

Option 3: All contractors would be required to certify every two years. Contractors who are scheduled for a compliance evaluation will submit their AAPs as they currently do, via email or a delivery service. Commenters broadly supported this option as being the least burdensome to contractors, and, in their view, more closely aligned with OFCCP’s burden estimate. Commenters also said that biennial certification of AAPs would be beneficial to contractors who have not completed their AAPs by the time the certification is required. However, while Option 3 may be less burdensome, it would not meet OFCCP’s goals to ensure contractors maintain and develop AAPs on an annual basis. If existing contractors are complying with their obligations, they would have developed or updated their AAP within the past 12 months and can certify on an annual basis. New contractors that are in the process of developing an AAP at the time of certification can select the option in AAP-VI stating they are a new entity within the past 120 days and are still in the process of developing one.

For the reasons described above, OFCCP will proceed with annual certification by all federal contractors combined with use of the portal to collect AAPs when contractors are neutrally scheduled.

Burden

OFCCP received several comments regarding its burden estimates. Commenters generally thought the agency’s estimates for annual certification and AAP upload were too low.

One commenter stated that the time estimated for submitting AAPs didn’t account for the time spent by contractors to convert the AAP to an electronic format or otherwise prepare the documents for uploading, and that the time given in the supporting statement only accounts for time spent at the computer and physically using the interface. After assessing the comment, OFCCP decided to retain the .2 hour estimate for AAP upload for contractors who already maintain their AAPs in an electronic format.¹⁹ For commenters who have to convert AAPs from a paper format to an electronic format (by scanning the documents into a computer in the format they are in), OFCCP has increased the estimate to .5 hours. The updated burden analysis is captured in Paragraph 12 of the Supporting Statement.

Commenters anticipate it will take much more time for larger organizations to register, verify their establishment lists from year to year, and submit the documents that OFCCP requires in a format compatible with AAP-VI. In this ICR, OFCCP assesses burden by establishment. Therefore, the total burden for a parent company with multiple establishments is the sum of the burden of each individual establishment. Thus, OFCCP has accounted for the increased time for larger organizations with more establishments to certify AAPs for each of its establishments. In addition, OFCCP reminds contractors that they can submit AAP documents in a variety of electronic formats (e.g., .pdf, Microsoft Word, Microsoft Excel), which minimizes time needed for additional formatting.

One comment claimed the agency’s estimates neither acknowledge that contractors will typically be required to submit additional information to the OFCCP during the course of a compliance evaluation, nor include a burden estimate for the time involved in uploading those responses to the agency. Currently, OFCCP will only be accepting AAPs through the AAP-VI portal; any additional information requested by OFCCP would not be submitted through the portal. Thus, the agency declines to include estimates for such additional information requests in this ICR.

One commenter said that OFCCP’s estimates do not account for the process representatives undergo to request and obtain the requisite approval before making the certification. They claim that this process could take a significant amount of time, especially if large uploads are required for multi-establishment contractors. As stated above, contractors are already required to answer a similar certification question for GSA. Reporting the same information to OFCCP takes a minimal amount of additional time and shouldn’t require additional time for internal approval. For this information collection, OFCCP is only assessing burden for the process of logging in and answering one certification question. As part of the AAP, contractors must designate an official who has sole responsibility and authority to ensure implementation of the AAP. OFCCP believes the amount of time it would take for the contractor establishment’s designated official to determine whether an AAP has been created at that establishment is de minimis. The AAP upload will only be required for establishments scheduled for a compliance evaluation. For these reasons, the agency declines to change the burden estimate.

One commenter suggested that OFCCP consider verification by contractor, rather than establishment, in order to limit burden. Compliance with OFCCP’s affirmative action regulations is required at the establishment level, not the contractor level. Therefore, the annual certification should be required for each individual establishment. It would not decrease burden to consider verification by contractor because the contractor would still be responsible for verifying each of their establishments.

One commenter requested clarification as to whether direct federal construction contractors subject to AAP coverage under Section 503 and VEVRAA would need to comply with the proposed AAP-VI certification requirement. For this information collection request, OFCCP only seeks annual certification for supply and service contractors; construction contractors would not be required to certify compliance or submit AAPs through AAP-VI. Thus, OFCCP did not assess burden for direct federal construction contractors to certify annually that they developed and maintained Section 503 and VEVRAA AAPs.

Data Security

OFCCP received support for its development of a secure portal though which contractors can upload their AAPs. One commenter reiterated that the interface will improve security to the document submission process. Another also praised the proposed interface, provided that it would be secure. Commenters broadly expressed concerns about uploading sensitive information through AAP-VI, and would like more information about the security measures that will be in place to prevent a data breach. Commenters also requested more information about the interface, including log in, verification, and profile procedures. OFCCP reiterates its commitment to keeping all data submitted by contractors secure. The agency takes the concerns of the regulated community seriously in this regard, and has worked with data security experts at the Department to create a system that provides far greater data security than what exists through the current AAP submission process.

Several commenters sought clarity on how OFCCP will decide which contractor official will be emailed the contractor’s unique identifier and AAP-VI registration invitation. One commenter asked for more information about what emails OFCCP plans to send and how it obtained its establishment list. The commenter suggested that OFCCP should target contractor officials responsible for certifying the report as well as the company contact or agreement contact for contractors with FAAP agreements. A commenter also requested clarification as to whether OFCCP will use the unit numbers that the EEO-1 report assigns to establishments or a different identification process. OFCCP plans to obtain its initial list of contractor establishments using Employer Information Report (EEO-1) filings. The agency will use information contained in the EEO-1 report to populate AAP-VI registration invitations. Each contractor will have an opportunity to update its designated user information once it logs into AAP-VI. If a contractor does not receive an email invite and does not possess the unique identifiers needed to register for AAP-VI, contractors can enter AAP-VI as a new user and complete account registration and verification as described above. Ultimately, contractors are responsible for providing up-to-date establishment information using AAP-VI. Once a designated user is in the system, they can make changes to the contractor structure and add or remove designated users for the contractor.

In a similar vein, a commenter requested that OFCCP anticipate the impact of changes in human resources information systems, such as mergers and acquisitions, on the verification and certification processes, as well as provide detailed instructions so that contractors do not have problems with incorrect, duplicate, or other issues related to such changes. OFCCP will provide detailed instructions in its communications with contractors who must annually certify AAP compliance in AAP-VI, and provide clear instructions in AAP-VI for how contractors can update their information.

A commenter also suggested that the contractor should have the right to control who has access to the site, since it was claimed that unauthorized individuals could be granted accounts, and recommended that there be one person at each contractor organization to determine who its designated users are and to identify those persons to the agency. Commenters also recommended that OFCCP should communicate only with those persons identified by the contractor. OFCCP confirms that contractors will be able to control who has access to AAP-VI by only providing the unique contractor information needed to gain entry into AAP-VI to the users the contractor wishes to designate. OFCCP will initially only communicate with contractor contacts identified in the EEO-1 filings that OFCCP uses to pre-populate AAP-VI. After that, OFCCP will communicate with whomever the contractors have designated as users.

Regarding Login.gov, some commenters expressed concerns about managing access to accounts, and how the unique company identifier would be established to complete account verification. To clarify, Login.gov would not require a unique company identifier. Rather, it serves as a gateway to enter AAP-VI. Once inside AAP-VI, a user would then need to provide unique contractor identifier(s) in order to access information about the contractor, complete the annual certification requirement, or upload an AAP.

One commenter asked whether FAAP submissions will have to validate the respective list of establishments. They recommended that OFCCP should ask the contractor whether it prepares its plans on an establishment basis, a functional basis, or a hybrid basis, since they claimed that a contractor that prepares its AAPs only on a functional basis should be relieved from having to validate each of its establishment locations. OFCCP declines to change the wording of the certification questions. In AAP-VI, as described above, contractors will be required to certify whether they have AAPs for each establishment and/or functional unit, as applicable.

Some commenters requested that the AAP submissions should be voluntary rather than mandatory due to concern for confidentiality. They claimed that storing employer data outside of an audit creates a security risk. OFCCP acknowledges the security concerns, and has taken precautions to ensure the safety of the information submitted through the portal. As described above, AAP-VI will be built on the Drupal platform, which is protected with multiple layers of safeguards, including a Security Kit that deals with any issue or attack concerning HTML injection; complicated password requirements like Captcha and Secure Login to ensure safe login measures; and an XSS Protection module that safeguards the website from XSS attacks. Data submitted through the portal is also protected by encryption and algorithmic mechanisms to ensure safe transmission and is stored according to NIST and DOL OCIO standards. For these reasons, OFCCP declines to make AAP submissions using the portal voluntary. AAP submissions through the portal will be mandatory for establishments scheduled for compliance evaluations.

One commenter requested that data be restricted to OFCCP employees on a need-to-know basis, and that OFCCP could reassure employers by: confirming to the contractor which OFCCP staff will have access to the data; prohibiting the sharing of these data with other staff within the agency via unsecure methods; and, deleting any data that has been submitted or shared after the data has served its purpose. OFCCP confirms that less than 10 agency personnel and contract staff, including program analysts, managers, and directors, will have access to all of the contractor information in AAP-VI. No one outside of this group will be given this level of access. Agency staff who are assigned compliance evaluations will receive AAPs submitted for the evaluation. The agency will retain the data in accordance with its records management requirements. To maintain consistency in operations, the process which will be used to update designated internal user access will follow the currently approved agency protocols to access other governmental information technology platforms.

Frequency of Audits

Several commenters stated that OFCCP repeatedly schedules the same contractors for compliance evaluations, with some parent companies appearing multiple times on the same compliance evaluation schedule. OFCCP reiterates that it uses neutral selection procedures to schedule its audits, and that contractors are chosen out of its establishment pool based on application of neutrally applied objective factors. One benefit of AAP-VI will be that OFCCP will be able to use annual certification as an additional criterion for the scheduling process. Using that criterion, contractors who fail to self-certify or who state that they have not developed an AAP as required by law would be more likely to be on the scheduling list than contractors that have self-certified. This criterion will help OFCCP achieve its strategic goal of enforcing the law efficiently and maximizing the use of its resources by focusing on likely violators. The implementation of AAP-VI gives the agency the opportunity to focus evaluation on non-certifying contractors, who may be more likely to have a technical violation or a discrimination violation, under the view that companies with compliance programs are less likely violators.

Legal Authority

One commenter maintained that OFCCP has no regulatory authority to collect the information, stating that the agency must first engage in rulemaking in order to have authorization for annual certification outside of any compliance evaluation. The commenter stated that covered contractors are not required to provide any AAP compliance certification under EO 11246, and neither does the Order require submission of AAPs outside of active OFCCP investigation. Additionally, the commenter claimed that the language in the ICR concerning the maintenance and development of AAPs was too vague to meet contractors’ due process rights.

OFCCP maintains that it has legal authority to conduct this ICR and implement the use of AAP-VI interface as part of its mission to enforce the regulations under EO 11246, Section 503, and VEVRAA. These regulations require contractors to develop and maintain written affirmative action programs, and provide that contractors must make available to OFCCP documentation of their compliance. See 41 CFR 60-2.10(c), 60-2.32, 60-300.40(c) and (d), and 60-741.40(b)(3) and (c). Further, OFCCP’s regulations also allow the agency to require contractors to prepare and submit annually an affirmative action “program summary.” Id. at 60-2.31.²⁰ The annual certification is perhaps the least burdensome way to effectuate this regulatory provision, as it requires only that contractor establishments check a box to indicate their compliance status. AAP-VI is designed to help facilitate submission of this documentation. Therefore, OFCCP is within its rights to conduct this ICR and rejects the claim that to do so would be outside its regulatory authority.

9. Gifts or Payments

No payment or gift will be provided to participants.

10. Confidentiality of Information

In the case of a Freedom of Information Act (FOIA) request, OFCCP will evaluate all information pursuant to the public inspection and disclosure provisions of FOIA, 5 U.S.C. 552, and DOL’s implementing regulations at 29 CFR Part 70. OFCCP notifies in writing those contractors whose records are subject to a FOIA request. OFCCP makes no decision to disclose the information until contractors have an opportunity to submit objections to its release.

As described in Section 1, the contractor verification steps will protect contractors’ information from fraudulent activity. Using the unique identifiers described, a third party cannot impersonate the contractor and submit or modify any of the information contained in AAP-VI.

11. Questions of Sensitive Nature

No sensitive questions are involved.

12. Information Collection Hour Burden

This ICR carries only a reporting burden that applies to all three laws enforced by OFCCP. The recordkeeping burden for the information collected is covered in three other ICRs: Supply and Service Scheduling Letter (OMB Control No. 1250-0003), Section 503 Recordkeeping (OMB Control No. 1250-0005), and VEVRAA Recordkeeping (OMB Control No. 1250-0004). The burden for this ICR is broken down below:

• One-time burden for all users who are existing federal contractors: Users will go to Login.gov to certify their status using a two-factor authentication and verify their account profile. It will take the user .3 hours to complete these tasks. The total burden for existing contractors is 35,069 hours (.3 hours x 116,898 contractor establishments).²¹

• Annual burden for users who are new federal contractors: New contractors will go to Login.gov to certify their status using a two-factor authentication and verify their account profile. OFCCP estimates that one percent of its contractor universe will be new to federal contracting each year. The total annual burden for users at new contractors is 351 hours (.3 hours x 1,169 new contractor establishments).²²

• Annual burden for AAP Submission of scheduled contractors: Contractors scheduled for a compliance review, compliance check, or focused review will be required to upload their AAPs to the portal. OFCCP estimates that approximately 50 percent of contractors currently maintain their AAPs electronically and 50 percent of contractors currently maintain their AAPs in a paper format. The total annual burden for scheduled establishments who maintain their AAPs electronically is 500 hours (.2 hours x 2,500 contractor establishments). The total annual burden for scheduled establishments who maintain their AAPs in a paper format and will have to convert them to an electronic format for submission is 1,250 hours (.5 hours x 2,500 contractor establishments).²³ The total annual burden for this requirement is 1,750 hours (500 hours + 1,250 hours).

• Annual burden for certification for all contractor establishments: Every contractor will be required to access the portal annually to answer a certification question. The total annual burden is 11,690 hours (.1 hours x 116,898 contractor establishments).

The total burden for the first year is 48,509 hours (35,069 hours + 1,750 hours + 11,690 hours). The total burden for subsequent years is 13,791 hours (351 hours + 1,750 hours + 11,690 hours). The average annual burden is 25,364 hours.²⁴ OFCCP estimates the burden hours translate to approximately $1,822,403 in burden costs to contractors (25,364 hours x $71.85). ²⁵

13. Information Collection Cost Burden

OFCCP does not require a specific software, program, or format for the development, annual update, and maintenance of AAPs, nor will it for the online portal. As such, there is no cost burden associated with this information collection such as software purchasing or copying and mailing costs.

14. Cost to the Federal Government

There are three costs to the Federal Government regarding this ICR: (1) one-time development cost for Federal Government employees, (2) one-time contracted labor cost, annual AAP-VI site hosting, and operations and maintenance costs. The total cost to the Federal Government in the first year, including development of AAP-VI, is $853,019. This cost includes OFCCP staff salaries ((10 hours*$119.49) + (650 hours*$119.49) + (30 hours*$138.50)), the cost of contracted labor ($370,000), and a $400,000 site hosting and maintenance cost. The total cost to the Federal Government in subsequent years is $400,000 for site hosting, operations, and maintenance. The average annual cost to the Federal Government is $551,006.²⁶

15. Program Changes or Burden Adjustments

This is a new information collection.

16. Publication of Data for Statistical Use

There will be no publication of statistical analysis related to this collection.

17. Approval Not to Display the Expiration Date

OFCCP is not seeking approval not to display the expiration date of this collection.

18. Exceptions to the Certification Statement

OFCCP is not seeking exceptions to the certification statement of this collection.

B. Collections of Information Employing Statistical Methods

As represented in this ICR, AAP-VI does not employ the use of statistical methods.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author	Hall, Drew A - OFCCP
File Modified	0000-00-00
File Created	2021-01-11