After years of consideration, DoD, GSA, and NASA have published a final rule requiring contractor employees who handle personally identifiable information (PII) or work with a system of records to complete initial and annual privacy training that addresses specified elements, including the Privacy Act, working with PII, and the contractor’s incident response plan. The final rule – effective January 19, 2017, and applicable to all contracts including those for commercial items and those below the Simplified Acquisition Threshold – also requires contractors to identify each covered employee, maintain records indicating that its employees have completed the requisite training, and to provide these records to contracting officers upon request.