Agencies shall ensure that contracts for information technology address protection of privacy in accordance with the Privacy Act (5 U.S.C. 552a) and part 24. In addition, each agency shall ensure that contracts for the design, development, or operation of a system of records using commercial information technology services or information technology support services include the following:

(a) Agency rules of conduct that the contractor and the contractor's employees shall be required to follow.

(b) A list of the anticipated threats and hazards that the contractor must guard against.

(c) A description of the safeguards that the contractor must specifically provide.

(d) Requirements for a program of Government inspection during performance of the contract that will ensure the continued efficacy and efficiency of safeguards and the discovery and countering of new threats and hazards.