Contractor Integrity: Stronger Safeguards Needed for Contractor Access to Sensitive Information

GAO-10-693 Published: Sep 10, 2010. Publicly Released: Sep 10, 2010.

Highlights

In performing agency tasks, contractor employees often require access to sensitive information that must be protected from unauthorized disclosure or misuse. This report assesses the (1) extent to which agency guidance and contracts contain safeguards for contractor access to sensitive information, and (2) adequacy of governmentwide guidance on how agencies are to safeguard sensitive information to which contractors may have access. To conduct this work, GAO identified key attributes involving sensitive-information safeguards, analyzed guidance and met with officials at three agencies selected for their extensive reliance on contractor employees, analyzed 42 of their contract actions for services potentially requiring contractor access to sensitive information, and analyzed the Federal Acquisition Regulation (FAR) and pending FAR changes regarding governmentwide guidance on contractor safeguards for access to sensitive information.

Recommendations

Recommendations for Executive Action

Agency Affected: Office of Federal Procurement Policy
Recommendation: To address the need for clearly defining contractor responsibilities in governmentwide guidance in the FAR, the Administrator of OFPP should ensure that the FAR Council incorporates changes in the FAR that address safeguards for contractor access to sensitive information by providing guidance to agency acquisition policy officials, in coordination with IT security and privacy officials, chief information officers, and other affected parties, on agency development and use of contractor nondisclosure agreements as a condition of access to sensitive information.
Status: Closed – Implemented
The FAR Council published a proposed rule, Federal Acquisition Regulation: Organizational Conflicts of Interest, in the Federal Register on April 26, 2011. The proposed rule adds guidance on contractor access to nonpublic information, including a contract clause which obligates contractors to protect all nonpublic information to which they obtain access by means of contract performance. The clause requires the contractor to obtain a signed nondisclosure agreement from each person who may have access to nonpublic information and provide copies of the nondisclosure agreement to the contracting officer upon request. We are closing the recommendation as substantially implemented based on the guidance in the proposed FAR rule and will continue to follow the FAR Council's progress toward issuing the final rule.

Agency Affected: Office of Federal Procurement Policy
Recommendation: To address the need for clearly defining contractor responsibilities in governmentwide guidance in the FAR, the Administrator of OFPP should ensure that the FAR Council incorporates changes in the FAR that address safeguards for contractor access to sensitive information by establishing a requirement for prompt notification to appropriate agency officials of a contractor's unauthorized disclosure or misuse of sensitive information so that timely agency responses are facilitated and appropriate contractor accountability mechanisms can be enforced.
Status: Closed – Implemented
The FAR Council published a proposed rule, Federal Acquisition Regulation: Organizational Conflicts of Interest, in the Federal Register on April 26, 2011. The proposed rule adds guidance on contractor access to nonpublic information to which they obtain access by means of contract performance. The clause requires the contractor to immediately report to the contracting officer any violations of established safeguards, including improper misuse or unauthorized disclosures. We are closing the recommendation as substantially implemented based on the guidance in the proposed FAR rule and will continue to follow the FAR Council's progress toward issuing the final rule.

Topics

Access control, Accountability, Agency proceedings, Agency protocols, Authorized access, Confidential information, Contractors, Controlled access, Information access, Information disclosure, Information management, Risk management, Safeguards, Contract performance, Policies and procedures