Contractor Integrity:

Stronger Safeguards Needed for Contractor Access to Sensitive Information

GAO-10-693: Published: Sep 10, 2010. Publicly Released: Sep 10, 2010.

Contact:

William T. Woods
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

In performing agency tasks, contractor employees often require access to sensitive information that must be protected from unauthorized disclosure or misuse. This report assesses the (1) extent to which agency guidance and contracts contain safeguards for contractor access to sensitive information, and (2) adequacy of governmentwide guidance on how agencies are to safeguard sensitive information to which contractors may have access. To conduct this work, GAO identified key attributes involving sensitive-information safeguards, analyzed guidance and met with officials at three agencies selected for their extensive reliance on contractor employees, analyzed 42 of their contract actions for services potentially requiring contractor access to sensitive information, and analyzed the Federal Acquisition Regulation (FAR) and pending FAR changes regarding governmentwide guidance on contractor safeguards for access to sensitive information.

GAO's analysis of guidance and contract actions at three agencies found areas where sensitive information is not fully safeguarded and thus may remain at risk of unauthorized disclosure or misuse. The Departments of Defense (DOD), Homeland Security (DHS), and Health and Human Services (HHS) have all supplemented the FAR and developed some guidance and standard contract provisions, but the safeguards available in DOD's and HHS's guidance do not always protect all relevant types of sensitive information contractors may access during contract performance. Also, DOD's, DHS's, and HHS's supplemental FAR guidance does not specify contractor responsibilities for prompt notification to the agency if unauthorized disclosure or misuse occurs. Almost half of the 42 contract actions analyzed lacked clauses or provisions that safeguarded against disclosure and inappropriate use of all potential types of sensitive information that contractors might access during contract performance. Additionally, DOD and HHS lack guidance on the use of nondisclosure agreements, while DHS has found that these help accountability by informing contractors of their responsibilities to safeguard confidentiality and appropriate use and the potential consequences they face from violations. There have been numerous recommendations for improved governmentwide guidance and contract provisions in the FAR, such as prohibiting certain types of contractor personnel from using sensitive information for personal gain. To address some of these areas, regulatory changes are pending to develop standardized approaches and contract clauses in the FAR that agencies could use to safeguard sensitive information, rather than developing such safeguards individually. However, similar to the issues identified in agency guidance, GAO found two key areas the FAR does not yet address. These include (1) agency use of nondisclosure agreements as a condition of contractor access to sensitive information, and (2) the need to establish clear requirements for contractors to promptly notify agencies of unauthorized disclosure and misuse of sensitive information. The ongoing rulemaking process provides an opportunity to address the need for additional FAR guidance in both areas.

GAO recommends that the Office of Federal Procurement Policy (OFPP) ensure pending changes to the FAR address two additional safeguards for contractor access to sensitive information: the use of nondisclosure agreements and prompt notification of unauthorized disclosure or misuse of sensitive information. In oral comments, OFPP agreed with the recommendations. DHS also concurred with the recommendations, while DOD and HHS had no comment.

Recommendations for Executive Action

  1. Status: Open

    Comments: The FAR Council published a proposed rule, Federal Acquisition Regulation: Organizational Conflicts of Interest, in the Federal Register on April 26, 2011. The proposed rule adds guidance on contractor access to nonpublic information, including a contract clause which obligates contractors to protect all nonpublic information to which they obtain access by means of contract performance. The clause requires the contractor to obtain a signed nondisclosure agreement from each person who may have access to nonpublic information and provide copies of the nondisclosure agreement to the contracting officer upon request.

    Recommendation: To address the need for clearly defining contractor responsibilities in governmentwide guidance in the FAR, the Administrator of OFPP should ensure that the FAR Council incorporates changes in the FAR that address safeguards for contractor access to sensitive information by providing guidance to agency acquisition policy officials, in coordination with IT security and privacy officials, chief information officers, and other affected parties, on agency development and use of contractor nondisclosure agreements as a condition of access to sensitive information.

    Agency Affected: Executive Office of the President: Office of Management and Budget: Office of Federal Procurement Policy

  2. Status: Open

    Comments: The FAR Council published a proposed rule, Federal Acquisition Regulation: Organizational Conflicts of Interest, in the Federal Register on April 26, 2011. The proposed rule adds guidance on contractor access to nonpublic information to which they obtain access by means of contract performance. The clause requires the contractor to immediately report to the contracting officer any violations of established safeguards, including improper misuse or unauthorized disclosures.

    Recommendation: To address the need for clearly defining contractor responsibilities in governmentwide guidance in the FAR, the Administrator of OFPP should ensure that the FAR Council incorporates changes in the FAR that address safeguards for contractor access to sensitive information by establishing a requirement for prompt notification to appropriate agency officials of a contractor's unauthorized disclosure or misuse of sensitive information so that timely agency responses are facilitated and appropriate contractor accountability mechanisms can be enforced.

    Agency Affected: Executive Office of the President: Office of Management and Budget: Office of Federal Procurement Policy
