GAO: Stronger safeguards needed for contractor access to sensitive information
The U.S. Government Accountability Office’s (GAO) analysis of guidance and contract actions at the Departments of Defense (DoD), Homeland Security (DHS) and Health and Human Services (HHS) found areas where sensitive information is not fully safeguarded and thus may be at risk of unauthorized disclosure or misuse.

“In performing agency tasks, contractor employees often require access to sensitive information that must be protected from unauthorized disclosure or misuse,” stated GAO in a September report.

The organization assessed the extent to which agency guidance and contracts contain safeguards for contractor access to sensitive information, and adequacy of government-wide guidance on how agencies are to safeguard sensitive information to which contractors may have access.

According to GAO, the agencies have all supplemented the Federal Acquisition Regulation (FAR) and developed some guidance and standard contract provisions, but the safeguards available in DoD’s and HHS’ guidance do not always protect all relevant types of sensitive information contractors may access during contract performance. Examples of types of sensitive information contractors may access include:

Personal – Name, social security number, date and place of birth and patient health and medical information;

Business proprietary – Trade secrets, manufacturing processes, operations or techniques and amount or source of any profits, losses or expenditures; and

Agency sensitive – Security management information, predecisional planning and budgeting documents and continuity-of-operations information.

In addition, DoD’s, DHS’, and HHS’ supplemental FAR guidance do not specify contractor responsibilities for prompt notification to the agency if unauthorized disclosure or misuse occurs, the report stated. Almost half of the 42 contract actions analyzed lacked clauses or provisions that safeguarded against disclosure and inappropriate use of all potential types of sensitive information that contractors might access during contract performance.

The GAO also stated that DOD and HHS lack guidance on the use of nondisclosure agreements, while DHS has found that these help accountability by informing contractors of their responsibilities to safeguard confidentiality and appropriate use and the potential consequences they face from violations.

GAO recommended that the Office of Federal Procurement Policy (OFPP) ensure pending changes to the FAR address two additional safeguards for contractor access to sensitive information: the use of nondisclosure agreements and prompt notification of unauthorized disclosure or misuse of sensitive information.

To read the full report, click here.