GAO: Sensitive Government Data at RiskDHS, DoD, HHS Don't Fully Safeguard Data from Contractors' Eyes
According to the GAO analysis, all three departments have supplemented the federal acquisition regulation and developed some guidance and standard contract provisions, but the safeguards available in DoD's and HHS's guidance fail to consistently protect all types of sensitive information contracts could access during government work.
GAO also said DOD's, DHS's, and HHS's supplemental federal acquisition regulation guidance fails to specify contractor responsibilities for prompt notification to the agency if unauthorized disclosure or misuse occurs. Nearly half of the 42 contract actions analyzed lacked clauses or provisions that safeguarded against disclosure and inappropriate use of all potential types of sensitive information that contractors might access during contract performance., DOD and HHS also lack guidance on the use of nondisclosure agreements, GAO said, while DHS has found that these help accountability by informing contractors of their responsibilities to safeguard confidentiality and appropriate use and the potential consequences they face from violations.
GAO cited numerous recommendations for improved governmentwide guidance and contract provisions in the acquisition regulations, including the prohibition of certain types of contractor personnel from using sensitive information for personal gain.
To address some of these areas, regulatory changes are pending to develop standardized approaches and contract clauses in the acquisition regulations that agencies could use to protect sensitive information, rather than develop such safeguards individually.
GAO found two key areas the acquisition regulations don't address:
- Agency use of nondisclosure agreements as a condition of contractor access to sensitive information, and
- The need to establish clear requirements for contractors to promptly notify agencies of unauthorized disclosure and misuse of sensitive information.
The congressional auditors said the continuing rulemaking process provides the departments an opportunity to address the need for additional federal acquisition regulation guidance in both areas.
GAO recommended that the Office of Federal Procurement Policy guarantee pending changes to the federal acquisition regulation address two additional safeguards for contractor access to sensitive information: the use of nondisclosure agreements and prompt notification of unauthorized disclosure or misuse of sensitive information.
Office of Federal Procurement Policy and DHS agreed with the recommendations. Defense and Health and Human Services officials did not comment to GAO on its recommendations.