Status Report

Proposed Rule: NASA: Contractor Access to Confidential Information

By SpaceRef Editor
December 11, 2003
Filed under ,

[Federal Register: December 5, 2003 (Volume 68, Number 234)]
[Proposed Rules]
[Page 67995-67998]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr05de03-27]

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1809, 1837, and 1852

RIN 2700-AC60

Contractor Access to Confidential Information

AGENCY: National Aeronautics and Space Administration (NASA).

ACTION: Proposed rule.

SUMMARY: This rule proposes to amend the NASA Federal Acquisition
Regulation (FAR) Supplement (NFS) to provide guidance on how NASA will
acquire services to support management activities and administrative
functions, when performing those services requires the contractor to
have access to confidential information submitted by other contractors.
NASA’s increased use of contractors to support management activities
and administrative functions, coupled with implementing Agency-wide
electronic information systems, requires establishing consistent
procedures for protecting confidential information from unauthorized
use or disclosure.

DATES: Comments should be submitted on or before February 3, 2004 to be
considered in the formulation of a final rule.

ADDRESSES: Interested parties should submit written comments to David
Forbes, NASA Headquarters, Office of Procurement, Contract Management
Division (Code HK), Washington, DC 20546. Comments may also be submitted by e-mail to: David.P.Forbes@nasa.gov.

FOR FURTHER INFORMATION CONTACT: David Forbes, (202) 358-2051, e-mail: David.P.Forbes@nasa.gov.

SUPPLEMENTARY INFORMATION:

A. Background

In accomplishing its mission, NASA expends about eighty-five
percent of its appropriations through contracts. As part of the process
of awarding and performing contracts, offerors and contractors must
provide information, some of which they claim to have developed at
private expense and that may embody trade secrets or constitute
commercial or financial and confidential information (“confidential
information”). Confidential information includes technical, financial,
proprietary, commercial, privileged, or otherwise sensitive business
information. As a result, NASA receives and retains a substantial
amount of confidential information, contained in paper files and
electronic administrative systems.

Generally, the information in question is not in the public domain
and may be subject to the Trade Secrets Act, the Procurement Integrity
Act (FAR 3.104), and other laws and regulations relating to ethics,
organizational conflicts of interest, and corruption in the Federal
procurement process. To the extent that an exception to the Freedom of
Information Act applies, government agencies may also generate
confidential information, including pre-negotiation analyses and
positions and pre-decisional advice on a variety of subjects. NASA has
long recognized a responsibility to protect this type of information
from unauthorized use and disclosure. To this end, NASA has
traditionally allowed only civil servants to have access to
confidential information in the Government’s possession. Practical
realities, coupled with new policy initiatives compel NASA to
reconsider its approach to managing contractor-related information.

The practical pressure to reconsider NASA’s approach has emerged
from years of “downsizing” the civil service workforce. Simply put,
NASA no longer has enough employees to manage and safeguard all of the
information in question. Of necessity, NASA is increasing its use of
service contractors to assist in performing many administrative,
financial, and technical functions that had been performed previously
by government employees only. The types of services NASA will be
procuring run the gamut from routine clerical support such as data
entry and invoice processing, to more complex in-plant reviews,
contract closeout processing, system administration, and safety and
quality assurance activities. Service contractors may soon be
supporting most of these activities and functions throughout the
Agency. NASA must, therefore, find new, more streamlined ways to
receive from offerors and contractors confidential information that may
be entitled to protection and to disclose it to third party service
providers, without compromising the information received.

As NASA releases more confidential information provided by offerors
or contractors to other contractors, the risk increases that
unauthorized uses and disclosures will occur. One aspect of this
increased risk is the potential that organizational conflicts of
interest may arise when the Agency discloses one contractor’s
confidential information to another contractor. FAR Subpart 9.5
prescribes general rules for managing organizational conflicts of
interest and gives four specific examples of situations that may give
rise to problems. One of those examples deals directly with NASA’s
current dilemma, that is, providing one contractor access to other
contractors’ confidential information. Specifically, when one
contractor gains access to other companies’ “proprietary”
information, FAR 9.505-4 directs the service provider to enter into
agreement(s) with the other companies to protect their information from
unauthorized use or disclosure and to refrain from using the
information for any purpose other than that for which it was furnished.
Additionally, FAR 9.505-4 requires the contracting officer to obtain
copies of these third party agreements and ensure that they are
properly executed.

In the past, NASA contracts rarely required access to another
contractor’s proprietary or other forms of confidential information,
making this FAR procedure quite manageable. The current environment,
however, raises the question whether use of FAR 9.505-4 continues to be
workable for NASA. For example, in providing contract closeout
services, the contractor and its employees may have access to hundreds
of contract files, each of which should document all pre and post award
activities for a particular contract. Typically, the contracts to be
closed out will include multiple subcontractors. Many subcontractors
will also have lower-tier subcontracts. To ensure that all of these
companies have properly executed “non-disclosure agreements” among
themselves could result in a huge number of interrelated agreements.
Moreover, the contract closeout function is but one example of the
types of services that may require one NASA contractor to have access
to another contractor’s confidential information before performance can
proceed. Without obtaining even more support services, NASA cannot be
responsible for managing this potentially enormous universe of
interrelated non-disclosure agreements.

In today’s environment, NASA must rely heavily on private sector
service contractors for support in performing essential management
activities and administrative functions. For contracts requiring this
type of support, the Assistant Administrator for Procurement has
determined that it is not in the NASA’s interest to follow the general rule stated in FAR 9.505-4(b) and, in accordance with FAR
9.503, has waived its application. Rather than demand an unworkable
mass of interrelated third party non-disclosure agreements, NASA will
implement the policy and procedures described in the proposed 1837.203-
70 to manage the risks associated with one contractor having access to
another contractor’s confidential information and to assure those that
submit this type of information that NASA will protect it from
unauthorized use or disclosure.

As one element of this new approach, 1837.203-70(d)(1) requires
that contractors receiving access to confidential information must have
developed a comprehensive organizational conflicts of interest
avoidance plan. Recognizing that developing this plan may take
considerable time and effort, proposals need only summarize the
offeror’s analysis of the potential organizational conflicts of
interest that may arise from having access to another contractor’s
confidential information, or to Government-generated information that
is subject to an exception to the Freedom of Information Act. Each
offeror’s analysis, together with the other elements of each proposal,
will be considered in selecting a contractor for award. After award,
the contractor must develop and submit to the contracting officer for
review and approval a comprehensive organizational conflict of interest
avoidance plan that identifies all potential problems and proposes
specific methods to control, mitigate, or eliminate any organizational
or ethical concerns noted. This plan must also commit the contractor to
take all corrective actions necessary to address any failures to
protect confidential information from unauthorized use or disclosure.
Once the contracting officer approves this plan, he/she will
incorporate the document into the resulting contract.

NASA proposes two clauses to implement the above policies in
solicitations and contracts. The first clause at 1852.237-72, Access to
Confidential Information, would go into service contracts that involve
access to information in the Government’s possession that is necessary
to support NASA’s management activities and administrative functions.
This clause would delineate the service contractor’s responsibilities
to limit to the purposes specified in the contract its use of any of
this information that is confidential, to safeguard the information
from unauthorized outside disclosure, and to train employees and obtain
their written commitments to handle the information in an authorized
manner, only.

The second clause at 1852.237-73, Release of Confidential
Information, would go in all solicitations and contracts to notify
offerors and contractors that NASA may release their confidential
information to other contractors supporting NASA’s management
activities and administrative functions. Recognizing that this
announcement may cause concerns for these offerors and contractors, the
clause recites the protections embodied in the receiving, support
service contract through the new clause at 1852.237-72. Essentially,
the clause at 1852.237-73 announces NASA’s intent to release companies’
confidential information to support service contractors. But, in
announcing this intent, the clause also promises that the support
contractors will implement specific and enumerated safeguards and
procedures to protect the information.

B. Regulatory Flexibility Act

NASA certifies that this proposed rule will not have a significant
economic impact on a substantial number of small business entities
within the meaning of the Regulatory Flexibility Act (5 U.S.C. 601, et.
seq.), because the proposed new, streamlined approach of having each
service contractor implement specific safeguards and procedures should
offer the same or better protection for confidential information
belonging to small business entities than does the current system of
third party agreements, envisioned by FAR 9.505-4. This proposed rule
should ease the burden on small business entities by not requiring them
to enter multiple, interrelated third party agreements with the
numerous service contractors that support NASA’s management activities
and administrative functions.

C. Paperwork Reduction Act

The Paperwork Reduction Act does not apply because the proposed
changes to the NFS do not impose any recordkeeping or information
collection requirements, or collections of information from offerors,
contractors, or members of the public that require the approval of the
Office of Management and Budget under 44 USC 3501, et. seq.

List of Subjects in 48 CFR Parts 1809, 1837, and 1852

Government Procurement.

Tom Luedtke,

Assistant Administrator for Procurement.

Accordingly, 48 CFR parts 1809, 1837, and 1852 are proposed to be
amended as follows:

1. The authority citation for 48 CFR parts 1809, 1837, and 1852
continues to read as follows:

Authority: 42 U.S.C. 2473(c)(1).

PART 1809–CONTRACTOR QUALIFICATIONS

2. Add section 1809.505-4 to read as follows:

1809.505-4 Obtaining access to confidential information.

(b) In accordance with FAR 9.503, the Assistant Administrator for
Procurement has determined that it would not be in the Government’s
interests for NASA to comply strictly with FAR 9.505-4(b) when
acquiring services to support management activities and administrative
functions. The Assistant Administrator for Procurement has, therefore,
waived the requirement that before gaining access to other companies’
proprietary or confidential (see 1837.203-70) information contractors
must enter specific agreements with each of those other companies to
protect their information from unauthorized use or disclosure.
Accordingly, NASA will not require contractors and subcontractors and
their employees in procurements that support management activities and
administrative functions to enter into separate, interrelated third
party agreements to protect confidential information from unauthorized
use or disclosure. As an alternative to numerous, separate third party
agreements, 1837.203-70 prescribes detailed policy and procedures to
protect contractors from unauthorized use or disclosure of its
confidential information. Nothing in this section waives the
requirements of FAR 37.204 and 1837.204.

PART 1837–SERVICE CONTRACTING

3. Add sections 1837.203-70, 1837.203-71, and 1837.203-72 to read
as follows:

1837.203-70 Providing contractors access to confidential information.

(a)(1) As used in this subpart, “confidential information” refers
to information that the contractor has developed at private expense or
that the Government has generated that qualifies for an exception to the Freedom of Information Act, which is not
currently in the public domain, may embody trade secrets or commercial
or financial information, and may be confidential or privileged.

(2) As used in this subpart, “requiring organization” refers to
the NASA organizational element or activity that requires specified
services to be provided.

(3) As used in this subpart, “receiving entity” refers to the
service-providing contractor that receives confidential information
from NASA to provide services to the requiring organization.

(b) To support management activities and administrative functions,
NASA relies on the services of numerous contractors. Contractors
providing these services may require access to confidential information
in the Government’s possession, which may be entitled to protection
from unauthorized use or disclosure. NASA shall require any service
contractor that receives access to confidential information to take the
steps contained in the clause at 1852.237-72, Access to Confidential
Information, to protect it from unauthorized use or disclosure.

(c) The requiring organization is responsible for identifying when
a requirement will require access to confidential information and
making the determination that providing access is necessary for
accomplishing the Agency’s mission. The requiring organization is
responsible for reviewing any contractor requests for access to
information to determine whether the access is necessary and whether
the information requested is considered confidential as defined in
paragraph (a) of this section.

(d)(1) Solicitations for services that require contractor access to
confidential information shall require each offeror (potential
receiving entity) to submit with its proposal a preliminary analysis of
possible organizational conflicts of interest that might flow from the
award of a contract. After selection, the new service contractor must
submit for approval a comprehensive organizational conflict of interest
avoidance plan, based on the preliminary analysis. This plan should
thoroughly analyze all organizational conflicts of interest that might
arise because the service contractor has access to other companies’
confidential information. This analysis should propose specific methods
to control, mitigate, or eliminate all problems identified. The
contracting officer shall incorporate the approved plan into the
resulting contract, as a compliance document.

(2) If the contractor will be operating an information technology
system for NASA that contains confidential information, the operating
contract shall include the clause at 1852.204-76, Security Requirements
for Unclassified Information Technology Resources, which requires the
implementation of an Information Technology Security Plan to protect
information processed, stored, or transmitted from unauthorized access,
alteration, disclosure, or use.

1837.203-71 Release of contractors’ confidential information.

(a) By submitting offers or performing contracts, offerors and
contractors agree that NASA may provide non-NASA employees access to
their confidential information, subject to the safeguards and
protections delineated in the clause at 1852.237-72, Access to
Confidential Information.

(b) As required by the clause at 1852.237-73, Release of
Confidential Information, or another contract clause or solicitation
provision, contractors must identify confidential information submitted
as part of a proposal or in performance of a contract. The contracting
officer shall evaluate the contractor’s claim to have submitted
“confidential information” in deciding whether NASA and its service
contractors must expend time and resources to protect and safeguard the
information in accordance with the clause at 1852.237-72.

1837.203-72 NASA contract clauses.

(a) The contracting officer shall insert the clause at 1852.237-72,
Access to Confidential Information, in all solicitations and contracts
for services that require access to confidential information belonging
to other companies or generated by the Government.

(b) The contracting officer shall insert the clause at 1852.237-73,
Release of Confidential Information, in all solicitations, contracts,
and basic ordering agreements .

PART 1852–SOLICITATION PROVISIONS AND CONTRACT CLAUSES

4. Add sections 1852.237-72 and 1852.237-73 to read as follows:

1852.237-72 Access to Confidential Information.

As prescribed in 1837.203-72(a), insert the following clause:

ACCESS TO CONFIDENTIAL INFORMATION (XX/XX)

(a) As used in this clause, “confidential information” refers
to information that a contractor has developed at private expense,
or that the Government has generated that qualifies for an exception
to the Freedom of Information Act, which is not currently in the
public domain, and may embody trade secrets or commercial or
financial information, and may be confidential or privileged.

(b) To assist NASA in accomplishing management activities and
administrative functions, the Contractor shall provide the services
specified elsewhere in this contract. Performing these services may
require access to confidential information that other companies have
furnished to the Government in the course of providing supplies or
services, or that the Government has generated.

(c) In performing this contract, the Contractor agrees to–

(1) Utilize any confidential information coming into its
possession only for the purposes of performing the services
specified in this contract, and never to improve its own competitive
position in another procurement.

(2) Safeguard confidential information coming into its
possession from unauthorized use and disclosure.

(3) Allow access to confidential information only to those
employees that need it to perform services under this contract.

(4) Preclude access and disclosure of confidential information
to persons and entities outside of the Contractor’s organization.

(5) Train employees who may require access to confidential
information about their obligations to utilize it only to perform
the services specified in this contract and to safeguard it from
unauthorized use and disclosure.

(6) Obtain an express, binding written agreement from each
employee who receives access to confidential information to protect
it from unauthorized use or disclosure and to utilize it only for
the purposes of performing this contract.

(7) Establish a monitoring process to ensure that employees
comply with all reasonable security procedures, report any breaches
to the Contracting Officer, and implement any necessary corrective
actions.

(d) The Contractor will comply with all procedures and
obligations specified in its Organizational Conflict of Interest
Avoidance Plan, which the Contracting Officer has approved and
incorporated into this contract.

(e) The nature of the work on this contract may subject the
Contractor and its employees a variety of laws and regulations
relating to ethics, conflicts of interest, corruption, and other
criminal or civil matters relating to the award and administration
of government contracts. Recognizing that this contract establishes
a high standard of accountability and trust, the Government will
carefully review the Contractor’s performance in relation to the
mandates and restrictions found in these laws and regulations.

(f) The Contractor shall include the substance of this clause,
including this paragraph (f), suitably modified to reflect the relationship of the
parties, in all subcontracts that may involve access to confidential
information.

(End of clause)

1852.237-73 Release of Confidential Information.

As prescribed in 1837.203-72(b), insert the following clause:

RELEASE OF CONFIDENTIAL INFORMATION (XX/XX)

(a) As used in this clause, “confidential information” refers
to information, not currently in the public domain, that the
Contractor has developed at private expense, may embody trade
secrets or commercial or financial information, and that may be
confidential or privileged.

(b) In accomplishing management activities and administrative
functions, NASA relies heavily on the services of various
contractors. To perform these services, contractors, as well as
their subcontractors and their individual employees, may need access
to confidential information submitted by the Contractor under this
contract.

(c)(1) The Contractor shall mark or otherwise identify any
confidential information submitted in support of this proposal or in
performing this contract. The Contracting Officer will evaluate the
Contractor’s claim to have submitted “confidential information,”
as defined above, in deciding whether NASA and its service
contractors must protect and safeguard the information in accordance
with the clause at 1852.237-72, Access to Confidential Information.
Unless the Contracting Officer decides to challenge the Contractor’s
“confidential information” marking, NASA and its service
contractors and their employees shall apply all of the conditions
and safeguards listed in the clause at 1852.237-72.

(2) For information already in NASA’s possession, the
Contracting Officer shall attempt to identify the owner and afford
that entity a reasonable opportunity to assert confidentiality in
accordance with the principles and criteria delineated in the FAR.
For purposes of asserting confidentiality, the parties may agree to
use the procedures delineated in the clause at FAR 52.227-14 as a
guide.

(d) Any entity that receives access to confidential information
needed to assist NASA in accomplishing management activities and
administrative functions must be operating under a contract that
contains the clause at 1852.237-72, Access to Confidential
Information. This clause obligates the receiving entity to do the
following:

(1) Comply with all procedures and obligations specified in its
contract, including the Organizational Conflict of Interest
Avoidance Plan, which the Contracting Officer has approved and
incorporated into its contract.

(2) Utilize any confidential information coming into its
possession only for the purposes of performing the services
specified in its contract.

(3) Safeguard confidential information coming into its
possession from unauthorized use and disclosure.

(4) Allow access to confidential information only to those
employees that need it to perform services under its contract.

(5) Preclude access and disclosure of confidential information
to persons and entities outside of the contractor’s organization.

(6) Train employees who may require access to confidential
information about their obligations to utilize it only to perform
the services specified in its contract and to safeguard it from
unauthorized use and disclosure.

(7) Obtain an express, binding written agreement from each
employee who receives access to confidential information to protect
it from unauthorized use or disclosure and to utilize it only for
the purposes of performing the contract.

(8) Establish a monitoring process to ensure that employees
comply with all reasonable security procedures, report any breaches
to the Contracting Officer, and implement any necessary corrective
actions.

(e) When the receiving entity will have primary operational
responsibility for an information technology system for NASA that
contains confidential information, the entity’s contract shall
include the clause at 1852.204-76, Security Requirements for
Unclassified Information Technology Resources. The Security
Requirements clause requires the receiving entity to implement an
Information Technology Security Plan to protect information
processed, stored, or transmitted from unauthorized access,
alteration, disclosure, or use. Receiving entity personnel requiring
privileged access or limited privileged access to these information
technology systems are subject to screening using the standard
National Agency Check (NAC) forms appropriate to the level of risk
for all. The Contracting Officer may allow the receiving entity to
conduct its own screening, provided this entity employs
substantially equivalent screening procedures.

(f) This clause does not affect NASA’s responsibilities under
the Freedom of Information Act.

(g) The Contractor shall insert this clause, including this
paragraph (g), suitably modified to reflect the relationship of the
parties, in all subcontracts that may require the furnishing of
confidential information.

(End of clause)

[FR Doc. 03-29930 Filed 12-4-03; 8:45 am]

BILLING CODE 7510-01-U

SpaceRef staff editor.