Skip to Content

Proposed Rule

Contractor Access to Confidential Information

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

National Aeronautics and Space Administration (NASA).

ACTION:

Proposed rule.

SUMMARY:

This rule proposes to amend the NASA Federal Acquisition Regulation (FAR) Supplement (NFS) to provide guidance on how NASA will acquire services to support management activities and administrative functions, when performing those services requires the contractor to have access to confidential information submitted by other contractors. NASA's increased use of contractors to support management activities and administrative functions, coupled with implementing Agency-wide electronic information systems, requires establishing consistent procedures for protecting confidential information from unauthorized use or disclosure.

DATES:

Comments should be submitted on or before February 3, 2004 to be considered in the formulation of a final rule.

ADDRESSES:

Interested parties should submit written comments to David Forbes, NASA Headquarters, Office of Procurement, Contract Management Division (Code HK), Washington, DC 20546. Comments may also be submitted by e-mail to: David.P.Forbes@nasa.gov.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

David Forbes, (202) 358-2051, e-mail: David.P.Forbes@nasa.gov.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

A. Background

In accomplishing its mission, NASA expends about eighty-five percent of its appropriations through contracts. As part of the process of awarding and performing contracts, offerors and contractors must provide information, some of which they claim to have developed at private expense and that may embody trade secrets or constitute commercial or financial and confidential information (“confidential information”). Confidential information includes technical, financial, proprietary, commercial, privileged, or otherwise sensitive business information. As a result, NASA receives and retains a substantial amount of confidential information, contained in paper files and electronic administrative systems.

Generally, the information in question is not in the public domain and may be subject to the Trade Secrets Act, the Procurement Integrity Act (FAR 3.104), and other laws and regulations relating to ethics, organizational conflicts of interest, and corruption in the Federal procurement process. To the extent that an exception to the Freedom of Information Act applies, government agencies may also generate confidential information, including pre-negotiation analyses and positions and pre-decisional advice on a variety of subjects. NASA has long recognized a responsibility to protect this type of information from unauthorized use and disclosure. To this end, NASA has traditionally allowed only civil servants to have access to confidential information in the Government's possession. Practical realities, coupled with new policy initiatives compel NASA to reconsider its approach to managing contractor-related information.

The practical pressure to reconsider NASA's approach has emerged from years of “downsizing” the civil service workforce. Simply put, NASA no longer has enough employees to manage and safeguard all of the information in question. Of necessity, NASA is increasing its use of service contractors to assist in performing many administrative, financial, and technical functions that had been performed previously by government employees only. The types of services NASA will be procuring run the gamut from routine clerical support such as data entry and invoice processing, to more complex in-plant reviews, contract closeout processing, system administration, and safety and quality assurance activities. Service contractors may soon be supporting most of these activities and functions throughout the Agency. NASA must, therefore, find new, more streamlined ways to receive from offerors and contractors confidential information that may be entitled to protection and to disclose it to third party service providers, without compromising the information received.

As NASA releases more confidential information provided by offerors or contractors to other contractors, the risk increases that unauthorized uses and disclosures will occur. One aspect of this increased risk is the potential that organizational conflicts of interest may arise when the Agency discloses one contractor's confidential information to another contractor. FAR Subpart 9.5 prescribes general rules for managing organizational conflicts of interest and gives four specific examples of situations that may give rise to problems. One of those examples deals directly with NASA's current dilemma, that is, providing one contractor access to other contractors' confidential information. Specifically, when one contractor gains access to other companies' “proprietary” information, FAR 9.505-4 directs the service provider to enter into agreement(s) with the other companies to protect their information from unauthorized use or disclosure and to refrain from using the information for any purpose other than that for which it was furnished. Additionally, FAR 9.505-4 requires the contracting officer to obtain copies of these third party agreements and ensure that they are properly executed.

In the past, NASA contracts rarely required access to another contractor's proprietary or other forms of confidential information, making this FAR procedure quite manageable. The current environment, however, raises the question whether use of FAR 9.505-4 continues to be workable for NASA. For example, in providing contract closeout services, the contractor and its employees may have access to hundreds of contract files, each of which should document all pre and post award activities for a particular contract. Typically, the contracts to be closed out will include multiple subcontractors. Many subcontractors will also have lower-tier subcontracts. To ensure that all of these companies have properly executed “non-disclosure agreements” among themselves could result in a huge number of interrelated agreements. Moreover, the contract closeout function is but one example of the types of services that may require one NASA contractor to have access to another contractor's confidential information before performance can proceed. Without obtaining even more support services, NASA cannot be responsible for managing this potentially enormous universe of interrelated non-disclosure agreements.

In today's environment, NASA must rely heavily on private sector service contractors for support in performing essential management activities and administrative functions. For contracts requiring this type of support, the Assistant Administrator for Procurement has determined that it is not in the NASA's interest to follow the Start Printed Page 67996general rule stated in FAR 9.505-4(b) and, in accordance with FAR 9.503, has waived its application. Rather than demand an unworkable mass of interrelated third party non-disclosure agreements, NASA will implement the policy and procedures described in the proposed 1837.203-70 to manage the risks associated with one contractor having access to another contractor's confidential information and to assure those that submit this type of information that NASA will protect it from unauthorized use or disclosure.

As one element of this new approach, 1837.203-70(d)(1) requires that contractors receiving access to confidential information must have developed a comprehensive organizational conflicts of interest avoidance plan. Recognizing that developing this plan may take considerable time and effort, proposals need only summarize the offeror's analysis of the potential organizational conflicts of interest that may arise from having access to another contractor's confidential information, or to Government-generated information that is subject to an exception to the Freedom of Information Act. Each offeror's analysis, together with the other elements of each proposal, will be considered in selecting a contractor for award. After award, the contractor must develop and submit to the contracting officer for review and approval a comprehensive organizational conflict of interest avoidance plan that identifies all potential problems and proposes specific methods to control, mitigate, or eliminate any organizational or ethical concerns noted. This plan must also commit the contractor to take all corrective actions necessary to address any failures to protect confidential information from unauthorized use or disclosure. Once the contracting officer approves this plan, he/she will incorporate the document into the resulting contract.

NASA proposes two clauses to implement the above policies in solicitations and contracts. The first clause at 1852.237-72, Access to Confidential Information, would go into service contracts that involve access to information in the Government's possession that is necessary to support NASA's management activities and administrative functions. This clause would delineate the service contractor's responsibilities to limit to the purposes specified in the contract its use of any of this information that is confidential, to safeguard the information from unauthorized outside disclosure, and to train employees and obtain their written commitments to handle the information in an authorized manner, only.

The second clause at 1852.237-73, Release of Confidential Information, would go in all solicitations and contracts to notify offerors and contractors that NASA may release their confidential information to other contractors supporting NASA's management activities and administrative functions. Recognizing that this announcement may cause concerns for these offerors and contractors, the clause recites the protections embodied in the receiving, support service contract through the new clause at 1852.237-72. Essentially, the clause at 1852.237-73 announces NASA's intent to release companies' confidential information to support service contractors. But, in announcing this intent, the clause also promises that the support contractors will implement specific and enumerated safeguards and procedures to protect the information.

B. Regulatory Flexibility Act

NASA certifies that this proposed rule will not have a significant economic impact on a substantial number of small business entities within the meaning of the Regulatory Flexibility Act (5 U.S.C. 601, et. seq.), because the proposed new, streamlined approach of having each service contractor implement specific safeguards and procedures should offer the same or better protection for confidential information belonging to small business entities than does the current system of third party agreements, envisioned by FAR 9.505-4. This proposed rule should ease the burden on small business entities by not requiring them to enter multiple, interrelated third party agreements with the numerous service contractors that support NASA's management activities and administrative functions.

C. Paperwork Reduction Act

The Paperwork Reduction Act does not apply because the proposed changes to the NFS do not impose any recordkeeping or information collection requirements, or collections of information from offerors, contractors, or members of the public that require the approval of the Office of Management and Budget under 44 USC 3501, et. seq.

Start List of Subjects

List of Subjects in 48 CFR Parts 1809, 1837, and 1852

End List of Subjects Start Signature

Tom Luedtke,

Assistant Administrator for Procurement.

End Signature

Accordingly, 48 CFR parts 1809, 1837, and 1852 are proposed to be amended as follows:

1. The authority citation for 48 CFR parts 1809, 1837, and 1852 continues to read as follows:

Start Authority

Authority: 42 U.S.C. 2473(c)(1).

End Authority Start Part

PART 1809—CONTRACTOR QUALIFICATIONS

2. Add section 1809.505-4 to read as follows:

Obtaining access to confidential information.

(b) In accordance with FAR 9.503, the Assistant Administrator for Procurement has determined that it would not be in the Government's interests for NASA to comply strictly with FAR 9.505-4(b) when acquiring services to support management activities and administrative functions. The Assistant Administrator for Procurement has, therefore, waived the requirement that before gaining access to other companies' proprietary or confidential (see 1837.203-70) information contractors must enter specific agreements with each of those other companies to protect their information from unauthorized use or disclosure. Accordingly, NASA will not require contractors and subcontractors and their employees in procurements that support management activities and administrative functions to enter into separate, interrelated third party agreements to protect confidential information from unauthorized use or disclosure. As an alternative to numerous, separate third party agreements, 1837.203-70 prescribes detailed policy and procedures to protect contractors from unauthorized use or disclosure of its confidential information. Nothing in this section waives the requirements of FAR 37.204 and 1837.204.

End Part Start Part

PART 1837—SERVICE CONTRACTING

3. Add sections 1837.203-70, 1837.203-71, and 1837.203-72 to read as follows:

Providing contractors access to confidential information.

(a)(1) As used in this subpart, “confidential information” refers to information that the contractor has developed at private expense or that the Government has generated that qualifies Start Printed Page 67997for an exception to the Freedom of Information Act, which is not currently in the public domain, may embody trade secrets or commercial or financial information, and may be confidential or privileged.

(2) As used in this subpart, “requiring organization” refers to the NASA organizational element or activity that requires specified services to be provided.

(3) As used in this subpart, “receiving entity” refers to the service-providing contractor that receives confidential information from NASA to provide services to the requiring organization.

(b) To support management activities and administrative functions, NASA relies on the services of numerous contractors. Contractors providing these services may require access to confidential information in the Government's possession, which may be entitled to protection from unauthorized use or disclosure. NASA shall require any service contractor that receives access to confidential information to take the steps contained in the clause at 1852.237-72, Access to Confidential Information, to protect it from unauthorized use or disclosure.

(c) The requiring organization is responsible for identifying when a requirement will require access to confidential information and making the determination that providing access is necessary for accomplishing the Agency's mission. The requiring organization is responsible for reviewing any contractor requests for access to information to determine whether the access is necessary and whether the information requested is considered confidential as defined in paragraph (a) of this section.

(d)(1) Solicitations for services that require contractor access to confidential information shall require each offeror (potential receiving entity) to submit with its proposal a preliminary analysis of possible organizational conflicts of interest that might flow from the award of a contract. After selection, the new service contractor must submit for approval a comprehensive organizational conflict of interest avoidance plan, based on the preliminary analysis. This plan should thoroughly analyze all organizational conflicts of interest that might arise because the service contractor has access to other companies' confidential information. This analysis should propose specific methods to control, mitigate, or eliminate all problems identified. The contracting officer shall incorporate the approved plan into the resulting contract, as a compliance document.

(2) If the contractor will be operating an information technology system for NASA that contains confidential information, the operating contract shall include the clause at 1852.204-76, Security Requirements for Unclassified Information Technology Resources, which requires the implementation of an Information Technology Security Plan to protect information processed, stored, or transmitted from unauthorized access, alteration, disclosure, or use.

Release of contractors' confidential information.

(a) By submitting offers or performing contracts, offerors and contractors agree that NASA may provide non-NASA employees access to their confidential information, subject to the safeguards and protections delineated in the clause at 1852.237-72, Access to Confidential Information.

(b) As required by the clause at 1852.237-73, Release of Confidential Information, or another contract clause or solicitation provision, contractors must identify confidential information submitted as part of a proposal or in performance of a contract. The contracting officer shall evaluate the contractor's claim to have submitted “confidential information” in deciding whether NASA and its service contractors must expend time and resources to protect and safeguard the information in accordance with the clause at 1852.237-72.

NASA contract clauses.

(a) The contracting officer shall insert the clause at 1852.237-72, Access to Confidential Information, in all solicitations and contracts for services that require access to confidential information belonging to other companies or generated by the Government.

(b) The contracting officer shall insert the clause at 1852.237-73, Release of Confidential Information, in all solicitations, contracts, and basic ordering agreements .

End Part Start Part

PART 1852—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

4. Add sections 1852.237-72 and 1852.237-73 to read as follows:

Access to Confidential Information.

As prescribed in 1837.203-72(a), insert the following clause:

ACCESS TO CONFIDENTIAL INFORMATION (XX/XX)

(a) As used in this clause, “confidential information” refers to information that a contractor has developed at private expense, or that the Government has generated that qualifies for an exception to the Freedom of Information Act, which is not currently in the public domain, and may embody trade secrets or commercial or financial information, and may be confidential or privileged.

(b) To assist NASA in accomplishing management activities and administrative functions, the Contractor shall provide the services specified elsewhere in this contract. Performing these services may require access to confidential information that other companies have furnished to the Government in the course of providing supplies or services, or that the Government has generated.

(c) In performing this contract, the Contractor agrees to—

(1) Utilize any confidential information coming into its possession only for the purposes of performing the services specified in this contract, and never to improve its own competitive position in another procurement.

(2) Safeguard confidential information coming into its possession from unauthorized use and disclosure.

(3) Allow access to confidential information only to those employees that need it to perform services under this contract.

(4) Preclude access and disclosure of confidential information to persons and entities outside of the Contractor's organization.

(5) Train employees who may require access to confidential information about their obligations to utilize it only to perform the services specified in this contract and to safeguard it from unauthorized use and disclosure.

(6) Obtain an express, binding written agreement from each employee who receives access to confidential information to protect it from unauthorized use or disclosure and to utilize it only for the purposes of performing this contract.

(7) Establish a monitoring process to ensure that employees comply with all reasonable security procedures, report any breaches to the Contracting Officer, and implement any necessary corrective actions.

(d) The Contractor will comply with all procedures and obligations specified in its Organizational Conflict of Interest Avoidance Plan, which the Contracting Officer has approved and incorporated into this contract.

(e) The nature of the work on this contract may subject the Contractor and its employees a variety of laws and regulations relating to ethics, conflicts of interest, corruption, and other criminal or civil matters relating to the award and administration of government contracts. Recognizing that this contract establishes a high standard of accountability and trust, the Government will carefully review the Contractor's performance in relation to the mandates and restrictions found in these laws and regulations.

(f) The Contractor shall include the substance of this clause, including this Start Printed Page 67998paragraph (f), suitably modified to reflect the relationship of the parties, in all subcontracts that may involve access to confidential information.

(End of clause)

Release of Confidential Information.

As prescribed in 1837.203-72(b), insert the following clause:

RELEASE OF CONFIDENTIAL INFORMATION (XX/XX)

(a) As used in this clause, “confidential information” refers to information, not currently in the public domain, that the Contractor has developed at private expense, may embody trade secrets or commercial or financial information, and that may be confidential or privileged.

(b) In accomplishing management activities and administrative functions, NASA relies heavily on the services of various contractors. To perform these services, contractors, as well as their subcontractors and their individual employees, may need access to confidential information submitted by the Contractor under this contract.

(c)(1) The Contractor shall mark or otherwise identify any confidential information submitted in support of this proposal or in performing this contract. The Contracting Officer will evaluate the Contractor's claim to have submitted “confidential information,” as defined above, in deciding whether NASA and its service contractors must protect and safeguard the information in accordance with the clause at 1852.237-72, Access to Confidential Information. Unless the Contracting Officer decides to challenge the Contractor's “confidential information” marking, NASA and its service contractors and their employees shall apply all of the conditions and safeguards listed in the clause at 1852.237-72.

(2) For information already in NASA's possession, the Contracting Officer shall attempt to identify the owner and afford that entity a reasonable opportunity to assert confidentiality in accordance with the principles and criteria delineated in the FAR. For purposes of asserting confidentiality, the parties may agree to use the procedures delineated in the clause at FAR 52.227-14 as a guide.

(d) Any entity that receives access to confidential information needed to assist NASA in accomplishing management activities and administrative functions must be operating under a contract that contains the clause at 1852.237-72, Access to Confidential Information. This clause obligates the receiving entity to do the following:

(1) Comply with all procedures and obligations specified in its contract, including the Organizational Conflict of Interest Avoidance Plan, which the Contracting Officer has approved and incorporated into its contract.

(2) Utilize any confidential information coming into its possession only for the purposes of performing the services specified in its contract.

(3) Safeguard confidential information coming into its possession from unauthorized use and disclosure.

(4) Allow access to confidential information only to those employees that need it to perform services under its contract.

(5) Preclude access and disclosure of confidential information to persons and entities outside of the contractor's organization.

(6) Train employees who may require access to confidential information about their obligations to utilize it only to perform the services specified in its contract and to safeguard it from unauthorized use and disclosure.

(7) Obtain an express, binding written agreement from each employee who receives access to confidential information to protect it from unauthorized use or disclosure and to utilize it only for the purposes of performing the contract.

(8) Establish a monitoring process to ensure that employees comply with all reasonable security procedures, report any breaches to the Contracting Officer, and implement any necessary corrective actions.

(e) When the receiving entity will have primary operational responsibility for an information technology system for NASA that contains confidential information, the entity's contract shall include the clause at 1852.204-76, Security Requirements for Unclassified Information Technology Resources. The Security Requirements clause requires the receiving entity to implement an Information Technology Security Plan to protect information processed, stored, or transmitted from unauthorized access, alteration, disclosure, or use. Receiving entity personnel requiring privileged access or limited privileged access to these information technology systems are subject to screening using the standard National Agency Check (NAC) forms appropriate to the level of risk for all. The Contracting Officer may allow the receiving entity to conduct its own screening, provided this entity employs substantially equivalent screening procedures.

(f) This clause does not affect NASA's responsibilities under the Freedom of Information Act.

(g) The Contractor shall insert this clause, including this paragraph (g), suitably modified to reflect the relationship of the parties, in all subcontracts that may require the furnishing of confidential information.

(End of clause)

End Part End Supplemental Information

[FR Doc. 03-29930 Filed 12-4-03; 8:45 am]

BILLING CODE 7510-01-U