Skip to Content

Rule

Contractor Access to Sensitive Information

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

National Aeronautics and Space Administration (NASA).

ACTION:

Final rule.

SUMMARY:

This final rule adopts with changes the proposed rule published in the Federal Register on December 5, 2003 (68 FR 67995—67998). This final rule amends the NASA Federal Acquisition Regulation (FAR) Supplement (NFS) by providing policy and procedures on how NASA will acquire services to support management activities and administrative functions when performing those services requires the contractor to have access to sensitive information submitted by other contractors. NASA's increased use of contractors to support management activities and administrative functions, coupled with implementing Agency-wide electronic information systems, requires establishing consistent procedures for protecting sensitive information from unauthorized use or disclosure.

EFFECTIVE DATE:

June 21, 2005.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

David Forbes, NASA Headquarters, Contract Management Division, Washington, DC 20546, (202) 358-2051, e-mail: David.P.Forbes@nasa.gov.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

A. Background

On December 5, 2003, NASA published in the Federal Register (68 FR 67995—67998) a proposed revision to the NFS prescribing policy, procedures, and clauses to address how NASA will acquire services to support management activities and administrative functions when performing those services requires the service provider to have access to “confidential” information submitted by other contractors. One of the comments that NASA received in response to this publication relates to a fundamental concept and demands attention at the outset. As published, the proposed rule used the word “confidential” to describe the types of information that required special attention when turned over to a service provider. NASA intended this word to describe a general class of information, largely of a business or management nature, the value of which arose mostly from the fact that it was not readily known to the public. NASA never intended this word to refer to one of the standard classifications of information for national security purposes, as in “confidential-secret-top secret.” Nevertheless, concerns have arisen that using the word might cause confusion with national security information. To avoid possible confusion, we have replaced the word “confidential” with the word “sensitive.” This revision should clarify that the proposed rule deals with business and management information, the value of which lies primarily in the fact that is not generally known to the public. The proposed rule does not implement or refer to the classification of information for national security purposes.

With regard to more general background information, NASA's essential procurement operations generate large amounts of “sensitive information,” both from offerors and contractors. Traditionally, NASA civil servants received, analyzed, and used this information to ensure that the Agency spent tax dollars in a responsible and consistent manner. The Trade Secrets Act and other statutes have for years imposed criminal liabilities on government employees who disclosed this type of information to unauthorized outside parties. Offerors and contractors have willingly provided sensitive information about their operations, costs, business practices, and other matters, knowing that NASA would not provide another contractor (“service provider”) access to this information without first ensuring that the parties had complied with FAR 9.505-4. As a condition to allowing a service provider access to another contractor's proprietary information, FAR 9.505-4 would require that the parties execute a satisfactory protection/use agreement. Central to this process were notice to the owner of the Start Printed Page 35550information before any access occurred and the opportunity to develop acceptable terms and conditions governing the service provider's use of the information. From a practical standpoint, this approach could work only after the Government had selected a service provider to perform clearly defined tasks using identified information from a known source that could consent to terms and conditions governing the access.

With many more contractor personnel supporting government operations, NASA must find ways to accommodate the increasing number of situations requiring non-government personnel to safeguard contractor sensitive information. Multiple, inter-related third-party protection agreements between service providers and other contractors that submit information they claim to be “sensitive” will simply not work on a large scale. To establish a more efficient, realistic, modern, across-the-board solution, the NFS revisions, published for public comment in the Federal Register on December 5, 2003 (68 FR 67995—67998), proposed a self-executing system of procurement policy, procedures, and clauses to allow NASA activities to rely routinely on private sector service providers to support day-to-day operations throughout the Agency.

The published NFS revisions proposed two new clauses to implement this self-executing system of policies and procedures. The first clause at 1852.237-72, Access to Sensitive Information, would go into all solicitations and contracts for services to allow access to sensitive information, whenever it is needed to support NASA's management activities and administrative functions. As published, this “Access” clause delineated the service provider's responsibilities to limit to the purposes specified in the contract its use of any sensitive information, to safeguard the information from unauthorized outside disclosure, and to train employees and obtain their written commitments to use the information in an authorized manner, only. Because of concerns under the Paperwork Reduction Act, NASA has revised the proposed “Access” clause to require that the service provider obtain only a simple affirmation from each employee that he/she has received training and will comply with the lessons learned regarding the use and protection of sensitive information under the contract.

The second clause at 1852.237-73, Release of Sensitive Information, goes into all solicitations and contracts, and notifies offerors and contractors that NASA may, subject to the enumerated protections mandated by the “Access” clause at 1852.237-72, release their sensitive information to service providers that support NASA activities and functions. This “Release” clause assures offerors and contractors, by reciting the express protections incorporated into the service provider's contract through the “Access” clause, that their information will remain sensitive. Essentially, the “Release” clause announces NASA's broad intent to make necessary sensitive information available to service providers, but only in accordance with strict limitations enumerated in the companion “Access” clause. These enumerated limitations mandate strict, specific, and express safeguards and procedures to protect that information.

Comments on the proposed rule were received from an industry association and NASA field installations. The comments received were considered in formulation of this final rule. This final rule adopts the proposed rule with changes. The changes are made to clarify contractor roles, to emphasize the protection of sensitive information, and to provide the owners of sensitive information assurance that their data will continue to receive protection. The changes include revising the term “receiving contractor” to “service provider;” providing a sample legend to identify sensitive information; and identifying the serious consequences for unauthorized use or disclosure.

The following summarizes the comments received from NASA's publication of the proposed rule and provides responses.

1. Comment: Was it necessary for the NASA Assistant Administrator for Procurement to waive in its entirety FAR 9.505-4, Obtaining Access to Proprietary Information? Could a less drastic solution help NASA without impacting the owners of sensitive information by simply revising the NFS to relieve contracting officers of overseeing a multitude of third party protection agreements and leave the terms of protection and their enforcement to the service providers and owners, themselves? Under this approach, the contracting officer would only identify each NASA service provider to the owners of needed sensitive information and then leave these parties free to arrange for acceptable terms of protection.

Response: In a real world, competitive environment, it was necessary for NASA to waive FAR 9.505-4 in its entirety. Implicitly, FAR 9.505-4 assumes an agency has already awarded a contract to a service provider that needs access to specific information owned by another contractor. In this scenario, the protections that the owner will demand before granting access to specific sensitive information are the only significant unknowns. The assumptions behind FAR 9.505-4 are simply not valid in the early phases of a competitive procurement. Even without burdening the contracting officer to oversee third-party protection agreements, FAR 9.505-4 would require each potential service provider in a competitive procurement to know in advance of submitting a proposal, the exact information needed to perform as specified in the solicitation, what contractors own that information, and what protections those owners deemed acceptable as a condition to granting access to the information. This level of pre-proposal information would simply not be available in a competitive procurement. As a more realistic and useful alternative, the revised NFS relies not on individual third-party protection agreements, but rather prescribes standardized, reciprocal contract clauses to protect sensitive information. A “Release” clause goes into the information owner's contract to document consent to release and to delineate the extensive, specific protections that the service provider will implement. A reciprocal “Access” clause goes into the service provider's contract to place strict controls over its activities. Under the new “Release” clause, the owner of sensitive information expressly consents to access, as needed by NASA service providers. To gain this necessary access, however, the service provider must have expressly agreed, through the new “Access” clause, to comply with and implement an extensive number of binding and enumerated protections.

2. Comment: NASA has received a large quantity of “sensitive information” in connection with solicitations and contracts that did not contain the new “Release” clause. The offerors and contractors that submitted this information are not bound by the clause and have not expressly agreed that NASA service providers may have access to their sensitive information. In view of the broad waiver of FAR 9.505-4, how will NASA contracting officers avoid violating the Trade Secrets Act by giving service providers access to sensitive information that was not subject to the “Release” clause?

Response: This point may be valid in those situations when a service provider requests access to information that NASA has received pursuant to contracts that did not contain the Start Printed Page 35551“Release” clause. To address contracts that did not contain the clause at 1852.237-73, the NFS will provide internal guidance for NASA contracting officers and requiring activities instructing them to examine all requests from service providers for access to sensitive information. This examination should first determine whether NASA possesses responsive information. If so, the requiring activity should next assess whether access to that information is crucial to the service provider's ability to perform. If the requiring activity possesses the requested information and it is crucial to performing the needed services, then the contracting officer must try to identify and contact the owner of the information to determine whether it claims that the information is “sensitive.” At this point, the contracting officer should attempt to negotiate a modification to the owner's contract to incorporate the “Release” clause and proceed from there. Because the service provider's contract will contain extensive protections for the sensitivity of the information, NASA expects that most owners will agree to incorporate the “Release” clause into their existing contracts. If the owner refuses to modify its contract to include the “Release” clause, but persists in claiming the information is sensitive, the requiring activity should prepare a preliminary assessment for the contracting officer addressing whether the claim has a valid factual basis. This analysis should address whether NASA might have persuasive grounds to challenge the claim. If there appears to be persuasive basis for challenging the owner's claim, the contracting officer should seek advice from Center counsel before taking any further action. If, on the other hand, the claim appears to be valid, the requiring activity should re-examine the relationship of the information to the services needed. The service provider may be able to perform acceptably without the requested information. Additionally, the contracting officer may be able to facilitate reaching an agreement on acceptable terms of protection. The contracting officer and the requiring activity should examine all alternatives to obtain the needed support. But, without clear evidence that the owner of the sensitive information has consented to release, NASA will not expose its employees to the risk of violating 18 USC. 1905.

3. Comment: One comment blankly asserted that the proposed rule might violate 41 USC. 418a with respect to “technical data.” Although not clearly articulated, NASA assumes the comment is referring to the following language in 41 USC. 418a:

* * * the United States may not require persons who have developed products or processes offered or to be offered for sale to the public as a condition for the procurement of such products or processes by the United States, to provide to the United States technical data relating to the design, development, or manufacture of such products or processes * * *.

Response: This prohibition deals with how Federal agencies define their procurement requirements for information. An agency may not require a company to forfeit private intellectual property rights in technical data as a condition to receiving a government contract. NASA notes simply that the proposed rule has nothing to do with defining procurement requirements for information. Rather, the proposed rule focuses on how NASA manages information that offerors and contractors have already delivered to the Government as part of submitting proposals or performing contracts. The assertion that the proposed rule might violate 41 USC. 418a appears to flow from two faulty premises. First, the proposed rule is not concerned primarily with “technical data” of a “scientific or technical nature,” but instead focuses on “information incidental to contract administration, such as financial, administrative, cost or pricing or management information.” The FAR expressly excludes this latter type of information from the definition of “technical data.” Second, the proposed rule is not concerned with how NASA defines procurement requirements for information owned by its contractors. The proposed rule simply enables service providers to obtain access to information they need to support Agency management activities and administrative functions. In most cases, the owners will have already submitted this information as a matter incidental to contract administration.

4. Comment: NASA intends to rely more and more heavily on the private sector to support essential management activities and administrative functions. Most of these activities and functions involve access to sensitive information submitted by offerors in the process of competing for awards, or by contractors as part of performance. Asking the owners of sensitive information to provide access to other contractors, some of which may be business rivals, is an inherently difficult issue and could seriously discourage competition. To promote trust, the NFS should, as a minimum, prescribe standard terms and conditions for the organizational conflicts of interest (OCI) avoidance plan and require the contracting officer to approve each offeror's proposed approach to this important document.

Response: Logically, there can be no standard approach to avoiding OCI's, which are by their nature unique to the individual contractor. The service provider must thoroughly analyze its own situation, including the services to be rendered, the information needed to perform those services, other procurements for which the service provider may intend to compete, and specific mechanisms the service provider is willing to implement to mitigate, neutralize, or eliminate foreseeable possible conflicts of interest. In addition to recognizing that each service provider's OCI's are essentially unique, any avoidance plan must flow from performance-based contracting principles to be acceptable today. As such, the buyer defines only the final outcomes to be achieved, not the methods of getting there. Consequently, the NFS will leave the details of any OCI avoidance plan to the service provider that must live by it. The contracting officer in concert with Center counsel is responsible for receiving and reviewing the plan for reasonable completeness and communicating any substantive weaknesses and omissions discovered to the service provider for necessary revisions. The contracting officer will incorporate the accepted plan into the contract as a compliance document. If the service provider fails to mitigate all potential conflicts and/or unauthorized disclosures and uses occur, the service provider must take adequate corrective actions. If the corrective actions are not adequate, the contracting officer may terminate the contract.

5. Comment: The Assistant Administrator for Procurement's broad waiver of FAR 9.505-4 could cause NASA employees to violate the Trade Secrets Act, 18 U.S.C. 1905, because not all of the information owners would have expressly consented to release through the new “Release” clause. Moreover, with respect to technical data, the proposed rule might also violate 41 U.S.C. 418a, which requires the FAR to prescribe regulations governing the allocation of rights in data developed through contracts using tax dollars. The Assistant Administrator's authority to waive rules relating to Organizational Conflicts of Interest does not extend the requirements of other statutes.

Response: The Trade Secrets Act prohibits government employees from releasing trade secret information to any extent not authorized by law. The Office Start Printed Page 35552of Federal Procurement Policy Act authorized NASA to issue the NFS. NASA is adding the new “Release” clause to the NFS in accordance with the OFPP Act. Therefore, releasing information pursuant to the “Release” clause would be “authorized by law” and not violate the Trade Secrets Act. Presumably, therefore, this comment relates to sensitive information that NASA received under contracts or other agreements that did not contain the new “Release” clause. The NFS will contain detailed procedural guidance instructing requiring activities and contracting officers how to deal with this type of information. This procedural guidance will first instruct the contracting officer/requiring activity to contact the owner of the information to evaluate its claim to be entitled to protection and to seek agreement to incorporate the new “Release” clause. Alternatively, the contracting officer should try to facilitate an individualized agreement on acceptable terms of protection. If the information appears to be entitled to protection, but the owner is unwilling to accept the “Release” clause or to negotiate specific, tailored terms of protection, the contracting officer/requiring activity should examine on a more detailed level how much access the service provider actually needs. On closer examination, it may be possible that different, less comprehensive services could satisfy the requiring activity.

In accordance with 41 U.S.C. 418a, both the FAR and the NFS have promulgated regulations dealing with how agencies acquire and allocate rights to data developed under government contracts. The Assistant Administrator for Procurement's waiver of FAR 9.505-4 does not, however, relate to how NASA acquires and allocates rights in data. The waiver relates, instead, to information submitted in support of proposals or in the course of performing contracts. Most of this information is not “technical data,” which the Government procures for its own value. Rather, the revised NFS generally uses the term “sensitive information” to refer to financial and administrative information that is incidental to contract administration. As such, the Assistant Administrator for Procurement's waiver of FAR 9.505-4 does not affect 41 U.S.C. 418a or the requirements of any other statute or binding instruction.

6. Comment: The proposed rule does not define the term “sensitive information” clearly and, as a result, fails to exclude from the operation of the clauses cost or pricing data, other financial information, administrative or management information, and the like. The term “sensitive information” should not be broader in scope than “data” as defined in FAR Part 27, which specifically excludes information incidental to contract administration.

Response: NASA understands that FAR Part 27 specifically excludes information incidental to contract administration from the definition of “data.” In contrast, the new NFS coverage focuses primarily on information incidental to contract administration, not technical data. As the published proposed rule noted, the primary purpose of the new coverage is to allow a service provider access to information necessary to support NASA activities and functions, as civil servants did in the past.

7. Comment: The proposed rule implies that NASA need only protect data “developed at private expense.” The definition of “trade secret” does not depend on the concept of development costs. A trade secret covers a variety of forms of information that derive economic value, actual or potential, from not being generally known to the public. NASA needs to continue to protect any trade secret or it will compromise the property rights of companies, with which it currently does business. FAR 27.402 instructs agencies to avoid doing so.

Response: NASA agrees that the term “trade secret” extends to many types of information that derive economic value from not being generally known to the public. But, with regard to protecting contractors” legitimate property rights, FAR 27.402 establishes the following policy: “* * * the Government recognizes that its contractors may have a legitimate proprietary interest (e.g., a property right or other valid economic interest) in data resulting from private investment.” (Emphasis added.) It seems fairly clear from this language, that FAR 27.402 envisions protecting only sensitive or proprietary information that a contractor has developed at private expense. Without meeting this simple test, the FAR implicitly does not recognize as “legitimate” a contractor's claim for trade secret protection.

8. Comment: The revised NFS would require the holders of “ordinary procurement” contracts to identify “sensitive information,” but provides no instructions on how to do so. Moreover, NASA will continue to obtain sensitive information under contracting vehicles, such as “Space Act Agreements,” that are not covered by the new “Release” clause. What will tell these contractors how to identify “sensitive information?”

Response: The revised NFS deals with how service providers obtain access to the information they need to support NASA operations, not with particular property rights resulting from the expenditure of tax dollars. As such, the NFS does not need to prescribe a particular legend to instruct contractors on how to identify their own sensitive information. For the contractor's convenience, however, the revised “Release” clause provides a sample notice identifying sensitive information. The new “Access” clause prescribes what service providers must do to protect the information they receive to support NASA operations. The NFS governs NASA contracts, not “other transactions” authorized by the Space Act. Generally, however, NASA does not acquire property and services for the expenditure of tax dollars under “other transactions.”

9. Comment: Under the new “Access” clause, a service provider can allow access to sensitive information only to employees that need it to perform the specified support. Yet, the clause does not prescribe any process for determining which employees have a “need-to-know” sensitive information or what sanctions NASA may impose for unauthorized use.

Response: Performance-based contracting principles call for NASA to define only the final performance outcomes, not how the contractor is to achieve those objectives. The revised NFS allows the contractor to define how it will achieve the specified outcomes for NASA. Assigning work and functions among its employees is certainly within the contractor's discretion. The revised section 1837.203-70 does instruct the contracting officer to monitor the effectiveness of the contractor's system for encouraging employees to avoid unauthorized uses and disclosures. The revised clause at 1852.237-72 also describes the administrative remedies available to the contracting officer to encourage service providers to comply with their new obligations to protect sensitive information and avoid unauthorized uses or disclosures.

10. Comment: The new “Access” clause requires service providers to obtain express, binding written use agreements from their employees to protect sensitive information and use it only for the purposes of performing the specified services. Doing so is likely to be a tremendous administrative burden. Additionally, the service provider has no obligation to keep different companies' information segregated.

Response: As published, the new “Access” clause did require contractors to obtain express, binding written agreements from their employees to protect sensitive information and use it Start Printed Page 35553only for performing the services specified. After considering comments on this language, NASA decided to revise the clause to require contractors to obtain written acknowledgements from their employees that they have received training in how to protect sensitive information and will adhere to the lessons learned in providing services under the contract. This simple acknowledgement does not require contractors to collect information. Certainly, a much more onerous burden would flow from a greatly expanded system of interrelated third party non-disclosure agreements among all the entities that provide sensitive information in the course of submitting competitive proposals or performing contracts for NASA. With regard to segregating different companies' information, that responsibility is implicit in the obligation to use information only to perform the specified services.

11. Comment: A potentially tremendous burden on the contracting officer, far exceeding any imposed by FAR 9.505-4, will be determining what information in NASA's possession is “sensitive” and who owns it. Moreover, NASA has information from companies that may no longer do business with the Government, or may no longer be in operation, at all; others have gone on to other businesses; and some may never have a contract containing the new “Release” clause. These situations, effectively, deprive NASA of the owner's consent to release sensitive information and expose government employees to possible violations of 18 U.S.C. 1905. If breaches and unauthorized disclosures occur, the NFS does not provide guidelines to the contracting officer on what actions are appropriate and/or effective.

Response: While some of these observations may be valid, none requires regulatory coverage beyond internal guidance for NASA operations. With regard to contracts that do not contain the “Release” clause, we are developing NFS internal guidance that begins by recognizing that in the course of proposing, the service provider will delve into the solicitation requirements to determine what information is needed to perform. The service provider should then request access to specifically identified information from the contracting officer/requiring activity. At that point, the requiring activity should try to determine whether NASA possesses the identified information, who owns it, and whether that owner claims to be entitled to protection. The contracting officer should then contact the owner to discuss incorporating the new “Release” clause. If the owner asserts the identified information is sensitive and entitled to protection, but resists incorporating the “Release” clause, the contracting officer should attempt to negotiate satisfactory, alternate terms of protection. The contracting officer should try to include the owner and the service provider in this process. At the same time, the contracting officer, with the assistance of Center counsel, should evaluate whether there is a valid factual basis for claiming that the information is sensitive and entitled to protection. If the owner continues to resist access, the contracting officer should, next, explore whether some reduced level of support, not requiring access to sensitive information, might be satisfactory. With regard to a service provider's unauthorized uses or disclosures, the clause at 1852.237-72 describes some of the administrative responses available to the contracting officer.

12. Comment: 1852.237-73(c) should specify whether and how the parties may challenge the sensitivity of information, including the process to follow and the owner's rights to redress.

Response: The new NFS purposely defines “sensitive information” to exclude “technical data,” as defined in the FAR. Sensitive information is incidental to contract administration and, generally, does not have independent value to its owners. Consequently, a highly structured, formalistic challenge process seems neither necessary nor desirable. Any challenge would have to show the following basic elements:

(a) Private investment developed the information or the Government generated it and it qualifies for an exception to the Freedom of Information Act.

(b) The information must not currently be in the public domain.

(c) The information may embody trade secretes or commercial or financial information.

(d) The information may be sensitive or privileged.

The NFS will provide only general guidance in this area, recognizing these are very difficult judgments. Until the contracting officer decides for sound reasons to challenge an owner's claim that information is sensitive and entitled to protection, NASA and its service provider will comply with the owner's assertions.

B. Executive Order 12866 and Regulatory Flexibility Act

This final rule does not meet the definition of “significant” under Executive 12866. NASA certifies that this final rule will not have a significant economic impact on a substantial number of small business entities within the meaning of the Regulatory Flexibility Act (5 U.S.C. 601, et. seq.), because the new, streamlined approach of having each service provider implement specific safeguards and procedures should offer the same or better protection for sensitive information belonging to small business entities than does the current system of third party agreements, envisioned by FAR 9.505-4. Moreover, this final rule should ease the burden on small business entities by not requiring them to enter multiple, interrelated third party agreements with numerous service contractors that support NASA's management activities and administrative functions.

C. Paperwork Reduction Act

The proposed NFS revisions simply amplify and clarify NASA's implementation of FAR 9.504, coverage that has existed for nearly 20 years. NASA has published these NFS revisions for public comment and received no challenges, objections, or concerns regarding the information collection requirements associated with providing services that will entail access to sensitive information. Because access to sensitive information is necessary to perform the specified services, solicitations will require all bidders and offerors to submit preliminary analyses of potential conflicts of interests. Further, each awarded contract that will entail access to sensitive information will also require the service provider to submit a comprehensive organizational conflicts of interest avoidance plan, as a deliverable report during performance.

Over the years, NASA has requested and OMB has approved various information collections necessary to evaluate bids and proposals submitted for the award of contracts, as well as for contract reports required to manage approved programs and projects. The OMB approval numbers currently in effect for these various categories of information collections are as follows:

1. OMB No. 2700-0085, bids and proposals with an estimated value more than $500,000.

2. OMB No. 2700-0089, reports required for contracts with an estimated value more than $500,000.

3. OMB No. 2700-0087, bids and proposals with an estimated value less than $500,000.

4. OMB No. 2700-0088, reports required on contracts valued at less than $500,000.Start Printed Page 35554

5. OMB No. 2700-0086, purchase orders for goods and services with an estimated value of $100,000 or less.

Our requests for OMB approval for these information collections have noted that NASA prepares solicitations for bids and proposals and defines requirements for contract deliverables in accordance with the OFPP Policy Act, as amended by Pub. L. 96-83, the National Aeronautics and Space Act of 1958, as amended, the Federal Acquisition Regulation (FAR), the NASA FAR Supplement, and approved mission requirements. In seeking OMB approval, NASA has described and administratively tracked these information collections in generic, functional terms, and categorized the requests based on the estimated dollar values of the purchase orders or contracts supporting the procurements in question.

As described above, these information collections cover broad functional procurement needs, at all dollar values relevant to NASA's current contracting practices. Consequently, OMB's current approvals adequately cover the proposed rule's requirements that, during the evaluation phase of each procurement, all bids and offers must contain preliminary analyses of potential conflicts of interest and that after award each new service provider must submit a comprehensive conflicts of interest avoidance plan for inclusion in the contract as a compliance document. In our view, the Paperwork Reduction Act does not require any further action in support of this final rule.

Start List of Subjects

List of Subjects in 48 CFR Parts 1809, 1837, and 1852

End List of Subjects Start Signature

Tom Luedtke,

Assistant Administrator for Procurement.

End Signature Start Amendment Part

Accordingly,

End Amendment Part Start Amendment Part

1. The authority citation for

End Amendment Part Start Authority

Authority: 42 USC. 2473(c)(1)

End Authority Start Part

PART 1809—CONTRACTOR QUALIFICATIONS

End Part Start Amendment Part

2. Add section 1809.505-4 to read as follows:

End Amendment Part
Obtaining access to sensitive information.

(b) In accordance with FAR 9.503, the Assistant Administrator for Procurement has determined that it would not be in the Government's interests for NASA to comply strictly with FAR 9.505-4(b) when acquiring services to support management activities and administrative functions. The Assistant Administrator for Procurement has, therefore, waived the requirement that before gaining access to other companies' proprietary or sensitive (see 1837.203-70) information contractors must enter specific agreements with each of those other companies to protect their information from unauthorized use or disclosure. Accordingly, NASA will not require contractors and subcontractors and their employees in procurements that support management activities and administrative functions to enter into separate, interrelated third party agreements to protect sensitive information from unauthorized use or disclosure. As an alternative to numerous, separate third party agreements, 1837.203-70 prescribes detailed policy and procedures to protect contractors from unauthorized use or disclosure of their sensitive information. Nothing in this section waives the requirements of FAR 37.204 and 1837.204.

Start Part

PART 1837—SERVICE CONTRACTING

End Part Start Amendment Part

3. Add sections 1837.203-70, 1837.203-71, and 1837.203-72 to read as follows:

End Amendment Part
Providing contractors access to sensitive information.

(a)(1) As used in this subpart, “sensitive information” refers to information that the contractor has developed at private expense or that the Government has generated that qualifies for an exception to the Freedom of Information Act, which is not currently in the public domain, may embody trade secrets or commercial or financial information, and may be sensitive or privileged, the disclosure of which is likely to have either of the following effects: To impair the Government's ability to obtain this type of information in the future; or to cause substantial harm to the competitive position of the person from whom the information was obtained. The term is not intended to resemble the markings of national security documents as in sensitive-secret-top secret.

(2) As used in this subpart, “requiring organization” refers to the NASA organizational element or activity that requires specified services to be provided.

(3) As used in this subpart, “service provider” refers to the service contractor that receives sensitive information from NASA to provide services to the requiring organization. (b)(1) To support management activities and administrative functions, NASA relies on numerous service providers. These contractors may require access to sensitive information in the Government's possession, which may be entitled to protection from unauthorized use or disclosure.

(2) As an initial step, the requiring organization shall identify when needed services may entail access to sensitive information and shall determine whether providing access is necessary for accomplishing the Agency's mission. The requiring organization shall review any service provider requests for access to information to determine whether the access is necessary and whether the information requested is considered “sensitive” as defined in paragraph (a)(1) of this section.

(c) When the requiring organization determines that providing specified services will entail access to sensitive information, the solicitation shall require each potential service provider to submit with its proposal a preliminary analysis of possible organizational conflicts of interest that might flow from the award of a contract. After selection, or whenever it becomes clear that performance will necessitate access to sensitive information, the service provider must submit a comprehensive organizational conflicts of interest avoidance plan.

(d) This comprehensive plan shall incorporate any previous studies performed, shall thoroughly analyze all organizational conflicts of interest that might arise because the service provider has access to other companies' sensitive information, and shall establish specific methods to control, mitigate, or eliminate all problems identified. The contracting officer, with advice from Center counsel, shall review the plan for completeness and identify to the service provider substantive weaknesses and omissions for necessary correction. Once the service provider has corrected the substantive weaknesses and omissions, the contracting officer shall incorporate the revised plan into the contract, as a compliance document.

(e) If the service provider will be operating an information technology system for NASA that contains sensitive information, the operating contract shall include the clause at 1852.204-76, Security Requirements for Unclassified Information Technology Resources, which requires the implementation of an Information Technology Security Plan to protect information processed, stored, or transmitted from unauthorized access, alteration, disclosure, or use.Start Printed Page 35555

(f) NASA will monitor performance to assure any service provider that requires access to sensitive information follows the steps outlined in the clause at 1852.237-72, Access to Sensitive Information, to protect the information from unauthorized use or disclosure.

Release of contractors' sensitive information.

Pursuant to the clause at 1852.237-73, Release of Sensitive Information, offerors and contractors agree that NASA may release their sensitive information when requested by service providers in accordance with the procedures prescribed in 1837.203-70 and subject to the safeguards and protections delineated in the clause at 1852.237-72, Access to Sensitive Information. As required by the clause at 1852.237-73, or other contract clause or solicitation provision, contractors must identify information they claim to be “sensitive” submitted as part of a proposal or in the course of performing a contract. The contracting officer shall evaluate all contractor claims of sensitivity in deciding how NASA should respond to requests from service providers for access to information.

NASA contract clauses.

(a) The contracting officer shall insert the clause at 1852.237-72, Access to Sensitive Information, in all solicitations and contracts for services that may require access to sensitive information belonging to other companies or generated by the Government.

(b) The contracting officer shall insert the clause at 1852.237-73, Release of Sensitive Information, in all solicitations, contracts, and basic ordering agreements.

Start Part

PART 1852—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

End Part Start Amendment Part

4. Add sections 1852.237-72 and 1852.237-73 to read as follows:

End Amendment Part
Access to Sensitive Information.

As prescribed in 1837.203-72(a), insert the following clause:

Access to Sensitive Information

(June 2005)

(a) As used in this clause, “sensitive information” refers to information that a contractor has developed at private expense, or that the Government has generated that qualifies for an exception to the Freedom of Information Act, which is not currently in the public domain, and which may embody trade secrets or commercial or financial information, and which may be sensitive or privileged.

(b) To assist NASA in accomplishing management activities and administrative functions, the Contractor shall provide the services specified elsewhere in this contract.

(c) If performing this contract entails access to sensitive information, as defined above, the Contractor agrees to—

(1) Utilize any sensitive information coming into its possession only for the purposes of performing the services specified in this contract, and not to improve its own competitive position in another procurement.

(2) Safeguard sensitive information coming into its possession from unauthorized use and disclosure.

(3) Allow access to sensitive information only to those employees that need it to perform services under this contract.

(4) Preclude access and disclosure of sensitive information to persons and entities outside of the Contractor's organization.

(5) Train employees who may require access to sensitive information about their obligations to utilize it only to perform the services specified in this contract and to safeguard it from unauthorized use and disclosure.

(6) Obtain a written affirmation from each employee that he/she has received and will comply with training on the authorized uses and mandatory protections of sensitive information needed in performing this contract.

(7) Administer a monitoring process to ensure that employees comply with all reasonable security procedures, report any breaches to the Contracting Officer, and implement any necessary corrective actions.

(d) The Contractor will comply with all procedures and obligations specified in its Organizational Conflicts of Interest Avoidance Plan, which this contract incorporates as a compliance document.

(e) The nature of the work on this contract may subject the Contractor and its employees to a variety of laws and regulations relating to ethics, conflicts of interest, corruption, and other criminal or civil matters relating to the award and administration of government contracts. Recognizing that this contract establishes a high standard of accountability and trust, the Government will carefully review the Contractor's performance in relation to the mandates and restrictions found in these laws and regulations. Unauthorized uses or disclosures of sensitive information may result in termination of this contract for default, or in debarment of the Contractor for serious misconduct affecting present responsibility as a government contractor.

(f) The Contractor shall include the substance of this clause, including this paragraph (f), suitably modified to reflect the relationship of the parties, in all subcontracts that may involve access to sensitive information

(End of clause)

Release of sensitive information.

As prescribed in 1837.203-72(b), insert the following clause:

Release of Sensitive Information

(June 2005)

(a) As used in this clause, “sensitive information” refers to information, not currently in the public domain, that the Contractor has developed at private expense, that may embody trade secrets or commercial or financial information, and that may be sensitive or privileged.

(b) In accomplishing management activities and administrative functions, NASA relies heavily on the support of various service providers. To support NASA activities and functions, these service providers, as well as their subcontractors and their individual employees, may need access to sensitive information submitted by the Contractor under this contract. By submitting this proposal or performing this contract, the Contractor agrees that NASA may release to its service providers, their subcontractors, and their individual employees, sensitive information submitted during the course of this procurement, subject to the enumerated protections mandated by the clause at 1852.237-72, Access to Sensitive Information.

(c)(1) The Contractor shall identify any sensitive information submitted in support of this proposal or in performing this contract. For purposes of identifying sensitive information, the Contractor may, in addition to any other notice or legend otherwise required, use a notice similar to the following:

Mark the title page with the following legend:

This proposal or document includes sensitive information that NASA shall not disclose outside the Agency and its service providers that support management activities and administrative functions. To gain access to this sensitive information, a service provider's contract must contain the clause at NFS 1852.237-72, Access to Sensitive Information. Consistent with this clause, the service provider shall not duplicate, use, or disclose the information in whole or in part for any purpose other than to perform the services specified in its contract. This restriction does not limit the Government's right to use this information if it is obtained from another source without restriction. The information subject to this restriction is contained in pages [insert page numbers or other identification of pages].

Mark each page of sensitive information the Contractor wishes to restrict with the following legend:

Use or disclosure of sensitive information contained on this page is subject to the restriction on the title page of this proposal or document.

(2) The Contracting Officer shall evaluate the facts supporting any claim that particular information is “sensitive.” This evaluation shall consider the time and resources necessary to protect the information in accordance with the detailed safeguards mandated by the clause at 1852.237-72, Access to Sensitive Information. However, unless the Contracting Officer decides, with the advice of Center counsel, that reasonable grounds exist to challenge the Contractor's claim that particular information is sensitive, Start Printed Page 35556NASA and its service providers and their employees shall comply with all of the safeguards contained in paragraph (d) of this clause.

(d) To receive access to sensitive information needed to assist NASA in accomplishing management activities and administrative functions, the service provider must be operating under a contract that contains the clause at 1852.237-72, Access to Sensitive Information. This clause obligates the service provider to do the following:

(1) Comply with all specified procedures and obligations, including the Organizational Conflicts of Interest Avoidance Plan, which the contract has incorporated as a compliance document.

(2) Utilize any sensitive information coming into its possession only for the purpose of performing the services specified in its contract.

(3) Safeguard sensitive information coming into its possession from unauthorized use and disclosure.

(4) Allow access to sensitive information only to those employees that need it to perform services under its contract.

(5) Preclude access and disclosure of sensitive information to persons and entities outside of the service provider's organization.

(6) Train employees who may require access to sensitive information about their obligations to utilize it only to perform the services specified in its contract and to safeguard it from unauthorized use and disclosure.

(7) Obtain a written affirmation from each employee that he/she has received and will comply with training on the authorized uses and mandatory protections of sensitive information needed in performing this contract.

(8) Administer a monitoring process to ensure that employees comply with all reasonable security procedures, report any breaches to the Contracting Officer, and implement any necessary corrective actions.

(e) When the service provider will have primary responsibility for operating an information technology system for NASA that contains sensitive information, the service provider's contract shall include the clause at 1852.204-76, Security Requirements for Unclassified Information Technology Resources. The Security Requirements clause requires the service provider to implement an Information Technology Security Plan to protect information processed, stored, or transmitted from unauthorized access, alteration, disclosure, or use. Service provider personnel requiring privileged access or limited privileged access to these information technology systems are subject to screening using the standard National Agency Check (NAC) forms appropriate to the level of risk for adverse impact to NASA missions. The Contracting Officer may allow the service provider to conduct its own screening, provided the service provider employs substantially equivalent screening procedures.

(f) This clause does not affect NASA's responsibilities under the Freedom of Information Act.

(g) The Contractor shall insert this clause, including this paragraph (g), suitably modified to reflect the relationship of the parties, in all subcontracts that may require the furnishing of sensitive information.

(End of clause)

End Supplemental Information

[FR Doc. 05-12191 Filed 6-20-05; 8:45 am]

BILLING CODE 7510-01-P