Stronger safeguards are needed over contractor access to sensitive information, GAO has said after analyzing guidance and contract actions at the Departments of Homeland Security, Defense, and Health and Human Services.
It said sensitive information is not being fully safeguarded even though the departments have all supplemented the Federal Acquisition Regulation and developed some guidance and standard contract provisions with security in mind.
The supplemented guidance does not specify contractor responsibilities for prompt notification to the agency if unauthorized disclosure or misuse occurs, and GAO said nearly half of the 42 contract actions it looked into lacked clauses or provisions that safeguarded against disclosure and inappropriate use of all potential types of sensitive information that contractors might access during contract performance, according to GAO-10-693.
It called on the Office of Federal Procurement Policy to ensure that guidance is provided in the FAR to acquisition policy officials, IT security and privacy officials, and chief information officers on the development and use of contractor nondisclosure agreements as a condition of access to sensitive information.
It also recommended changing the FAR by establishing a requirement for prompt notification to appropriate agency officials of a contractor’s unauthorized disclosure or misuse of sensitive information so that timely agency responses are facilitated and appropriate contractor accountability mechanisms can be enforced.
