[Federal Register Volume 68, Number 234 (Friday, December 5, 2003)]
[Proposed Rules]
[Pages 67995-67998]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-29930]


=======================================================================
-----------------------------------------------------------------------

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1809, 1837, and 1852

RIN 2700-AC60


Contractor Access to Confidential Information

AGENCY: National Aeronautics and Space Administration (NASA).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This rule proposes to amend the NASA Federal Acquisition 
Regulation (FAR) Supplement (NFS) to provide guidance on how NASA will 
acquire services to support management activities and administrative 
functions, when performing those services requires the contractor to 
have access to confidential information submitted by other contractors. 
NASA's increased use of contractors to support management activities 
and administrative functions, coupled with implementing Agency-wide 
electronic information systems, requires establishing consistent 
procedures for protecting confidential information from unauthorized 
use or disclosure.

DATES: Comments should be submitted on or before February 3, 2004 to be 
considered in the formulation of a final rule.

ADDRESSES: Interested parties should submit written comments to David 
Forbes, NASA Headquarters, Office of Procurement, Contract Management 
Division (Code HK), Washington, DC 20546. Comments may also be 
submitted by e-mail to: [email protected].

FOR FURTHER INFORMATION CONTACT: David Forbes, (202) 358-2051, e-mail: 
[email protected].

SUPPLEMENTARY INFORMATION:

A. Background

    In accomplishing its mission, NASA expends about eighty-five 
percent of its appropriations through contracts. As part of the process 
of awarding and performing contracts, offerors and contractors must 
provide information, some of which they claim to have developed at 
private expense and that may embody trade secrets or constitute 
commercial or financial and confidential information (``confidential 
information''). Confidential information includes technical, financial, 
proprietary, commercial, privileged, or otherwise sensitive business 
information. As a result, NASA receives and retains a substantial 
amount of confidential information, contained in paper files and 
electronic administrative systems.
    Generally, the information in question is not in the public domain 
and may be subject to the Trade Secrets Act, the Procurement Integrity 
Act (FAR 3.104), and other laws and regulations relating to ethics, 
organizational conflicts of interest, and corruption in the Federal 
procurement process. To the extent that an exception to the Freedom of 
Information Act applies, government agencies may also generate 
confidential information, including pre-negotiation analyses and 
positions and pre-decisional advice on a variety of subjects. NASA has 
long recognized a responsibility to protect this type of information 
from unauthorized use and disclosure. To this end, NASA has 
traditionally allowed only civil servants to have access to 
confidential information in the Government's possession. Practical 
realities, coupled with new policy initiatives compel NASA to 
reconsider its approach to managing contractor-related information.
    The practical pressure to reconsider NASA's approach has emerged 
from years of ``downsizing'' the civil service workforce. Simply put, 
NASA no longer has enough employees to manage and safeguard all of the 
information in question. Of necessity, NASA is increasing its use of 
service contractors to assist in performing many administrative, 
financial, and technical functions that had been performed previously 
by government employees only. The types of services NASA will be 
procuring run the gamut from routine clerical support such as data 
entry and invoice processing, to more complex in-plant reviews, 
contract closeout processing, system administration, and safety and 
quality assurance activities. Service contractors may soon be 
supporting most of these activities and functions throughout the 
Agency. NASA must, therefore, find new, more streamlined ways to 
receive from offerors and contractors confidential information that may 
be entitled to protection and to disclose it to third party service 
providers, without compromising the information received.
    As NASA releases more confidential information provided by offerors 
or contractors to other contractors, the risk increases that 
unauthorized uses and disclosures will occur. One aspect of this 
increased risk is the potential that organizational conflicts of 
interest may arise when the Agency discloses one contractor's 
confidential information to another contractor. FAR Subpart 9.5 
prescribes general rules for managing organizational conflicts of 
interest and gives four specific examples of situations that may give 
rise to problems. One of those examples deals directly with NASA's 
current dilemma, that is, providing one contractor access to other 
contractors' confidential information. Specifically, when one 
contractor gains access to other companies' ``proprietary'' 
information, FAR 9.505-4 directs the service provider to enter into 
agreement(s) with the other companies to protect their information from 
unauthorized use or disclosure and to refrain from using the 
information for any purpose other than that for which it was furnished. 
Additionally, FAR 9.505-4 requires the contracting officer to obtain 
copies of these third party agreements and ensure that they are 
properly executed.
    In the past, NASA contracts rarely required access to another 
contractor's proprietary or other forms of confidential information, 
making this FAR procedure quite manageable. The current environment, 
however, raises the question whether use of FAR 9.505-4 continues to be 
workable for NASA. For example, in providing contract closeout 
services, the contractor and its employees may have access to hundreds 
of contract files, each of which should document all pre and post award 
activities for a particular contract. Typically, the contracts to be 
closed out will include multiple subcontractors. Many subcontractors 
will also have lower-tier subcontracts. To ensure that all of these 
companies have properly executed ``non-disclosure agreements'' among 
themselves could result in a huge number of interrelated agreements. 
Moreover, the contract closeout function is but one example of the 
types of services that may require one NASA contractor to have access 
to another contractor's confidential information before performance can 
proceed. Without obtaining even more support services, NASA cannot be 
responsible for managing this potentially enormous universe of 
interrelated non-disclosure agreements.
    In today's environment, NASA must rely heavily on private sector 
service contractors for support in performing essential management 
activities and administrative functions. For contracts requiring this 
type of support, the Assistant Administrator for Procurement has 
determined that it is not in the NASA's interest to follow the

[[Page 67996]]

general rule stated in FAR 9.505-4(b) and, in accordance with FAR 
9.503, has waived its application. Rather than demand an unworkable 
mass of interrelated third party non-disclosure agreements, NASA will 
implement the policy and procedures described in the proposed 1837.203-
70 to manage the risks associated with one contractor having access to 
another contractor's confidential information and to assure those that 
submit this type of information that NASA will protect it from 
unauthorized use or disclosure.
    As one element of this new approach, 1837.203-70(d)(1) requires 
that contractors receiving access to confidential information must have 
developed a comprehensive organizational conflicts of interest 
avoidance plan. Recognizing that developing this plan may take 
considerable time and effort, proposals need only summarize the 
offeror's analysis of the potential organizational conflicts of 
interest that may arise from having access to another contractor's 
confidential information, or to Government-generated information that 
is subject to an exception to the Freedom of Information Act. Each 
offeror's analysis, together with the other elements of each proposal, 
will be considered in selecting a contractor for award. After award, 
the contractor must develop and submit to the contracting officer for 
review and approval a comprehensive organizational conflict of interest 
avoidance plan that identifies all potential problems and proposes 
specific methods to control, mitigate, or eliminate any organizational 
or ethical concerns noted. This plan must also commit the contractor to 
take all corrective actions necessary to address any failures to 
protect confidential information from unauthorized use or disclosure. 
Once the contracting officer approves this plan, he/she will 
incorporate the document into the resulting contract.
    NASA proposes two clauses to implement the above policies in 
solicitations and contracts. The first clause at 1852.237-72, Access to 
Confidential Information, would go into service contracts that involve 
access to information in the Government's possession that is necessary 
to support NASA's management activities and administrative functions. 
This clause would delineate the service contractor's responsibilities 
to limit to the purposes specified in the contract its use of any of 
this information that is confidential, to safeguard the information 
from unauthorized outside disclosure, and to train employees and obtain 
their written commitments to handle the information in an authorized 
manner, only.
    The second clause at 1852.237-73, Release of Confidential 
Information, would go in all solicitations and contracts to notify 
offerors and contractors that NASA may release their confidential 
information to other contractors supporting NASA's management 
activities and administrative functions. Recognizing that this 
announcement may cause concerns for these offerors and contractors, the 
clause recites the protections embodied in the receiving, support 
service contract through the new clause at 1852.237-72. Essentially, 
the clause at 1852.237-73 announces NASA's intent to release companies' 
confidential information to support service contractors. But, in 
announcing this intent, the clause also promises that the support 
contractors will implement specific and enumerated safeguards and 
procedures to protect the information.

B. Regulatory Flexibility Act

    NASA certifies that this proposed rule will not have a significant 
economic impact on a substantial number of small business entities 
within the meaning of the Regulatory Flexibility Act (5 U.S.C. 601, et. 
seq.), because the proposed new, streamlined approach of having each 
service contractor implement specific safeguards and procedures should 
offer the same or better protection for confidential information 
belonging to small business entities than does the current system of 
third party agreements, envisioned by FAR 9.505-4. This proposed rule 
should ease the burden on small business entities by not requiring them 
to enter multiple, interrelated third party agreements with the 
numerous service contractors that support NASA's management activities 
and administrative functions.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the proposed 
changes to the NFS do not impose any recordkeeping or information 
collection requirements, or collections of information from offerors, 
contractors, or members of the public that require the approval of the 
Office of Management and Budget under 44 USC 3501, et. seq.

List of Subjects in 48 CFR Parts 1809, 1837, and 1852

    Government Procurement.

Tom Luedtke,
Assistant Administrator for Procurement.
    Accordingly, 48 CFR parts 1809, 1837, and 1852 are proposed to be 
amended as follows:
    1. The authority citation for 48 CFR parts 1809, 1837, and 1852 
continues to read as follows:

    Authority: 42 U.S.C. 2473(c)(1).

PART 1809--CONTRACTOR QUALIFICATIONS

    2. Add section 1809.505-4 to read as follows:


1809.505-4  Obtaining access to confidential information.

    (b) In accordance with FAR 9.503, the Assistant Administrator for 
Procurement has determined that it would not be in the Government's 
interests for NASA to comply strictly with FAR 9.505-4(b) when 
acquiring services to support management activities and administrative 
functions. The Assistant Administrator for Procurement has, therefore, 
waived the requirement that before gaining access to other companies' 
proprietary or confidential (see 1837.203-70) information contractors 
must enter specific agreements with each of those other companies to 
protect their information from unauthorized use or disclosure. 
Accordingly, NASA will not require contractors and subcontractors and 
their employees in procurements that support management activities and 
administrative functions to enter into separate, interrelated third 
party agreements to protect confidential information from unauthorized 
use or disclosure. As an alternative to numerous, separate third party 
agreements, 1837.203-70 prescribes detailed policy and procedures to 
protect contractors from unauthorized use or disclosure of its 
confidential information. Nothing in this section waives the 
requirements of FAR 37.204 and 1837.204.

PART 1837--SERVICE CONTRACTING

    3. Add sections 1837.203-70, 1837.203-71, and 1837.203-72 to read 
as follows:


1837.203-70  Providing contractors access to confidential information.

    (a)(1) As used in this subpart, ``confidential information'' refers 
to information that the contractor has developed at private expense or 
that the Government has generated that qualifies

[[Page 67997]]

for an exception to the Freedom of Information Act, which is not 
currently in the public domain, may embody trade secrets or commercial 
or financial information, and may be confidential or privileged.
    (2) As used in this subpart, ``requiring organization'' refers to 
the NASA organizational element or activity that requires specified 
services to be provided.
    (3) As used in this subpart, ``receiving entity'' refers to the 
service-providing contractor that receives confidential information 
from NASA to provide services to the requiring organization.
    (b) To support management activities and administrative functions, 
NASA relies on the services of numerous contractors. Contractors 
providing these services may require access to confidential information 
in the Government's possession, which may be entitled to protection 
from unauthorized use or disclosure. NASA shall require any service 
contractor that receives access to confidential information to take the 
steps contained in the clause at 1852.237-72, Access to Confidential 
Information, to protect it from unauthorized use or disclosure.
    (c) The requiring organization is responsible for identifying when 
a requirement will require access to confidential information and 
making the determination that providing access is necessary for 
accomplishing the Agency's mission. The requiring organization is 
responsible for reviewing any contractor requests for access to 
information to determine whether the access is necessary and whether 
the information requested is considered confidential as defined in 
paragraph (a) of this section.
    (d)(1) Solicitations for services that require contractor access to 
confidential information shall require each offeror (potential 
receiving entity) to submit with its proposal a preliminary analysis of 
possible organizational conflicts of interest that might flow from the 
award of a contract. After selection, the new service contractor must 
submit for approval a comprehensive organizational conflict of interest 
avoidance plan, based on the preliminary analysis. This plan should 
thoroughly analyze all organizational conflicts of interest that might 
arise because the service contractor has access to other companies' 
confidential information. This analysis should propose specific methods 
to control, mitigate, or eliminate all problems identified. The 
contracting officer shall incorporate the approved plan into the 
resulting contract, as a compliance document.
    (2) If the contractor will be operating an information technology 
system for NASA that contains confidential information, the operating 
contract shall include the clause at 1852.204-76, Security Requirements 
for Unclassified Information Technology Resources, which requires the 
implementation of an Information Technology Security Plan to protect 
information processed, stored, or transmitted from unauthorized access, 
alteration, disclosure, or use.


1837.203-71  Release of contractors' confidential information.

    (a) By submitting offers or performing contracts, offerors and 
contractors agree that NASA may provide non-NASA employees access to 
their confidential information, subject to the safeguards and 
protections delineated in the clause at 1852.237-72, Access to 
Confidential Information.
    (b) As required by the clause at 1852.237-73, Release of 
Confidential Information, or another contract clause or solicitation 
provision, contractors must identify confidential information submitted 
as part of a proposal or in performance of a contract. The contracting 
officer shall evaluate the contractor's claim to have submitted 
``confidential information'' in deciding whether NASA and its service 
contractors must expend time and resources to protect and safeguard the 
information in accordance with the clause at 1852.237-72.


1837.203-72  NASA contract clauses.

    (a) The contracting officer shall insert the clause at 1852.237-72, 
Access to Confidential Information, in all solicitations and contracts 
for services that require access to confidential information belonging 
to other companies or generated by the Government.
    (b) The contracting officer shall insert the clause at 1852.237-73, 
Release of Confidential Information, in all solicitations, contracts, 
and basic ordering agreements .

PART 1852--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

    4. Add sections 1852.237-72 and 1852.237-73 to read as follows:


1852.237-72  Access to Confidential Information.

    As prescribed in 1837.203-72(a), insert the following clause:

ACCESS TO CONFIDENTIAL INFORMATION (XX/XX)

    (a) As used in this clause, ``confidential information'' refers 
to information that a contractor has developed at private expense, 
or that the Government has generated that qualifies for an exception 
to the Freedom of Information Act, which is not currently in the 
public domain, and may embody trade secrets or commercial or 
financial information, and may be confidential or privileged.
    (b) To assist NASA in accomplishing management activities and 
administrative functions, the Contractor shall provide the services 
specified elsewhere in this contract. Performing these services may 
require access to confidential information that other companies have 
furnished to the Government in the course of providing supplies or 
services, or that the Government has generated.
    (c) In performing this contract, the Contractor agrees to--
    (1) Utilize any confidential information coming into its 
possession only for the purposes of performing the services 
specified in this contract, and never to improve its own competitive 
position in another procurement.
    (2) Safeguard confidential information coming into its 
possession from unauthorized use and disclosure.
    (3) Allow access to confidential information only to those 
employees that need it to perform services under this contract.
    (4) Preclude access and disclosure of confidential information 
to persons and entities outside of the Contractor's organization.
    (5) Train employees who may require access to confidential 
information about their obligations to utilize it only to perform 
the services specified in this contract and to safeguard it from 
unauthorized use and disclosure.
    (6) Obtain an express, binding written agreement from each 
employee who receives access to confidential information to protect 
it from unauthorized use or disclosure and to utilize it only for 
the purposes of performing this contract.
    (7) Establish a monitoring process to ensure that employees 
comply with all reasonable security procedures, report any breaches 
to the Contracting Officer, and implement any necessary corrective 
actions.
    (d) The Contractor will comply with all procedures and 
obligations specified in its Organizational Conflict of Interest 
Avoidance Plan, which the Contracting Officer has approved and 
incorporated into this contract.
    (e) The nature of the work on this contract may subject the 
Contractor and its employees a variety of laws and regulations 
relating to ethics, conflicts of interest, corruption, and other 
criminal or civil matters relating to the award and administration 
of government contracts. Recognizing that this contract establishes 
a high standard of accountability and trust, the Government will 
carefully review the Contractor's performance in relation to the 
mandates and restrictions found in these laws and regulations.
    (f) The Contractor shall include the substance of this clause, 
including this

[[Page 67998]]

paragraph (f), suitably modified to reflect the relationship of the 
parties, in all subcontracts that may involve access to confidential 
information.

(End of clause)

1852.237-73  Release of Confidential Information.

    As prescribed in 1837.203-72(b), insert the following clause:

RELEASE OF CONFIDENTIAL INFORMATION (XX/XX)

    (a) As used in this clause, ``confidential information'' refers 
to information, not currently in the public domain, that the 
Contractor has developed at private expense, may embody trade 
secrets or commercial or financial information, and that may be 
confidential or privileged.
    (b) In accomplishing management activities and administrative 
functions, NASA relies heavily on the services of various 
contractors. To perform these services, contractors, as well as 
their subcontractors and their individual employees, may need access 
to confidential information submitted by the Contractor under this 
contract.
    (c)(1) The Contractor shall mark or otherwise identify any 
confidential information submitted in support of this proposal or in 
performing this contract. The Contracting Officer will evaluate the 
Contractor's claim to have submitted ``confidential information,'' 
as defined above, in deciding whether NASA and its service 
contractors must protect and safeguard the information in accordance 
with the clause at 1852.237-72, Access to Confidential Information. 
Unless the Contracting Officer decides to challenge the Contractor's 
``confidential information'' marking, NASA and its service 
contractors and their employees shall apply all of the conditions 
and safeguards listed in the clause at 1852.237-72.
    (2) For information already in NASA's possession, the 
Contracting Officer shall attempt to identify the owner and afford 
that entity a reasonable opportunity to assert confidentiality in 
accordance with the principles and criteria delineated in the FAR. 
For purposes of asserting confidentiality, the parties may agree to 
use the procedures delineated in the clause at FAR 52.227-14 as a 
guide.
    (d) Any entity that receives access to confidential information 
needed to assist NASA in accomplishing management activities and 
administrative functions must be operating under a contract that 
contains the clause at 1852.237-72, Access to Confidential 
Information. This clause obligates the receiving entity to do the 
following:
    (1) Comply with all procedures and obligations specified in its 
contract, including the Organizational Conflict of Interest 
Avoidance Plan, which the Contracting Officer has approved and 
incorporated into its contract.
    (2) Utilize any confidential information coming into its 
possession only for the purposes of performing the services 
specified in its contract.
    (3) Safeguard confidential information coming into its 
possession from unauthorized use and disclosure.
    (4) Allow access to confidential information only to those 
employees that need it to perform services under its contract.
    (5) Preclude access and disclosure of confidential information 
to persons and entities outside of the contractor's organization.
    (6) Train employees who may require access to confidential 
information about their obligations to utilize it only to perform 
the services specified in its contract and to safeguard it from 
unauthorized use and disclosure.
    (7) Obtain an express, binding written agreement from each 
employee who receives access to confidential information to protect 
it from unauthorized use or disclosure and to utilize it only for 
the purposes of performing the contract.
    (8) Establish a monitoring process to ensure that employees 
comply with all reasonable security procedures, report any breaches 
to the Contracting Officer, and implement any necessary corrective 
actions.
    (e) When the receiving entity will have primary operational 
responsibility for an information technology system for NASA that 
contains confidential information, the entity's contract shall 
include the clause at 1852.204-76, Security Requirements for 
Unclassified Information Technology Resources. The Security 
Requirements clause requires the receiving entity to implement an 
Information Technology Security Plan to protect information 
processed, stored, or transmitted from unauthorized access, 
alteration, disclosure, or use. Receiving entity personnel requiring 
privileged access or limited privileged access to these information 
technology systems are subject to screening using the standard 
National Agency Check (NAC) forms appropriate to the level of risk 
for all. The Contracting Officer may allow the receiving entity to 
conduct its own screening, provided this entity employs 
substantially equivalent screening procedures.
    (f) This clause does not affect NASA's responsibilities under 
the Freedom of Information Act.
    (g) The Contractor shall insert this clause, including this 
paragraph (g), suitably modified to reflect the relationship of the 
parties, in all subcontracts that may require the furnishing of 
confidential information.

(End of clause)

[FR Doc. 03-29930 Filed 12-4-03; 8:45 am]
BILLING CODE 7510-01-U