NASA offers changes to guard contractor information

Saying it no longer has enough employees to safeguard contractors' confidential information, NASA officials today proposed changes meant to strengthen protection of contractors' proprietary data when it must be disclosed to non-NASA support workers.

The changes were contained in a proposed rule published in the Federal Register. Comments on the changes are due by Feb. 3 via e-mail to David.P.Forbes@nasa.gov.

The proposed rule requires the following:

*NASA must disclose to bidders when a job will require access to confidential information.

*Bidders must summarize their potential organizational conflicts of interest from having access to another contractor's confidential information. Each bidder's analysis will be considered in selecting a contractor for award.

*The winning contractor must develop a conflict-of-interest avoidance plan that identifies potential problems and proposes methods to control or eliminate them. It must also include plans for corrective action if the contractor fails to protect confidential information from unauthorized use or disclosure. The plan will be incorporated into the contract.

*If the contractor will be operating an information technology system for NASA that contains confidential information, the contract must include an IT security plan to protect that information from unauthorized access, disclosure or use.

*Contractors must identify confidential information submitted in a proposal or in performance of a contract.

NASA spends about 85 percent of its appropriations through contracts. Through the bidding and contract performance processes, it receives a substantial amount of confidential information from contractors, according to the proposed rule.

Because NASA is increasingly reliant on support staff to perform functions such as invoice processing, contract closeout processing and system administration, it must find new ways to disclose confidential information to those third-party service providers while ensuring its security, the proposed rule said.

Current protections detailed in the Federal Acquisition Regulation are not enough to ensure protection of contractors' proprietary data, the proposed rule said.

The FAR requires that when one service provider gains access to other companies' proprietary information, the service provider must enter into agreements with the companies to protect their information from unauthorized use or disclosure, and refrain from using the information for any purpose other than that for which it was furnished.

NASA officials said that these existing protections are not workable because of the huge volume of third-party agreements that would have to be monitored, likely by contractor personnel.