Report: Contractors Have Unauthorized Access to Sensitive Federal Data
Some federal agencies are not doing enough to protect sensitive data from private contract workers, according to a government report released last week.
An analysis of guidance and contract actions at three agencies found that sensitive information that contract workers often have access to as part of their work is not fully safeguarded and could be misused, according to the report by the Government Accountability Office (GAO).
The GAO found that the Departments of Defense (DOD), Homeland Security (DHS), and Health and Human Services (HHS) have some guidance and standard contract provisions in place for what information contractors can access while working at federal agencies.
But none of the agencies has set up appropriate safeguards to keep contract workers away from sensitive data such as employees’ personal information, including names, Social Security numbers, dates and places of birth, as well as medical information; proprietary business information such as trade secrets; and agency-sensitive data such as security management information, according to the report.
Additionally, the three agencies don’t specify contractors’ responsibilities for prompt notification to the agency if unauthorized disclosure or misuse occurs, according to the report.
Although the Federal Acquisition Regulation (FAR) offers rules government agencies should use in acquiring goods and services, which includes contractors, it doesn’t provide guidance as to how the agencies should deal with contractors’ access to sensitive data or the contractors’ responsibilities for notifying the agencies, according to the report.
While the DOD, DHS and HHS have all supplemented the FAR and developed some guidance and standard contract provisions, the DOD and HHS haven’t done enough to protect all the sensitive information contractors might access, according to the GAO.
According to the report, there are pending FAR changes regarding government-wide guidance on contractor safeguards for access to sensitive information.
The GAO recommended that the Office of Federal Procurement Policy (OFPP) make sure the pending changes to the FAR address two additional safeguards regarding contractors’ access to sensitive information: the use of nondisclosure agreements and the prompt notification of unauthorized disclosure or misuse of sensitive information.
In oral comments, the OFPP said it agreed with the GAO's recommendations. The DHS also concurred with the recommendations, while the DOD and HHS had no comment.





