Contractor Access to Sensitive Information, 35549-35556 [05-12191]

Agencies

• National Aeronautics and Space Administration

[Federal Register Volume 70, Number 118 (Tuesday, June 21, 2005)]
[Rules and Regulations]
[Pages 35549-35556]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 05-12191]


=======================================================================
-----------------------------------------------------------------------

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1809, 1837, and 1852

RIN 2700-AC60


Contractor Access to Sensitive Information

AGENCY: National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule adopts with changes the proposed rule 
published in the Federal Register on December 5, 2003 (68 FR 67995--
67998). This final rule amends the NASA Federal Acquisition Regulation 
(FAR) Supplement (NFS) by providing policy and procedures on how NASA 
will acquire services to support management activities and 
administrative functions when performing those services requires the 
contractor to have access to sensitive information submitted by other 
contractors. NASA's increased use of contractors to support management 
activities and administrative functions, coupled with implementing 
Agency-wide electronic information systems, requires establishing 
consistent procedures for protecting sensitive information from 
unauthorized use or disclosure.

EFFECTIVE DATE: June 21, 2005.

FOR FURTHER INFORMATION CONTACT: David Forbes, NASA Headquarters, 
Contract Management Division, Washington, DC 20546, (202) 358-2051, e-
mail: David.P.Forbes@nasa.gov.

SUPPLEMENTARY INFORMATION: 

A. Background

    On December 5, 2003, NASA published in the Federal Register (68 FR 
67995--67998) a proposed revision to the NFS prescribing policy, 
procedures, and clauses to address how NASA will acquire services to 
support management activities and administrative functions when 
performing those services requires the service provider to have access 
to ``confidential'' information submitted by other contractors. One of 
the comments that NASA received in response to this publication relates 
to a fundamental concept and demands attention at the outset. As 
published, the proposed rule used the word ``confidential'' to describe 
the types of information that required special attention when turned 
over to a service provider. NASA intended this word to describe a 
general class of information, largely of a business or management 
nature, the value of which arose mostly from the fact that it was not 
readily known to the public. NASA never intended this word to refer to 
one of the standard classifications of information for national 
security purposes, as in ``confidential-secret-top secret.'' 
Nevertheless, concerns have arisen that using the word might cause 
confusion with national security information. To avoid possible 
confusion, we have replaced the word ``confidential'' with the word 
``sensitive.'' This revision should clarify that the proposed rule 
deals with business and management information, the value of which lies 
primarily in the fact that is not generally known to the public. The 
proposed rule does not implement or refer to the classification of 
information for national security purposes.
    With regard to more general background information, NASA's 
essential procurement operations generate large amounts of ``sensitive 
information,'' both from offerors and contractors. Traditionally, NASA 
civil servants received, analyzed, and used this information to ensure 
that the Agency spent tax dollars in a responsible and consistent 
manner. The Trade Secrets Act and other statutes have for years imposed 
criminal liabilities on government employees who disclosed this type of 
information to unauthorized outside parties. Offerors and contractors 
have willingly provided sensitive information about their operations, 
costs, business practices, and other matters, knowing that NASA would 
not provide another contractor (``service provider'') access to this 
information without first ensuring that the parties had complied with 
FAR 9.505-4. As a condition to allowing a service provider access to 
another contractor's proprietary information, FAR 9.505-4 would require 
that the parties execute a satisfactory protection/use agreement. 
Central to this process were notice to the owner of the

[[Page 35550]]

information before any access occurred and the opportunity to develop 
acceptable terms and conditions governing the service provider's use of 
the information. From a practical standpoint, this approach could work 
only after the Government had selected a service provider to perform 
clearly defined tasks using identified information from a known source 
that could consent to terms and conditions governing the access.
    With many more contractor personnel supporting government 
operations, NASA must find ways to accommodate the increasing number of 
situations requiring non-government personnel to safeguard contractor 
sensitive information. Multiple, inter-related third-party protection 
agreements between service providers and other contractors that submit 
information they claim to be ``sensitive'' will simply not work on a 
large scale. To establish a more efficient, realistic, modern, across-
the-board solution, the NFS revisions, published for public comment in 
the Federal Register on December 5, 2003 (68 FR 67995--67998), proposed 
a self-executing system of procurement policy, procedures, and clauses 
to allow NASA activities to rely routinely on private sector service 
providers to support day-to-day operations throughout the Agency.
    The published NFS revisions proposed two new clauses to implement 
this self-executing system of policies and procedures. The first clause 
at 1852.237-72, Access to Sensitive Information, would go into all 
solicitations and contracts for services to allow access to sensitive 
information, whenever it is needed to support NASA's management 
activities and administrative functions. As published, this ``Access'' 
clause delineated the service provider's responsibilities to limit to 
the purposes specified in the contract its use of any sensitive 
information, to safeguard the information from unauthorized outside 
disclosure, and to train employees and obtain their written commitments 
to use the information in an authorized manner, only. Because of 
concerns under the Paperwork Reduction Act, NASA has revised the 
proposed ``Access'' clause to require that the service provider obtain 
only a simple affirmation from each employee that he/she has received 
training and will comply with the lessons learned regarding the use and 
protection of sensitive information under the contract.
    The second clause at 1852.237-73, Release of Sensitive Information, 
goes into all solicitations and contracts, and notifies offerors and 
contractors that NASA may, subject to the enumerated protections 
mandated by the ``Access'' clause at 1852.237-72, release their 
sensitive information to service providers that support NASA activities 
and functions. This ``Release'' clause assures offerors and 
contractors, by reciting the express protections incorporated into the 
service provider's contract through the ``Access'' clause, that their 
information will remain sensitive. Essentially, the ``Release'' clause 
announces NASA's broad intent to make necessary sensitive information 
available to service providers, but only in accordance with strict 
limitations enumerated in the companion ``Access'' clause. These 
enumerated limitations mandate strict, specific, and express safeguards 
and procedures to protect that information.
    Comments on the proposed rule were received from an industry 
association and NASA field installations. The comments received were 
considered in formulation of this final rule. This final rule adopts 
the proposed rule with changes. The changes are made to clarify 
contractor roles, to emphasize the protection of sensitive information, 
and to provide the owners of sensitive information assurance that their 
data will continue to receive protection. The changes include revising 
the term ``receiving contractor'' to ``service provider;'' providing a 
sample legend to identify sensitive information; and identifying the 
serious consequences for unauthorized use or disclosure.
    The following summarizes the comments received from NASA's 
publication of the proposed rule and provides responses.
    1. Comment: Was it necessary for the NASA Assistant Administrator 
for Procurement to waive in its entirety FAR 9.505-4, Obtaining Access 
to Proprietary Information? Could a less drastic solution help NASA 
without impacting the owners of sensitive information by simply 
revising the NFS to relieve contracting officers of overseeing a 
multitude of third party protection agreements and leave the terms of 
protection and their enforcement to the service providers and owners, 
themselves? Under this approach, the contracting officer would only 
identify each NASA service provider to the owners of needed sensitive 
information and then leave these parties free to arrange for acceptable 
terms of protection.
    Response: In a real world, competitive environment, it was 
necessary for NASA to waive FAR 9.505-4 in its entirety. Implicitly, 
FAR 9.505-4 assumes an agency has already awarded a contract to a 
service provider that needs access to specific information owned by 
another contractor. In this scenario, the protections that the owner 
will demand before granting access to specific sensitive information 
are the only significant unknowns. The assumptions behind FAR 9.505-4 
are simply not valid in the early phases of a competitive procurement. 
Even without burdening the contracting officer to oversee third-party 
protection agreements, FAR 9.505-4 would require each potential service 
provider in a competitive procurement to know in advance of submitting 
a proposal, the exact information needed to perform as specified in the 
solicitation, what contractors own that information, and what 
protections those owners deemed acceptable as a condition to granting 
access to the information. This level of pre-proposal information would 
simply not be available in a competitive procurement. As a more 
realistic and useful alternative, the revised NFS relies not on 
individual third-party protection agreements, but rather prescribes 
standardized, reciprocal contract clauses to protect sensitive 
information. A ``Release'' clause goes into the information owner's 
contract to document consent to release and to delineate the extensive, 
specific protections that the service provider will implement. A 
reciprocal ``Access'' clause goes into the service provider's contract 
to place strict controls over its activities. Under the new ``Release'' 
clause, the owner of sensitive information expressly consents to 
access, as needed by NASA service providers. To gain this necessary 
access, however, the service provider must have expressly agreed, 
through the new ``Access'' clause, to comply with and implement an 
extensive number of binding and enumerated protections.
    2. Comment: NASA has received a large quantity of ``sensitive 
information'' in connection with solicitations and contracts that did 
not contain the new ``Release'' clause. The offerors and contractors 
that submitted this information are not bound by the clause and have 
not expressly agreed that NASA service providers may have access to 
their sensitive information. In view of the broad waiver of FAR 9.505-
4, how will NASA contracting officers avoid violating the Trade Secrets 
Act by giving service providers access to sensitive information that 
was not subject to the ``Release'' clause?
    Response: This point may be valid in those situations when a 
service provider requests access to information that NASA has received 
pursuant to contracts that did not contain the

[[Page 35551]]

``Release'' clause. To address contracts that did not contain the 
clause at 1852.237-73, the NFS will provide internal guidance for NASA 
contracting officers and requiring activities instructing them to 
examine all requests from service providers for access to sensitive 
information. This examination should first determine whether NASA 
possesses responsive information. If so, the requiring activity should 
next assess whether access to that information is crucial to the 
service provider's ability to perform. If the requiring activity 
possesses the requested information and it is crucial to performing the 
needed services, then the contracting officer must try to identify and 
contact the owner of the information to determine whether it claims 
that the information is ``sensitive.'' At this point, the contracting 
officer should attempt to negotiate a modification to the owner's 
contract to incorporate the ``Release'' clause and proceed from there. 
Because the service provider's contract will contain extensive 
protections for the sensitivity of the information, NASA expects that 
most owners will agree to incorporate the ``Release'' clause into their 
existing contracts. If the owner refuses to modify its contract to 
include the ``Release'' clause, but persists in claiming the 
information is sensitive, the requiring activity should prepare a 
preliminary assessment for the contracting officer addressing whether 
the claim has a valid factual basis. This analysis should address 
whether NASA might have persuasive grounds to challenge the claim. If 
there appears to be persuasive basis for challenging the owner's claim, 
the contracting officer should seek advice from Center counsel before 
taking any further action. If, on the other hand, the claim appears to 
be valid, the requiring activity should re-examine the relationship of 
the information to the services needed. The service provider may be 
able to perform acceptably without the requested information. 
Additionally, the contracting officer may be able to facilitate 
reaching an agreement on acceptable terms of protection. The 
contracting officer and the requiring activity should examine all 
alternatives to obtain the needed support. But, without clear evidence 
that the owner of the sensitive information has consented to release, 
NASA will not expose its employees to the risk of violating 18 USC. 
1905.
    3. Comment: One comment blankly asserted that the proposed rule 
might violate 41 USC. 418a with respect to ``technical data.'' Although 
not clearly articulated, NASA assumes the comment is referring to the 
following language in 41 USC. 418a:

    * * * the United States may not require persons who have 
developed products or processes offered or to be offered for sale to 
the public as a condition for the procurement of such products or 
processes by the United States, to provide to the United States 
technical data relating to the design, development, or manufacture 
of such products or processes * * *.

    Response: This prohibition deals with how Federal agencies define 
their procurement requirements for information. An agency may not 
require a company to forfeit private intellectual property rights in 
technical data as a condition to receiving a government contract. NASA 
notes simply that the proposed rule has nothing to do with defining 
procurement requirements for information. Rather, the proposed rule 
focuses on how NASA manages information that offerors and contractors 
have already delivered to the Government as part of submitting 
proposals or performing contracts. The assertion that the proposed rule 
might violate 41 USC. 418a appears to flow from two faulty premises. 
First, the proposed rule is not concerned primarily with ``technical 
data'' of a ``scientific or technical nature,'' but instead focuses on 
``information incidental to contract administration, such as financial, 
administrative, cost or pricing or management information.'' The FAR 
expressly excludes this latter type of information from the definition 
of ``technical data.'' Second, the proposed rule is not concerned with 
how NASA defines procurement requirements for information owned by its 
contractors. The proposed rule simply enables service providers to 
obtain access to information they need to support Agency management 
activities and administrative functions. In most cases, the owners will 
have already submitted this information as a matter incidental to 
contract administration.
    4. Comment: NASA intends to rely more and more heavily on the 
private sector to support essential management activities and 
administrative functions. Most of these activities and functions 
involve access to sensitive information submitted by offerors in the 
process of competing for awards, or by contractors as part of 
performance. Asking the owners of sensitive information to provide 
access to other contractors, some of which may be business rivals, is 
an inherently difficult issue and could seriously discourage 
competition. To promote trust, the NFS should, as a minimum, prescribe 
standard terms and conditions for the organizational conflicts of 
interest (OCI) avoidance plan and require the contracting officer to 
approve each offeror's proposed approach to this important document.
    Response: Logically, there can be no standard approach to avoiding 
OCI's, which are by their nature unique to the individual contractor. 
The service provider must thoroughly analyze its own situation, 
including the services to be rendered, the information needed to 
perform those services, other procurements for which the service 
provider may intend to compete, and specific mechanisms the service 
provider is willing to implement to mitigate, neutralize, or eliminate 
foreseeable possible conflicts of interest. In addition to recognizing 
that each service provider's OCI's are essentially unique, any 
avoidance plan must flow from performance-based contracting principles 
to be acceptable today. As such, the buyer defines only the final 
outcomes to be achieved, not the methods of getting there. 
Consequently, the NFS will leave the details of any OCI avoidance plan 
to the service provider that must live by it. The contracting officer 
in concert with Center counsel is responsible for receiving and 
reviewing the plan for reasonable completeness and communicating any 
substantive weaknesses and omissions discovered to the service provider 
for necessary revisions. The contracting officer will incorporate the 
accepted plan into the contract as a compliance document. If the 
service provider fails to mitigate all potential conflicts and/or 
unauthorized disclosures and uses occur, the service provider must take 
adequate corrective actions. If the corrective actions are not 
adequate, the contracting officer may terminate the contract.
    5. Comment: The Assistant Administrator for Procurement's broad 
waiver of FAR 9.505-4 could cause NASA employees to violate the Trade 
Secrets Act, 18 U.S.C. 1905, because not all of the information owners 
would have expressly consented to release through the new ``Release'' 
clause. Moreover, with respect to technical data, the proposed rule 
might also violate 41 U.S.C. 418a, which requires the FAR to prescribe 
regulations governing the allocation of rights in data developed 
through contracts using tax dollars. The Assistant Administrator's 
authority to waive rules relating to Organizational Conflicts of 
Interest does not extend the requirements of other statutes.
    Response: The Trade Secrets Act prohibits government employees from 
releasing trade secret information to any extent not authorized by law. 
The Office

[[Page 35552]]

of Federal Procurement Policy Act authorized NASA to issue the NFS. 
NASA is adding the new ``Release'' clause to the NFS in accordance with 
the OFPP Act. Therefore, releasing information pursuant to the 
``Release'' clause would be ``authorized by law'' and not violate the 
Trade Secrets Act. Presumably, therefore, this comment relates to 
sensitive information that NASA received under contracts or other 
agreements that did not contain the new ``Release'' clause. The NFS 
will contain detailed procedural guidance instructing requiring 
activities and contracting officers how to deal with this type of 
information. This procedural guidance will first instruct the 
contracting officer/requiring activity to contact the owner of the 
information to evaluate its claim to be entitled to protection and to 
seek agreement to incorporate the new ``Release'' clause. 
Alternatively, the contracting officer should try to facilitate an 
individualized agreement on acceptable terms of protection. If the 
information appears to be entitled to protection, but the owner is 
unwilling to accept the ``Release'' clause or to negotiate specific, 
tailored terms of protection, the contracting officer/requiring 
activity should examine on a more detailed level how much access the 
service provider actually needs. On closer examination, it may be 
possible that different, less comprehensive services could satisfy the 
requiring activity.
    In accordance with 41 U.S.C. 418a, both the FAR and the NFS have 
promulgated regulations dealing with how agencies acquire and allocate 
rights to data developed under government contracts. The Assistant 
Administrator for Procurement's waiver of FAR 9.505-4 does not, 
however, relate to how NASA acquires and allocates rights in data. The 
waiver relates, instead, to information submitted in support of 
proposals or in the course of performing contracts. Most of this 
information is not ``technical data,'' which the Government procures 
for its own value. Rather, the revised NFS generally uses the term 
``sensitive information'' to refer to financial and administrative 
information that is incidental to contract administration. As such, the 
Assistant Administrator for Procurement's waiver of FAR 9.505-4 does 
not affect 41 U.S.C. 418a or the requirements of any other statute or 
binding instruction.
    6. Comment: The proposed rule does not define the term ``sensitive 
information'' clearly and, as a result, fails to exclude from the 
operation of the clauses cost or pricing data, other financial 
information, administrative or management information, and the like. 
The term ``sensitive information'' should not be broader in scope than 
``data'' as defined in FAR Part 27, which specifically excludes 
information incidental to contract administration.
    Response: NASA understands that FAR Part 27 specifically excludes 
information incidental to contract administration from the definition 
of ``data.'' In contrast, the new NFS coverage focuses primarily on 
information incidental to contract administration, not technical data. 
As the published proposed rule noted, the primary purpose of the new 
coverage is to allow a service provider access to information necessary 
to support NASA activities and functions, as civil servants did in the 
past.
    7. Comment: The proposed rule implies that NASA need only protect 
data ``developed at private expense.'' The definition of ``trade 
secret'' does not depend on the concept of development costs. A trade 
secret covers a variety of forms of information that derive economic 
value, actual or potential, from not being generally known to the 
public. NASA needs to continue to protect any trade secret or it will 
compromise the property rights of companies, with which it currently 
does business. FAR 27.402 instructs agencies to avoid doing so.
    Response: NASA agrees that the term ``trade secret'' extends to 
many types of information that derive economic value from not being 
generally known to the public. But, with regard to protecting 
contractors'' legitimate property rights, FAR 27.402 establishes the 
following policy: ``* * * the Government recognizes that its 
contractors may have a legitimate proprietary interest (e.g., a 
property right or other valid economic interest) in data resulting from 
private investment.'' (Emphasis added.) It seems fairly clear from this 
language, that FAR 27.402 envisions protecting only sensitive or 
proprietary information that a contractor has developed at private 
expense. Without meeting this simple test, the FAR implicitly does not 
recognize as ``legitimate'' a contractor's claim for trade secret 
protection.
    8. Comment: The revised NFS would require the holders of ``ordinary 
procurement'' contracts to identify ``sensitive information,'' but 
provides no instructions on how to do so. Moreover, NASA will continue 
to obtain sensitive information under contracting vehicles, such as 
``Space Act Agreements,'' that are not covered by the new ``Release'' 
clause. What will tell these contractors how to identify ``sensitive 
information?''
    Response: The revised NFS deals with how service providers obtain 
access to the information they need to support NASA operations, not 
with particular property rights resulting from the expenditure of tax 
dollars. As such, the NFS does not need to prescribe a particular 
legend to instruct contractors on how to identify their own sensitive 
information. For the contractor's convenience, however, the revised 
``Release'' clause provides a sample notice identifying sensitive 
information. The new ``Access'' clause prescribes what service 
providers must do to protect the information they receive to support 
NASA operations. The NFS governs NASA contracts, not ``other 
transactions'' authorized by the Space Act. Generally, however, NASA 
does not acquire property and services for the expenditure of tax 
dollars under ``other transactions.''
    9. Comment: Under the new ``Access'' clause, a service provider can 
allow access to sensitive information only to employees that need it to 
perform the specified support. Yet, the clause does not prescribe any 
process for determining which employees have a ``need-to-know'' 
sensitive information or what sanctions NASA may impose for 
unauthorized use.
    Response: Performance-based contracting principles call for NASA to 
define only the final performance outcomes, not how the contractor is 
to achieve those objectives. The revised NFS allows the contractor to 
define how it will achieve the specified outcomes for NASA. Assigning 
work and functions among its employees is certainly within the 
contractor's discretion. The revised section 1837.203-70 does instruct 
the contracting officer to monitor the effectiveness of the 
contractor's system for encouraging employees to avoid unauthorized 
uses and disclosures. The revised clause at 1852.237-72 also describes 
the administrative remedies available to the contracting officer to 
encourage service providers to comply with their new obligations to 
protect sensitive information and avoid unauthorized uses or 
disclosures.
    10. Comment: The new ``Access'' clause requires service providers 
to obtain express, binding written use agreements from their employees 
to protect sensitive information and use it only for the purposes of 
performing the specified services. Doing so is likely to be a 
tremendous administrative burden. Additionally, the service provider 
has no obligation to keep different companies' information segregated.
    Response: As published, the new ``Access'' clause did require 
contractors to obtain express, binding written agreements from their 
employees to protect sensitive information and use it

[[Page 35553]]

only for performing the services specified. After considering comments 
on this language, NASA decided to revise the clause to require 
contractors to obtain written acknowledgements from their employees 
that they have received training in how to protect sensitive 
information and will adhere to the lessons learned in providing 
services under the contract. This simple acknowledgement does not 
require contractors to collect information. Certainly, a much more 
onerous burden would flow from a greatly expanded system of 
interrelated third party non-disclosure agreements among all the 
entities that provide sensitive information in the course of submitting 
competitive proposals or performing contracts for NASA. With regard to 
segregating different companies' information, that responsibility is 
implicit in the obligation to use information only to perform the 
specified services.
    11. Comment: A potentially tremendous burden on the contracting 
officer, far exceeding any imposed by FAR 9.505-4, will be determining 
what information in NASA's possession is ``sensitive'' and who owns it. 
Moreover, NASA has information from companies that may no longer do 
business with the Government, or may no longer be in operation, at all; 
others have gone on to other businesses; and some may never have a 
contract containing the new ``Release'' clause. These situations, 
effectively, deprive NASA of the owner's consent to release sensitive 
information and expose government employees to possible violations of 
18 U.S.C. 1905. If breaches and unauthorized disclosures occur, the NFS 
does not provide guidelines to the contracting officer on what actions 
are appropriate and/or effective.
    Response: While some of these observations may be valid, none 
requires regulatory coverage beyond internal guidance for NASA 
operations. With regard to contracts that do not contain the 
``Release'' clause, we are developing NFS internal guidance that begins 
by recognizing that in the course of proposing, the service provider 
will delve into the solicitation requirements to determine what 
information is needed to perform. The service provider should then 
request access to specifically identified information from the 
contracting officer/requiring activity. At that point, the requiring 
activity should try to determine whether NASA possesses the identified 
information, who owns it, and whether that owner claims to be entitled 
to protection. The contracting officer should then contact the owner to 
discuss incorporating the new ``Release'' clause. If the owner asserts 
the identified information is sensitive and entitled to protection, but 
resists incorporating the ``Release'' clause, the contracting officer 
should attempt to negotiate satisfactory, alternate terms of 
protection. The contracting officer should try to include the owner and 
the service provider in this process. At the same time, the contracting 
officer, with the assistance of Center counsel, should evaluate whether 
there is a valid factual basis for claiming that the information is 
sensitive and entitled to protection. If the owner continues to resist 
access, the contracting officer should, next, explore whether some 
reduced level of support, not requiring access to sensitive 
information, might be satisfactory. With regard to a service provider's 
unauthorized uses or disclosures, the clause at 1852.237-72 describes 
some of the administrative responses available to the contracting 
officer.
    12. Comment: 1852.237-73(c) should specify whether and how the 
parties may challenge the sensitivity of information, including the 
process to follow and the owner's rights to redress.
    Response: The new NFS purposely defines ``sensitive information'' 
to exclude ``technical data,'' as defined in the FAR. Sensitive 
information is incidental to contract administration and, generally, 
does not have independent value to its owners. Consequently, a highly 
structured, formalistic challenge process seems neither necessary nor 
desirable. Any challenge would have to show the following basic 
elements:
    (a) Private investment developed the information or the Government 
generated it and it qualifies for an exception to the Freedom of 
Information Act.
    (b) The information must not currently be in the public domain.
    (c) The information may embody trade secretes or commercial or 
financial information.
    (d) The information may be sensitive or privileged.
    The NFS will provide only general guidance in this area, 
recognizing these are very difficult judgments. Until the contracting 
officer decides for sound reasons to challenge an owner's claim that 
information is sensitive and entitled to protection, NASA and its 
service provider will comply with the owner's assertions.

B. Executive Order 12866 and Regulatory Flexibility Act

    This final rule does not meet the definition of ``significant'' 
under Executive 12866. NASA certifies that this final rule will not 
have a significant economic impact on a substantial number of small 
business entities within the meaning of the Regulatory Flexibility Act 
(5 U.S.C. 601, et. seq.), because the new, streamlined approach of 
having each service provider implement specific safeguards and 
procedures should offer the same or better protection for sensitive 
information belonging to small business entities than does the current 
system of third party agreements, envisioned by FAR 9.505-4. Moreover, 
this final rule should ease the burden on small business entities by 
not requiring them to enter multiple, interrelated third party 
agreements with numerous service contractors that support NASA's 
management activities and administrative functions.

C. Paperwork Reduction Act

    The proposed NFS revisions simply amplify and clarify NASA's 
implementation of FAR 9.504, coverage that has existed for nearly 20 
years. NASA has published these NFS revisions for public comment and 
received no challenges, objections, or concerns regarding the 
information collection requirements associated with providing services 
that will entail access to sensitive information. Because access to 
sensitive information is necessary to perform the specified services, 
solicitations will require all bidders and offerors to submit 
preliminary analyses of potential conflicts of interests. Further, each 
awarded contract that will entail access to sensitive information will 
also require the service provider to submit a comprehensive 
organizational conflicts of interest avoidance plan, as a deliverable 
report during performance.
    Over the years, NASA has requested and OMB has approved various 
information collections necessary to evaluate bids and proposals 
submitted for the award of contracts, as well as for contract reports 
required to manage approved programs and projects. The OMB approval 
numbers currently in effect for these various categories of information 
collections are as follows:
    1. OMB No. 2700-0085, bids and proposals with an estimated value 
more than $500,000.
    2. OMB No. 2700-0089, reports required for contracts with an 
estimated value more than $500,000.
    3. OMB No. 2700-0087, bids and proposals with an estimated value 
less than $500,000.
    4. OMB No. 2700-0088, reports required on contracts valued at less 
than $500,000.

[[Page 35554]]

    5. OMB No. 2700-0086, purchase orders for goods and services with 
an estimated value of $100,000 or less.
    Our requests for OMB approval for these information collections 
have noted that NASA prepares solicitations for bids and proposals and 
defines requirements for contract deliverables in accordance with the 
OFPP Policy Act, as amended by Pub. L. 96-83, the National Aeronautics 
and Space Act of 1958, as amended, the Federal Acquisition Regulation 
(FAR), the NASA FAR Supplement, and approved mission requirements. In 
seeking OMB approval, NASA has described and administratively tracked 
these information collections in generic, functional terms, and 
categorized the requests based on the estimated dollar values of the 
purchase orders or contracts supporting the procurements in question.
    As described above, these information collections cover broad 
functional procurement needs, at all dollar values relevant to NASA's 
current contracting practices. Consequently, OMB's current approvals 
adequately cover the proposed rule's requirements that, during the 
evaluation phase of each procurement, all bids and offers must contain 
preliminary analyses of potential conflicts of interest and that after 
award each new service provider must submit a comprehensive conflicts 
of interest avoidance plan for inclusion in the contract as a 
compliance document. In our view, the Paperwork Reduction Act does not 
require any further action in support of this final rule.

List of Subjects in 48 CFR Parts 1809, 1837, and 1852

    Government Procurement.

Tom Luedtke,
Assistant Administrator for Procurement.

0
Accordingly, 48 CFR Parts 1809, 1837, and 1852 are amended as follows:
0
1. The authority citation for 48 CFR Parts 1809, 1837, and 1852 
continues to read as follows:

    Authority: 42 USC. 2473(c)(1)

PART 1809--CONTRACTOR QUALIFICATIONS

0
2. Add section 1809.505-4 to read as follows:


1809.505-4  Obtaining access to sensitive information.

    (b) In accordance with FAR 9.503, the Assistant Administrator for 
Procurement has determined that it would not be in the Government's 
interests for NASA to comply strictly with FAR 9.505-4(b) when 
acquiring services to support management activities and administrative 
functions. The Assistant Administrator for Procurement has, therefore, 
waived the requirement that before gaining access to other companies' 
proprietary or sensitive (see 1837.203-70) information contractors must 
enter specific agreements with each of those other companies to protect 
their information from unauthorized use or disclosure. Accordingly, 
NASA will not require contractors and subcontractors and their 
employees in procurements that support management activities and 
administrative functions to enter into separate, interrelated third 
party agreements to protect sensitive information from unauthorized use 
or disclosure. As an alternative to numerous, separate third party 
agreements, 1837.203-70 prescribes detailed policy and procedures to 
protect contractors from unauthorized use or disclosure of their 
sensitive information. Nothing in this section waives the requirements 
of FAR 37.204 and 1837.204.

PART 1837--SERVICE CONTRACTING

0
3. Add sections 1837.203-70, 1837.203-71, and 1837.203-72 to read as 
follows:


1837.203-70  Providing contractors access to sensitive information.

    (a)(1) As used in this subpart, ``sensitive information'' refers to 
information that the contractor has developed at private expense or 
that the Government has generated that qualifies for an exception to 
the Freedom of Information Act, which is not currently in the public 
domain, may embody trade secrets or commercial or financial 
information, and may be sensitive or privileged, the disclosure of 
which is likely to have either of the following effects: To impair the 
Government's ability to obtain this type of information in the future; 
or to cause substantial harm to the competitive position of the person 
from whom the information was obtained. The term is not intended to 
resemble the markings of national security documents as in sensitive-
secret-top secret.
    (2) As used in this subpart, ``requiring organization'' refers to 
the NASA organizational element or activity that requires specified 
services to be provided.
    (3) As used in this subpart, ``service provider'' refers to the 
service contractor that receives sensitive information from NASA to 
provide services to the requiring organization. (b)(1) To support 
management activities and administrative functions, NASA relies on 
numerous service providers. These contractors may require access to 
sensitive information in the Government's possession, which may be 
entitled to protection from unauthorized use or disclosure.
    (2) As an initial step, the requiring organization shall identify 
when needed services may entail access to sensitive information and 
shall determine whether providing access is necessary for accomplishing 
the Agency's mission. The requiring organization shall review any 
service provider requests for access to information to determine 
whether the access is necessary and whether the information requested 
is considered ``sensitive'' as defined in paragraph (a)(1) of this 
section.
    (c) When the requiring organization determines that providing 
specified services will entail access to sensitive information, the 
solicitation shall require each potential service provider to submit 
with its proposal a preliminary analysis of possible organizational 
conflicts of interest that might flow from the award of a contract. 
After selection, or whenever it becomes clear that performance will 
necessitate access to sensitive information, the service provider must 
submit a comprehensive organizational conflicts of interest avoidance 
plan.
    (d) This comprehensive plan shall incorporate any previous studies 
performed, shall thoroughly analyze all organizational conflicts of 
interest that might arise because the service provider has access to 
other companies' sensitive information, and shall establish specific 
methods to control, mitigate, or eliminate all problems identified. The 
contracting officer, with advice from Center counsel, shall review the 
plan for completeness and identify to the service provider substantive 
weaknesses and omissions for necessary correction. Once the service 
provider has corrected the substantive weaknesses and omissions, the 
contracting officer shall incorporate the revised plan into the 
contract, as a compliance document.
    (e) If the service provider will be operating an information 
technology system for NASA that contains sensitive information, the 
operating contract shall include the clause at 1852.204-76, Security 
Requirements for Unclassified Information Technology Resources, which 
requires the implementation of an Information Technology Security Plan 
to protect information processed, stored, or transmitted from 
unauthorized access, alteration, disclosure, or use.

[[Page 35555]]

    (f) NASA will monitor performance to assure any service provider 
that requires access to sensitive information follows the steps 
outlined in the clause at 1852.237-72, Access to Sensitive Information, 
to protect the information from unauthorized use or disclosure.


1837.203-71  Release of contractors' sensitive information.

    Pursuant to the clause at 1852.237-73, Release of Sensitive 
Information, offerors and contractors agree that NASA may release their 
sensitive information when requested by service providers in accordance 
with the procedures prescribed in 1837.203-70 and subject to the 
safeguards and protections delineated in the clause at 1852.237-72, 
Access to Sensitive Information. As required by the clause at 1852.237-
73, or other contract clause or solicitation provision, contractors 
must identify information they claim to be ``sensitive'' submitted as 
part of a proposal or in the course of performing a contract. The 
contracting officer shall evaluate all contractor claims of sensitivity 
in deciding how NASA should respond to requests from service providers 
for access to information.


1837.203-72  NASA contract clauses.

    (a) The contracting officer shall insert the clause at 1852.237-72, 
Access to Sensitive Information, in all solicitations and contracts for 
services that may require access to sensitive information belonging to 
other companies or generated by the Government.
    (b) The contracting officer shall insert the clause at 1852.237-73, 
Release of Sensitive Information, in all solicitations, contracts, and 
basic ordering agreements.

PART 1852--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

0
4. Add sections 1852.237-72 and 1852.237-73 to read as follows:


1852.237-72  Access to Sensitive Information.

    As prescribed in 1837.203-72(a), insert the following clause:

Access to Sensitive Information

(June 2005)

    (a) As used in this clause, ``sensitive information'' refers to 
information that a contractor has developed at private expense, or 
that the Government has generated that qualifies for an exception to 
the Freedom of Information Act, which is not currently in the public 
domain, and which may embody trade secrets or commercial or 
financial information, and which may be sensitive or privileged.
    (b) To assist NASA in accomplishing management activities and 
administrative functions, the Contractor shall provide the services 
specified elsewhere in this contract.
    (c) If performing this contract entails access to sensitive 
information, as defined above, the Contractor agrees to--
    (1) Utilize any sensitive information coming into its possession 
only for the purposes of performing the services specified in this 
contract, and not to improve its own competitive position in another 
procurement.
    (2) Safeguard sensitive information coming into its possession 
from unauthorized use and disclosure.
    (3) Allow access to sensitive information only to those 
employees that need it to perform services under this contract.
    (4) Preclude access and disclosure of sensitive information to 
persons and entities outside of the Contractor's organization.
    (5) Train employees who may require access to sensitive 
information about their obligations to utilize it only to perform 
the services specified in this contract and to safeguard it from 
unauthorized use and disclosure.
    (6) Obtain a written affirmation from each employee that he/she 
has received and will comply with training on the authorized uses 
and mandatory protections of sensitive information needed in 
performing this contract.
    (7) Administer a monitoring process to ensure that employees 
comply with all reasonable security procedures, report any breaches 
to the Contracting Officer, and implement any necessary corrective 
actions.
    (d) The Contractor will comply with all procedures and 
obligations specified in its Organizational Conflicts of Interest 
Avoidance Plan, which this contract incorporates as a compliance 
document.
    (e) The nature of the work on this contract may subject the 
Contractor and its employees to a variety of laws and regulations 
relating to ethics, conflicts of interest, corruption, and other 
criminal or civil matters relating to the award and administration 
of government contracts. Recognizing that this contract establishes 
a high standard of accountability and trust, the Government will 
carefully review the Contractor's performance in relation to the 
mandates and restrictions found in these laws and regulations. 
Unauthorized uses or disclosures of sensitive information may result 
in termination of this contract for default, or in debarment of the 
Contractor for serious misconduct affecting present responsibility 
as a government contractor.
    (f) The Contractor shall include the substance of this clause, 
including this paragraph (f), suitably modified to reflect the 
relationship of the parties, in all subcontracts that may involve 
access to sensitive information
    (End of clause)


1852.237-73  Release of sensitive information.

    As prescribed in 1837.203-72(b), insert the following clause:

Release of Sensitive Information

(June 2005)

    (a) As used in this clause, ``sensitive information'' refers to 
information, not currently in the public domain, that the Contractor 
has developed at private expense, that may embody trade secrets or 
commercial or financial information, and that may be sensitive or 
privileged.
    (b) In accomplishing management activities and administrative 
functions, NASA relies heavily on the support of various service 
providers. To support NASA activities and functions, these service 
providers, as well as their subcontractors and their individual 
employees, may need access to sensitive information submitted by the 
Contractor under this contract. By submitting this proposal or 
performing this contract, the Contractor agrees that NASA may 
release to its service providers, their subcontractors, and their 
individual employees, sensitive information submitted during the 
course of this procurement, subject to the enumerated protections 
mandated by the clause at 1852.237-72, Access to Sensitive 
Information.
    (c)(1) The Contractor shall identify any sensitive information 
submitted in support of this proposal or in performing this 
contract. For purposes of identifying sensitive information, the 
Contractor may, in addition to any other notice or legend otherwise 
required, use a notice similar to the following:
    Mark the title page with the following legend:
    This proposal or document includes sensitive information that 
NASA shall not disclose outside the Agency and its service providers 
that support management activities and administrative functions. To 
gain access to this sensitive information, a service provider's 
contract must contain the clause at NFS 1852.237-72, Access to 
Sensitive Information. Consistent with this clause, the service 
provider shall not duplicate, use, or disclose the information in 
whole or in part for any purpose other than to perform the services 
specified in its contract. This restriction does not limit the 
Government's right to use this information if it is obtained from 
another source without restriction. The information subject to this 
restriction is contained in pages [insert page numbers or other 
identification of pages].
    Mark each page of sensitive information the Contractor wishes to 
restrict with the following legend:
    Use or disclosure of sensitive information contained on this 
page is subject to the restriction on the title page of this 
proposal or document.
    (2) The Contracting Officer shall evaluate the facts supporting 
any claim that particular information is ``sensitive.'' This 
evaluation shall consider the time and resources necessary to 
protect the information in accordance with the detailed safeguards 
mandated by the clause at 1852.237-72, Access to Sensitive 
Information. However, unless the Contracting Officer decides, with 
the advice of Center counsel, that reasonable grounds exist to 
challenge the Contractor's claim that particular information is 
sensitive,

[[Page 35556]]

NASA and its service providers and their employees shall comply with 
all of the safeguards contained in paragraph (d) of this clause.
    (d) To receive access to sensitive information needed to assist 
NASA in accomplishing management activities and administrative 
functions, the service provider must be operating under a contract 
that contains the clause at 1852.237-72, Access to Sensitive 
Information. This clause obligates the service provider to do the 
following:
    (1) Comply with all specified procedures and obligations, 
including the Organizational Conflicts of Interest Avoidance Plan, 
which the contract has incorporated as a compliance document.
    (2) Utilize any sensitive information coming into its possession 
only for the purpose of performing the services specified in its 
contract.
    (3) Safeguard sensitive information coming into its possession 
from unauthorized use and disclosure.
    (4) Allow access to sensitive information only to those 
employees that need it to perform services under its contract.
    (5) Preclude access and disclosure of sensitive information to 
persons and entities outside of the service provider's organization.
    (6) Train employees who may require access to sensitive 
information about their obligations to utilize it only to perform 
the services specified in its contract and to safeguard it from 
unauthorized use and disclosure.
    (7) Obtain a written affirmation from each employee that he/she 
has received and will comply with training on the authorized uses 
and mandatory protections of sensitive information needed in 
performing this contract.
    (8) Administer a monitoring process to ensure that employees 
comply with all reasonable security procedures, report any breaches 
to the Contracting Officer, and implement any necessary corrective 
actions.
    (e) When the service provider will have primary responsibility 
for operating an information technology system for NASA that 
contains sensitive information, the service provider's contract 
shall include the clause at 1852.204-76, Security Requirements for 
Unclassified Information Technology Resources. The Security 
Requirements clause requires the service provider to implement an 
Information Technology Security Plan to protect information 
processed, stored, or transmitted from unauthorized access, 
alteration, disclosure, or use. Service provider personnel requiring 
privileged access or limited privileged access to these information 
technology systems are subject to screening using the standard 
National Agency Check (NAC) forms appropriate to the level of risk 
for adverse impact to NASA missions. The Contracting Officer may 
allow the service provider to conduct its own screening, provided 
the service provider employs substantially equivalent screening 
procedures.
    (f) This clause does not affect NASA's responsibilities under 
the Freedom of Information Act.
    (g) The Contractor shall insert this clause, including this 
paragraph (g), suitably modified to reflect the relationship of the 
parties, in all subcontracts that may require the furnishing of 
sensitive information.
    (End of clause)

[FR Doc. 05-12191 Filed 6-20-05; 8:45 am]
BILLING CODE 7510-01-P