UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
                                      WASHINGTON, D.C. 20460
ry
                                               SEP  2 8  1998
                                                                              OFFICE OF
                                                                         THE INSPECTOR GENERAL
     MEMORANDUM
•O
     SUBJECT:
FROM:
TO:
             Contractor Access To Confidential Data
             Audit Report No. E1BMF7- 11 -0026-8 100250
                  Elissa R.
                  Deputy Assistant Inspector General
                   for External Audits

                  Alvin M. Pesachowitz
                  Acting Assistant Administrator
                   for Administration and Resources Management
           Attached is our final report entitled "Contractor Access to Confidential Data." Our
     overall objectives were to determine if EPA: (1) has adequate controls over contractor access to
     confidential or sensitive data; (2) has routinely considered contractor access to confidential i r
     sensitive data when awarding contracts and assigning work; and. (3) personnel were
     knowledgeable about the risks, restrictions, and rules concerning contractor access to c mfu.en-ia..
     or sensitive data.
     ACTION REQUIRED

           A draft audit report was issued to you on July 7, 1998. We consider the planned
     corrective actions and milestone dates for recommendations 1 and 3, detailed in your response to
     the draft report, acceptable. Also, based on your comments and current guidelines contained in
     the Acquisition Handbook, Unit 17, we revised recommendation 2.  We understand you agree to
     implement the revised recommendation based on our discussion with the Director. Office of
     Acquisition Management, at the exit conference held on September 24. 1998.  Therefore, we are
     closing this report in our audit tracking system as of this date. Please track all planned actions
     and milestone dates in the Management Audit Tracking System.  We have no objections to the
     further release of this report to the public.

           This report describes findings and corrective actions the Office of Inspector General
     (OIG) recommends to help improve and strengthen controls over contractor access to
     confidential or sensitive data.  As such, it represents the opinion of the OIG. Final

                                                                          US EPA Headquarters Library
                                                                                 Mail code 3201
                                                                          1200 Pennsylvania Avenue NW
                                                                             Washington DC 20460
                  Recycled/Recyclable • Printed with Vegetable Oil Based Inks on 100% Recycled Paper (40°.. Postconsumer)

-------
determinations on matters in the report will be made by EPA managers in accordance with
established EPA audit resolution procedures. Accordingly, the findings described in this report
do not necessarily represent the final EPA position and are not binding upon EPA in any
enforcement proceedings brought by EPA or the Department of Justice.

       We would like to thank your staff for their cooperation. Should you or your staff have
any questions about this report, please contact Norman E. Roth, Divisional Inspector General for
Audit, Headquarters Audit Division, on (202) 260-5113.

-------
                                                       Contractor Access To Confidential Data
PURPOSE AND SCOPE

       We performed this audit as a result of the findings from a survey report entitled "Results
of Survey of EPA's Contract Management Initiatives" issued September 1997. That report
identified a potential vulnerability related to controls over contractor access to confidential or
sensitive data. Our objectives were to determine if EPA:

       (1) has adequate controls over contractor access to confidential or sensitive data;

       (2) has routinely considered contractor access to confidential or sensitive data when
       awarding contracts and assigning work; and

       (3) personnel were knowledgeable about the risks, restrictions, and rules concerning
       contractor access to confidential or sensitive data.

       We interviewed approximately one hundred contracting officers, contract specialists,
project officers, work assignment managers, and delivery order project officers who managed 21
contracts. We discussed how they handled confidential or sensitive data. We reviewed the
contract and work assignment files for the 21 contracts  to determine whether consideration was
given to controlling contractor access to confidential or sensitive data. We also reviewed
guidance documents to determine the requirements for controlling access to confidential  or
sensitive data. (See Appendix 1 for details on scope and methodology.)

Background

       EPA obtains and maintains many types of confidential or sensitive data. Because the
Agency uses contractors extensively, much of this data may be accessed by certain contractors in
the normal course of performing their duties. Confidential data includes confidential business
information, and Privacy Act information. Confidential business information includes trade
secrets, proprietary, commercial, financial, and other information that is afforded protection from
disclosure under certain circumstances as described in the Trade Secrets Act, Federal Acquisition
Regulation, and Office of Management and Budget Circular A-130. Privacy Act information
applies to records about individuals.

       Sensitive data includes enforcement-sensitive information, and EPA internal-sensitive
information.  Enforcement-sensitive information includes privileged information that, if
disclosed, would result in disruption to the legal process, or would reveal enforcement
techniques. EPA internal-sensitive information includes information used within the Agency
that, if not afforded protection from disclosure, could result in unfair contracting practices, or
may adversely affect Agency personnel or property.
                                                     Report No. EIBMF7-11-0026-8100250

-------
                                                      Contractor Access To Confidential Data
Prior Audit Coverage

       The Office of Inspector General issued a report (Report No. 7400070) on September 30,
1997, which" addressed EPA's efforts since 1992 to correct longstanding weaknesses in contracts
management. The report disclosed that the Agency has taken positive steps to address contracts
management weaknesses, however, potential vulnerabilities remain in three areas, including
contractor access to confidential or sensitive data.  This specific audit of contractor access to
confidential or sensitive data was conducted as a result of our prior findings in Report No.
7400070.

RESULTS IN BRIEF

       The Agency has a system in place to control contractor access to confidential business
information. However, the system does not adequately address controls over contractor access to
other equally sensitive data such as enforcement, Privacy Act, or internal-sensitive information.
In addition, although contracting officers routinely included various contract clauses that mention
control of confidential or sensitive data when awarding contracts, program office personnel were
not always aware of the contract clauses and did not always consider access to confidential or
sensitive data when assigning work.

       We issued a draft report on July 7, 1998.  We received-a response to the draft report from
the Office of Administration and Resources Management on August 27/1998. .The Acting
Administrator took no exception to the report findings and agreed to implement most of the
recommendations in this report.  A copy of the response is included as Appendix 2 to this report.
We held an exit conference on September 24, 1998.
FINDINGS AND RECOMMENDATIONS

The Agency's Controls over Contractor Access to Confidential or Sensitive Data Need to be
Improved

       The Agency has a system in place to control contractor access to confidential business
information.  However, the system does not adequately address controls over contractor access to
other equally sensitive data such as enforcement, Privacy Act, or internal-sensitive information.
In addition, program personnel were not always aware of requirements to safeguard against
contractor access to confidential or sensitive data.

       The Contracts Management Manual (CMM), Chapter 2 requires, for situations where a
contractor has access to confidential or sensitive data, that control measures be established to
ensure that contractors do not have inappropriate access to such data and to ensure systems are in

                                                    Report No. EIBMF7-11-0026-8100250

-------
                                                       Contractor Access To Confidential Data
place to prevent the release of sensitive data to non-designated contractor employees.  A
discussion of control measures must be prepared by the Project Officer and approved by the
contracting office prior to issuance of the solicitation. CMM, Chapter 1, requires contract
management plans for certain contracts.  One of the requirements of the plan is to identify key
vulnerabilities inherent in the contract and provide a description of the provisions for dealing
with them.  Confidential business information was identified as a key vulnerability. In addition,
the CMM provides that project officers, work assignment managers, and delivery order project
officers are responsible for monitoring all the activities of the contractor. This guidance
specifically identifies and requires the safeguarding of confidential business information.

       The contracting office routinely includes various contract clauses dealing with control
over confidential business information in the contract. These clauses may prevent improper
contractor access to confidential business information, if followed. However,  as detailed later in
the report, program office personnel were not always aware of the contract clauses and did not
always consider access to confidential or sensitive data when assigning work.  The clauses can
not serve their purpose of safeguarding confidential or sensitive data if they  are not properly
implemented.

       Contract management plans were required and established for seven of the 21 contracts
we reviewed. Each of the seven plans included provisions for dealing with confidential business
information. Some of the provisions included contract clauses identifying special requirements,
establishing reviews of work assignments, establishing security plans, and requiring contractors
to obtain confidentiality agreements from their personnel.  Although the remaining 14 contracts
did not require a contract management plan, they included clauses requiring protection of
confidential business information. Contracting Officers told us that these clauses are routinely
included in the contract as a precaution.  However, the program offices were not always aware of
these confidential business information provisions.

       We found that Cincinnati-Contracts Management Division (CMD) had good controls
over contractor access to confidential business information. Before approving work assignments,
CMD officials reviewed each work assignment for potential access to confidential business
information. If the potential for release existed^CMD officials verified that the release was
authorized in the contract. If the release was not approved in the contract, the  work assignment
was rejected. CMD officials also ensured that EPA and contractor personnel had confidential
business information clearances before approving work assignments involving access to the
information.

       A good control was also established  in a Headquarters contract involving the Integrated
Contracts Management System.  This system contains very sensitive data such as overhead rates
and proposal data for all EPA contracts.  The contractor that manages the system has access to
competitors' rates and other data that could be beneficial for future contract  bids and other

                                                     Report No. EIBMF7-11-0026-8100250
                                                               U S  EPA Headquarters Library
                                                                      Mai! code 3201
                                                               1200 Pennsylvania Avenue NW
                                                                   Washington  DC 20460

-------
                                                       Contractor Access To Confidential Data
procurement actions. Headquarters contract officials recently took action to both limit the extent
of system access and reduce the number of contractor personnel with access to the system. These
actions were appropriate and should be considered in similar situations.

       Program offices and contracting divisions each play an important ro!e in making sure that
contractor access to confidential or sensitive data is properly controlled.  Program offices have
the primary role in controlling access because they are the personnel who work directly with the
contractor and are responsible for ensuring confidential or sensitive data is not released to
unauthorized contractor personnel.  Contracting officials' roles are also key  in providing
oversight of the legal aspects of contract execution. Controlling contractor access to confidential
or sensitive data is a shared responsibility between the program  office and the contracting
divisions. Program offices should work with contracting officers to ensure they are
knowledgeable about contract clauses and necessary procedures to control contractor's access to
confidential or sensitive data. Contracting officials should place the same emphasis on
contractor access to other sensitive data, such as enforcement, Privacy Act, or internal sensitive
data, as they do for confidential business information.

EPA Routinely Considers AccessXoJSensitive  Data Issues When Awarding Contracts But Not
Always When Assigning Work.

       When awarding contracts, contracting officers routinely  included various contract clauses
that mention control of confidential or sensitive data. These clauses include provisions for
screening business information for claims of confidentiality, conducting background searches
and obtaining clearance documents on contractor personnel who have access to confidential or
sensitive data, and releasing contractor confidential business information. However, program
office personnel were not always aware of the contract clauses and did not always consider
access to confidential or sensitive data when assigning work. In addition, program office
personnel did not always know if work assignments or delivery  orders required contractors to
access confidential or sensitive data.

       For nine of the 21 contracts we reviewed, project officers, work assignment managers,
and delivery order project officers had conflicting opinions on whether a contract involved
confidential or sensitive data. For example, six project officers  told us that none of the work
assignments or delivery orders for their contracts required access to confidential or sensitive data.
On the other hand, work assignment managers  and delivery order project officers for these same
contracts told us that the work assignments or delivery orders did require the contractor to have
access to confidential or sensitive data. For another contract, the project officer said that all eight
work assignments for the contract involved access to confidential or sensitive data.  However,
one work assignment manager said that none of her work assignments involved confidential or
sensitive data.
                                                     Report No. EIBMF7-11-0026-8100250

-------
                                                       Contractor Access To Confidential Data
       As a result, confidential or sensitive data released to contractors was not always
controlled. For example, in Region 10, we visited a contractor's office and found two of five
files that contained sensitive documents. According to both the contracting officer and
contractor, these documents were provided with the work assignment.  However, none of the
work assignment managers were aware that the documents contained sensitive data and or that
the contractor had access to it.

       One contract specialist suggested that a person be designated as a point of contact to
address any questions or concerns regarding confidential or sensitive data.  Agency program
offices have document control officers who are basically responsible for controlling confidential
business information for their respective programs. However, these officers do not deal with
Privacy Act data, enforcement sensitive, or internal sensitive.  With proper training, the
document control officers could serve as points of contact to address questions concerning
contractor access to confidential or sensitive data.

       To properly protect and safeguard confidential or sensitive data, program office personnel
should be able to recognize and agree on work assignments and delivery orders that involve
contractor access to confidential or sensitive data. Confidential or sensitive data that is
inadequately  safeguarded or improperly disclosed could adversely affect Agency personnel and
property or result in a contractor having a competitive advantage in the procurement process.

Program Office Personnel Need Training About the Risks and Rules Concerning Contractor
Access to Confidential or Sensitive Data

       One of the goals of our interviews was to determine if EPA personnel were
knowledgeable about the risks, restrictions, and rules concerning contractor access to confidential
or sensitive data. Four of the 19 project officers and 21 of 54 work assignment managers and
delivery order project officers were not familiar with or aware of any procedures to control
contractor access to confidential or sensitive data. This lack of knowledge can result in
unauthorized contractor personnel having access to sensitive data. In addition, it may place the
Agency, as well as employees involved in allowing the contractor access, at risk for civil
litigation and even criminal penalties.

       The Contract  Management Manual  provides that it is EPA policy that all individuals
serving as contracting officers, project officers, work assignment managers, and delivery order
project officers fully  understand their responsibilities and duties. This understanding is to be
developed through training and actual work experience.  During our interviews, 9 of 19 project
officers and 24 of 54 other program office personnel stated they had not received specific training
regarding contractor access to confidential or sensitive data. Some of these individuals indicated
they did not fully understand the risk, restrictions and rules regarding contractor access to
confidential or sensitive data.  Training for program personnel is important since, generally, these

                                                     Report No. EIBMF7-11-0026-8100250
                                            7
                                                            U S EPA Headquarters Library
                                                                   Mail code 3201
                                                            1200 Pennsylvania Avenue NW
                                                               Washington DC 20460

-------
                                                      Contractor Access To Confidential Data
individuals have technical backgrounds and would not necessarily be knowledgeable of Federal
and EPA procurement regulations. In addition, program personnel are responsible for assigning
work to the contractor and are more aware of the specific tasks to be performed.

       Most program office personnel had taken the required contract courses. However,
program personnel told us that the courses do not adequately address the issue of contractor
access to confidential or sensitive data. They stated that the courses contain some, information
regarding confidential business information, the other areas such as Privacy Act information,
enforcement sensitive, and internal sensitive information, were not addressed at all.  Subsequent
to the audit, the Office of Acquisition Management informed us  that the current training
curriculum already addresses the need for protecting against the  unauthorized release of CBI,
procurement sensitive information, and Privacy Act information. The instructors for the contract
training courses will continue to stress the importance of maintaining protective custody of this
information.
RECOMMENDATIONS

       We recommend the Acting Assistant Administrator for Administration and Resources
Management in coordination with other appropriate senior Agency managers:

  1.    Issue a directive that contracting officers and the program office (PO/WAM) work
       together to review their contracts to determine if the contract involves contractor access to
       confidential or sensitive data and ensure necessary safeguards are in place to control
       contractor access to such data.

  2.    Emphasize the evaluation of security over all types of confidential or sensitive data
       during the quality assurance reviews completed under the Contracting Officer/Project
       Office Contract Monitoring Program.

  3.    Revise the Contracts Management Manual to include clear definitions of confidential
       business,  enforcement sensitive, and Privacy Act information. Include a specific
       requirement to address contractor access to each one in the contract management plan.
AGENCY RESPONSE AND PIG EVALUATION

       The Acting Assistant Administrator for Administration and Resources Management took
no exceptions to the report findings, and agreed to implement corrective actions for two of the
three recommendations above.  The planned corrective actions include issuing a directive to
address recommendation 1, and revising the Contracts Management Manual to address

                                                    Report No. EIBMF7-11-0026-8100250

-------
                                                      Contractor Access To Confidential Data
recommendation 3. The Acting Assistant Administrator did not concur with recommendation 2,
but indicated that Acquisition Management Review (AMR) teams would continue to ensure that
confidential business information clauses are included in EPA contracts whenever appropriate.
We modified recommendation 2 to indicate that security over all types of confidential or
sensitive data should be evaluated during quality assurance reviews completed under the
Contracting Officer/Project Office Contract Monitoring Program.  This recommendation is
supported by current guidelines contained in the Acquisition Handbook, Unit 17. At the exit
conference the Director, Office of Acquisition Management, stated that they plan to implement
the revised recommendation.

       The Acting Assistant Administrator also did not concur with a fourth recommendation
that we included in the draft report.  We recommended that a module to address contractor access
to confidential or sensitive data be included in Agency contract training courses. He believed
that this issue is adequately addressed in currently available training text. However, instructors
for the contract courses will be reminded to stress the importance of maintaining protective
custody of confidential or sensitive data, and remind contracting/project officers of this issue in
the directive to be issued for recommendation 1. The Agency's actions should adequately
address this issue, therefore, we eliminated recommendation 4 from the final report.

       The entire response is included as Appendix 2 to this report.
                                                                 U.S. EPA Headquarters Library
                                                                        Mai! code 3201
                                                                 1200 Pennsylvania Avenue NW
                                                                    Washington DC 20460
                                                    Report No. EIBMF7-11-0026-8100250

-------
                            Contractor Access To Confidential Data
(This page was intentionally left blank.)
                          Report No. EIBMF7-11-0026-8100250
                 10

-------
                                             Contractor Access To Confidential Data
                                                                     Exhibit 1
                   Contracts Selected for Review
Contract Number
68-W6-0069
68-W5-0058
68-W5-0024
68-W1-0055
68-W3-0003
68-W4-0030
68-W4-0040
68-C5-0039
68-C4-0007 -
68-C4-0024
68-D6-0014
68-W2-0025
68-S5-3002
68-W4-0010
68-W8-0084
68-W6-0012
68-W4-0021
68-W9-0059
68-W9-0060
68-W9-0046
68-W4-0014
Program Office
Office of Prevention, Pesticides, and Toxic Substances
Office of Administration and Resources Management
Agency wide1
Office of Administration and Resources Management
Office of Administration and Resources Management
Office of Solid Waste and Emergency Response
Office of Solid Waste and Emergency Response
Office of Research and Development
Office of Water
Office of Water
Office of the Administrator/Deputy Administrator
Office of Administration and Resources Management
Office of Solid Waste and Emergency Response
Office of Solid Waste and Emergency Response
Office of Administration and Resources Management
Office of Solid Waste and Emergency Response
Office of Solid Waste and Emergency Response
Office of Administration and Resources Management
Office of Solid Waste and Emergency Response
Office of Solid Waste and Emergency Response
Office of Solid Waste and Emergency Response
                                                         U.S. EPA Headquarters Library
                                                               Mail code 3201
                                                         1200 Pennsylvania Avenue NW
                                                            Washington DC 20460
Contract provides records management services for the Agency.

                                           Report No. EIBMF7-11-0026-8100250
                                   11

-------
                            Contractor Access To Confidential Data
(This page was intentionally left blank.)
                          Report No. EIBMF7-11-0026-8100250
                 12

-------
                                                      Contractor Access To Confidential Data
                                                                             Appendix 1
                                                                             Page 1 of2
                      DETAILED SCOPE AND METHODOLOGY
       We concentrated on contracts active in fiscal years 1996 and 1997. We selected and
reviewed a sample of 21 contracts from the universe of approximately 200 which are similar to
contracts that the Northern Audit Division (NAD) identified in its survey (EPA Report No.
7400070). The contract universe was classified in four categories: confidential business
information; Privacy Act information; Enforcement Sensitive information; and internal-sensitive
information. Our sample was selected to ensure that all four categories were represented.

       During the survey of EPA Contract Management Initiatives, NAD reviewed several
contract issues. NAD determined the Agency did not maintain a centralized listing of Agency
contracts where a contractor may have access to confidential or sensitive data.  The Acting
Inspector General and the Acting Assistant Administrator for Administration and Resources
Management, sent a joint letter to all the Agency's Senior Resource Officials (SRO) requesting
them to identify contracts that may involve confidential or sensitive data.  The SROs response to
the letter identified about 200 contracts  Agencywide. We used this universe as the basis for our
audit.

       We interviewed approximately one hundred contracting officers, contract specialists,
project officers, work assignment managers, and delivery order project officers who managed the
sampled contracts to determine how they handled confidential/sensitive data. We reviewed the
contract and work assignment files to determine whether consideration was given to contractor
access and to determine if EPA has a system in place to ensure all access to confidential or
sensitive data is properly monitored and controlled.

       We conducted our field work at  EPA Headquarters; Regions 3, 5, 7, 9 and 10; and offices
in Cincinnati, OH and Research Triangle Park, NC.  We reviewed 54 work assignments, delivery
orders, and technical direction documents that were issued under the 21 contracts.  These 21
contracts had a total value of almost $1.5 billion with an average value of over $71 million for
each individual contract.

       We also contacted and met with employees from the Department of Energy (DOE) and
National Aeronautics and Space Administration (NASA) to determine how they handled
contractor access to sensitive data. Both of these Agencies operate very similar to how EPA
operates its contract administration. We did not obtain any additional information that  could
benefit EPA. Thus we did not make any recommendations based on our contacts with DOE and
NASA.
                                                    Report No. EIBMF7-11-0026-8100250
                                           13'

-------

-------