Office of Inspector General
Report of Audit
ACQUISITION MANAGEMENT
CONTRACTOR ACCESS TO CONFIDENTIAL DATA
E1BMF7-11-0026-8100250
September 28, 1998

-------
Inspector General Division Conducting the Review:	Headquarters Audit Division
Program Offices Involved:	Office of Administration and Resources Management
	Office of Acquisition Management

-------
MEMORANDUM
SUBJECT: Contractor Access To Confidential Data
Audit Report No. E1BMF7-11-0026-8100250
FROM: Elissa R. Karpf
Deputy Assistant Inspector General
for External Audits
TO:	Alvin M. Pesachowitz
Acting Assistant Administrator
for Administration and Resources Management
Attached is our final report entitled "Contractor Access to Confidential Data." Our
overall objectives were to determine if EPA: (1) has adequate controls over contractor access to
confidential or sensitive data; (2) has routinely considered contractor access to confidential or
sensitive data when awarding contracts and assigning work; and, (3) personnel were
knowledgeable about the risks, restrictions, and rules concerning contractor access to confidential
or sensitive data.
ACTION REQUIRED
A draft audit report was issued to you on July 7, 1998. We consider the planned
corrective actions and milestone dates for recommendations 1 and 3, detailed in your response to
the draft report, acceptable. Also, based on your comments and current guidelines contained in
the Acquisition Handbook, Unit 17, we revised recommendation 2. We understand you agree to
implement the revised recommendation based on our discussion with the Director, Office of
Acquisition Management, at the exit conference held on September 24, 1998. Therefore, we are
closing this report in our audit tracking system as of this date. Please track all planned actions
and milestone dates in the Management Audit Tracking System. We have no objections to the
further release of this report to the public.
This report describes findings and corrective actions the Office of Inspector General
(OIG) recommends to help improve and strengthen controls over contractor access to confidential
or sensitive data. As such, it represents the opinion of the OIG. Final determinations on matters
in the report will be made by EPA managers in accordance with established EPA audit resolution
procedures. Accordingly, the findings described in this report do not necessarily represent the
final EPA position and are not binding upon EPA in any enforcement proceedings brought by
EPA or the Department of Justice.
We would like to thank your staff for their cooperation. Should you or your staff have
any questions about this report, please contact Norman E. Roth, Divisional Inspector General for
Audit, Headquarters Audit Division, on (202) 260-5113.
Contractor Access To Confidential Data
PURPOSE AND SCOPE
We performed this audit as a result of the findings from a survey report entitled "Results
of Survey of EPA's Contract Management Initiatives" issued September 1997. That report
identified a potential vulnerability related to controls over contractor access to confidential or
sensitive data. Our objectives were to determine if EPA:
(1)	has adequate controls over contractor access to confidential or sensitive data;
(2)	has routinely considered contractor access to confidential or sensitive data when
awarding contracts and assigning work; and
(3)	personnel were knowledgeable about the risks, restrictions, and rules concerning
contractor access to confidential or sensitive data.
We interviewed approximately one hundred contracting officers, contract specialists,
project officers, work assignment managers, and delivery order project officers who managed 21
contracts. We discussed how they handled confidential or sensitive data. We reviewed the
contract and work assignment files for the 21 contracts to determine whether consideration was
given to controlling contractor access to confidential or sensitive data. We also reviewed
guidance documents to determine the requirements for controlling access to confidential or
sensitive data. (See Appendix 1 for details on scope and methodology.)
Background
EPA obtains and maintains many types of confidential or sensitive data. Because the
Agency uses contractors extensively, much of this data may be accessed by certain contractors in
the normal course of performing their duties. Confidential data includes confidential business
information and Privacy Act information. Confidential business information includes trade
secrets, proprietary, commercial, financial, and other information that is afforded protection from
disclosure under certain circumstances as described in the Trade Secrets Act, Federal Acquisition
Regulation, and Office of Management and Budget Circular A-130. Privacy Act information
applies to records about individuals.
Sensitive data includes enforcement-sensitive information and EPA internal-sensitive
information. Enforcement-sensitive information includes privileged information that, if disclosed,
would result in disruption to the legal process, or would reveal enforcement techniques. EPA
internal-sensitive information includes information used within the Agency that, if not afforded
protection from disclosure, could result in unfair contracting practices, or may adversely affect
Agency personnel or property.
Prior Audit Coverage
The Office of Inspector General issued a report (Report No. 7400070) on September 30,
1997, which addressed EPA's efforts since 1992 to correct longstanding weaknesses in contracts
management. The report disclosed that the Agency has taken positive steps to address contracts
management weaknesses; however, potential vulnerabilities remain in three areas, including
contractor access to confidential or sensitive data. This specific audit of contractor access to
confidential or sensitive data was conducted as a result of our prior findings in Report No.
7400070.
RESULTS IN BRIEF
The Agency has a system in place to control contractor access to confidential business
information. However, the system does not adequately address controls over contractor access to
other equally sensitive data such as enforcement, Privacy Act, or internal-sensitive information.
In addition, although contracting officers routinely included various contract clauses that mention
control of confidential or sensitive data when awarding contracts, program office personnel were
not always aware of the contract clauses and did not always consider access to confidential or
sensitive data when assigning work.
We issued a draft report on July 7, 1998. We received a response to the draft report from
the Office of Administration and Resources Management on August 27, 1998. The Acting
Administrator took no exception to the report findings and agreed to implement most of the
recommendations in this report. A copy of the response is included as Appendix 2 to this report.
We held an exit conference on September 24, 1998.
FINDINGS AND RECOMMENDATIONS
The Agency's Controls over Contractor Access to Confidential or Sensitive Data Need to be
Improved
The Agency has a system in place to control contractor access to confidential business
information. However, the system does not adequately address controls over contractor access to
other equally sensitive data such as enforcement, Privacy Act, or internal-sensitive information.
In addition, program personnel were not always aware of requirements to safeguard against
contractor access to confidential or sensitive data.
The Contracts Management Manual (CMM), Chapter 2 requires, for situations where a
contractor has access to confidential or sensitive data, that control measures be established to
ensure that contractors do not have inappropriate access to such data and to ensure systems are in
place to prevent the release of sensitive data to non-designated contractor employees. A
discussion of control measures must be prepared by the Project Officer and approved by the
contracting office prior to issuance of the solicitation. CMM, Chapter 1, requires contract
management plans for certain contracts. One of the requirements of the plan is to identify key
vulnerabilities inherent in the contract and provide a description of the provisions for dealing with
them. Confidential business information was identified as a key vulnerability. In addition, the
CMM provides that project officers, work assignment managers, and delivery order project
officers are responsible for monitoring all the activities of the contractor. This guidance
specifically identifies and requires the safeguarding of confidential business information.
The contracting office routinely includes various contract clauses dealing with control
over confidential business information in the contract. These clauses may prevent improper
contractor access to confidential business information, if followed. However, as detailed later in
the report, program office personnel were not always aware of the contract clauses and did not
always consider access to confidential or sensitive data when assigning work. The clauses cannot
serve their purpose of safeguarding confidential or sensitive data if they are not properly
implemented.
Contract management plans were required and established for seven of the 21 contracts
we reviewed. Each of the seven plans included provisions for dealing with confidential business
information. Some of the provisions included contract clauses identifying special requirements,
establishing reviews of work assignments, establishing security plans, and requiring contractors to
obtain confidentiality agreements from their personnel. Although the remaining 14 contracts did
not require a contract management plan, they included clauses requiring protection of confidential
business information. Contracting Officers told us that these clauses are routinely included in the
contract as a precaution. However, the program offices were not always aware of these
confidential business information provisions.
We found that Cincinnati-Contracts Management Division (CMD) had good controls over
contractor access to confidential business information. Before approving work assignments,
CMD officials reviewed each work assignment for potential access to confidential business
information. If the potential for release existed, CMD officials verified that the release was
authorized in the contract. If the release was not approved in the contract, the work assignment
was rejected. CMD officials also ensured that EPA and contractor personnel had confidential
business information clearances before approving work assignments involving access to the
information.
A good control was also established in a Headquarters contract involving the Integrated
Contracts Management System. This system contains very sensitive data such as overhead rates
and proposal data for all EPA contracts. The contractor that manages the system has access to
competitors' rates and other data that could be beneficial for future contract bids and other
procurement actions. Headquarters contract officials recently took action to both limit the extent
of system access and reduce the number of contractor personnel with access to the system. These
actions were appropriate and should be considered in similar situations.
Program offices and contracting divisions each play an important role in making sure that
contractor access to confidential or sensitive data is properly controlled. Program offices have the
primary role in controlling access because they are the personnel who work directly with the
contractor and are responsible for ensuring confidential or sensitive data is not released to
unauthorized contractor personnel. Contracting officials' roles are also key in providing oversight
of the legal aspects of contract execution. Controlling contractor access to confidential or
sensitive data is a shared responsibility between the program office and the contracting divisions.
Program offices should work with contracting officers to ensure they are knowledgeable about
contract clauses and necessary procedures to control contractor's access to confidential or
sensitive data. Contracting officials should place the same emphasis on contractor access to other
sensitive data, such as enforcement, Privacy Act, or internal sensitive data, as they do for
confidential business information.
EPA Routinely Considers Access To Sensitive Data Issues When Awarding Contracts But Not
Always When Assigning Work.
When awarding contracts, contracting officers routinely included various contract clauses
that mention control of confidential or sensitive data. These clauses include provisions for
screening business information for claims of confidentiality, conducting background searches and
obtaining clearance documents on contractor personnel who have access to confidential or
sensitive data, and releasing contractor confidential business information. However, program
office personnel were not always aware of the contract clauses and did not always consider access
to confidential or sensitive data when assigning work. In addition, program office personnel did
not always know if work assignments or delivery orders required contractors to access
confidential or sensitive data.
For nine of the 21 contracts we reviewed, project officers, work assignment managers,
and delivery order project officers had conflicting opinions on whether a contract involved
confidential or sensitive data. For example, six project officers told us that none of the work
assignments or delivery orders for their contracts required access to confidential or sensitive data.
On the other hand, work assignment managers and delivery order project officers for these same
contracts told us that the work assignments or delivery orders did require the contractor to have
access to confidential or sensitive data. For another contract, the project officer said that all eight
work assignments for the contract involved access to confidential or sensitive data. However, one
work assignment manager said that none of her work assignments involved confidential or
sensitive data.
As a result, confidential or sensitive data released to contractors was not always
controlled. For example, in Region 10, we visited a contractor's office and found two of five files
that contained sensitive documents. According to both the contracting officer and contractor,
these documents were provided with the work assignment. However, none of the work
assignment managers were aware that the documents contained sensitive data and/or that the
contractor had access to it.
One contract specialist suggested that a person be designated as a point of contact to
address any questions or concerns regarding confidential or sensitive data. Agency program
offices have document control officers who are basically responsible for controlling confidential
business information for their respective programs. However, these officers do not deal with
Privacy Act, enforcement-sensitive, or internal-sensitive data. With proper training, the document
control officers could serve as points of contact to address questions concerning contractor access
to confidential or sensitive data.
To properly protect and safeguard confidential or sensitive data, program office personnel
should be able to recognize and agree on work assignments and delivery orders that involve
contractor access to confidential or sensitive data. Confidential or sensitive data that is
inadequately safeguarded or improperly disclosed could adversely affect Agency personnel and
property or result in a contractor having a competitive advantage in the procurement process.
Program Office Personnel Need Training About the Risks and Rules Concerning Contractor
Access to Confidential or Sensitive Data
One of the goals of our interviews was to determine if EPA personnel were
knowledgeable about the risks, restrictions, and rules concerning contractor access to confidential
or sensitive data. Four of the 19 project officers and 21 of 54 work assignment managers and
delivery order project officers were not familiar with or aware of any procedures to control
contractor access to confidential or sensitive data. This lack of knowledge can result in
unauthorized contractor personnel having access to sensitive data. In addition, it may place the
Agency, as well as employees involved in allowing the contractor access, at risk for civil litigation
and even criminal penalties.
The Contract Management Manual provides that it is EPA policy that all individuals
serving as contracting officers, project officers, work assignment managers, and delivery order
project officers fully understand their responsibilities and duties. This understanding is to be
developed through training and actual work experience. During our interviews, 9 of 19 project
officers and 24 of 54 other program office personnel stated they had not received specific training
regarding contractor access to confidential or sensitive data. Some of these individuals indicated
they did not fully understand the risk, restrictions and rules regarding contractor access to
confidential or sensitive data. Training for program personnel is important since, generally, these
individuals have technical backgrounds and would not necessarily be knowledgeable of Federal
and EPA procurement regulations. In addition, program personnel are responsible for assigning
work to the contractor and are more aware of the specific tasks to be performed.
Most program office personnel had taken the required contract courses. However,
program personnel told us that the courses do not adequately address the issue of contractor
access to confidential or sensitive data. They stated that although the courses contain some
information regarding confidential business information, the other areas, such as Privacy Act
information, enforcement sensitive, and internal sensitive information, were not addressed at all. Subsequent
to the audit, the Office of Acquisition Management informed us that the current training
curriculum already addresses the need for protecting against the unauthorized release of CBI,
procurement sensitive information, and Privacy Act information. The instructors for the contract
training courses will continue to stress the importance of maintaining protective custody of this
information.
RECOMMENDATIONS
We recommend the Acting Assistant Administrator for Administration and Resources
Management in coordination with other appropriate senior Agency managers:
1.	Issue a directive that contracting officers and the program office (PO/WAM) work
together to review their contracts to determine if the contract involves contractor access
to confidential or sensitive data and ensure necessary safeguards are in place to control
contractor access to such data.
2.	Emphasize the evaluation of security over all types of confidential or sensitive data during
the quality assurance reviews completed under the Contracting Officer/Project Office
Contract Monitoring Program.
3.	Revise the Contracts Management Manual to include clear definitions of confidential
business, enforcement sensitive, and Privacy Act information. Include a specific
requirement to address contractor access to each one in the contract management plan.
AGENCY RESPONSE AND OIG EVALUATION
The Acting Assistant Administrator for Administration and Resources Management took
no exceptions to the report findings, and agreed to implement corrective actions for two of the
three recommendations above. The planned corrective actions include issuing a directive to
address recommendation 1, and revising the Contracts Management Manual to address
recommendation 3. The Acting Assistant Administrator did not concur with recommendation 2,
but indicated that Acquisition Management Review (AMR) teams would continue to ensure that
confidential business information clauses are included in EPA contracts whenever appropriate.
We modified recommendation 2 to indicate that security over all types of confidential or sensitive
data should be evaluated during quality assurance reviews completed under the Contracting
Officer/Project Office Contract Monitoring Program. This recommendation is supported by
current guidelines contained in the Acquisition Handbook, Unit 17. At the exit conference the
Director, Office of Acquisition Management, stated that they plan to implement the revised
recommendation.
The Acting Assistant Administrator also did not concur with a fourth recommendation
that we included in the draft report. We recommended that a module to address contractor access
to confidential or sensitive data be included in Agency contract training courses. He believed that
this issue is adequately addressed in currently available training text. However, instructors for the
contract courses will be reminded to stress the importance of maintaining protective custody of
confidential or sensitive data, and remind contracting/project officers of this issue in the directive
to be issued for recommendation 1. The Agency's actions should adequately address this issue;
therefore, we eliminated recommendation 4 from the final report.
The entire response is included as Appendix 2 to this report.
Exhibit 1
Contracts Selected for Review
Contract Number    Program Office
68-W6-0069         Office of Prevention, Pesticides, and Toxic Substances
68-W5-0058         Office of Administration and Resources Management
68-W5-0024         Agencywide [1]
68-W1-0055         Office of Administration and Resources Management
68-W3-0003         Office of Administration and Resources Management
68-W4-0030         Office of Solid Waste and Emergency Response
68-W4-0040         Office of Solid Waste and Emergency Response
68-C5-0039         Office of Research and Development
68-C4-0007         Office of Water
68-C4-0024         Office of Water
68-D6-0014         Office of the Administrator/Deputy Administrator
68-W2-0025         Office of Administration and Resources Management
68-S5-3002         Office of Solid Waste and Emergency Response
68-W4-0010         Office of Solid Waste and Emergency Response
68-W8-0084         Office of Administration and Resources Management
68-W6-0012         Office of Solid Waste and Emergency Response
68-W4-0021         Office of Solid Waste and Emergency Response
68-W9-0059         Office of Administration and Resources Management
68-W9-0060         Office of Solid Waste and Emergency Response
68-W9-0046         Office of Solid Waste and Emergency Response
68-W4-0014         Office of Solid Waste and Emergency Response
[1] Contract provides records management services for the Agency.
Appendix 1
DETAILED SCOPE AND METHODOLOGY
We concentrated on contracts active in fiscal years 1996 and 1997. We selected and
reviewed a sample of 21 contracts from the universe of approximately 200 which are similar to
contracts that the Northern Audit Division (NAD) identified in its survey (EPA Report No.
7400070). The contract universe was classified in four categories: confidential business
information; Privacy Act information; Enforcement Sensitive information; and internal-sensitive
information. Our sample was selected to ensure that all four categories were represented.
During the survey of EPA Contract Management Initiatives, NAD reviewed several
contract issues. NAD determined the Agency did not maintain a centralized listing of Agency
contracts where a contractor may have access to confidential or sensitive data. The Acting
Inspector General and the Acting Assistant Administrator for Administration and Resources
Management, sent a joint letter to all the Agency's Senior Resource Officials (SRO) requesting
them to identify contracts that may involve confidential or sensitive data. The SROs response to
the letter identified about 200 contracts Agencywide. We used this universe as the basis for our
audit.
We interviewed approximately one hundred contracting officers, contract specialists,
project officers, work assignment managers, and delivery order project officers who managed the
sampled contracts to determine how they handled confidential/sensitive data. We reviewed the
contract and work assignment files to determine whether consideration was given to contractor
access and to determine if EPA has a system in place to ensure all access to confidential or
sensitive data is properly monitored and controlled.
We conducted our field work at EPA Headquarters; Regions 3, 5, 7, 9 and 10; and offices
in Cincinnati, OH and Research Triangle Park, NC. We reviewed 54 work assignments, delivery
orders, and technical direction documents that were issued under the 21 contracts. These 21
contracts had a total value of almost $1.5 billion with an average value of over $71 million for each
individual contract.
We also contacted and met with employees from the Department of Energy (DOE) and
National Aeronautics and Space Administration (NASA) to determine how they handled
contractor access to sensitive data. Both of these Agencies operate very similar to how EPA
operates its contract administration. We did not obtain any additional information that could
benefit EPA. Thus we did not make any recommendations based on our contacts with DOE and
NASA.
We performed this audit in accordance with 1994 Government Auditing Standards issued
by the Comptroller General of the United States. We conducted fieldwork from September 1997
to March 1998.
Appendix 2
MEMORANDUM
SUBJECT: Contractor Access To Confidential Data
Draft Audit Report No. E1BMF7-11-0026
FROM:	Alvin M. Pesachowitz [2]
Acting Assistant Administrator
Office of Administration and Resources Management
TO:	Elissa R. Karpf
Deputy Assistant Inspector General
For Acquisition and Assistance Audits
Thank you for the opportunity to provide comments on the above report.
We take no exceptions to the findings and our responses to the OIG recommendations are discussed
below by subject in the order of appearance in the report.
If you have any questions or comments, please call me at 260-4600, or have your staff call Betty L.
Bailey, Director, Office of Acquisition Management, at 564-4310.
OIG: Recommend the Acting Assistant Administrator for Administration and Resources Management
in coordination with other appropriate senior Agency managers:
Recommendation 1: Issue a directive that contracting officers and the program office (PO/WAM) work
together to review their contracts to determine if the contract involves contractor access to confidential or
sensitive data and ensure necessary safeguards are in place to control contractor access to such data.
OARM Response: We concur with this recommendation. OAM will issue a memo from the Director,
Office of Acquisition Management, to contracting officers (COs) and program office representatives,
requesting that they review and determine if their contracts involve contractor access to confidential or
sensitive data. If so, the parties will take the appropriate steps to ensure that necessary safeguards are in
place to control contractor access to such data. We will issue this memo by August 31, 1998.
[2] This is an electronic file of the management response memorandum which was signed by
Alvin M. Pesachowitz on August 27, 1998.
Recommendation 2: As part of the Acquisition Management Reviews, review contracts to ensure only
authorized contractor personnel have access to confidential or sensitive data and that the clauses are being
enforced.
OARM Response: We do not concur with this recommendation. The primary focus of an Acquisition
Management Review (AMR) is to evaluate the practices of a contracting activity within EPA. As part of this
process, contracts are reviewed to ensure that appropriate clauses have been included, and contracts are
managed properly. This does not include the review of a contractor's organization or its compliance with
required clauses. We consider this the responsibility of each CO, and should be a normal contract
management function. However, the AMR teams will continue to ensure that confidential business information
(CBI) clauses are included in EPA contracts, whenever appropriate.
Recommendation 3: Revise the Contracts Management Manual to include clear definitions of confidential
business, enforcement sensitive, and Privacy Act information. Include a specific requirement to address
contractor access to each one in the contract management plan.
OARM Response: We concur with this recommendation. We will revise the Contracts Management Manual
(CMM) to include clear definitions of CBI, enforcement sensitive, and Privacy Act information. This revision
will include a specific requirement to address contractor access to each type of data in the contract management
plan. We estimate it will take 6 to 9 months to complete this, as a CMM revision requires an Agency-wide
Green Border review.
Recommendation 4: Include in the Agency's contract training courses, a module that addresses all the types of
confidential or sensitive data and agency personnel responsibilities regarding contractor access to such data.
Require this training for all POs, WAMs, and DOPOs. Consider providing similar training to all document
control officers.
OARM Response: We do not concur with this recommendation. Within the current OARM training
curriculum, we already address the need for protecting against the unauthorized release of CBI, procurement
sensitive information, and Privacy Act information. We will continue to stress the importance of maintaining
protective custody of this information. These topics are specifically addressed in the Acquisition Training for
Project Officers course and text (sections 5.12 and 5.13), and the Contract Administration course/text
(pages 133, 142, 471, and 480-481). These
courses are mandatory training classes for project officers, delivery order project officers, and contracting
officer representatives.
We do not believe that OAM should be responsible for providing training on specific program sensitive
information. The program offices possess the technical knowledge necessary to identify sensitive
programmatic information, and are knowledgeable of specific technical issues concerning contractor access to
sensitive data. As such, they are in a better position to craft individual training modules addressing problems
specific to each of the Agency's technical program offices. We will remind our contracting and project officers
of this issue in the memo referenced in our response to Recommendation 1 above.
Appendix 3
Report Distribution
Office of Inspector General
  Acting Inspector General
Headquarters Office
  Assistant Administrators
  Director, Office of Acquisition Management (3801R)
  Director, Contracts Management Division-Research Triangle Park
  Director, Contracts Management Division-Cincinnati
  Special Assistant to Director, Office of Acquisition Management (3801R)
  Audit Coordinator, Office of Acquisition Management (3802R)
  Agency Followup Official (2710)
  Audit Coordinator, Office of Administration and Resources Management (3102)
  Agency Follow-up Coordinator (2724)
  Director, Office of Policy and Resources Management (3102)
Regional Offices
  Regional Administrators